Archive for June 4th, 2007

Availability is becoming the poor cousin in security

June 4th, 2007 Michael Farnum

There have been a few discussions here and there over the last few months as to whether or not a software vulnerability that causes stability problems but does not allow remote code execution is actually a security flaw. There were some good arguments on it, and I think we old schoolers who think a DoS attack is still a security problem made our point. Then I see this post at the Watchfire blog, and I feel the old burn coming back.

Seems like Jonathan Afek over at Watchfire is going to be presenting at BlackHat (congrats). He gives a description of the presentation. Here is part of that description:

Just another day at the office started with scanning a web application with a vulnerability scanner (AppScan of course). The scan resulted in an unexpected crash in a Microsoft IIS server. This discovery was really exciting – a crash might mean a new IIS vulnerability.

More thorough research concluded that we were facing a “dangling pointer bug” and that it might be remotely exploitable for arbitrary code execution. After a while, an already published advisory of this bug was found on the net. It stated that this was a DoS vulnerability and that it couldn’t be exploited for remote code execution.

We thought differently.

First of all, let me say that I don’t see Jonathan arguing that DoS is not a problem, and the advisory that he points to lists the vulnerability as critical. And while I think the presentation is probably going to be very interesting and one I would love to see, it still gives the impression that if remote code execution is not possible, then there’s not a big danger. When did availability become the poor cousin in security? The availability of a service is JUST as important as the integrity. Plain, simple, end of story.

Categories: Security

Baghdad US embassy plans appeared on architect’s website

June 4th, 2007 Michael Farnum

This is not good at all.

Categories: Security