
Re: [Full-Disclosure] [Advisory] Mozilla Products Remote Crash Vulnerability



Juergen Schmidt wrote:
But this means, somebody (from mozilla) checked the urgency and decided
that it can wait. It would have been nice and a minimal effort to inform
the initial reporter about that.

* Reported Tuesday 2004-11-30
* 10 hours later it receives first comment, asking for a testcase since the reporter's site is unreachable
* On Friday, 3 days later, the reporter thinks he's been ignored
* On Monday, the bug receives second comment, pointing out it is not really a security issue and subsequently gets fixed. By this time it was also reported on Bugtraq.


So yeah, it would have been nice if somebody had reported immediately that it was not exploitable. But it did receive that comment 6 days later. (In contrast, even when security researchers report confirmed security issues they are often willing to wait for a week or more.)

Look at it from the developers' perspective. They get a report about a crash where the reporter thinks it is a security issue. They check it out, and it turns out it is nothing serious, and they probably think it can wait for a bit while they work on something more important.

I think it was good the reporter asked in the bug if he was ignored or not (because sometimes people do forget).

But posting about a security vulnerability to public lists in less than a week after report, without actually verifying that it really is a vulnerability? Come on. This will only get people annoyed at you.

I do not see Niek claiming to be a security researcher. He stumbled

In that case, my apologies. Somehow I got the impression he was.


What should he (or your mother) do, if mozilla is crashing on a
particular web site? Shut up? Learn how to write a buffer overflow
exploit before reporting it?

People should of course report all the bugs they see. But my point still stands - a bug report about a crash still does not get the same attention as a bug report about an exploit. If you can't show it is a potential security issue, please be a little more patient.


--
  Heikki Toivonen
