Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [Advisory] Mozilla Products Remote Crash Vulnerability
From: Heikki Toivonen <heikki () osafoundation org>
Date: Mon, 06 Dec 2004 15:09:23 -0800

This crash was fixed today.

FYI - simple unexploitable crashes are generally not considered security issues by mozilla.org. With unexploitable crash I mean something that will only allow you to crash the product. An example of exploitable crash would be a buffer overflow, which often causes crash.

The reason for this is that simply crashing a client product is not that big of a deal, because it is easy to avoid. Crash on evil.com? Don't go there. If it is not easy to avoid, i.e. it is really a permanent DoS, then it will be dealt quickly as a security issue. (Yeah, I do know even a simple crash is annoying even if you know how to avoid it in the future. I'd be happy if someone went and fixed all the obscure crashers in Mozilla.)

Things are different for server products, and some parts of the Mozilla codebase are widely used in servers. In those cases any crash is considered a security issue. An example of such a component is the Network Security Services (NSS) which is used in web servers.

This does not mean crashes will be ignored and will go unfixed. It just means that they do not receive the urgency that exploitable crashes and other vulnerabilities receive.

As a security researcher, I would think it would be your responsibility to determine the seriousness of an issue. Just saying an app crashes does not make a security researcher IMO. Even my mom would be able to report a simple crash.

Niek van der Maas wrote:
I'm posting it here, the Mozilla guys didn't want to answer or even
confirm this bug. No idea whether this one is exploitable or not, I'll
leave that over to the readers of these lists.
While working on one of my projects I discovered a vulnerability in Firefox, allowing a attacker to crash the browser. Further investigation learned that this vulnerability also applies on other Mozilla products, like Navigator.
  The bug (#272381) was opened 2004-11-30 in Bugzilla.
Until now (2004-12-06), no response or confirmation is received. Contacting the Mozilla Security Team on IRC didn't help either, it seems that they're
  simply not interested.

  Heikki Toivonen

Attachment: signature.asc
Description: OpenPGP digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]