Mozilla Cross-Site Scripting Vulnerability Reported and Fixed

Saturday February 28th, 2004

roseman wrote in to tell us about a cross-site scripting vulnerability in Mozilla, which was discovered and fixed in December last year. An advisory from Secunia refers to the flaw as "Less critical", while a SecurityTracker note gives more precise details of the bug, which could allow a malicious site to read another site's cookies or access other data recently submitted by the user. Both advisories note that a fix is available in Mozilla 1.6 Beta, though Secunia confusingly also states that the issue has been patched in 1.4.2, which worried roseman as he could not find any links to this release. What Secunia should have said is that a fix for the flaw has been checked in to the 1.4 branch and that it will be available in Mozilla 1.4.2 when it is released.

The bug was handled in line with the Mozilla security bug policy, with reporter Andreas Sandblad emailing on December 2nd and members of the Mozilla security bug group filing a confidential bug report the next day (bug 227417). A fix was developed and checked in to both the trunk and the baseline 1.4 branch the same day. Sites such as Secunia and SecurityTracker only publicised the flaw after the bug report was opened to the public on Wednesday.

In this case, the vulnerability was relatively minor and a fix was applied before knowledge of it became widespread. It is not the sort of issue that MozillaZine would normally report on but we do so to address the concerns of worried users such as roseman and because it is a near-textbook example of the correct use of the Mozilla security bug policy.

#1 What about firefox?

by jsebrech

Sunday February 29th, 2004 2:12 AM

Is this fixed in Firefox 0.8? Is Firefox even affected (I assume so)? If it isn't fixed, when will it be?

Mozilla and the new separate apps really need a framework for updating part of the browser, so you could put out these security updates the day they are fixed, instead of having to wait for the next major release (which could take months, in true Microsoft security fix style). I realise that if a really critical security bug was found, an interim release would be made to fix it, but still, a lot of people are on modem (for which Mozilla and Firefox are good browsers), and don't want to redownload the entire browser for just a small security fix, regardless of how critical it is.

#4 Re: What about firefox?

by leet

Sunday February 29th, 2004 2:47 PM

I agree. Most people really won't update their browsers. I assume the devs are waiting for near-1.0 to do it, hopefully.

#2 a few points

by smkatz

Sunday February 29th, 2004 3:30 AM

1. Firebird 0.8 is not affected. You can tell by going to about in the help menu. rv:1.6 tells us that Firebird 0.8 is based on Mozilla 1.6.

2. 0.9 will feature "smartupdate". However, the Mozilla security team may choose not to use it. As scary as this is to Microsoft customers, it is in Mozilla's best interest to build the patch into a build and test for stability and so forth before simply rolling out a patch. Due to that reason, I would assume 1.4.2 will be out tomorrow, and that the patch is checked into tonight's nightly builds. I am guessing on this. By the way, that only affects 1.4 builds. (You are not running a 1.4 build.) Note that 1.4.2 is a *minor* release. Mozilla would never wait for a major build unless it was imminent.

What we could use is: a) a Netscape update --> are Netscape builds affected? (Would anybody be willing to sue AOL class-action style for their ridiculous update policy? They are essentially knowingly shipping defective and outdated software.) b) a security detection page that asks the browser to identify itself and declares whether there are any security issues and how critical they are. This would fix some confusion.

#3 Re: a few points

by mlefevre

Sunday February 29th, 2004 5:46 AM

Yes, Netscape (up to and including the latest 7.1) will obviously be affected. There have been at least 2 other serious security bugs (listed on the known vulnerabilities page) in Mozilla 1.4 and Netscape 7.1 which were fixed back in Mozilla 1.4.1 and 1.5. If someone suffered some damage from any of these, they might well have a case. Of course, you'd need a pile of cash to throw at lawyers as well.

#5 Re: Re: a few points

by maniac

Sunday February 29th, 2004 8:38 PM

What case would anyone have for suing AOL? Was there a warranty that came with Netscape that I didn't know about?

#6 very slight correction

by roseman

Monday March 1st, 2004 9:10 AM

In my original message, I had thought that Secunia had said it was fixed in 1.4.2 -- upon closer inspection they had actually stated: "The vulnerability has been fixed in version 1.6b and will also be addressed in version 1.4.2." Notice the word "will" (be addressed). They never said that 1.4.2 was yet available; I simply got panicky because I had never heard of 1.4.2 yet. Sorry for any confusion that I may have added to, and thanx for making the best browser around :)

#7 [nt] want your favorites--mozilla 1.5a and above.

by smkatz

Monday March 1st, 2004 1:55 PM

Deceptive marketing practices.. at no point does it say that development has discontinued.. on the contrary, they imply that there are trained technicians ready to speak to you. (The elements of tort--useful when determining whether someone has done you damage.)

I think Netscape/AOL had a duty to warn customers that they are no longer developing or supporting the browser.

I've set Netscape as my homepage and have signed the petition at --Sam