Slashdot today had an article titled Another Denial of Service Bug Found in Firefox 2. For those of you smart enough not to read the Full Disclosure and Bugtraq mailing lists on a regular basis, there has been quite a bit of Firefox denial of service (DoS) traffic lately. There is nothing wrong with sharing such information, but the amount of attention it is getting is rather misleading.
Red Hat usually doesn't consider client crashes such as this to be security issues. We call them bugs of the "don't do that" class. While it may be trivial to crash Firefox, an attacker still has to convince a user to visit a particular web page, and all that gets them is a crashed browser. Even then, how often does Firefox crash for no apparent reason anyway?
I don't usually expect people posting information to various public lists to fully research every issue they post. Part of the advantage of sharing information with a public list is getting information back from others in the know about your issue. What annoys me is when an organization such as SANS does a terrible job of describing an issue. Anyone who ran Firefox in a debugger and triggered that crash would have noticed that it was caused by a NULL pointer dereference. In a userspace process the zero page is not mapped, so a read or write through a NULL pointer (or through a small field offset from one) simply faults and kills the process; a NULL pointer dereference is almost never exploitable beyond a DoS (and certainly not in this case). The SANS Handler's Diary also states that the entry will be updated if more information becomes available, which never happened. The issue was discussed on the Bugtraq mailing list, where it was made rather clear that this flaw presents no threat beyond a DoS.
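The debugger check described above, as an added example that is not part of the original post: a C program (Linux/glibc on x86 or x86-64 assumed) that dereferences a NULL pointer, catches the resulting SIGSEGV, and classifies the crash by the faulting address the kernel reports in si_addr, the same value an analyst would read out of a debugger. The function names classify_fault and probe_fault_address, and the 4096-byte page size used for the "NULL page" threshold, are assumptions of this example.

```c
/* Added example, not code from the original post. Triage a crash the way an
 * analyst does in a debugger: look at the address the CPU faulted on. An
 * address inside the first page means a NULL pointer (or NULL plus a small
 * field offset) was dereferenced; the zero page is unmapped in a normal
 * userspace process, so the result is a clean SIGSEGV, not a controllable
 * write. Assumes Linux/glibc on x86 or x86-64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum fault_class { FAULT_NULL_PAGE, FAULT_WILD };

/* Assumed page size; NULL->field with a small offset still lands here. */
#define NULL_PAGE_LIMIT 4096u

/* Classify a faulting address: inside the zero page => plain NULL deref. */
enum fault_class classify_fault(uintptr_t fault_addr)
{
    return fault_addr < NULL_PAGE_LIMIT ? FAULT_NULL_PAGE : FAULT_WILD;
}

static sigjmp_buf recover;
static volatile uintptr_t last_fault_addr;

/* SIGSEGV handler: record the faulting address the kernel reports
 * (si_addr, what gdb shows as $_siginfo._sifields._sigfault.si_addr)
 * and unwind back to the probe instead of dying. */
static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    last_fault_addr = (uintptr_t)si->si_addr;
    siglongjmp(recover, 1);
}

/* The pointer value lives in a volatile global so the compiler cannot prove
 * it is NULL and replace the load with a trap instruction (SIGILL). */
static volatile uintptr_t g_ptr_value = 0;

/* Dereference ptr_value, catch the SIGSEGV, and return the address the
 * fault was reported at. Call with 0 or a small offset only; a large
 * address might happen to be mapped and would not fault at all. */
uintptr_t probe_fault_address(uintptr_t ptr_value)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    g_ptr_value = ptr_value;
    last_fault_addr = (uintptr_t)-1;
    if (sigsetjmp(recover, 1) == 0) {
        volatile int *p = (volatile int *)g_ptr_value;
        int v = *p;            /* faults here; handler longjmps back */
        (void)v;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return last_fault_addr;
}

int main(void)
{
    /* Simulate reading field at offset 0x40 through a NULL struct pointer. */
    uintptr_t a = probe_fault_address(0x40);
    printf("fault at 0x%lx: %s\n", (unsigned long)a,
           classify_fault(a) == FAULT_NULL_PAGE
               ? "zero page, DoS only"
               : "wild pointer, investigate further");
    return 0;
}
```

The same question is answered in gdb by running the crashing binary and, at the SIGSEGV, printing the faulting address and the instruction that caused it; a fault address near zero with a register holding zero as the base of the access is the signature of a plain NULL dereference. An address that depends on attacker-supplied data is the case that needs real analysis.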
As the volume of possible security issues increases, I worry about the trend I see: most organizations are willing to call something a security flaw with no real research into what the actual cause is or which programs are affected. At Red Hat we do our best to sort the wheat from the chaff, which I believe is part of the added value the Red Hat Security Response Team lends to our products. I would very much like to see the rest of the security community make the same effort.
Updated:
I should also add that part of my goal in writing this is to become more involved in the information posted to various public lists. In the past I've been far too willing to just let misleading public information slide. If I'm going to complain, I need to take responsibility for my actions (or lack of action in this instance).