Mozilla downplays Zalewski's Firefox flaws

Summary: Mozilla security chief Window Snyder is pouring cold water on a claim by an independent researcher that there's a major security hole in the Firefox browser.


A day after Michal Zalewski went public with details of Firefox vulnerabilities he thinks could lead to code execution attacks, Snyder responded with a note describing the flaws as "low risk" spoofing/phishing issues.

  • Bug 382686 allows the attacker to spoof content and potentially javascript. The spoofed content would be in the attacker’s domain, not the spoofed domain. This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution. This might be used with phishing attacks. Spoofing attacks usually generate a Mozilla severity rating of Low.
  • Bug 376473 requires an additional vulnerability in a content handler in order to compromise a user. This alone cannot be used to execute or even place code on the user’s machine. This bug is also rated with a severity of Low. To protect users from potential vulnerabilities in content handlers we are considering ways to improve management of content handlers.

Snyder says Mozilla prioritizes flaws by severity to decide which bugs get fixed first, but stressed that Mozilla's policy is to "fix all bugs with any security risk."

Snyder's statement differs sharply from Zalewski's warning that one of the Firefox bugs should be treated as a "major" risk.

Zalewski has a history of reporting serious flaws in Firefox and Internet Explorer, and Snyder once told me she is grateful that he spends the time helping Mozilla engineers with the creation of patches. In this case, Zalewski has been commenting in the Bugzilla entries for both bugs.

So far this year, Mozilla has shipped fixes for 17 Firefox security issues.

[UPDATE: June 6, 2007 @ 9:42 AM] Snyder has updated her blog with a note saying the two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to "Medium."



Ryan Naraine is a journalist specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe.