Zalewski reports bugs in Firefox

Window Snyder


The bugs Michael Zalewski posted to full-disclosure yesterday are getting some attention in the press. The information below is intended to provide some clarity on the severity of these issues and how they impact users.

Bug 382686 allows the attacker to spoof content and potentially JavaScript. The spoofed content would be in the attacker’s domain, not the spoofed domain. This is unsafe because it could be used to lure a user into entering content into the spoofed frame, but it does not result in code execution. This might be used in phishing attacks. Spoofing attacks usually receive a Mozilla severity rating of Low.

Bug 376473 requires an additional vulnerability in a content handler in order to compromise a user. This alone cannot be used to execute or even place code on the user’s machine. This bug is also rated with a severity of Low. To protect users from potential vulnerabilities in content handlers we are considering ways to improve management of content handlers.

Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first. Just because a bug has a lower severity rating does not mean we dismiss it. We fix all bugs with any security risk as part of our commitment to security.

UPDATE 06/05/2007 2:27 PDT: These two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to Medium.

10 responses

  1. Cameron wrote on ::

    Could you guys get a new theme please? It seems like a dozen people on planet use this one…

  2. Pingback from » Mozilla downplays Zalewski’s Firefox flaws | Zero Day | ZDNet.com on ::

    [...] went public with details of Firefox vulnerabilities he thinks could lead to code execution attacks, Snyder responded with a note describing the flaws as “low risk” spoofing/phishing [...]

  3. Pingback from Firefox responds to yesterday's security problems : on ::

    [...] a series of vulnerabilities in the popular Firefox browser were made public, the Firefox security blog responds with its clarifications to make known the impact for [...]

  4. SC Magazine wrote on ::

    http://scmagazine.com/us/news/article/662560/pairs-internet-explorer-firefox-flaws-revealed-mailing-list/

  5. Pingback from Techzi » Blog Archive » Mozilla disputes Firefox flaws on ::

    [...] an entry on the Mozilla security blog — which debuted last week — Window Snyder, the company’s chief security officer, [...]

  6. Pingback from [SSD] Security & Development Blog » Mozilla backtracks and acknowledges that the last two Firefox bugs are more dangerous on ::

    [...] the last two Firefox bugs reported by Zalewski, a few hours later it published an update to its initial post, where it acknowledges that both can be used together by an attacker to [...]

  7. Pingback from Be:Fox » The latest flaws are judged critical - The Belgian blog about Firefox on ::

    [...] later on Tuesday, a blog post was updated by Window Snyder. After more mature reflection, “it turns out that these two flaws [...]

  8. Pingback from PCNiche » Mozilla disputes Firefox flaws on ::

    [...] an entry on the Mozilla security blog — which debuted last week — Window Snyder, the company's chief security officer, [...]

  9. Pingback from Mozilla disputes Firefox flaws on ::

    [...] an entry on the Mozilla security blog — which debuted last week — Window Snyder, the company’s chief security officer, [...]
