nCircle.com >> 360 Security >> VERT


March 2008 Archives

March 6, 2008

Trust Me: DoS is Dead?

Security is an interesting thing... it's a field that leaves a lot open to interpretation and in many ways each vendor is allowed to answer the same question differently. Today we'll ask the question, "What warrants a security advisory?" That seems like a straightforward question, so let's put it to the test with two popular browsers: Microsoft Internet Explorer and Mozilla Firefox. Now I feel as though I should preface this by saying that I use Firefox on a daily basis, but that is only because it is cross platform and I have Windows and Linux at work, and Windows, Linux and OS X at home. However, I'm also a big fan of Microsoft as I think previous posts here, and on my personal blog, have demonstrated. So we're not making war with either side here... we're just examining the different responses to the same question. (Note: Neither Microsoft nor Mozilla was consulted; the responses are just my interpretation of their action/inaction.)

So back to the question, "What warrants a security advisory?"

Let's take a look first at Mozilla Firefox. The Mozilla Products Known Vulnerabilities page is one that I am quite familiar with, and a huge fan of. I love the presentation and the layout. What's interesting is that nearly every release contains a very familiar security advisory title, "Crashes with evidence of memory corruption." When you look inside these, they are essentially stability improvements. Yet Mozilla acknowledges that they can crash the browser and they recognize a crash as a security related issue. Another example, to pick one at random, is "Persistent AutoComplete Denial of Service." In this example, millions of characters typed into a form and stored can cause the browser to hang. Not even a crash this time, simply a hung browser and again Mozilla has decided to address this with a security advisory. It seems to me that Mozilla accepts that a Denial of Service warrants a security advisory.

Next up to bat... Microsoft Internet Explorer. Microsoft seems to have taken a very different approach; Microsoft considers a Denial of Service (or "crash") to be a stability issue. These stability issues are not security issues but rather bugs. I know what you're thinking, quite a few security issues are bugs and I would tend to agree... Microsoft, however, would not. Now you are probably asking what evidence I have that Microsoft considers stability issues to simply be bugs that aren't security related. That's simple. I contacted Microsoft security to report a crash condition with regards to IE7. The crash condition can be reproduced reliably and happens to be discussed (briefly) on a few pages regarding web development. Microsoft's response (paraphrased), "This is a bug, report it to the IE team." (Note: this may actually be an Adobe issue in the end; I didn't pinpoint the line of code in the pages responsible for the crash. However it is specific to IE7, in a specific situation. Which at the very least warrants investigation in my eyes.)

This strikes me as a pretty big distinction between what two vendors deem worthy of a security advisory versus non-security bugs. For the most part, this isn't the sort of thing that would get under my skin if others in the industry weren't drawing misleading conclusions from it.

In a recent article, a claim was made that IE was the most secure browser of 2007. From what I can see, this was based mostly on the number of vulnerabilities reported in various browsers last year. As a security researcher, it irks me to no end to see such a sweeping conclusion thrown out for public consumption without first doing research. I can't imagine someone making such a claim based on a simple vuln count if they knew that Microsoft had redefined DoS conditions as non-security issues - and I can't imagine someone claiming to be an expert on browser security without knowing this.

Some may say that this is an isolated case by Microsoft with their browser, but the same trend seems to have emerged in other Microsoft technologies - including XP. The only difference in this case is that the author has web technology tunnel vision. At least in this case, their short-sightedness limited how much misleading information they put out there.

At the end of the day, DoS is DoS. If one vendor redefines DoS as a non-security issue, those dishing out Security advice need to apply the same definition to competing products. The last time I checked, Security included consideration of confidentiality, integrity, and availability. Agree or disagree, but apply your definition to all products in the space.

My advice is to be careful about taking opinions from "Security Experts" as gospel. If our ramblings inspire you to dig deeper, then we're doing some good. If they don't, we're all worse off.

About March 2008

This page contains all entries posted to VERT in March 2008. They are listed from oldest to newest.
