mailing list archives
Re: [Advisory] Mozilla Products Remote Crash Vulnerability
From: Heikki Toivonen <heikki () osafoundation org>
Date: Mon, 06 Dec 2004 15:09:23 -0800
This crash was fixed today.
FYI - simple unexploitable crashes are generally not considered security
issues by mozilla.org. With unexploitable crash I mean something that
will only allow you to crash the product. An example of exploitable
crash would be a buffer overflow, which often causes crash.
The reason for this is that simply crashing a client product is not that
big of a deal, because it is easy to avoid. Crash on evil.com? Don't go
there. If it is not easy to avoid, i.e. it is really a permanent DoS,
then it will be dealt quickly as a security issue. (Yeah, I do know even
a simple crash is annoying even if you know how to avoid it in the
future. I'd be happy if someone went and fixed all the obscure crashers
Things are different for server products, and some parts of the Mozilla
codebase are widely used in servers. In those cases any crash is
considered a security issue. An example of such a component is the
Network Security Services (NSS) which is used in web servers.
This does not mean crashes will be ignored and will go unfixed. It just
means that they do not receive the urgency that exploitable crashes and
other vulnerabilities receive.
As a security researcher, I would think it would be your responsibility
to determine the seriousness of an issue. Just saying an app crashes
does not make a security researcher IMO. Even my mom would be able to
report a simple crash.
Niek van der Maas wrote:
I'm posting it here, the Mozilla guys didn't want to answer or even
confirm this bug. No idea whether this one is exploitable or not, I'll
leave that over to the readers of these lists.
While working on one of my projects I discovered a vulnerability in
allowing a attacker to crash the browser. Further investigation
this vulnerability also applies on other Mozilla products, like
The bug (#272381) was opened 2004-11-30 in Bugzilla.
Until now (2004-12-06), no response or confirmation is received.
the Mozilla Security Team on IRC didn't help either, it seems that
simply not interested.
Description: OpenPGP digital signature