The debate over whether browser crash bugs are security issues

Tyler Reguly over at nCircle posted about IE choosing to label browser crash issues as stability issues and not security issues. This has come up before on Farnum’s blog.

I have a somewhat subtle approach to defending the “not always a security issue” position, but it doesn’t always come to me quickly. So this post is just here for future inspirational reference for myself on where to jog my thought juices.

In a nutshell, I play devil’s advocate by saying browser crashes are not always security issues. A crash is a security issue when your site has malicious code embedded in it that prevents users from using your site (a security issue from the POV of the site owner), or when users have a legitimate purpose to be on a site that has malicious code embedded in it (a security issue from the POV of the user).

Anything else really is a stability issue. Besides, do your users really need to get to that malicious site that crashed their browser?

Caveat? Yes: when a piece of crash code can be reproduced and embedded quickly in sites all over the place. At that point, maybe this affects enough people to be an actual security concern?