In three days Firefox was patched and released, in 10 days Microsoft acknowledged the message and gave a workaround, and Opera hasn't written back yet. Way to go Mozilla!
The date Jesse opened the bug 162020 in Bugzilla was August 2002 ... The case is more representative of how security bugs that don't have an immediate solution can get buried in dust in Bugzilla until there is more pressure to get them fixed.
I was reading per his comments, and bug 246448 was opened a few days ago. The bug reported two years ago was indeed long standing but in my opinion the threat wasn't high.
I'm not happy about how long it took bug 162020 to be fixed in Mozilla. It's an arbitrary code execution vulnerability. While it requires user interaction, it doesn't require user *cooperation*. There's nothing about a captcha that would make even a security-conscious developer suspicious. Have you tried the demos?
- Jesse
When I try the captcha demo I get "A script from http://bugzilla.mozilla.org was denied UniversalXPConnect privileges." when I hit the letter n (both in Firefox 20040430 and Mozilla 1.6). Same thing happens in the double-click game. Maybe I was mistaken and the threat is real, although I haven't felt it.
You have to save the demo and load it from disk or use about:config to set signed.applets.codebase_principal_support to true. A real attack would use ActiveX or XPIs instead of pure JavaScript and would not be subject to that restriction.
- Jesse