Is a denial-of-service a vulnerability?

I always like to ask questions that make everyone answer immediately with what they are sure is the right answer, and then tell them that they haven't thought it through.

The title of this post is one such question. The answer is "yes", right?

Sometimes, yes, but sometimes, no.

Let's think about it a little.

The obvious vulnerability related to a denial-of-service is when you're trying to provide a service to numerous users, and an outage will cost you (money, usually).

But what about a browser denial-of-service?

If I visit some hacker's web site, and it closes my browser, what happens, really?

Unless you're particularly hard of thinking, you simply don't visit that web site again.

Yes, you have to go further into that "it closes my browser" mention, because that might just be a null-pointer dereference, which just stops the browser cold, or it might be an exploitable buffer overflow that you can only exploit occasionally.

But if it's really just a denial-of-service - and the only thing it does is to stop or close the browser - it's not really a security issue. It's a pain, and a reminder not to visit that site again, but it's not a threat to your security, and you can wait to apply that patch.

Am I wrong?

Published Sat, Jul 15 2006 21:40 by Alun Jones
Filed under: , ,

Comments

# re: Is a denial-of-service a vulnerability?

Is it a vulnerability? Yes. Do all vulnerabilities have the same severity? No.

Factors to consider are the criticality of the service affected, other services or programs dependant upon the affected service, and the initiating requirements.

If I can send Out Of Band (OOB) data to BSOD your machine then yes, I’d consider that a severe vulnerability. If however I’m browsing and a site closes my browser window I’d consider it an annoyance vulnerability. External vs Internal causes goes a long way towards my opinion as to the severity of Denial of Service vulnerabilities.

Monday, July 17, 2006 3:57 PM by Bucky

# re: Is a denial-of-service a vulnerability?

Obviously, I'm with you in that "if I provide a service to others, that you can deny, it's a vulnerability", because you'll deny that service over and over again.
And apparently, you're with me on the idea that if I choose to download your site and it's a DoS attack on my ability to further download web sites, it's nothing more than an annoyance.
I don't think it's even a vulnerability - because I'm no longer vulnerable to your site once I figure out which site to avoid (which shouldn't take me long!)

Monday, July 17, 2006 6:04 PM by Alun Jones

# re: Is a denial-of-service a vulnerability?

yes it is.  Why?

1)  DoS is just like a bad virus.  your computer is rendered inoperable until u are released.

2)  DoS could be a buffer overflow and the person doesnt even know it.

off thee top of my head, there ya go

Tuesday, August 08, 2006 7:52 PM by Michael Evanchik

Leave a Comment

(required) 
(required) 
(optional)
(required) 
If you can't read this number refresh your screen
Enter the numbers above: