Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Google Chrome Browser Vulnerability
From: redb0ne () hush com
Date: Wed, 03 Sep 2008 22:50:36 -0400

Hash: SHA1

My judgment is telling me to just ignore this, but I'll entertain
it with one response.

On Wed, 03 Sep 2008 20:04:34 -0400 Shyaam <shyaam () gmail com> wrote:
This is a healthy discussion. This topic leads to a very good
question. When
do we call a bug as a vulnerability and when does an issue really
turn out
to be a security issue. When we have memory index out of bound
error or when
we have a OS level code having a out of bound memory error or when
reference an index value that doesn't exist  or in many other
cases, we do
reference it as a vulnerability.

Out of bound array accesses can be vulnerabilities because they can
in some cases result in code execution, but not in this case. In
this case, it is just an integer underflow that causes a
conditional to evaluate to true that shouldn't have and a byte or
two of memory being read out of bounds. There is no write, the
memory can't be leaked by an attacker, it is simply a crash.

You can't even begin to compare a kernel denial of service to a
browser crash, killing a browser is a world away from taking down
an entire system. Let's face it, the last thing we need is someone
whoring out attention for every browser crash they come across.
Report it and be done with it, no one cares.
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]