Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, on its vulnerability page Grey Magic recommends that users "should move to a better performing, less buggy browser." Looking at the open issues for IE, it clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.

#14 Bug Bounty

by sgifford <>

Tuesday April 30th, 2002 2:33 PM

GreyMagic also say in their post to BugTraq:

> Important notes:
> ================
>
> Netscape was contacted on 24 Apr 2002 through a form on their web site and through email to <> and <>.
>
> They did not bother to respond AT ALL, and we think we know why.
>
> A while ago Netscape started a "Bug Bounty" program, which entitles researchers who find a bug that allows an attacker to run unsafe code or access files to a $1000 reward.
>
> By completely disregarding our post Netscape has earned themselves a $1000 and lost any credibility they might have had. The money is irrelevant, but using such a con to attract researchers into disclosing bugs to Netscape is extremely unprofessional.
>
> Netscape's faulty conduct made us rethink our disclosure guidelines and we came to the following decisions:
>
> * Release all future Netscape advisories without notifying Netscape at all.
>
> * Advise the security community to do the same. Netscape is deceiving researchers and should not be rewarded.
>
> * Advise customers to stop using Netscape Navigator through our security advisories and business contacts.
>
> [1] <>

Does anybody know about the validity of these accusations?