Florian Weimer
2006-Apr-14 11:43 UTC
[Secure-testing-team] Severity for browser-based attacks
Are browser bugs which can result in arbitrary code execution after visiting a web page still "medium", or should we assign "high" to them? My hunch is that the free lunch is over as far as Mozilla's code base is concerned, and that these bugs begin to pose real risks (soon comparable to those PHP application bugs).
Moritz Muehlenhoff
2006-Apr-14 12:08 UTC
[Secure-testing-team] Severity for browser-based attacks
Florian Weimer wrote:
> Are browser bugs which can result in arbitrary code execution after
> visiting a web page still "medium", or should we assign "high" to them?
>
> My hunch is that the free lunch is over as far as Mozilla's code base
> is concerned, and that these bugs begin to pose real risks (soon
> comparable to those PHP application bugs).

We should use "high", although we still have the benefit that nowadays the Windows Firefoxen exceed the installed base on GNU/Linux, so attacks are still more likely to be slanted at Windows.

Cheers,
Moritz