Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.

#79 re

by leahcim

Wednesday May 1st, 2002 10:36 PM

You are replying to this message

When you start mozilla it displays a web page from a trusted site (well I think it's trusted) that could warn (or even offer the patch)

Sure, people can change that page, but equally people could not apply a patch - if the front page of mozilla had the info you'd be daft to ignore it (plus the sidebar / tabbed browser could do both anyway)

When you start exim, it's typically used in a way that allows remote connections like other daemons (of course, not always, but then it's not exploitable) it doesn't have a user interface - the fact that already chooses to advertise bug reporting and out of date browsers shows that mozilla are well aware of the differences to.

The fact that currently claims there are no known security holes on its page at all, let alone this one, or any previous versions, shows that the policy runs a little longer than "until a fix is ready" anyway. It's a crap policy and you aren't even following it.

Of course it is worth being positive - your policy didn't work anyway and is unlikely to - as good sites are showing you can't hide info - so at least these issues are getting well reported (even by even if doesn't bother.