Date: Mon, 2 Mar 2009 18:13:16 -0800
From: Chris Evans <scarybeasts@...il.com>
To: Thierry Zoller <Thierry@...ler.lu>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Apple Safari ... DoS Vulnerability

On Fri, Feb 27, 2009 at 5:36 AM, Thierry Zoller <Thierry@...ler.lu> wrote:
>
> Hi,
>
> Michal with all due respect I'd like to beg to differ (and maybe be
> too nitpicky here).
>
> MZ> Vulnerabilities are a subset of software engineering bugs.
> I do not think this is the case (lack of the term software). How's
> this for being nitpicky ? ;)
>
> In my book, maybe only in mine, a software bug is security relevant
> (sorry for the lack of clarity - it's late over here) as soon as
> Integrity / Availability / Confidentiality are under arbitrary direct
> or indirect control of another entity (i.e. attacker). Period,
> personally this represents the ultima ratio.
>
> After this - it's just a measure of _how much_. And the question of how much
> is a completely other one.
>
> Example
> If a chrome tab can be crashed arbitrarily (remotely) it is a DoS attack
> but with ridiculously low impact to the end-user as it only crashes the tab
> it was subjected to, and not the whole browser or operating system.
> But the fact remains that this was the impact of a DoS condition,
> the tab crashes arbitrarily.

Eh? If you visit www.evil.com and your tab crashes, that's no
different from www.evil.com closing its own tab with JavaScript.

Cheers
Chris

>
>
> MZ> As the name
> MZ> implies, they are defined strictly by the impact they have; if a bug
> MZ> does not render the victim appreciably susceptible to anything that
> MZ> would be of value to external attackers, it is not a security problem.
> You define vulnerability like a boolean that is true when the impact is of
> value to the attacker. "would be of value to external attacker" - I
> clearly digress, I don't think that the nature of a bug
> (vulnerability) can be defined by the "value" it has for the attacker.
> What about damage to the victim? What about lost revenue, agreement
> breaches etc. pp. I'd not recommend measuring security from the perspective
> of the attacker, but rather the (potential) loss of the entity that tries to
> measure.
>
> MZ> Anyway... bottom line is, any attempts to formalize the criteria are
> MZ> bound to fail (and have mostly failed in the past), and common sense
> MZ> is the best tool we have.
>
> If we want to arrive at a state where risk can be managed, it needs
> to be measured. And if we aren't that far in 2009 I pity us all.
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
