Linked by Thom Holwerda on Thu 15th Sep 2005 12:20 UTC
Mozilla & Gecko clones The Mozilla Foundation plans to "shortly" release new versions of its Firefox and Mozilla Web browsers to address a recently disclosed serious security bug as well as several additional flaws, a representative said Wednesday.
Thread beginning with comment 31810
To read all comments associated with this story, please click here.
insecurity by
by butters on Thu 15th Sep 2005 20:00 UTC
butters
Member since:
2005-07-08

We can agree that web browsers are complex and that by their very nature, they allow remote parties to make inputs to your computer. This makes them a target for malicious agents. This is what all web browsers have in common.

But the difference between firefox vulnerabilities and IE vulnerabilities is that the latter are found through blindly attacking the system as if it were a black box. If you get some unexpected behavior when clicking on a particularly formatted link or displaying a particularly contructed image, then explore variations until you find the pattern.

Firefox vulnerabilities are most often found through code inspection and/or automated analysis. You can write a perl script to look for candidate buffer overflow situations in any language that allows them. Or you can use more powerful tools like Uno (Uninitialized variables, Null dereferences, and buffer Overflows).

Security researchers (that's what they call hackers these days) do more harm that good when they act like this guy did. If you discover a vulnerability, you shouldn't write about it on your blog and post a proof-of-concept exploit until you give the software developers a reasonable amount of time to fix the problem. As we've seen, Mozilla was able to respond very quickly to this vulnerability, issuing a workaround within 24 hours and testing a new release within a few days. I can understand acting this way in response to developers ignoring your reported vulnerability for over a month, but this was not the case.

At the end of the day, Firefox developers should be looking for these buffer overflows. However, publicizing vulnerabilities before the developers have a chance to respond runs contrary to the advancement of computing, whether they be in open or proprietary software.

Reply Score: 0