full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Month of ActiveX Bug

Re: [Full-disclosure] Month of ActiveX Bug

From: Goetz Von Berlichingen <goetzvonberlichingen_at_nospam>
Date: Sun May 06 2007 - 16:02:06 GMT
To: steven@securityzone.org


Steven Adair wrote:
> However, regardless of whether it results in remote code execution, I
> don't think a DoS should necessarily be discounted as frivolous or
> irrelevant. It might not rank up there with critical or high
> vulnerabilities, but it is a vulnerability nonetheless.

   The severity of a DOS is entirely context dependent. That's why software users need to informed about the DOS so they can decide how critical it is in their context. A home user who rarely uses an ActiveX .ocx may consider a DOS of that feature negligible. If that ocx (probably not a PowerPoint viewer) is used in controlling a catalytic cracker, then a DOS is a lot more serious.

Goetz



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/