Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.

#49 Can't write or execute...

by leafdigital

Wednesday May 1st, 2002 7:42 AM

You are replying to this message

Well, I agree that it's a fairly serious problem, but frankly, these days, anything that doesn't let you write to user hard disk or execute arbitrary software is 'minor'. Also, this can't easily be exploited by email (since Mozilla iirc has javascript off for email by default), which is the more serious delivery method.

It could also be argued that ANY security hole in Mozilla is 'minor'. I mean what's the point in exploiting mozilla? With around 1% share you are missing out on the 85% of your potential victims who use versions of MSIE (probably in most cases old, unpatched versions of IE).

Anyway I'm glad they've fixed this bug and I hope they catch the other ones too. The only fly in the ointment is that I'm a little concerned that Mozilla perhaps hasn't had the kind of scrutiny from within the security community that IE regularly benefits from. It's likely that there are a good deal more bugs like these lurking beneath the surface; I hope this announcement attracts more attention from hackers so that exploits can be quickly found and then fixed.