The difficulties of (reading) vulnerability severity meters

Assigning a severity rating to a security vulnerability is not always unambiguous. One good real-life example is the recently fixed Mozilla Firefox Deleted Object Reference Code Execution Vulnerability (aka the “contentWindow.focus()” vulnerability).

Some examples of published advisories and their severity levels, the vendor and researcher first and the third parties in alphabetical order:

Mozilla’s own MFSA 2006-30: Critical (4/4)
Bugzilla entry #334515: critical

Securident Technologies, the researcher: no severity level assigned

CA: Low (2/5), Overall Risk
FrSIRT: Critical (4/4)
OSVDB: no severity metric in use
Secunia: Highly Critical (4/5)
SecuriTeam: no severity metric in use
SecurityFocus: no severity metric in use
SecurityTracker: no severity metric in use
US-CERT: 7.87 (scale 0..108)

The CVSS meter of the National Vulnerability Database says 3.7, i.e. Low.

The variation is enormous. Additionally, Secunia elevated the severity from Not Critical to Highly Critical today.
One short conclusion: how is it possible to assign a ‘Low’ severity when PoC code is publicly available? Yes, I’m aware that code execution was proved by MFSA only recently, but even so..

Best,
Juha-Matti

  • suggest

    What would you suggest this vulnerability’s risk factor be? How would you rate vulnerabilities? Do you think CVSS is a step in the right direction?

  • http://networksecurity.typepad.com/ Juha-Matti

    It is hard to reply briefly, but the main guidelines are the availability of public PoC/exploit code and how difficult it is to exploit the flaw remotely.
    Absolutely, CVSS is a good step, and normally their update cycle is quick enough.

  • Duke

    I have read Firefox vulnerabilities on Secunia classified as low even though whoever discovered the flaw said there is also code execution.

  • Pingback: What’s In A Severity Rating? at the exclamake! blog