lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050107010157.O37734@dekadens.coredump.cx>
Date: Fri, 7 Jan 2005 01:21:29 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ttot.org>
To: Maurycy Prodeus <z33d@...c.pl>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Heap overflow in Mozilla Browser <= 1.7.3 NNTP
	code.


On Wed, 29 Dec 2004, Maurycy Prodeus wrote:

> On my RedHat 9.0 with Mozilla 1.7.3 attached proof of concept code
> overflows the buffer using attacker-supplied data. I decided to make
> this bug public because Mozilla Team hasn't warned users.

As much as I respect what Mozilla folks are doing for the community, I
find their security response to be, ahem, lacking. Given their increasing
userbase, this is a bad omen.

They seldom reply, and very often adequately follow up, on reports sent to
security@...illa.org; and when they actually learn about a problem, they
do not seem to reach out to those of their users who do not happen to
browse Bugzilla daily.

Judging from reports such as this, they also routinely downplay serious
threats, perhaps to discourage people from claiming a prize they once
established for spotting a remote security bug in the browser. Uh-oh.

Oh, last but not least, my personal complaint: they are taking some three
months to fix publicly disclosed mangleme vulnerabilities in their
browsers - no single vendor advisory was released, despite of 20+ problems
being reported, some of which apparently remotely exploitable. In that
regard, they managed to beat Microsoft, who took "only" several weeks to
fix mangleme IFRAME (Bofra) vulnerability.

Their stagnant mangleme vulnerability / bug queue:

  https://bugzilla.mozilla.org/showdependencytree.cgi?id=264944

Not that Mozilla is any worse than other open source browser developers in
that regard. IIRC, we did not see advisories or vendor fixes for mangleme
flaws in Konqueror / Safari, [e]links, lynx, elvis, w3m and other
browsers... the difference is, Mozilla/Firefox is becoming a mainstream
tool.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2005-01-07 01:01 --

   http://lcamtuf.coredump.cx/photo/current/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ