[Full-disclosure] Apple Safari ... DoS Vulnerability
scarybeasts at gmail.com
Tue Mar 3 02:13:16 GMT 2009
On Fri, Feb 27, 2009 at 5:36 AM, Thierry Zoller <Thierry at zoller.lu> wrote:
> Michal, with all due respect, I'd like to beg to differ (and maybe be
> too nitpicky here).
> MZ> Vulnerabilities are a subset of software engineering bugs.
> I do not think this is the case (lack of the term "software"). How's
> this for being nitpicky? ;)
> In my book, maybe only in mine, a software bug is security relevant
> (sorry for the lack of clarity - it's late over here) as soon as
> Integrity / Availability / Confidentiality are under arbitrary direct
> or indirect control of another entity (i.e. an attacker). Period;
> personally this represents the ultima ratio.
> After this - it's just a measure of _how much_. And the question of how much
> is a completely different one.
> If a Chrome tab can be crashed arbitrarily (remotely) it is a DoS attack,
> but with ridiculously low impact to the end-user as it only crashes the tab
> it was subjected to, and not the whole browser or operating system.
> But the fact remains that this was the impact of a DoS condition:
> the tab crashes arbitrarily.
Eh? If you visit www.evil.com and your tab crashes, that's no
> MZ> As the name
> MZ> implies, they are defined strictly by the impact they have; if a bug
> MZ> does not render the victim appreciably susceptible to anything that
> MZ> would be of value to external attackers, it is not a security problem.
> You define vulnerability like a boolean that is true when the impact is of
> value to the attacker. "would be of value to external attacker" - I
> clearly disagree; I don't think that the nature of a bug
> (vulnerability) can be defined by the "value" it has for the attacker.
> What about damage to the victim? What about lost revenue, agreement
> breaches etc. pp.? I'd not recommend measuring security from the perspective
> of the attacker, but rather the (potential) loss of the entity that tries to
> MZ> Anyway... bottom line is, any attempts to formalize the criteria are
> MZ> bound to fail (and have mostly failed in the past), and common sense
> MZ> is the best tool we have.
> If we want to arrive at a state where risk can be managed, it needs
> to be measured. And if we aren't that far in 2009 I pity us all.
> Thierry Zoller
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/