The document discusses three questions related to software and application security. Question 1 analyzes the criticality and impact of a vulnerability in Mozilla Firefox, including its high CVSS score due to factors like network access vector and lack of authentication. Question 2 compares the timeliness and detail of virus listings from four top anti-virus companies. Question 3 evaluates the criticality and impact of a vulnerability in the Microsoft Windows DNS server, also resulting in a high CVSS score, and proposes network access restrictions and logging as solutions.

1. Assignment 1 – Security In Computing & IT(COSC 2538)
Question 1
Criticality Level of the Application
Vulnerability - Mozilla Firefox 4.x through 5 does not properly implement JavaScript
The critical level is high of the application because its prone to provide the useful information to the
outsiders especially attackers or hackers. Furthermore, the specialized access is not required, thus
the attacking would be possible from anonymous and untrusted organizations.
Impact including CVSS Score (10.0)
According to the Base Score Metrics, the results for Exploitability shows that the application has
the chance of being attacked or for the thread from attacker or hacker. For example, the access
vector for this application is network, that means person who are not in the organisation related to
this application may corrupt the memory or get the application to crash. Attackers may attack from
anywhere without using local access too. The access complexity also results low for this application
may cause the attack from anonymous and the configuration also ubiquitous. The authentication is
not required for this application. Moreover, seeing the condition of Impact Metrics as
confidentiality, Integrity, and Availability also, its not secured application by having complete
result for mentioned options increased the vulnerability score.
Purpose of CVSS Score
Each group(Base, Environmental, Temporal) produces a numeric score ranging from 0 to 10, and a
Vector, a compressed textual representation that reflects the values used to derive the score. The
purpose of the CVSS base group is to define and communicate the fundamental characteristics of a
vulnerability. This objective approach to characterizing vulnerabilities provides users with a clear
and intuitive representation of a vulnerability.
Proposed Solution
− Block external access at the network boundary.
− The authentication is required for this application to reduce the number of attacks at one
time.
Australian DSD '35 Strategies
Minimise the number of users with domain or local administrative privileges, and Application
whitelisting to help prevent malicious software and other unapproved programs from runningThis
can prevent unauthorized or anonymous to have control on the application to get the memory
corrupt and any malware software from attackers.
Network segmentation and segregation into security zones to protect sensitive information and
critical services such as user authentication and user directory information in the trem of
confidentiality and integrity impact of application. Attckers can read all the information and data
and may modify it, this will prevent those actions.
Centralised and time-synchronised logging of allowed and blocked network activity, with regular
log analysis, storing logs for at least 18 months. This will identify the anonymous and untrusted
people who are using the application illegally. The application required unspecialized access that
enables access to a wide range of systems and users.
1

2. Question 2
I had selected four top anti-virus companies that are McAfee, Avira, Symantec, Trend Micro. These
sites offer virus listings till the latest but the information is differ from one another. The most up-to-
date company is McAfee, because there are numbers of threat types on a day unlike other sites.
Symantec also deliver the listings about threats with discovered and updated equipped with time,
but it lacks of the information of the up-to-date threat listings compared to McAfee. Avira and
Trend Micro seems like providing similar data but they do not provide updated virus listings as
McAfee. The similarity of all sites are they are giving summary, characteristics of the threat, and
removal instructions.However, Symantec only provide threat summary included time but other
companies does not provide the detail about time of the threat,thus we cannot compare the time
difference. Moreover, McAfee also had tracked Top Virus Listing and Regioanl Virus Tracker that
can track viruses which could attack in 24 hours, and so on according continents.
2

3. Question 3
Criticality Level of the Software
Vulnerability - Microsoft Windows DNS Server NAPTR Query Remote Heap Memory Corruption.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges.
Successful exploits will result in the complete compromise of affected computers, hence the
severity is high too.
Impact including CVSS Score (10.0)
According to the Base Score Metrics, the results for Exploitability shows that the application has
the chance of being attacked or for the thread from hacker. For example, the access vector for this
application is network, that means outsider or people who are not in the organisation related to this
application may corrupt the memory or get the software to crash. Attackers may attack from
anywhere without using local access too. The access complexity also results low for this application
may cause the attack from anonymous and the configuration also ubiquitous. The authentication is
not required for this software. Moreover, seeing the condition of Impact Metrics as confidentiality,
Integrity, and Availability, its not secured application by having complete result. Furthermore, the
attacker can have control over the files by having chance to read all the system's data, and able to
modify the data or files in order to corrupt the memory or system.In the term of availability, there
will be a total shutdown of the resource may be done by possible attacker.
Purpose of CVSS Score
Each group(Base, Environmental, Temporal) produces a numeric score ranging from 0 to 10, and a
Vector, a compressed textual representation that reflects the values used to derive the score. The
purpose of the CVSS base group is to define and communicate the fundamental characteristics of a
vulnerability. This objective approach to characterizing vulnerabilities provides users with a clear
and intuitive representation of a vulnerability.
Proposed Solution
− Block external access at the network boundary, unless external parties require service.
− Deploy network intrusion detection systems to monitor network traffic for malicious
activity.
Australian DSD '35 Strategies
Minimise the number of users with domain or local administrative privileges, and Application
whitelisting to help prevent malicious software and other unapproved programs from running.This
can prevent unauthorized or anonymous to have control on the application to get the memory
corrupt and any malware software from attackers.
Network segmentation and segregation into security zones to protect sensitive information and
critical services such as user authentication and user directory information in the trem of
confidentiality and integrity impact of application. Attckers can read all the information and data
and may modify it, this will prevent those actions.
Centralised and time-synchronised logging of allowed and blocked network activity, with regular
log analysis, storing logs for at least 18 months. This will identify the anonymous and untrusted
people who are using the application illegally. The application required unspecialized access that
enables access to a wide range of systems and users.
3