Mozilla security chief Window Snyder is pouring cold water on a claim by an independent researcher that there's a major security hole in the Firefox browser.
A day after Michal Zalewski went public with details of Firefox vulnerabilities he thinks could lead to code execution attacks, Snyder responded with a note describing the flaws as "low risk" spoofing/phishing issues.
- Bug 376473 requires an additional vulnerability in a content handler in order to compromise a user. This alone cannot be used to execute or even place code on the user’s machine. This bug is also rated with a severity of Low. To protect users from potential vulnerabilities in content handlers we are considering ways to improve management of content handlers.
Snyder says Mozilla prioritizes flaws based on severity to determine which bugs to fix first, but stressed that Mozilla's policy is to "fix all bugs with any security risk."
Snyder's statement differs sharply from Zalewski's warning that one of the Firefox bugs should be treated as a "major" risk.
Zalewski has a history of reporting serious flaws in Firefox and Internet Explorer and Snyder once told me she is grateful that he spends the time helping Mozilla engineers with the creation of patches. In this case, Zalewski has been commenting in the Bugzilla entries of both bugs.
So far this year, Mozilla has shipped fixes for 17 Firefox security issues.
[UPDATE: June 6, 2007 @ 9:42 AM] Snyder has updated her blog with a note saying the two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to "Medium."