Date: Tue, 03 Mar 2009 15:28:17 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Apple Safari ... DoS Vulnerability

Chris Evans to Thierry Zoller:

> > Example
> > If a chrome tab can be crashed arbitrarily (remotely) it is a DoS attack
> > but with ridiculously low impact to the end-user as it only crashes the tab
> > it was subjected to, and not the whole browser or operating system.
> > But the fact remains that this was the impact of a DoS condition,
> > the tab crashes arbitrarily.
> 
> Eh? If you visit www.evil.com and your tab crashes, that's no
> different from www.evil.com closing its own tab with Javascript.

But what if www.evil.com has run an injection attack of some kind (SQL, 
XSS in blog comments, etc, etc) against www.stupid.com?

Visitors to stupid.com then suffer a DoS...

Yes, stupid.com should run their site better, fix their myriad XSS holes, 
etc, etc.

But this is the Internet, so this "software flaw" can be leveraged as a 
security vulnerability.

I'm with Thierry on this...


Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
