Mozilla downplays Zalewski's Firefox flaws

Summary: Mozilla security chief Window Snyder is pouring cold water on a claim by an independent researcher that there's a major security hole in the Firefox browser.

Mozilla security chief Window Snyder is pouring cold water on a claim by an independent researcher that there's a major security hole in the Firefox browser.

A day after Michal Zalewski went public with details of Firefox vulnerabilities he thinks could lead to code execution attacks, Snyder responded with a note describing the flaws as "low risk" spoofing/phishing issues.

  • Bug 382686 allows the attacker to spoof content and potentially JavaScript. The spoofed content would be in the attacker's domain, not the spoofed domain. This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution. This might be used with phishing attacks. Spoofing attacks usually generate a Mozilla severity rating of Low.
  • Bug 376473 requires an additional vulnerability in a content handler in order to compromise a user. This alone cannot be used to execute or even place code on the user’s machine. This bug is also rated with a severity of Low. To protect users from potential vulnerabilities in content handlers we are considering ways to improve management of content handlers.

Snyder says Mozilla prioritizes flaws based on severity to determine which bugs to fix first, but stressed that Mozilla's policy is to "fix all bugs with any security risk."

Snyder's statement differs sharply from Zalewski's warning that one of the Firefox bugs should be treated as a "major" risk.

Zalewski has a history of reporting serious flaws in Firefox and Internet Explorer and Snyder once told me she is grateful that he spends the time helping Mozilla engineers with the creation of patches. In this case, Zalewski has been commenting in the Bugzilla entries of both bugs.

So far this year, Mozilla has shipped fixes for 17 Firefox security issues.

[UPDATE: June 6, 2007 @ 9:42 AM] Snyder has updated her blog with a note saying the two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to "Medium."

  • Hey zkiwi, how does that crow taste?

    [url=] zkiwi claims that Zalewski can't be wrong [/url]

    [i]I guess you think you are smarter than this guy who rates it as critical[/i]

    Hmm, looks like he was wrong about the Firefox flaws. I guess he isn't so smart after all!
    • Wasn't the ANI vulnerability rated low?

      Don't automatically trust the severity classification of a vendor, no matter who it is.
    • FYI

      I only pointed out that you are not as smart as people out there. Oh, and just in case you never read, or are having a memory lapse, the comment I made that you link to was referring to IE, not Mozilla. Oh, snap, you have no clue once more.
    • Actually I think I would prefer to believe the Zalewski...

      If we were discussing Microsoft coming out and changing risks from "critical" to "low risk", everyone would be chomping at the bit to say that it is Microsoft attempting to downplay the vulnerabilities (which is exactly what I believe Ms Snyder is doing here).

      I'd put my trust in Michal Zalewski any day of the week before I ever trusted the vendor of a piece of software to tell me it is "secure".
  • No Problem here

    I ran the test ... whack a mole ... and when I hit 10, my download window appeared asking me what I wanted to do, guess ski didn't add the 'save download' vs. 'run from server' option to this wonderful browser ... three cheers for Firefox!
    • I didn't see one either...

      I clicked the first link in this article to go to then in there clicked the "demo here" (goes to: for the prompt-delay bypass FF bug she's reporting. I did it twice. The first time, the "run or save" came up, then attack_win1.html (I read the source to see the names) and covered the "run or save", keeping it from doing anything. If I hid that page and went to the "run or save" and clicked "cancel" nothing happened. It would only run if I saved then double-clicked to run it. I suppose a user *might* do that, but then, I don't think most who know anything about computers would even think of saving it and then trying to run it, especially when it's a .html. They'd expect Firefox to do it, and if it didn't, declare the site "broken". I only download .html and then double-click because ZDNet's emails don't work (please fix that, guys!) and just show a text/html attachment which I have to download, rename to have .html at the end, and then double click.
      • Ah wait, saw 1 of them

        The iframe one does work though.
  • Firefox Flaws

    I get plenty of warning when someone wants to play games with my computer from the outside world, and I just refuse to let the external site write JavaScript. So far so good, I have not had a virus for ages. Being careful where you surf also helps. I also have Netcraft and McAfee Site Advisor on my browser, and that gives me plenty of warning about sites that I am visiting.
  • USE Opera

    Just use the OPERA browser -- it rocks!