What is a security bug?

What is a security bug?

Florian Weimer
It seems that I have difficulty understanding what constitutes a
security bug in a web browser.

Suppose that the web browser always crashes when confronted with
certain input, losing all of its state.  With tabbed browsing,
multiple browser opened by the same process etc., this means that
potentially important work is lost.

Is this a security bug?  Or is this more in the category of "don't do
that, then"?

I used to laugh at office regulations which recommend closing all
applications (including internal web applications) when browsing the
Internet, but if software vendors don't consider such crash bugs a
priority issue, they do make sense.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


RE: What is a security bug?

Jasper Filon
Well, obviously it is not a _security_ bug, since it has nothing to do
with security. However, it is a bug, maybe even a critical one.
As long as the bug does not compromise the security of the system
(enables unauthorised execution of code, access to the memory of other
processes, manipulating the content of the other tabs or something like
that) it has nothing to do with security and hence not with this list
(debian-security).

Well, that's obvious to me, but maybe someone else has a different
opinion about this issue?

regards, Jasper



RE: What is a security bug?

Sels, Roger
Jasper,

It's pretty much open for debate.

The subtlety lies in the "certain input" mentioned by Florian. For the
sake of argument, imagine you can create a webpage which, when rendered,
will make the browser crash.
You could trick users into surfing to your page, e.g. by spam mailing your
URL around or even the page itself.

Somehow you've succeeded in making a remote browser perform an undesired
(and controlled by you!) action: crashing.

And I thought CIA (confidentiality - integrity - AVAILABILITY ) was key in
InfoSec? ;-)

Just my 0.02EUR

Kind regards,

Roger



--
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin




Re: What is a security bug?

Rolf Kutz
In reply to this post by Jasper Filon
* Quoting Jasper Filon ([hidden email]):

> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security. However, it is a bug, maybe even a critical one.
> As long as the bug does not compromise the security of the system
> (enables unauthorised execution of code, access to memory of other
> process of manipulating the content of the other tabs or something like
> that) is has nothing to do with security and hence not with this list
> (debian-security).  

Security is not just related to execution of
malicious code. It also has to do with data
integrity or usability of software. A vulnerability
to a DoS attack is IMHO a security bug. Whether it
justifies a security update is another question,
but IIRC every security bug does.

- Rolf




Re: What is a security bug?

Florian Weimer
In reply to this post by Jasper Filon
* Jasper Filon:

> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security.

Availability is typically considered one aspect of security (and
arguably the hardest one to get right in networked applications).

For example, here's a quote from FIPS 199:

| Security Objectives
|
| The FISMA defines three security objectives for information and
| information systems:
|
| CONFIDENTIALITY
|
| "Preserving authorized restrictions on information access and
| disclosure, including means for protecting personal privacy and
| proprietary information..." [44 U.S.C., Sec. 3542]
|
| A loss of confidentiality is the unauthorized disclosure of information.
|
| INTEGRITY
|
| "Guarding against improper information modification or destruction,
| and includes ensuring information non-repudiation and authenticity..."
| [44 U.S.C., Sec. 3542]
|
| A loss of integrity is the unauthorized modification or destruction of
| information.
|
| AVAILABILITY
|
| "Ensuring timely and reliable access to and use of information..." [44
| U.S.C., SEC. 3542]
|
| A loss of availability is the disruption of access to or use of
| information or an information system.

As far as I know, these definitions are widely accepted and guide
most vendor security efforts.

Maybe the example I gave is not a security bug, but I think you need a
more convincing argument than "it's just a crash".




Re: What is a security bug?

Steve Kemp
In reply to this post by Jasper Filon
On Wed, Nov 23, 2005 at 12:15:35PM +0100, Jasper Filon wrote:
> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security. However, it is a bug, maybe even a critical one.

  I filed a couple of bugs on Mozilla relating to DoS attacks,
 crashing the browser on some badly formed input HTML.

  They were not treated as security bugs.... which surprised me at
 the time.

Steve

Re: What is a security bug?

Noah Meyerhans-3
In reply to this post by Florian Weimer
On Wed, Nov 23, 2005 at 12:59:02PM +0100, Florian Weimer wrote:
> Availability is typically considered one aspect of security (and
> arguably the hardest one to get right in networked applications).

I tend to consider it the other way around.  Security is a subset of
availability.  Availability must also take into account things like
hardware failures, network problems, software configuration, etc.  It
also must account for security.  As a sysadmin, my primary interest is
not in the security of my services (if it was, I'd unplug them all!),
but in the availability.  Because security is one aspect of
availability, I must account for it when designing and maintaining
systems, but it can't be the ultimate goal, since a truly secure system
provides no availability.

noah



Re: What is a security bug?

Bernd Eckenfels
In reply to this post by Jasper Filon
In article <[hidden email]> you wrote:
> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security.
...
> well, that's obviously for me, but maybe someone else has a different
> opion about this issue?

Your definition and mine of security are not compatible :)

(availability is a security discipline and a DOS is a security attack for
me). But I think we had this discussion before on this list...

However it doesn't matter, you are right: critical application crashes
(especially if triggerable by untrusted peers) are critical enough to be
fixed anyway. AND crashes often have the potential to be exploitable
(stack smashing?).

Gruss
Bernd




Re: What is a security bug?

Mark Seaborn
In reply to this post by Florian Weimer
Florian Weimer <[hidden email]> wrote:

> It seems that I have difficulty understanding what constitutes a
> security bug in a web browser.
>
> Suppose that the web browser always crashes when confronted with
> certain input, losing all of its state.  With tabbed browsing,
> multiple browser opened by the same process etc., this means that
> potentially important work is lost.

A really broad definition of security is that a system is secure if it
does what the user expects it to do.

If you apply this at the level of the interactions between
reasonably-sized entities, this definition is usable: You don't expect
clicking on a link in one browser window to cause other windows to
disappear without trace.

Besides the problem of losing your work in one browser window, this
sort of bug raises more security questions:

 * Why are multiple browser windows implemented by the same process?
   Does it really save that many resources?  Why not run them in
   separate processes?
 * Why is the browser process running with the user's full authority,
   including access to all the user's files?  If you run it with
   access to only the files it needs, the risk from buffer overruns
   will be greatly reduced.

Mark
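The first of Mark's two points, one process per tab so that a crash on bad input does not take the rest of the browser down, as an added example that is not code from this thread. The renderer and the "bad" page are constructed stand-ins; the parent process plays the browser shell and keeps running whatever the child does.

```c
/* Added example, not code from the thread: one child process per "tab",
 * so a renderer crash on bad input kills only that tab, not the browser. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical renderer. The constructed input "bad" stands in for the
 * malformed page that crashes the real renderer; anything else "renders"
 * and reports its length. */
static int render(const char *page) {
    if (strcmp(page, "bad") == 0)
        abort();                 /* models the segfault on bad input */
    return (int)strlen(page);
}

/* Run render() in a forked child and return its result through a pipe.
 * Returns -1 if the child died from a signal (or never reported a value). */
static int run_tab(const char *page) {
    int fd[2], status = 0, value = -1;
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {              /* child: the isolated tab */
        close(fd[0]);
        int v = render(page);
        if (write(fd[1], &v, sizeof v) != (ssize_t)sizeof v)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);                /* parent: the browser shell */
    ssize_t n = read(fd[0], &value, sizeof value);
    close(fd[0]);
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) || n != (ssize_t)sizeof value)
        return -1;               /* tab crashed; parent state is intact */
    return value;
}

/* Open each page in its own tab and count how many rendered cleanly. */
static int surviving_tabs(const char **pages, int n) {
    int ok = 0;
    for (int i = 0; i < n; i++)
        if (run_tab(pages[i]) >= 0)
            ok++;
    return ok;
}

int main(void) {
    /* Constructed sample session: two good pages around one crasher. */
    const char *pages[] = {"home", "bad", "mail"};
    int ok = surviving_tabs(pages, 3);
    printf("%d of 3 tabs survived; the shell never died\n", ok);
    return ok == 2 ? 0 : 1;
}
```

Had render() run in the shell process itself, the abort() would have ended the whole session; the second point (running with less than the user's full authority) is not shown here.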




Re: What is a security bug?

Thomas Bushnell, BSG-2
In reply to this post by Florian Weimer
Florian Weimer <[hidden email]> writes:

> Suppose that the web browser always crashes when confronted with
> certain input, losing all of its state.  With tabbed browsing,
> multiple browser opened by the same process etc., this means that
> potentially important work is lost.

In the case of galeon, for example, there is no bug, because it can
restart with the old state.




Re: What is a security bug?

Marc Haber-9
On Wed, Nov 23, 2005 at 10:53:46PM -0800, Thomas Bushnell BSG wrote:
> Florian Weimer <[hidden email]> writes:
> > Suppose that the web browser always crashes when confronted with
> > certain input, losing all of its state.  With tabbed browsing,
> > multiple browser opened by the same process etc., this means that
> > potentially important work is lost.
>
> In the case of galeon, for example, there is no bug, because it can
> restart with the old state.

And galeon saves current state, including form entries done by the
user, before it segfaults?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835




Re: What is a security bug?

Thomas Bushnell, BSG-2
Marc Haber <[hidden email]> writes:

> On Wed, Nov 23, 2005 at 10:53:46PM -0800, Thomas Bushnell BSG wrote:
>> Florian Weimer <[hidden email]> writes:
>> > Suppose that the web browser always crashes when confronted with
>> > certain input, losing all of its state.  With tabbed browsing,
>> > multiple browser opened by the same process etc., this means that
>> > potentially important work is lost.
>>
>> In the case of galeon, for example, there is no bug, because it can
>> restart with the old state.
>
> And galeon saves current state, including form entries done by the
> user, before it segfaults?

It seems it does not save form entries (which was not mentioned
explicitly in Florian's post above), but it certainly does save the
tabs and multiple windows information and such.

Thomas




Re: What is a security bug?

Javier Fernandez-Sanguino-2
In reply to this post by Bernd Eckenfels
On Wed, Nov 23, 2005 at 07:07:21PM +0100, Bernd Eckenfels wrote:
> In article <[hidden email]> you wrote:
> > Well, obviously it is not a _security_ bug, since it has nothing to do
> > with security.
> ...

Without looking at the bug in detail you cannot tell for sure. A DoS
condition can become a remote exploit.

(...)

> However it doesnt matter, you are right: critical application crashes
> (especially if triggerable by untrusted peers) are critical enough to be
> fixed anyway. AND crashes often have the potential to be exploitable
> (stacksmashing?).

Indeed (to the last sentence); for a recent example take a look at
CAN-2005-1790, which was a DoS condition for IE 5.5 and 6.x. It was initially
labeled as "DoS - low risk" and has later been found to be exploitable
and to allow remote compromise:
http://www.computerterrorism.com/research/ie/ct21-11-2005

Regards

Javier


Re: What is a security bug?

Dale Amon
In reply to this post by Thomas Bushnell, BSG-2
On Wed, Nov 23, 2005 at 11:10:25PM -0800, Thomas Bushnell BSG wrote:
> It seems it does not save form entries (which was not mentioned
> explicitly in Florian's post above), but it certainly does save the
> tabs and multiple windows information and such.

Galeon and firefox have *always* had this sort of
crash problem. It is especially apparent when printing
ps to file. There are some **major** sites which will
reliably crash your browser.

--
------------------------------------------------------
             Artemis Systems Development
   Dale Amon     [hidden email]    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
              "Have Laptop, Will Travel"
------------------------------------------------------




Re: What is a security bug?

Michael Stone-2
In reply to this post by Thomas Bushnell, BSG-2
On Wed, Nov 23, 2005 at 10:53:46PM -0800, Thomas Bushnell BSG wrote:
>In the case of galeon, for example, there is no bug, because it can
>restart with the old state.

Of course, if there's a page that causes the browser to crash
repeatedly, won't it just crash when it restarts?

Mike Stone




Re: What is a security bug?

Micah Anderson-2

Michael Stone wrote:
> On Wed, Nov 23, 2005 at 10:53:46PM -0800, Thomas Bushnell BSG wrote:
>
>> In the case of galeon, for example, there is no bug, because it can
>> restart with the old state.
>
>
> Of course, if there's a page that causes the browser to crash
> repeatedly, won't it just crash when it restarts?

Yep, that's why Galeon gives you the option to save your previous tabs
into a bookmark group, or to restore it before it starts loading crashed
tabs. This way, if you have a site that is causing a crash, you can edit
out that bookmark, then open that bookmark group in separate tabs and be
back to normal.

The sane way Galeon manages crashes is the reason why I don't use
Firefox. Yes, it has a tab-browser extension that is supposed to do this,
but my last exploration into the exciting random world of extensions for
Firefox showed me that this extension was highly inadequate by comparison.

micah




Re: What is a security bug?

Hubert Chathi-2
In reply to this post by Marc Haber-9
On 2005-11-24 02:03:31 -0500 Marc Haber
<[hidden email]> wrote:

> On Wed, Nov 23, 2005 at 10:53:46PM -0800, Thomas Bushnell BSG wrote:

>> In the case of galeon, for example, there is no bug, because it can
>> restart with the old state.
>
> And galeon saves current state, including form entries done by the
> user, before it segfaults?

Or, even more annoying, session cookies.  If I'm half-way through
booking my flight, or making a purchase, and some random site crashes
my browser, and I have to restart, I'll be pretty annoyed.

Also, POST data: if I'm viewing a page that I got to due to a POST
request, when Galeon restarts, I won't get back to the right page.
(Should Galeon remember the POST data and resubmit when it restarts?
What if the POST data was my credit card information, and resubmitting
results in my credit card being charged twice?)

Remembering state certainly alleviates the problem.  But it's not a
complete solution.

--
Hubert Chan <[hidden email]> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.




Re: What is a security bug?

Florian Weimer
In reply to this post by Noah Meyerhans-3
* Noah Meyerhans:

> On Wed, Nov 23, 2005 at 12:59:02PM +0100, Florian Weimer wrote:
>> Availability is typically considered one aspect of security (and
>> arguably the hardest one to get right in networked applications).
>
> I tend to consider it the other way around.  Security is a subset of
> availability.

A loss of confidentiality or integrity does not mean you can't use
that particular service anymore.  This is backed by industry practice:
potentially compromised systems are taken off the network for detailed
analysis only if they aren't too important. 8-/

> Because security is one aspect of availability, I must account for
> it when designing and maintaining systems, but it can't be the
> ultimate goal, since a truly secure system provides no availability.

Well, it's pointless to argue about definitions.  But the C/I/A
definition of security is consistent with that as well: since
availability is part of the goal, you cannot sacrifice it in favor of
confidentiality and integrity in a secure system.

But of course, your observation is correct that security in the
service provider business is mostly measured in terms of availability.
That's why those probabilistic "make C safer" approaches
(non-executable stack etc.) aren't very effective in the end.  A
compromise might be worse than a crash, but a potential compromise and
a potential remotely triggered DoS condition are similar in severity.

(Security of end user systems seems to be very, very different,
though.)




Re: What is a security bug?

Florian Weimer
In reply to this post by Thomas Bushnell, BSG-2
* Thomas Bushnell:

> Florian Weimer <[hidden email]> writes:
>
>> Suppose that the web browser always crashes when confronted with
>> certain input, losing all of its state.  With tabbed browsing,
>> multiple browser opened by the same process etc., this means that
>> potentially important work is lost.
>
> In the case of galeon, for example, there is no bug, because it can
> restart with the old state.

I would still consider it a bug, but clearly a less severe one.




Re: What is a security bug?

linux4michelle
In reply to this post by Steve Kemp
Hi Steve,

Am 2005-11-23 13:03:40, schrieb Steve Kemp:
> On Wed, Nov 23, 2005 at 12:15:35PM +0100, Jasper Filon wrote:
> > Well, obviously it is not a _security_ bug, since it has nothing to do
> > with security. However, it is a bug, maybe even a critical one.
>
>   I filed a couple of bugs on Mozilla relating to DOS attacks,
>  crashing the browser on some badly formed input HTML.
>
>   They were not treated as security bugs.... which surprised me at
>  the time.

Me too.

I am working daily with a database which I access via Intranet
and Mozilla.  The data are most sensitive and it occurs more
than once that I open a website on the Internet and Mozilla
crashes immediately.

Because I am working for the French government it is a potential
security bug for me.

Unfortunately it is not possible to open two instances of Mozilla.
( Which may crash separately :-/ )

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France   IRC #Debian (irc.icq.com)


