I've been very vocal against Microsoft's move to label Denial of Service as a stability issue rather than a security issue. I fully disagree with this idea, as availability should be just as important as any other security issue. I will say that they appear to have a sliding scale... where some Denial of Service issues are patched and treated as security issues; however, I can't help but feel these should all be treated equally. This is something I've addressed in the past (here and here), but I feel the need to bring it up again.
Twice I've contacted Microsoft regarding Internet Explorer. Twice I've been told that DoS isn't a security issue... I thought about writing up each issue, but instead I feel that a video may better represent these issues.
Crash 1
In this video we have an IE7 install, and when we visit the page IE crashes. In this case, too much input submitted to a form is the cause of the problem. To accomplish this I simply created a long string and used some onload JavaScript to set a form text input to the value of the long string and then submit the form. This causes a "non-exploitable stack exhaustion" according to Microsoft. However, I consider the browser crashing to be an exploit.
Crash 2
In this video, IE7 has been installed immediately after the SP2 install, and then we install the latest updates. As you can see, IE crashes when the page is loaded. The page I visit actually wraps a popular website which causes the crash to occur (it requires being loaded a couple of times to induce the crash, so we use an iframe set to width=0 and height=0 and a meta refresh tag). These seem to be Flash-related; however, I can't visit the Flash website to grab the latest version (it's the page causing the crash).
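As an added example (not code from the original post), here is a small heuristic scanner that flags the two page constructs described above: an onload handler that fills a form input with a very long string and auto-submits it (Crash 1), and a zero-sized iframe paired with a meta refresh (Crash 2). The sample HTML documents are constructed for the example; the finding names are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not the post's original pages), one per crash.
# Crash 1: onload fills a text input with a very long string and submits.
CRASH1 = """<html><body onload="document.f.q.value=s;document.f.submit()">
<script>var s='A';for(var i=0;i<20;i++){s+=s;}</script>
<form name="f" action="/x"><input name="q" type="text"></form></body></html>"""
# Crash 2: a 0x0 iframe wrapping another site, reloaded by a meta refresh.
CRASH2 = """<html><head><meta http-equiv="refresh" content="2"></head><body>
<iframe src="http://example.invalid/" width="0" height="0"></iframe></body></html>"""
BENIGN = """<html><body><form action="/s"><input name="q"></form>
<iframe src="/ad" width="300" height="250"></iframe></body></html>"""

AUTOSUBMIT = re.compile(r"\.submit\s*\(")
GROWTH = re.compile(r"(\w+)\s*\+=\s*\1\b")             # s += s: exponential growth
LONG_LITERAL = re.compile(r"""(['"])[^'"]{4096,}\1""")  # one huge string literal

class _Collector(HTMLParser):  # gathers the few page features the heuristics need
    def __init__(self):
        super().__init__()
        self.onload, self.scripts = [], []
        self.meta_refresh = self.zero_iframe = self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # bare attributes arrive as None
        if tag == "body" and a.get("onload"):
            self.onload.append(a["onload"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "iframe" and all(a.get(d, "").strip("px ") == "0" for d in ("width", "height")):
            self.zero_iframe = True
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self.scripts.append(data)

def scan(html):
    """Return the set of heuristic findings for one HTML document."""
    c = _Collector()
    c.feed(html)
    code = " ".join(c.onload + c.scripts)  # inline handler plus script bodies
    findings = set()
    if c.onload and AUTOSUBMIT.search(code) and (GROWTH.search(code) or LONG_LITERAL.search(code)):
        findings.add("onload-autosubmit-huge-input")
    if c.zero_iframe and c.meta_refresh:
        findings.add("zero-size-iframe-plus-meta-refresh")
    return findings
```

Both heuristics are deliberately narrow; they catch the exact shapes the post describes and will miss variants, so treat a hit as a reason to look, not a verdict.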
I'll concede that remote code execution is more serious than denial of service, but that doesn't mean we should discount the seriousness of denial of service. As Microsoft has told me these aren't security issues, I felt I wouldn't be remiss in disclosing them now; in fact, I felt that I should disclose them. With more and more people making use of Web 2.0 applications, even denial of service to a browser could have disastrous results.
As I've mentioned before... Mozilla fixes issues of this nature under a security advisory (example). If Microsoft's primary competition can do it... why can't they?
Comments (4)
I've seen this topic come up before elsewhere. And I'll approach it from a slightly subtle direction.
When security talks about CIA, it is talking about the availability of assets or information or everything in between the user and those objects.
When you browse out to a web page that crashes your browser, what exactly is becoming unavailable? The user's browser session to a malicious page.
Is that really a security issue? Should they have been going to that page anyway, or do they have some valuable need to be on that site?
Now, this can be a security issue in some situations.
1) You're the webmaster of a site. Someone puts up some content on your site that is denying access by affected IE users because they keep crashing. Big issue! Think: CNN.com has that POC embedded in the front page.
2) Users at your company utilize an internal web server for business reasons. Sadly, something worked its way into your network and has defaced this site with code that crashes your company browsers. Big issue!
(Of course, there is the bigger issue of how malicious code got on those pages...)
To everyone else, this is most likely a stability issue.
Posted by LonerVamp | June 30, 2008 9:25 AM
Of course availability is a security issue. It's the "A" in the "AIC triad" (along with integrity and confidentiality), which is the very core of most security issue classification systems.
Posted by Dustin D. Trammell | July 3, 2008 3:25 PM
@Dustin
I agree with you completely, however someone needs to tell that to Microsoft because they are slowly (and for the most part, silently) phasing DoS out of their security cycle.
Posted by Tyler Reguly | July 3, 2008 3:47 PM
@LonerVamp
I apologize for a delayed response (your comment was swallowed by our spam filter, although so was my last one).
This is also my second attempt at commenting (our captcha system killed my last post), so here we go.
There are times when it is indeed a stability issue instead of a security issue, however in a Web 2.0 world when you are talking about browsers... it becomes a security issue.
What if you were performing word processing or data entry in a Web 2.0 app and in another tab browse to a page with the DoS code... suddenly it's impacting business. That makes it a security issue.
To pass it off as "the user can reopen their browser" and ignore it, is to say you don't respect the user.
My previous IPv6 post is another great example. As we move towards IPv6 this could become a serious issue, yet Microsoft has chosen to ignore it. At least, however, they responded to me... the Ubuntu security team didn't even reply to my email.
To cast aside denial of service, especially when you have the resources that Microsoft has, is simply foolish. It doesn't benefit anyone.
Posted by Tyler Reguly | July 3, 2008 4:08 PM