Full Disclosure mailing list archives
RE: Mozilla Firefox "Host:" Buffer Overflow
From: Roberto Gomez Bolaños <wari00 () gmail com>
Date: Fri, 9 Sep 2005 19:36:01 -0300
And how exactly do you propose to "leave out the details and PoC" when the presence of the bug and the steps taken to fix it can not be concealed from public view given that the source code and the entire CVS entries are freely available for anyone to browse? Mozilla users are getting the consideration they deserve. They deserve to know what code they are running whenever they feel like doing so and to know what the mozilla team is doing with the code. That's probably one of the reasons why they run Firefox in the first place (but not necessarily the only or most important one).

The proposal for obscurity serves well closed-source initiatives and development processes that have limited or no public visibility, but it fails in the presence of OSS. The "responsible disclosure" advocates act as if Linux, *BSD, Mozilla and a zillion other open source projects did not exist in reality. Perhaps what was needed was to report the IE and SP2 vulnerabilities in a similar fashion and not the opposite, but alas the reporter probably did not want the MSRC meat-grinding PR machinery going after him.

----

Two interesting points:

1) It took several minutes and more browsing elsewhere (in Bugzilla) before my browser blew up after testing the POC.

2) When you reported a "Windows XP SP2 IE 6.0 Vulnerability" (http://security-protocols.com/modules.php?name=News&file=article&sid=2891) and a "Windows XP SP2 Remote Kernel DoS" (http://security-protocols.com/modules.php?name=News&file=article&sid=2783) you left the details of the bug and the POC out. Personally, I generally approve of that, but why don't Mozilla users deserve as much consideration?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com