Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [Advisory] Mozilla Products Remote Crash Vulnerability
From: Heikki Toivonen <heikki () osafoundation org>
Date: Tue, 07 Dec 2004 09:28:38 -0800

Juergen Schmidt wrote:
But this means, somebody (from mozilla) checked the urgency and decided,
that it can wait. It would have been nice and a minimal effort to inform
the initial reporter about that.

* Reported Tuesday 2004-11-30
* 10 hours later it receives first comment, asking for testcase since reporters site is unreachable
* On Friday, 3 days later, the reporter thinks he's been ignored
* On Monday, the bug receives second comment, pointing out it is not really a security issue and subsequently gets fixed. By this time it was also reported on Bugtraq.

So yeah, it would have been nice if somebody had reported immediately that it was not exploitable. But it did receive that comment 6 days later. (In contrast, even when security researchers report confirmed security issues they are often willing to wait for a week or more.)

Look at it from the developers perspective. They get a report about a crash where the reporter thinks it is a security issue. They check it out, and it turns out it is nothing serious, and probably think it can wait for a bit while they work on something more important.

I think it was good the reporter asked in the bug if he was ignored or not (because sometimes people do forget).

But posting about a security vulnerability to public lists in less than a week after report, without actually verifying that it really is a vulnerability? Come on. This will only get people annoyed at you.

I do not see Niek claiming to be a security researcher. He stumbled

In that case, my apologies. Somehow I got the impression he was.

What should he (or your mother) do, if mozilla is crashing on a
particular web site? Shut up? Learn how to write a buffer overflow
exploit before reporting it?

People should of course report all the bugs they see. But my point still stands - a bug report about a crash still does not get the same attention as a bug report about an exploit. If you can't show it is a potential security issue, please be a little more patient.

  Heikki Toivonen

Attachment: signature.asc
Description: OpenPGP digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]