Availability is becoming the poor cousin in security
There have been a few discussions here and there over the last few months as to whether or not a software vulnerability that causes stability problems but does not allow remote code execution is actually a security flaw. There were some good arguments on it, and I think those of us old-schoolers who still consider a DoS attack a security problem made our point. Then I see this post at the Watchfire blog, and I feel the old burn coming back.
Seems like Jonathan Afek over at Watchfire is going to be presenting at BlackHat (congrats). He gives a description of the presentation. Here is part of that description:
Just another day at the office started with scanning a web application with a vulnerability scanner (AppScan of course). The scan resulted in an unexpected crash in a Microsoft IIS server. This discovery was really exciting – a crash might mean a new IIS vulnerability.
More thorough research concluded that we were facing a “dangling pointer bug” and that it might be remotely exploitable for arbitrary code execution. After a while, an already-published advisory for this bug was found on the net. It stated that this was a DoS vulnerability and that it couldn’t be exploited for remote code execution.
We thought differently.
First of all, let me say that I don’t see Jonathan arguing that DoS is not a problem, and the advisory he points to lists the vulnerability as critical. And while I think the presentation is probably going to be very interesting and one I would love to see, it still gives the impression that if remote code execution is not possible, then there’s no big danger. When did availability become the poor cousin in security? The availability of a service is JUST as important as its integrity. Plain, simple, end of story.
Vet