If at first you don't succeed; call it version 1.0
Tuesday, 07 February 2006

A week ago, Mozilla Foundation released a new security update which included 8 advisories.
4 of the advisories were rated with 'Moderate' severity. At least 3 of them, IMHO, are exploitable for remote code execution with no user interaction.

Today, HD Moore, the author of Metasploitpublished a remote code execution exploit for one of the 'Moderate' severity rated vulnerabilities.

This again shows you that Mozilla Foundation are not learning from past mistakes and are still downplaying vulnerabilities.

My guess is that they are waiting for an exploit in the wild before they are going to rate any exploitable memory corruption vulnerability as 'Critical'.


Tuesday, 07 February 2006 08:23:18 UTC | Comments [5] | Security#
Tuesday, 07 February 2006 22:35:50 UTC
Hi, I'm interested in writing about this for the IDG News Service. Which one of the vulnerabilities does this code target? What is so serious about the vulnerability that Mozilla is not addressing? I'm just trying to get more info. Thanks.

Liz
Wednesday, 08 February 2006 12:27:51 UTC
Hi Liz,

The vulnerability this code target is "Memory corruption via QueryInterface on Location, Navigator objects" (http://www.mozilla.org/security/announce/mfsa2006-04.html).
By now, Mozilla Foundation updated the severity of this advisory to 'Critical'.
The problem is that there are at-least 2 more advisories in this security update (2006-01, 2006-06) which are also rated with 'Moderate' severity and which still can be exploited for remote code execution.
People will assume those vulnerabilities are not so critical to update their browsers, although they are.
It's also a way for Mozilla Foundation to play with their "secured product" statistics, but this is for another story...
Thursday, 09 February 2006 01:35:55 UTC
Keep in mind that Mozilla takes faster action than Microsoft does. Microsoft often leaves things unpatched for good or for unpatched for months. Mozilla gets down to business within a few days or less. I recommend Firefox over Internet Explorer any day of the week! Security vulnerabilities according to PC World = IE 91, FF 26.


Nick
Nick
Friday, 10 February 2006 01:00:35 UTC
How old are you Aviv Raff ? And HD Moore ?

I think you do not even know what is a security risk. Publishing an unpatched or "just patched" exploit just to increase the risk level is a stupid behavior which can only help cybercrime. That also encourages editors to publish less information about vulnerabilities, thus to prefer security by obscurity...

"If a security measure increases the risk level, it is not a security measure"
Paris
Saturday, 11 February 2006 03:00:21 UTC
Thank you very much for publishing, and also alerting the general public to the problems and their reoccurences, for which their computer sytems have simply been layed bare, and privy to unauthorized access. I can not possibly imagine why anyone, or any entity would try to hide or conceal such a thing. The word "nihilist" would apply so very well here. It would do the public an unforgivable disservice to sway or dismay, anyone attempting to offer any such alert. Roll your sleeves up, and off to work I say, in an effort to deliver a "PROPER" product. Hats off to you there...you are class! What are they? Touche' mon ami!
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
  
Blogroll
Archive
Admin Login
Sign In
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.