Re: [Full-Disclosure] [Advisory] Mozilla Products Remote Crash Vulnerability

From: Heikki Toivonen (heikkiosafoundation.org)
Date: Tue Dec 07 2004 - 11:28:38 CST
Juergen Schmidt wrote:
> But this means, somebody (from mozilla) checked the urgency and decided,
> that it can wait. It would have been nice and a minimal effort to inform
> the initial reporter about that.

* Reported Tuesday 2004-11-30
* 10 hours later it receives first comment, asking for testcase since
reporter's site is unreachable
* On Friday, 3 days later, the reporter thinks he's been ignored
* On Monday, the bug receives second comment, pointing out it is not
really a security issue and subsequently gets fixed. By this time it was
also reported on Bugtraq.

So yeah, it would have been nice if somebody had reported immediately
that it was not exploitable. But it did receive that comment 6 days
later. (In contrast, even when security researchers report confirmed
security issues they are often willing to wait for a week or more.)

Look at it from the developers' perspective. They get a report about a
crash where the reporter thinks it is a security issue. They check it
out, and it turns out it is nothing serious, and probably think it can
wait for a bit while they work on something more important.

I think it was good the reporter asked in the bug if he was ignored or
not (because sometimes people do forget).

But posting about a security vulnerability to public lists in less than
a week after report, without actually verifying that it really is a
vulnerability? Come on. This will only get people annoyed at you.

> I do not see Niek claiming to be a security researcher. He stumbled

In that case, my apologies. Somehow I got the impression he was.

> What should he (or your mother) do, if mozilla is crashing on a
> particular web site? Shut up? Learn how to write a buffer overflow
> exploit before reporting it?

People should of course report all the bugs they see. But my point still
stands - a bug report about a crash still does not get the same
attention as a bug report about an exploit. If you can't show it is a
potential security issue, please be a little more patient.

--
   Heikki Toivonen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html