Message-ID: <fc76c6280902260846o31b0aaa2k9246bed68994bb94@mail.gmail.com>
Date: Thu, 26 Feb 2009 10:46:33 -0600
From: Michael Krymson <krymson@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Apple Safari ... DoS Vulnerability

The fun times of security semantics! I'd have to argue that DoS conditions
have the potential to be security issues. Then again, I'd also prefer not to
remove A from CIA, but this is not from the standpoint of a developer or
software vendor. I understand how that opinion changes based on
perspective...  Maybe someone will be interested in some non-technical
discussion! =)

Three examples:
A- A DoS condition is discovered in Apache. I can trigger it by sending a
specially crafted packet to Apache. Apache crashes. I can do this many times
until you stop me or Apache fixes it.

B- A DoS condition is discovered in Safari. I can trigger it by getting you
to go to my web page www.youhavenobusinessreasontobehere.com/goats.blah. You
hit my site, you decide not to come back after your browser bombs.

C- A DoS condition is discovered in Safari, the same as before. I can
trigger it by editing your intranet portal and inserting my lovely code. All
of your internal users need to use your intranet portal, but they all keep
crashing, crashing, crashing. Yikes!

I would suggest that DoS conditions are not a priori security issues, but it
certainly depends on the context and whether security has or could have an
*interest* in them.

I would suggest A is a security issue because more power is in the hands of
the attacker than the user. (Yeah, what a horrible definition that will be
once someone tears it up!)

I would suggest B is simply a bug and not something that really affects the
world too much.

I would suggest C is a security bug in the intranet portal, but the browser
crash is of concern to security as well. It might not specifically be a
security issue in the browser, but the effect of it is a concern to
security.

On Thu, Feb 26, 2009 at 9:21 AM, Thierry Zoller <Thierry@...ler.lu> wrote:

>
> > Just because a bug class can crash an application
> > doesn't make it a security issue.
> A remotely triggerable DoS condition is a security issue per se, my
> opinion about the trend to remove the A in CIA for statistical reasons
> can be read here :
> http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html
>
>
> --
> http://secdev.zoller.lu
> Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
