Friday, July 02, 2004

Mozilla most security-conscious organization

Jesse Ruderman has a comment on Slashdot and on his blog where he compares the responses to a common security bug shared between Firefox/Mozilla, Opera and Internet Explorer.

In three days Firefox was patched and released, in 10 days Microsoft acknowledged the message and gave a workaround, and Opera hasn't written back yet. Way to go Mozilla!

5 Comments:

At 5:22 PM, Anonymous said...

The date Jesse opened the bug 162020 in bugzilla was August 2002 ... The case is more representative of how security bugs that don't have an immediate solution can get buried in dust in bugzilla until there is more pressure to get them fixed.

 
At 5:40 PM, Seb said...

I was reading per his comments, and bug 246448 was opened a few days ago. The bug reported two years ago was indeed long standing but in my opinion the threat wasn't high.

 
At 6:25 PM, Anonymous said...

I'm not happy about how long it took bug 162020 to be fixed in Mozilla. It's an arbitrary code execution vulnerability. While it requires user interaction, it doesn't require user *cooperation*. There's nothing about a captcha that would make even a security-conscious developer suspicious. Have you tried the demos?

- Jesse

 
At 10:43 PM, Seb said...

When I try the captcha demo I get "A script from http://bugzilla.mozilla.org was denied UniverslXPConnect privileges." when I hit the letter n (both in Firefox 20040430 and Mozilla 1.6). Same thing happens in the double-click game. Maybe I was mistaken and the threat is real, although I haven't felt it.

 
At 7:49 PM, Anonymous said...

You have to save the demo and load it from disk or use about:config to set signed.applets.codebase_principal_support to true. A real attack would use ActiveX or XPIs instead of pure JavaScript and would not be subject to that restriction.

- Jesse

 
