Message-ID: <022601c25fa5$79fb9a90$858370d4@thor2k>
From: lists.netsys.com at jscript.dk (Thor Larholm)
Subject: Mozilla vulnerabilities, an update
On September 9th I wrote the following to security@...illa.org
-- START --
I noticed that you have published a list (
http://mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html ) of
security issues that have been fixed in Mozilla 1.0.1.
I would recommend posting this list to the Bugtraq mailing list,
bugtraq@...urityfocus.com, so that the secinfo industry and the public in
general become aware of these. This would help raise the awareness of your
security efforts, as well as urge users of older versions to upgrade and
provide hints to other software products that embed Gecko, or other parts of
Mozilla, that they should consider getting fresh sources for their projects.
In case you feel that this is not a necessary action, I would like to
personally make the list aware of these security fixes in a matter of 5
working days.
-- END --
At first I received a reply from Asa Dotzler, which among others mentioned
that the list was far from comprehensive and
"It would be much better if someone (mitch) updated the real page at
http://www.mozilla.org/projects/security/known-vulnerabilities.html"
So I forwarded and wrote to Mitch:
"May I recommend updating the official list of known vulnerabilities in
Mozilla to include the vulnerabilities that have been fixed, such as XMLHTTP
and the many on Asa's list?"
And received a short reply last Thursday:
"Yes, that page will be updated soon. Thanks for letting me know."
Since nothing has happened, I thought I would pass this on to the list. This
is a short list of issues fixed between the 1.0 and 1.0.1 version of
Mozilla. As Asa mentioned, this list was just put together from some queries
on Bugzilla. Undoubtedly, there will be many more vulnerabilities that have
been fixed, and it would be a welcome change to let the public know about
these.
BUG ID  Product   Component             Summary
88183   Browser   Plug-ins              navigator.plugins leaks path names
104472  Browser   Security              execution of scripts in the file: protocol from XUL using cgi
125583  Browser   Security              Disable automatic XLinks in Mail
135267  Browser   Security              Reading files cross-host using styles
144228  MailNews  Security              Malicious email breaks POP server connection
146094  Browser   Networking            Stealing third-party cookies through a proxy
147754  Browser   Security              XMLSerializer needs same-origin check
148256  Browser   XML                   flawfinder warnings in XML Extras
148269  NSS       Libraries             flawfinder warnings in mozilla/security
148520  Browser   Password Manager      window.prompt is returning a saved password instead of prompting.
149777  Browser   Security              Node cloned from external, untrusted document and appended to chrome document.
149943  Browser   Security              Princeton-like exploit may be possible
150339  Browser   Internationalization  huge font crashes X Windows
151933  Browser   XML                   xml:base should not allow setting chrome URLs
152697  Browser   Networking            no limit on the size of a HTTP header
152725  Browser   Cookies               Possible cookie stealing using javascript: URLs
154030  Browser   Security              HTML directory indexer doesn't html-escape url
154240  PSM       Client Libraries      No warning when redirecting https-http-https at http protocol level
154930  Browser   Security              document.domain abused to access hosts behind firewall
155222  Browser   Security              Heap corruption in PNG library
157202  Browser   Security              Exploitable (?) heap overrun in PNG
157652  Browser   JavaScript Engine     Crash, possible heap corruption in JS Array.prototype.sort
157845  Browser   DOM Events            Crash involving document.open()
157989  Browser   ImageLib              Possible heap corruption with 0-width GIF
161721  Browser   Installer             install in onkeypress for space key bypasses warning dialog
To put it shortly, I do appreciate the efforts put forth by the Mozilla.org
team, I just wish they could be more communicative instead of hiding the
fact that Mozilla, like most any other software product, has had and will
have a long number of security vulnerabilities. Undoubtedly, this gives a
different view on the security of Mozilla than one would get by reading the
official list of vulnerabilities (listing just 1 vulnerability). Again, the
above was just an incomplete list of security issues that were fixed between
the minor version change 1.0 to 1.0.1, I have no idea about the amount of
issues that remain or that have been fixed so far.
Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure?
http://www.PivX.com