Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in Bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic's vulnerability page recommends that users "should move to a better performing, less buggy browser." Looking at IE's own list of open issues, it clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.

#57 Re: I beg to differ....

by SubtleRebel

Wednesday May 1st, 2002 10:29 AM


When a security problem is discovered, the most important thing to do is find a fix.

Launching a campaign to make the world aware of the security flaw should not be done until the patch has been developed.

If they were to announce the bug on their homepage before a fix was available, then they would essentially be inviting people to develop exploits to take advantage of the flaw. You think that is the best way to protect you? Personally, I am glad that they try to keep security flaws quiet until they have a fix. The reason that they made the Bugzilla bug public was so that people who had already heard about the problem could see that work was being done to resolve it.

If you are going to stop using Mozilla until Netscape is not involved, then I am curious about which browser you are going to use instead. I seriously doubt that anyone is going to provide fixes faster than Mozilla. The Mozilla team delivered a temporary fix almost immediately and then had a real patch within hours; when a similar bug was found in IE, it took Microsoft a few months to get a patch out.

As for the $1000, that is a Netscape issue and really has no bearing on Mozilla.