Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.

#41 Over-reacting?

by SubtleRebel

Wednesday May 1st, 2002 1:41 AM

They attempted to contact Netscape less than a week ago and have not heard back yet; from that they assume that Netscape is trying to dodge paying them $1000?

From what I have seen, Netscape has said nothing to them at all. There have been many times that I have sent email to a company or filled out a form on their website and never heard anything from them, but I have never really taken it personally.

I do not know who gets the web form posts or who got the email that was sent, but from the looks of things, it never got to the right people. As soon as a bug was posted to Bugzilla, Netscape developers jumped in and started working to resolve it; all indications are that they had not received any prior notification of the problem.

I do not know why Grey Magic's April 24th attempt to inform Netscape got overlooked (perhaps everyone was busy working on previously defined RC2, adt, nsbeta bugs?) but it seems obvious that that is what happened. Now Grey Magic and The Register are jumping to conclusions. I would think that they would have made several more attempts to contact Netscape and waited a bit longer before making assumptions and whining about it.