Zalewski reports bugs in Firefox

06.05.07 - 11:14am

The bugs Michael Zalewski posted to full-disclosure yesterday are getting some attention in the press. The information below is intended to provide some clarity on the severity of these issues and how they impact users.

Bug 382686 allows the attacker to spoof content and potentially javascript. The spoofed content would be in the attacker’s domain, not the spoofed domain. This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution. This might be used with phishing attacks. Spoofing attacks usually generate a Mozilla severity rating of Low.

Bug 376473 requires an additional vulnerability in a content handler in order to compromise a user. This alone cannot be used to execute or even place code on the user’s machine. This bug is also rated with a severity of Low. To protect users from potential vulnerabilities in content handlers we are considering ways to improve management of content handlers.

Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first. Just because a bug has a lower severity rating does not mean we dismiss it. We fix all bugs with any security risk as part of our commitment to security.

UPDATE 06/05/2007 2:27 PDT: These two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to Medium.

Category: Security, Vulnerabilities |

Building and Breaking the Browser at Blackhat Time to Deploy improvement of 25 percent

The Buzz {7 trackbacks/pingbacks}

  1. Pingback: » Mozilla downplays Zalewski’s Firefox flaws | Zero Day | ZDNet.com on June 5, 2007
  2. Pingback: Firefox responde a los problemas de seguridad de ayer : on June 6, 2007
  3. Pingback: Techzi » Blog Archive » Mozilla disputes Firefox flaws on June 6, 2007
  4. Pingback: [SSD] Security & Development Blog » Mozilla rectifica y reconoce más peligrosidad a los dos últimos bugs de Firefox on June 6, 2007
  5. Pingback: Be:Fox » Les dernières failles sont jugées critiques - Le blog belge sur Firefox on June 7, 2007
  6. Pingback: PCNiche » Mozilla disputes Firefox flaws on June 7, 2007
  7. Pingback: Mozilla disputes Firefox flaws on June 10, 2007

The Conversation {3 comments}

  1. Cameron {Tuesday June 5, 2007 @ 11:52 am}

    Could you guys get a new theme please? It seems like a dozen people on planet use this one…

  2. SC Magazine {Wednesday June 6, 2007 @ 1:30 pm}

    http://scmagazine.com/us/news/article/662560/pairs-internet-explorer-firefox-flaws-revealed-mailing-list/

  3. maç sonuçları {Tuesday December 18, 2007 @ 1:07 pm}

    went public with details of Firefox vulnerabilities he thinks could lead to code execution attacks, Snyder responded with a note describing the flaws as “low risk” spoofing/phishing

Speak Your Peace

  • Comment Policy:Could go here if there's a nagging need Login Instructions: Would go here if there's a desire.