MozillaZine

Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.


#64 Warning

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 1:00 PM

You are replying to this message

> A public announcement on or near the home page would easily allow me to > not use mozilla until it is fixed or a patch available (or at least > restrict my surfing) thus making these exploits impotent regardless of > whether millions of sites suddenly decide to write them -

News of security flaws travel fast among those looking to exploit; announcing the flaw publicly almost instantly makes all Mozilla users more vulnerable than they were before. Unless you can guarantee that the majority of users will see the announcement, it is safer for the majority if the flaw is kept quiet until there is a fix.

Most users do not have mozilla.org as their home page, so making an announcement there would not be a very effective warning for the masses; however, it would be an effective means of spreading the news of the vulnerability to the malicious individuals who might develop exploits.

>unless you're suggesting mozilla.org will exploit me? I don't expect that, >hence I see less risk in seeing the info.

That makes absolutely no sense at all.

First of all, there is no way that you could possibly derive that from anything that I said.

Secondly, whether or not there is a warning on Mozilla.org's home page has no affect on Mozilla.org's ability to exploit you.

Thirdly, you are never at risk because you heard about the flaw, you are at risk because others have heard about it.

>Remember mozilla is an interactive program, not a service. I can well >understand why your statements make sense for a program like sshd, >exim, sendmail.

I do not see the difference.

>If you read the bug report, you'll see that a few at mozilla didn't even believe your guff.

I read the bug report yesterday and I just re-read it right now; I do not see where anyone, from mozilla or otherwise, made any reference to me or my "guff" anywhere. I also do not see any comments that contradict anything that I have said. Perhaps you are looking at a different bug?