[ISN] Netscape blows off new vuln warning

From: InfoSec News (isnat_private)
Date: Tue Apr 30 2002 - 02:02:49 PDT


http://www.theregister.co.uk/content/4/25079.html

By Thomas C Greene in Washington
Posted: 30/04/2002 at 07:35 GMT

A recent advisory from GreyMagic Software demonstrates a minor file
access vulnerability in Netscape and Mozilla for Windows, very much
like the recent one affecting MS Internet Exploder.

No doubt it will be patched soon and without great difficulty. The
potential for malicious exploitation is modest, and the installed user
base, being a fraction of IE's, makes this item marginally newsworthy.  
Only Netscape has taken steps to make it particularly interesting by
ostentatiously ignoring GreyMagic's attempts to elicit a response, and
to claim the $1000 prize they believe they're entitled to according to
the terms of the Netscape Bug Bounty program.

According to Netscape, "this bounty applies to only those bugs that
are found in Netscape 6 or Netscape Communicator (excluding 3rd party
software), and that allow the attacker to run unsafe code on the
user's system and/or access files on the user's system."

This particular discovery would seem to satisfy those conditions. But
GreyMagic says they contacted Netscape on 24 April through the CGI
form on the Bug Bounty Web site and via e-mail memos to
securityat_private and secureat_private and have heard nothing
in reply.

"By completely disregarding our post Netscape has earned themselves
$1000 and lost any credibility they might have had. The money is
irrelevant, but using such a con to attract researchers into
disclosing bugs to Netscape is extremely unprofessional," GreyMagic
says.

"Netscape is conning the security community by offering an imaginary
$1000 for bugs such as the one we've published."

Or they're using it as a clever means to delay disclosure.

Netscape gives itself some wiggle room, declaring that a qualifying
stuff-up must not be "a trivial threat (as judged by Netscape
engineers fixing the bug)."

Trivial is a funny word which can mean almost anything. You can look
at the script:

var oXML=new XMLHttpRequest(); 
oXML.open("GET","getFile.asp",false); 
oXML.send(null); 
alert(oXML.responseText); 

and say, of course -- duh! -- and you might say it was trivial
following comedian Rick Green's worthy dictum, "I've got a simple
rule: if I can do it, it's not art."

But then if it really was trivial, we'd have heard of it long ago. So
let's say it's simple, which is entirely different. Personally, I
don't think Netscape gets to wiggle out of this with the triviality
clause.

As for Mozilla, things have gone somewhat differently. Bugzilla was
contacted only hours ago; and while the post was quickly yanked from
public view, a Netscape engineer caught it, confirmed it, and has
since contacted GMS.

So there might be some hope of claiming that whopping $1000 reward
after all. The indictment here may not be of Netscape's response to
vulnerabilities, but of the dead ends bug reporters are confronted
with.

Yet notification is half the battle. If Netscape can't get that much
right, we may have to consider dropping them from the Trustworthy
Computing Pantheon.


