lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: lists.netsys.com at jscript.dk (Thor Larholm)
Subject: Mozilla vulnerabilities, an update

On September 9th I wrote the following to security@...illa.org

-- START --
I noticed that you have published a list (
http://mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html ) of
security issues that have been fixed in Mozilla 1.0.1

I would recommend posting this list to the Bugtraq mailinglist,
bugtraq@...urityfocus.com, so that the secinfo industry and the public in
general becomes aware of these. This would help raise the awareness of your
security efforts, as well as urge users of older versions to upgrade and
provide hints to other software products that embed Gecko, or other parts of
Mozilla, that they should consider getting fresh sources for their projects.

In case you feel that this is not a necessary action, I would like to
personally make the list aware of these security fixes in a matter of 5
working days.
--   END   --

At first I received a reply from Asa Dotzler, which among others mentioned
that the list was far from comprehensive and

"It would be much better if someone (mitch) updated the real page at
http://www.mozilla.org/projects/security/known-vulnerabilities.html"

So I forwarded and wrote to Mitch:

"May I recommend updating the official list of known vulnerabilities in
Mozilla to include the vulnerabilities that have been fixed, such as XMLHTTP
and the many on Asas list?"

And received a short reply last thursday:

"Yes, that page will be updated soon. Thanks for letting me know."

Since nothing has happened, I thought I would pass this on to the list. This
is a short list of issues fixed between the 1.0 and 1.0.1 version of
Mozilla. As Asa mentioned, this list was just put together from some queries
on Bugzilla. Undoubtedly, there will be many more vulnerabilities that have
been fixed, and it would be a welcome change to let the public know about
these.


BUG ID Product Component Summary
88183 Browser  Plug-ins  navigator.plugins leaks path names
104472 Browser  Security  execution of scripts in the file: protocol from
XUL using cgi
125583 Browser  Security  Disable automatic XLinks in Mail
135267 Browser  Security  Reading files cross-host using styles
144228 MailNews  Security  Malicious email breaks POP server connection
146094 Browser  Networking  Stealing third-party cookies through a proxy
147754 Browser  Security  XMLSerializer needs same-origin check
148256 Browser  XML  flawfinder warnings in XML Extras
148269 NSS  Libraries  flawfinder warnings in mozilla/security
148520 Browser  Password Manager window.prompt is returning a saved password
instead of prompting.
149777 Browser  Security  Node cloned from external, untrusted document and
appended to chrome document.
149943 Browser  Security  Princeton-like exploit may be possible
150339 Browser  Internationalization huge font crashes X Windows
151933 Browser  XML  xml:base should not allow setting chrome URLs
152697 Browser  Networking  no limit on the size of a HTTP header
152725 Browser  Cookies  Possible cookie stealing using javascript: URLs
154030 Browser  Security  HTML directory indexer doesn't html-escape url
154240 PSM  Client Libraries  No warning when redirecting https-http-https
at http protocol level
154930 Browser  Security  document.domain abused to access hosts behind
firewall
155222 Browser  Security  Heap corruption in PNG library
157202 Browser  Security  Exploitable (?) heap overrun in PNG
157652 Browser  JavaScript Engine  Crash, possible heap corruption in JS
Array.prototype.sort
157845 Browser  DOM Events  Crash involving document.open()
157989 Browser  ImageLib  Possible heap corruption with 0-width GIF
161721 Browser  Installer  install in onkeypress for space key bypasses
warning dialog


To put it shortly, I do appreciate the efforts put forth by the Mozilla.org
team, I just wish they could be more communicative instead of hiding the
fact that Mozilla, like most any other software product, has had and will
have a long number of security vulnerabilities. Undoubtedly, this gives a
different view on the security of Mozilla than one would get by reading the
official list of vulnerabilities (listing just 1 vulnerability). Again, the
above was just an incomplete list of security issues that were fixed between
the minor version change 1.0 to 1.0.1, I have no idea about the amount of
issues that remain or that has been fixed so far.


Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Are You Secure?
http://www.PivX.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ