Friday, July 02, 2004

Mozilla most security conscious organization

Jesse Ruderman has a comment on Slashdot and on his blog where he compares the responses to a common security bug shared between Firefox/Mozilla, Opera and Internet Explorer.

In three days Firefox was patched and released, in 10 days Microsoft acknowledged the message and gave a workaround, and Opera hasn't written back yet. Way to go Mozilla!


At 5:22 PM, Anonymous said...

The date Jesse opened the bug 162020 in bugzilla was August 2002 ... The case is more representative of how security bug that don't have an immediate solution can get burried in dust in bugzilla until there is more pression to get them fixed.

At 5:40 PM, Seb said...

I was reading per his comments, and bug 246448 was opened a few days ago. The bug reported two years ago was indeed long standing but in my opinion the threat wasn't high.

At 6:25 PM, Anonymous said...

I'm not happy about how long it took bug 162020 to be fixed in Mozilla. It's an arbitrary code execution vulnerability. While it requires user interaction, it doesn't require user *cooperation*. There's nothing about a captcha that would make even a security-conscious developer suspicious. Have you tried the demos?

- Jesse

At 10:43 PM, Seb said...

When I try the captcha demo I get "A script from was denied UniverslXPConnect privileges." when I hit the letter n (both in Firefox 20040430 and Mozilla 1.6). Same thing happens in the double-click game. Maybe I was mistaken and the threat is real, although I haven't felt it.

At 7:49 PM, Anonymous said...

You have to save the demo and load it from disk or use about:config to set signed.applets.codebase_principal_support to true. A real attack would use ActiveX or XPIs instead of pure JavaScript and would not be subject to that restriction.

- Jesse


Post a Comment

Links to this post:

Create a Link

<< Home