Mozilla Attempts to Minimize Firefox Flaws

Mozilla’s security chief Tuesday panned a pair of Firefox bugs revealed Monday as low-level threats, but hours later changed her mind and said that when used together, they could pose a greater risk.

The researcher who disclosed the vulnerabilities agreed with her. Mostly.

Michal Zalewski, who regularly publishes browser flaw findings, on Monday posted details on the full-disclosure mailing list about four browser vulnerabilities, including two affecting Firefox. He categorized one as a “major” threat, and he saw the other as only a “medium” threat.

In an entry on the Mozilla security blog—which debuted last week—Window Snyder, the company’s chief security officer, said the more serious of the two bugs found by Zalewski was no more than a spoofing vulnerability and deserved only a “low” rating. “This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution,” said Snyder. “[For example], this might be used with phishing attacks.”

Her take doesn’t jibe with Zalewski’s contention that the flaw can be used to stick malicious code onto the victimized computer. “By my book, [this is] more serious than just spoofing, so I marked it as ‘major,’ whereas Mozilla still considers it to be a typical case of spoofing (‘low’),” said Zalewski in an e-mail interview Wednesday. “But it would be inaccurate to say that Window’s assessment contradicts my analysis.”

Later Tuesday, Snyder updated her blog, saying that after further review, “these two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to ‘medium.’”

Zalewski dismissed the idea that he and Mozilla’s Snyder were at odds, and instead turned attention to what he thinks is most important. “All in all, I think we pretty much agree here,” he said. “The big issue [of the four vulnerabilities] was the Microsoft Internet Explorer flaw. The other three are important, but not critical.”

According to entries in Mozilla’s Bugzilla, the more serious of the two Firefox flaws has not yet been assigned to someone for a fix. Snyder, meanwhile, said that the Mozilla security team is looking into changes to improve content handler management, the root cause of the bug she pegged as “low.”

Zalewski on Monday noted on the full-disclosure mailing list that it appears Apple’s Safari browser is also vulnerable to same bug he found in IE 6 and IE 7 and labeled “critical.” Tuesday, Kevin Finisterre, a researcher known for the “Month of Apple Bugs” project in January, confirmed Zalewski’s Safari suspicions.

Apple officials did not reply to a request for comment.

—Gregg Keizer, Computerworld (US online)