Mozilla downplays Zalewski's Firefox flaws

A day after Michal Zalewski went public with details of Firefox vulnerabilities he thinks could lead to code execution attacks, Snyder responded with a note describing the flaws as "low risk" spoofing/phishing issues.

• Bug 382686 allows the attacker to spoof content and potentially javascript. The spoofed content would be in the attacker’s domain, not the spoofed domain. This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution. This might be used with phishing attacks. Spoofing attacks usually generate a Mozilla severity rating of Low.
• Bug 376473 requires an additional vulnerability in a content handler in order to compromise a user. This alone cannot be used to execute or even place code on the user’s machine. This bug is also rated with a severity of Low. To protect users from potential vulnerabilities in content handlers we are considering ways to improve management of content handlers.

Snyder says prioritizes flaws based on severity to determine which bugs to fix first but stressed that Mozilla's policy is to "fix all bugs with any security risk."

Snyder's statement differs sharply from Zalewski's warning that one of the Firefox bug should be treated as a "major" risk.

Zalewski has a history of reporting serious flaws in Firefox and Internet Explorer and Snyder once told me she is grateful that he spends the time helping Mozilla engineers with the creation of patches. In this case, Zalewski has been commenting in the Bugzilla entries of both bugs.

So far this year, Mozilla has issued shipped fixes for 17 Firefox security issues.

[UPDATE: June 6, 2007 @ 9:42 AM]  Snyder has updated her blog with a note saying the two bugs may be used together to allow an attacker to access any file the user has access to on the  system. If this is the case, that may change the severity rating to "Medium."