The difficulties of (reading) vulnerability severity meters

Assigning a severity rating to a security vulnerability is not always unambiguous. A good real-life example is the recently fixed Mozilla Firefox Deleted Object Reference Code Execution Vulnerability (aka the “contentWindow.focus()” vulnerability).

Some published advisories and the severity levels they assign: the vendor and the researcher first, then the third-party sources in alphabetical order:

Mozilla’s own MFSA 2006-30: Critical (4/4)
Bugzilla entry #334515: critical

Securident Technologies, the researcher: no severity level assigned

CA: Low (2/5) overall risk
FrSIRT: Critical (4/4)
OSVDB: no severity metric in use
Secunia: Highly Critical (4/5)
SecuriTeam: no severity metric in use
SecurityFocus: no severity metric in use
SecurityTracker: no severity metric in use
US-CERT: 7.87 on its 0..180 vulnerability note metric

The CVSS meter of the National Vulnerability Database says 3.7, i.e. Low.

The variation is huge. Additionally, Secunia raised its rating from Not Critical to Highly Critical today.
One short conclusion: how can a ‘Low’ severity be assigned when PoC code is publicly available? Yes, I’m aware that code execution was only confirmed by the MFSA recently, but still..

Best,
Juha-Matti


6 Comments:

  1. What would you suggest this vulnerability’s risk factor should be? How would you rate vulnerabilities? Do you think CVSS is a step in the right direction?

  2. It is hard to reply briefly, but the main guidelines are the availability of public PoC/exploit code and how difficult it is to exploit the flaw remotely.
    CVSS is absolutely a good step, and normally their update cycle is quick enough.

  3. I read that any Firefox vulnerabilities on Secunia are classified as low, even though whoever discovered the flaw said there is also code execution.

  4. I read that any Firefox vulnerabilities on Secunia are classified as low, even though whoever discovered the flaw said there is also code execution.

  5. […] Nice post here surveying various security organizations and the wide disparity between them. One will rate a vulnerability as Low while another rates it Highly Critical. The lesson: to be serious about security, you have to be reading a lot to keep up with what’s really going on, and you cannot get comfortable with a particular monitor (Secunia, for example, which in this case was very slow to arrive at an accurate severity for this Firefox vulnerability). […]

