Full Disclosure mailing list archives

Re: Apple Safari ... DoS Vulnerability


From: Michael Krymson <krymson () gmail com>
Date: Thu, 26 Feb 2009 10:46:33 -0600

The fun times of security semantics! I'd have to argue that DoS conditions
have the potential to be security issues. Then again, I'd also prefer not to
remove A from CIA, but this is not from the standpoint of a developer or
software vendor. I understand how that opinion changes based on
perspective...  Maybe someone will be interested in some non-technical
discussion! =)

Three examples:
A- A DoS condition is discovered in Apache. I can trigger it by sending a
specially crafted packet to Apache. Apache crashes. I can do this many times
until you stop me or Apache fixes it.

B- A DoS condition is discovered in Safari. I can trigger it by getting you
to go to my web page www.youhavenobusinessreasontobehere.com/goats.blah. You
hit my site, you decide not to come back after your browser bombs.

C- A DoS condition is discovered in Safari, the same as before. I can
trigger it by editing your intranet portal and inserting my lovely code. All
of your internal users need to use your intranet portal, but they all keep
crashing, crashing, crashing. Yikes!

I would suggest that DoS conditions are not a priori security issues, but it
certainly depends on the context and whether security has or could have an
*interest* in them.

I would suggest A is a security issue because more power is in the hands of
the attacker than the user. (Yeah, what a horrible definition that will be
once someone tears it up!)

I would suggest B is simply a bug and not something that really affects the
world too much.

I would suggest C is a security bug in the intranet portal, but the browser
crash is of concern to security as well. It might not specifically be a
security issue in the browser, but the effect of it is a concern to
security.





On Thu, Feb 26, 2009 at 9:21 AM, Thierry Zoller <Thierry () zoller lu> wrote:


Just because a bug class can crash an application
doesn't make it a security issue.
A remotely triggerable DoS condition is a security issue per se, my
opinion about the trend to remove the A in CIA for statistical reasons
can be read here :
http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html


--
http://secdev.zoller.lu
Thierry Zoller
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
