Full Disclosure mailing list archives
Re: [Advisory] Mozilla Products Remote Crash Vulnerability
From: Heikki Toivonen <heikki () osafoundation org>
Date: Mon, 06 Dec 2004 15:09:23 -0800
This crash was fixed today.FYI - simple unexploitable crashes are generally not considered security issues by mozilla.org. With unexploitable crash I mean something that will only allow you to crash the product. An example of exploitable crash would be a buffer overflow, which often causes crash.
The reason for this is that simply crashing a client product is not that big of a deal, because it is easy to avoid. Crash on evil.com? Don't go there. If it is not easy to avoid, i.e. it is really a permanent DoS, then it will be dealt quickly as a security issue. (Yeah, I do know even a simple crash is annoying even if you know how to avoid it in the future. I'd be happy if someone went and fixed all the obscure crashers in Mozilla.)
Things are different for server products, and some parts of the Mozilla codebase are widely used in servers. In those cases any crash is considered a security issue. An example of such a component is the Network Security Services (NSS) which is used in web servers.
This does not mean crashes will be ignored and will go unfixed. It just means that they do not receive the urgency that exploitable crashes and other vulnerabilities receive.
As a security researcher, I would think it would be your responsibility to determine the seriousness of an issue. Just saying an app crashes does not make a security researcher IMO. Even my mom would be able to report a simple crash.
Niek van der Maas wrote:I'm posting it here, the Mozilla guys didn't want to answer or even confirm this bug. No idea whether this one is exploitable or not, I'll leave that over to the readers of these lists. DESCRIPTIONWhile working on one of my projects I discovered a vulnerability in Firefox, allowing a attacker to crash the browser. Further investigation learned that this vulnerability also applies on other Mozilla products, like Navigator.VENDOR RESPONSE The bug (#272381) was opened 2004-11-30 in Bugzilla.Until now (2004-12-06), no response or confirmation is received. Contacting the Mozilla Security Team on IRC didn't help either, it seems that they'resimply not interested.
-- Heikki Toivonen
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [Advisory] Mozilla Products Remote Crash Vulnerability Niek van der Maas (Dec 06)
- Re: [Advisory] Mozilla Products Remote Crash Vulnerability Kevin Finisterre (Dec 06)
- Re: [Advisory] Mozilla Products Remote Crash Vulnerability Heikki Toivonen (Dec 06)
- Re: [Advisory] Mozilla Products Remote Crash Vulnerability Juergen Schmidt (Dec 07)
- Re: [Advisory] Mozilla Products Remote Crash Vulnerability Heikki Toivonen (Dec 07)
- Re: [Advisory] Mozilla Products Remote Crash Vulnerability Heikki Toivonen (Dec 06)
- Re: [Advisory] Mozilla Products Remote Crash Vulnerability Kevin Finisterre (Dec 06)
- <Possible follow-ups>
- Re: [Advisory] Mozilla Products Remote Crash Vulnerability Berend-Jan Wever (Dec 06)
- [Advisory] Mozilla Products Remote Crash Vulnerability PERFECT.MATERIAL (Dec 06)