MozillaZine

Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.


#58 re:

by leahcim

Wednesday May 1st, 2002 10:43 AM

You are replying to this message

>If Mozilla.org were to announce the bug on their homepage before a fix was available then they >would essentially be inviting people to develop exploits to take advantage of the flaw.

You'll see my comments elsewhere in the thread concerning this. A public announcement on or near the home page would easily allow me to not use mozilla until it is fixed or a patch available (or at least restrict my surfing) thus making these exploits impotent regardless of whether millions of sites suddenly decide to write them - unless you're suggesting mozilla.org will exploit me? I don't expect that, hence I see less risk in seeing the info.

Remember mozilla is an interactive program, not a service. I can well understand why your statements make sense for a program like sshd, exim, sendmail. If you read the bug report, you'll see that a few at mozilla didn't even believe your guff.

>If you are going to stop using Mozilla until Netscape is not involved, then I am curious about >which browser you are going to use instead.

Is that because you could only think of one other? - btw, IE doesn't run on my OS, so I'm neither affected by nor concerned with IE security bugs, nor with comparisons between Mozilla's security record / procedures and MSs.