Mozilla challenges security researchers, says Firefox exploit reports are false
By Scott M. Fulton, III | Published July 20, 2009, 10:33 AM
If a bug in a program makes it possible for that program to crash, is that a vulnerability? Mozilla is saying "no" to that this morning, claiming that recent warnings, including one issued Friday by the US Dept. of Homeland Security, are exaggerations.
"While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug," reads a blog post yesterday from Mozilla Vice President of Engineering Mike Shaver. "Our analysis indicates that it is not, and we have seen no example of exploitability."
There's definitely a problem, says Mozilla, on account of a string buffer overflow in Windows-based Firefox browsers, including both the 3.0.x and 3.5.x series. That problem can cause browsers to crash, but Mozilla says there is no proof anywhere that the browser can be exploited. This despite IBM ISS's "High" severity rating for the alleged exploit, and a proof of concept published by SecurityFocus that can trigger the crash.
Trigger the crash, yes, but that's all. By definition, Mozilla is arguing, an exploit should achieve something beyond the crash itself -- for instance, the ability to run arbitrary executable code without obtaining privilege. And that's not what's happening here. Indeed, all the researchers' code does is trigger the crash.
Last Friday, Mozilla rushed to distribute its first 3.5 bug fix, in the wake of proof-of-concept code that actually did run executable code -- a true exploit. Sources noted that the bug targeted by that code had been in the Bugzilla database for several days, and some argued that Mozilla should therefore have already known about the vulnerability. But the exploit was not known or available that long ago, and there's the difference.
It's a bloomin' good job most folk don't read about the problems Firefox is experiencing at the moment. They just browse the web, do a bit of banking, perhaps a little shopping on the way, and then at the end of the week the stuff we all revel in will be fixed, and another browser will be found wanting. But the majority of folk who have lives that don't involve posting here will not give a rat's; they'll still be shopping, and banking, and having fun, silly people. Just like to say in parting, Opera rocks bro!
Score: 0
|Firefox 3.7 redesign (only for Windows) screen shots: http://www.neowin.net/ne...gn-screenshots-released
Looks great!
Score: 0
|You mean looks like Safari and Chrome, and hides all the options menus for the non-geek. I hope it doesn't actually turn out looking like this, but hey, that's why we have themes.
My current theme? LittleFox has been forever.
Score: 0
|Let the kids play with their Firefox; we adults get the SeaMonkey :)
Score: -1
|Suck it up Mozilla. I'm switching back to IE8. :-)
Score: -1
|Was it exploited remotely? If so, it may be a bug but also a vulnerability; denial of service is as bad as anything else.
Score: 1
|No, there is no remote exploit. "Denial of Service" is a misnomer... sure, a site operator could put the offending code on their site and make your browser crash on _their_ site, but that would not be a very bright idea, now would it?
Score: -2
|I just think all holes and bugs should be patched as they arise. 3.5.1b should be available this second to folks that want it, as opposed to waiting for 3.5.2: not pushed automatically, but at least available via a manual update.
Score: 1
|Haven't done any software development with hundreds of files, have you? If it was just that simple, it would be great, but one function in one file may be the point of origin for 1, 10, or 100 bugs, depending on how commonly it's used.
You can always go to http://ftp.mozilla.org/p...lla.org/firefox/nightly/ and download the latest nightly and keep updated whenever updates are available. Of course, nothing is to say that it's not going to break and be non-functional either. That's why having another browser like Opera is a good idea.
Score: -1