Netscape blows off new vuln warning !!!

Discussion in 'other security issues & news' started by Technodrome, Apr 30, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    "A recent advisory from GreyMagic Software demonstrates a minor file access vulnerability in Netscape and Mozilla for Windows, very much like the recent one affecting MS Internet Exploder.

    No doubt it will be patched soon and without great difficulty. The potential for malicious exploitation is modest, and the installed user base, being a fraction of IE's, makes this item marginally newsworthy. Only Netscape has taken steps to make it particularly interesting by ostentatiously ignoring GreyMagic's attempts to elicit a response, and to claim the $1000 prize they believe they're entitled to according to the terms of the Netscape Bug Bounty program.

    According to Netscape, "this bounty applies to only those bugs that are found in Netscape 6 or Netscape Communicator (excluding 3rd party software), and that allow the attacker to run unsafe code on the user's system and/or access files on the user's system."

    This particular discovery would seem to satisfy those conditions. But GreyMagic says they contacted Netscape on 24 April through the CGI form on the Bug Bounty Web site and via e-mail memos to security@netscape.com and secure@netscape.com and have heard nothing in reply.

    "By completely disregarding our post Netscape has earned themselves $1000 and lost any credibility they might have had. The money is irrelevant, but using such a con to attract researchers into disclosing bugs to Netscape is extremely unprofessional," GreyMagic says.

    "Netscape is conning the security community by offering an imaginary $1000 for bugs such as the one we've published."

    Or they're using it as a clever means to delay disclosure.

    Netscape gives itself some wiggle room, declaring that a qualifying stuff-up must not be "a trivial threat (as judged by Netscape engineers fixing the bug)."

    Trivial is a funny word which can mean almost anything. You can look at the script:

    var oXML=new XMLHttpRequest();
    oXML.open("GET","getFile.asp",false);
    oXML.send(null);
    alert(oXML.responseText);

    and say, of course -- duh! -- and you might say it was trivial following comedian Rick Green's worthy dictum, "I've got a simple rule: if I can do it, it's not art."

    But then if it really was trivial, we'd have heard of it long ago. So let's say it's simple, which is entirely different. Personally, I don't think Netscape gets to wiggle out of this with the triviality clause.

    As for Mozilla, things have gone somewhat differently. Bugzilla was contacted only hours ago; and while the post was quickly yanked from public view, a Netscape engineer caught it, confirmed it, and has since contacted GMS.

    So there might be some hope of claiming that whopping $1000 reward after all. The indictment here may not be of Netscape's response to vulnerabilities, but of the dead ends bug reporters are confronted with.

    Yet notification is half the battle. If Netscape can't get that much right, we may have to consider dropping them from the Trustworthy Computing Pantheon. "

    source: http://www.theregister.co.uk

    Technodrome
     
  2. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    :mad:

    Now that's just sleazy.
    Yet another reason to choose Mozilla over AOLscape.
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I can't begin to tell you how pzzzzzd I was when I heard that AOHell had taken over Netscape. When Mozilla came into being I thought, aha, a chance to get away from IE on those rare occasions that Opera won't work.
    It's been a long wait, and I hope Mozilla does what I hope it will do, and I hope that the separation between Netscape and Mozilla takes a hard line.
    I tried Netscape's last version one more time, and it was still buggy as hell. Super bloatware! Wouldn't even handle bookmarks properly.
    Please, please, let Mozilla be the answer to my prayers.
    BTW, what's Mozilla have to do with this Netscape challenge?
     
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Mozilla's code is used in the latest Netscape browser. That's why !!!

    Technodrome
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Here is more:

    A bug in the Mozilla code, which is used in the latest Netscape browser, allows a Web page to list directories and read files from the user's computer.
    An Israeli software firm has discovered a flaw in Netscape and Mozilla software that allows code hidden in a Web page to read files from the user's PC. The bug is a more serious variant of one patched in Microsoft's Internet Explorer in February.

    GreyMagic Software on Monday reported that the problem affects XMLHttpRequest, which allows Web pages in the browser to send and receive XML data via HTTP, the standard Web transfer protocol. XML is an Internet language for describing just about any sort of data.


     
    According to the report, verified by other developers, XMLHttpRequest doesn't properly check the security settings for some types of data requests in a Web page, allowing them, if properly disguised, to request data from the user's hard drive. The Internet Explorer bug required an attacker to know the name of a file on the user's PC in order to exploit that file, but the Mozilla bug also allows the contents of directories on the local drive to be listed.

    GreyMagic created a demonstration of the bug that allows a Web page to display a window for exploring the viewer's own hard drive.

    The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher. The flaw doesn't affect Mozilla 1.0 release candidate 1 because XMLHttpRequest appears to be broken in that release, according to Mozilla developers.

    A patch for the bug was not available as of late morning on Wednesday.

    GreyMagic also criticised Netscape's system for reporting bugs, saying a 24 April attempt to report the bug was not acknowledged. Following the firm's public report of the bug, another developer reported the bug to Mozilla's bug-tracking system, whose developers have confirmed the flaw. The flaw has also been distributed on the BugTraq security mailing list.

    source: http://news.zdnet.co.uk/

    Technodrome
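
The ZDNet report quoted above says XMLHttpRequest failed to check security settings for requests that were "properly disguised". The JavaScript below is an added example, not code from the thread, GreyMagic or Mozilla: it assumes the disguise is a server redirect from getFile.asp to a file: URL, and puts a check that looks only at the URL passed to open() beside one that re-validates every redirect hop. The function names and sample URLs are hypothetical.

```javascript
// Added example; checkRedirectChain, checkFirstHopOnly and the sample
// URLs are hypothetical, not Mozilla or Netscape code.
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Decide whether a script on pageUrl may read the response to a request.
// hops = the URL passed to open(), then each redirect target in order.
function checkRedirectChain(pageUrl, hops) {
  const page = new URL(pageUrl);
  let base = page;
  for (let i = 0; i < hops.length; i++) {
    let target;
    try {
      target = new URL(hops[i], base); // redirect targets may be relative
    } catch (e) {
      return { allowed: false, hop: i, reason: "unparsable URL" };
    }
    if (!WEB_SCHEMES.has(target.protocol)) {
      return { allowed: false, hop: i, reason: "scheme " + target.protocol };
    }
    if (target.protocol !== page.protocol || target.host !== page.host) {
      return { allowed: false, hop: i, reason: "cross-origin" };
    }
    base = target;
  }
  return { allowed: true, hop: null, reason: "same-origin" };
}

// The flawed behaviour for comparison: only the URL given to open() is
// checked, so whatever the server redirects to is never examined.
function checkFirstHopOnly(pageUrl, hops) {
  return checkRedirectChain(pageUrl, hops.slice(0, 1));
}

// Constructed sample input.
const PAGE = "http://demo.example/page.html";
const PLAIN = ["data.xml"];
const DISGUISED = ["getFile.asp", "file:///C:/example.txt"];
const DIR_LISTING = ["getFile.asp", "file:///C:/"];

for (const chain of [PLAIN, DISGUISED, DIR_LISTING]) {
  console.log(chain.join(" -> "),
    "| first-hop-only:", checkFirstHopOnly(PAGE, chain).allowed,
    "| every-hop:", JSON.stringify(checkRedirectChain(PAGE, chain)));
}
```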
     