MozillaZine

Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.


#68 re: Warning

by leahcim

Wednesday May 1st, 2002 1:44 PM

You are replying to this message

> I do not see the difference.

Ok, I have a copy of the exploitable mozilla, please exploit it. What? You need me to visit your site, how so? But you saw no difference between mozilla and exim? Does exim open a page at mozilla.org by default before connecting to the internet?

So, think outside the box, I start the browser and it naviagates to mozilla.org/start and instead of saying daft things like "You must now report bugs" (some weird license condition is this?) or "You've got an old browser..." it says "we fscked up again chaps, upgrade here (if there is a fix) or be careful"

At this point I don't visit h4x0r.com, I most likely click 'x' and wait for a fix.

The alternative h4x0r.com, theregister.co.uk and everywhere reports the bug and knows about it, the so-called masses visit a site and unwittingly get exploited.

If the developers can't see that you're probably right, there is no browser worth using. This one especially.