Out of Sync

By Larry Seltzer  |  Posted 2008-10-14


So don't get me wrong, I think all of these vulnerabilities are properly rated, but it's the definition that's out of sync with reality. Microsoft's real definition of critical seems to be what they define as Important: "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user's data, or of the integrity or availability of processing resources." Once again, it depends on how you define terms like "integrity," but I think it fits. And given the limitation for which Microsoft rated MS08-049 Important, I think its definition of Moderate applies well: "Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation."

I said before that there are no hard standards for severity ratings, but there are the standards NIST (the National Institute of Standards and Technology) uses for the NVD (National Vulnerability Database). The NIST/NVD standards, which are used in calculating CVSS scores, are broken down into a group of metrics, such as Au for the level of authentication needed for exploitation. Au can have the value N for None required, S for Single instance required or M for Multiple instances required. Other metrics are more qualitative, such as AC for Access Complexity (the complexity of the attack required), where the possible values are H for High, M for Medium or L for Low.


I can see the value in the NIST approach. In the end it is used to calculate a CVSS score that could serve the same simple rating role that vendor assertions of severity serve. For instance, the CVSS score for MS08-049, the one Microsoft rated Important, is 9.0, which NIST calls "High."
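To show how the Au and AC metrics described above actually combine into the score the column cites, here is a small CVSS v2 base-score calculator. This is example code added to this page, not code from the article, from NIST or from the NVD; the weights and equations are the published CVSS v2 base-metric formula, which is the version NVD was using in 2008, and the Low/Medium/High bands are NVD's v2 severity ranges. The vector used for MS08-049 is an assumption: it is a network-reachable, complete-impact vector that carries the single-authentication limitation and reproduces the 9.0 score, but the page itself does not state the vector NVD assigned.

```python
"""CVSS v2 base-score calculator (added example, not from the article).

Weights and equations follow the CVSS v2 base-metric formula; the
example vectors at the bottom are constructed for illustration.
"""

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None / Partial / Complete

REQUIRED_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:S/C:C/I:C/A:C' into {'AV': 'N', 'AC': 'L', ...}.

    Rejects vectors that are missing a base metric or carry an unknown one,
    so a typo cannot silently produce a plausible-looking score.
    """
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != REQUIRED_METRICS:
        raise ValueError("base vector must contain exactly the metrics %s"
                         % sorted(REQUIRED_METRICS))
    return metrics


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score (0.0-10.0) for a base-metric vector."""
    m = parse_vector(vector)
    # Impact sub-score: how much of C/I/A an attacker can take away.
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]])
                        * (1 - IMPACT[m["I"]])
                        * (1 - IMPACT[m["A"]]))
    # Exploitability sub-score: the Au and AC metrics the column describes,
    # plus the access vector.
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                         * ACCESS_COMPLEXITY[m["AC"]]
                         * AUTHENTICATION[m["Au"]])
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    if impact == 0:
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def nvd_severity(score):
    """Map a v2 base score onto the NVD Low / Medium / High bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rate(vector):
    """Return (score, NVD severity label) for a vector."""
    score = cvss2_base_score(vector)
    return score, nvd_severity(score)


if __name__ == "__main__":
    # Constructed example vectors. The first is an ASSUMED vector for
    # MS08-049: remote, low complexity, single authentication required,
    # complete C/I/A impact. It reproduces the 9.0 the column quotes.
    for label, vec in [
        ("MS08-049 (assumed vector)", "AV:N/AC:L/Au:S/C:C/I:C/A:C"),
        ("same bug, no auth needed",  "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
        ("partial-impact remote bug", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
        ("local availability-only",   "AV:L/AC:L/Au:N/C:N/I:N/A:P"),
    ]:
        print("%-28s %s -> %.1f %s" % (label, vec, *rate(vec)))
```

The second vector is the same bug with the authentication requirement removed: the score rises from 9.0 to 10.0, which is exactly the kind of "exploitability is mitigated ... by factors such as default configuration" limitation the column argues should pull a vendor rating down a notch, captured here as a number rather than an adjective.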

The Mozilla definitions can be found at the top of their advisory page. These are easier to understand, but probably a little too specific and simplistic. They have to do a lot of interpretation at times to shoehorn a vulnerability into one of the definitions. They deal with this by thinking worst-case, which is the right way to do it given their definitions.

Mozilla is often in the habit of noting crash bugs with evidence of memory corruption such as these. They say they have no evidence of exploitability, but neither can they rule out the possibility. They rate these critical, thinking worst-case scenario, as I just said. I've never seen another prominent vendor word it this way. I like the honesty of admitting the situation is technically unclear at this point. Microsoft, to my knowledge, doesn't do that. It would probably just call it a Remote Code Execution vulnerability and decline to elaborate further. Neither vendor, to be sure, is very specific about vulnerabilities in their advisories.

This month Microsoft began providing not just ratings for each vulnerability, but an "exploitability index" score, to show that 1) consistent exploit code is likely, 2) inconsistent exploit code is likely or 3) functional exploit code is unlikely. This adds more detail for those who look at and analyze details, but if it doesn't feed back into the ratings it may get overlooked.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
