The difficulties of (reading) vulnerability severity meters
May 3rd, 2006 by Juha-Matti, Filed under: Web, Commentary, Culture
Assigning a severity rating to a security vulnerability is not always unambiguous. One good real-life example is the recently fixed Mozilla Firefox Deleted Object Reference Code Execution Vulnerability (aka the “contentWindow.focus()” vulnerability).
Some examples of published advisories and their severity levels, in alphabetical order:
Mozilla’s own MFSA 2006-30: Critical (4/4)
Bugzilla entry #334515: critical
Securident Technologies, the researcher: no severity level assigned
CA: Low (2/5), Overall Risk [more info here]
FrSIRT: Critical (4/4)
OSVDB: no severity metric in use
Secunia: Highly Critical (4/5)
SecuriTeam: no severity metric in use
SecurityFocus: no severity metric in use
SecurityTracker: no severity metric in use
US-CERT: 7.87 (0..108)
The CVSS score in the National Vulnerability Database is 3.7, i.e. Low. [more info here]
The variation is huge. Additionally, Secunia raised its rating from Not Critical to Highly Critical today.
One short conclusion: how is it possible to assign a ‘Low’ severity when PoC code is publicly available? Yes, I’m aware that code execution was proved by MFSA recently, but still..
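As an added illustration (this is not code from the post, nor from NVD or FIRST), the following Python implements the CVSS version 1 base-score formula, the CVSS generation NVD was using in 2006, together with NVD's Low/Medium/High bands. The three vectors in it are constructed assumptions, not NVD's published vector for this bug; the first happens to reproduce the 3.7 quoted above, and the other two show that dropping Access Complexity to Low, or rating the impacts Complete instead of Partial, moves the same bug into Medium or High. That is the mechanical reason a remotely reachable code-execution flaw can still come out as "Low": the formula only sees the metric values an analyst chose, not the existence of a public PoC.

```python
# Added illustration, not code from the original post or from NVD/FIRST.
# CVSS v1 base-score formula with the v1 metric weights (2005 specification).
# The vectors evaluated at the bottom are assumptions chosen for illustration.

ACCESS_VECTOR = {"L": 0.7, "R": 1.0}        # Local / Remote
ACCESS_COMPLEXITY = {"H": 0.8, "L": 1.0}    # High / Low
AUTHENTICATION = {"R": 0.6, "NR": 1.0}      # Required / Not Required
IMPACT = {"N": 0.0, "P": 0.7, "C": 1.0}     # None / Partial / Complete
# Impact bias: weights applied to (Confidentiality, Integrity, Availability)
IMPACT_BIAS = {
    "N": (0.333, 0.333, 0.333),  # Normal: all three weighted equally
    "C": (0.5, 0.25, 0.25),      # Confidentiality-biased
    "I": (0.25, 0.5, 0.25),      # Integrity-biased
    "A": (0.25, 0.25, 0.5),      # Availability-biased
}


def parse_vector(vector: str) -> dict:
    """Split a v1-style vector such as 'AV:R/AC:H/Au:NR/C:P/I:P/A:N/B:N'
    into a metric -> value mapping, rejecting incomplete vectors."""
    metrics = dict(part.split(":", 1) for part in vector.strip("()").split("/"))
    required = {"AV", "AC", "Au", "C", "I", "A", "B"}
    missing = required - set(metrics)
    if missing:
        raise ValueError(f"vector missing metrics: {sorted(missing)}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v1 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    cb, ib, ab = IMPACT_BIAS[m["B"]]
    impact = IMPACT[m["C"]] * cb + IMPACT[m["I"]] * ib + IMPACT[m["A"]] * ab
    raw = (10 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
           * AUTHENTICATION[m["Au"]] * impact)
    return round(raw, 1)


def nvd_band(score: float) -> str:
    """NVD's three-band label: 0.0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def compare(vectors: dict) -> dict:
    """Score every named vector and attach its NVD band."""
    result = {}
    for name, vector in vectors.items():
        score = base_score(vector)
        result[name] = (score, nvd_band(score))
    return result


if __name__ == "__main__":
    # Constructed scenarios (assumptions), all remote and unauthenticated:
    SCENARIOS = {
        "hard to exploit, partial C/I, no availability impact": "AV:R/AC:H/Au:NR/C:P/I:P/A:N/B:N",
        "easy to exploit, partial C/I, no availability impact": "AV:R/AC:L/Au:NR/C:P/I:P/A:N/B:N",
        "easy to exploit, complete C/I/A (arbitrary code execution)": "AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N",
    }
    for name, (score, band) in compare(SCENARIOS).items():
        print(f"{score:4.1f}  {band:6s}  {name}")
```

Run as a script, it prints 3.7 Low, 4.7 Medium and 10.0 High for the three constructed vectors. The practical check this suggests when two sources disagree: look at the vector behind the number rather than the label, since a single metric such as Access Complexity or a Partial-versus-Complete impact judgement is enough to cross a band boundary.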
Best,
Juha-Matti
What would you suggest this vulnerability’s risk factor be? How would you rate vulnerabilities? Do you think CVSS is a step in the right direction?
It is hard to reply briefly, but the main guidelines are the availability of public PoC/exploit code and how difficult it is to exploit the flaw remotely.
Absolutely, CVSS is a good step, and normally their update cycle is quick enough.
I read any Firefox vulnerabilities on Secunia classified as low even though whoever discovered that flaw said there is also code execution.
[…] Nice post here surveying various security organizations and the wide disparity between them. One will issue a vulnerability as Low while another as Highly Critical. The lesson: to be serious about security, you have to be reading a lot to keep up with what’s really going on, and cannot get comfortable with a particular monitor (Secunia, for example, which in this case was very slow on an accurate severity of this Firefox vulnerability.) […]