[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050107010157.O37734@dekadens.coredump.cx>
Date: Fri, 7 Jan 2005 01:21:29 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ttot.org>
To: Maurycy Prodeus <z33d@...c.pl>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Heap overflow in Mozilla Browser <= 1.7.3 NNTP
code.
On Wed, 29 Dec 2004, Maurycy Prodeus wrote:
> On my RedHat 9.0 with Mozilla 1.7.3 attached proof of concept code
> overflows the buffer using attacker-supplied data. I decided to make
> this bug public because Mozilla Team hasn't warned users.
As much as I respect what Mozilla folks are doing for the community, I
find their security response to be, ahem, lacking. Given their increasing
userbase, this is a bad omen.
They seldom reply, and very often adequately follow up, on reports sent to
security@...illa.org; and when they actually learn about a problem, they
do not seem to reach out to those of their users who do not happen to
browse Bugzilla daily.
Judging from reports such as this, they also routinely downplay serious
threats, perhaps to discourage people from claiming a prize they once
established for spotting a remote security bug in the browser. Uh-oh.
Oh, last but not least, my personal complaint: they are taking some three
months to fix publicly disclosed mangleme vulnerabilities in their
browsers - no single vendor advisory was released, despite of 20+ problems
being reported, some of which apparently remotely exploitable. In that
regard, they managed to beat Microsoft, who took "only" several weeks to
fix mangleme IFRAME (Bofra) vulnerability.
Their stagnant mangleme vulnerability / bug queue:
https://bugzilla.mozilla.org/showdependencytree.cgi?id=264944
Not that Mozilla is any worse than other open source browser developers in
that regard. IIRC, we did not see advisories or vendor fixes for mangleme
flaws in Konqueror / Safari, [e]links, lynx, elvis, w3m and other
browsers... the difference is, Mozilla/Firefox is becoming a mainstream
tool.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2005-01-07 01:01 --
http://lcamtuf.coredump.cx/photo/current/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists