Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.

The Thor Larholm vulnerabilities are posted in a reply to the GreyMagic report on the BugTraq mailing list. This version of the GreyMagic report contains extra information that isn't on the page - specifically, it sheds a little light on the reasoning behind the harsh "better performing, less buggy browser" statement.

GreyMagic states that they contacted Netscape on Wednesday 24th April. They go on to say, "They did not bother to respond AT ALL, and we think we know why." Then they launch into some conspiracy theory where Netscape is covering up bugs to avoid paying out $1,000 rewards as part of their Bug Bounty program. Then they decide that in future they will:

"* Release all future Netscape advisories without notifying Netscape at all.

"* Advise the security community to do the same. Netscape is deceiving researchers and should not be rewarded.

"* Advise customers to stop using Netscape Navigator through our security advisories and business contacts."

Obviously, not telling Netscape about security bugs is going to help them get fixed. And they call Netscape "extremely unprofessional"!

If GreyMagic had bothered to read Netscape's security bug report form, they would have noticed the bit that says, "We read all of the bug reports we receive, but we will only contact you if we need more details about your bug. We appreciate your feedback!" So basically, the reason GreyMagic didn't get a response is because they wrote a good bug report. Ironic? Yes. A conspiracy? No.

As for the Thor Larholm vulnerabilities, I can't get the IRC one to work (but then I can't connect to external IRC servers from behind this firewall and a crash isn't really a security vulnerability anyway) but I can get the second one to work. Which is bad.