
RE: What is a security bug?



Jasper,

It's pretty much open for debate.

The subtlety lies in the "certain input" mentioned by Florian. For the
sake of argument, imagine you can create a webpage which, when rendered,
will make the browser crash.
You could trick users into surfing to your page by e.g. spam mailing your
URL around, or even the page itself.

Somehow you've succeeded in making a remote browser perform an undesired
(and controlled by you!) action: crashing.

And I thought CIA (confidentiality - integrity - AVAILABILITY ) was key in
InfoSec? ;-)

Just my 0.02EUR

Kind regards,

Roger

On Wed, November 23, 2005 12:15 pm, Jasper Filon said:
> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security. However, it is a bug, maybe even a critical one.
> As long as the bug does not compromise the security of the system
> (enables unauthorised execution of code, access to the memory of another
> process, or manipulating the content of the other tabs or something like
> that) it has nothing to do with security and hence not with this list
> (debian-security).
>
> Well, that's obvious to me, but maybe someone else has a different
> opinion about this issue?
>
> regards, Jasper
>
> -----Original Message-----
> From: Florian Weimer [mailto:fw@deneb.enyo.de]
> Sent: woensdag 23 november 2005 11:15
> To: debian-security@lists.debian.org
> Subject: What is a security bug?
>
> It seems that I have difficulty understanding what constitutes a
> security bug in a web browser.
>
> Suppose that the web browser always crashes when confronted with certain
> input, losing all of its state.  With tabbed browsing, multiple browsers
> opened by the same process etc., this means that potentially important
> work is lost.
>
> Is this a security bug?  Or is this more in the category of "don't do
> that, then"?
>
> I used to laugh at office regulations which recommend closing all
> applications (including internal web applications) when browsing the
> Internet, but if software vendors don't consider such crash bugs a
> priority issue, they do make sense.


-- 
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin


