Full Disclosure mailing list archives
Re: Apple Safari ... DoS Vulnerability
From: Michael Krymson <krymson () gmail com>
Date: Thu, 26 Feb 2009 10:46:33 -0600
The fun times of security semantics! I'd have to argue that DoS conditions have the potential to be security issues. Then again, I'd also prefer not to remove A from CIA, but this is not from the standpoint of a developer or software vendor. I understand how that opinion changes based on perspective... Maybe someone will be interested in some non-technical discussion! =) Three examples: A- A DoS condition is discovered in Apache. I can trigger it by sending a specially crafted packet to Apache. Apache crashes. I can do this many times until you stop me or Apache fixes it. B- A DoS condition is discovered in Safari. I can trigger it by getting you to go to my web page www.youhavenobusinessreasontobehere.com/goats.blah. You hit my site, you decide not to come back after your browser bombs. C- A DoS condition is discovered in Safari, the same as before. I can trigger it by editing your intranet portal and inserting my lovely code. All of your internal users need to use your intranet portal, but they all keep crashing, crashing, crashing. Yikes! I would suggest that DoS conditions are not a priori security issues, but it certainly depends on the context and whether security has or could have an *interest* in them. I would suggest A is a security issue because more power is in the hands of the attacker than the user. (Yeah, what a horrible definition that will be once someone tears it up!) I would suggest B is simply a bug and not something that really affects the world too much. I would suggest C is a security bug in the intranet portal, but the browser crash is of a concern to security as well. It might not specifically be a security issue in the browser, but the effect of it is a concern to security. On Thu, Feb 26, 2009 at 9:21 AM, Thierry Zoller <Thierry () zoller lu> wrote:
Just because a bug class can crash an application doesn't make it a security issue.A remotely triggerable DoS condition is a security issue per se, my opinion about the trend to remove the A in CIA for statisitca reasons can be read here : http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html -- http://secdev.zoller.lu Thierry Zoller
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Apple Safari ... DoS Vulnerability Michael Krymson (Feb 26)
- Re: Apple Safari ... DoS Vulnerability Thierry Zoller (Feb 26)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 26)
- <Possible follow-ups>
- Re: Apple Safari ... DoS Vulnerability Thierry Zoller (Feb 27)
- Re: Apple Safari ... DoS Vulnerability J. Oquendo (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Jeremy Brown (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Valdis . Kletnieks (Feb 27)
- Re: Apple Safari ... DoS Vulnerability Michal Zalewski (Feb 27)
- Re: Apple Safari ... DoS Vulnerability J. Oquendo (Feb 27)