Are we taking vulnerabilities less seriously?
The OpenBSD IPv6 Remote DoS vulnerability has sparked debate and strong reactions over whether a denial of service counts as a security vulnerability at all. Let’s go back to the fundamentals we all learned early on: C-I-A, Confidentiality, Integrity and Availability. We can have the most secure systems in the world by disconnecting them from everything and making them unavailable, both on the internet and physically. What good does that do for us?
Some may not see a DoS as being as serious as, say, remote code execution or privilege escalation, but in many industries availability matters more than confidentiality or integrity. What happens when medical systems are unavailable, or an online store’s web site goes down? Availability is just as important as confidentiality and integrity, and treating it as some luxury we can do without makes having confidentiality and integrity pretty pointless.
Michael Howard posted his thoughts on judging Windows Vista security, which have drawn criticism from Slashdot and ComputerWorld, and MSRC stated it will not change how it rates vulnerabilities because of underlying technology. Lowering the criticality of a vulnerability because some preventative technique is in use is a bad idea in my opinion. Richard Bejtlich stresses the point, and Joanna Rutkowska put it plainly in her recent Dark Reading interview: “prevention eventually fails.” The Vista technologies that are supposed to stop such vulnerabilities from being exploited will eventually be exploited themselves. The question then becomes: what do we do next? Let’s not play the semantics game and just stick to fixing the issues in a timely manner.

No one at OpenBSD is treating availability as unimportant, but it is a lesser concern; they are classifying crashes as issues outside of security.
It is a thing they mark in their Errata, but it is marked as reliability rather than security, because they are two different things.
Yes, the Integrity of the data is the most important thing to a security-minded individual, but those people do not ignore Availability; they would just rather have that Integrity if they are forced to choose between the two. Would you rather have invalid data available to you?
The OpenBSD team did fix the issue in a timely manner, and they classified it how they judged it and moved on; it is random analysts who are sitting around muttering. That their quick evaluation proved to be false is a surprise, but not something I am concerned with - they have never once told people not to keep their system up to date, quite the opposite, they always say to run -stable.