Mozilla and its family of browsers (including Firefox, Netscape Navigator and Camino) present a much shorter window of opportunity to a prospective attacker. There were 56 days (15%) in 2004 when a remote code execution vulnerability in Mozilla was publicly known and no patched release was available: 30 days in May-June for an arbitrary code execution problem affecting only Mac OS X users, one day in July between the public report of the shell: protocol vulnerability and the fixed Mozilla/Firefox release, one day in August between the disclosure and the fix of the libpng vulnerabilities, and 24 days in October-November between Michal Zalewski's announcement of the mangleme program and the Firefox 1.0 release incorporating fixes for the publicly announced bugs.
Mozilla enjoys some advantages where public disclosure of vulnerabilities is concerned. Security researchers seem more inclined to report vulnerabilities privately to the Mozilla development team than to publish them immediately. This might be because the Mozilla project produces free open-source software, and being nice to it is considered A Good Thing, or possibly also because of Mozilla's Security Bug Bounty Program, which pays $500 to reporters of critical security bugs.
The Security Bug Bounty Program is a very sensible thing indeed, since unpatched vulnerabilities are quickly gaining commercial value. As many researchers note, 2004 saw a big change in the motives of computer attackers. Before, virus and worm writers did it mainly for fun and recognition. Today a successful virus is commonly used for installing backdoors on infected computers and creating so-called "botnets". A botnet is a network of compromised computers that can be remotely controlled. A botnet has a lot of lucrative uses, such as mounting a distributed denial of service attack against an online business and then blackmailing the business owners, relaying spam, or serving porn. Obviously an unpatched vulnerability that can be used to distribute a virus or install a backdoor is worth something to people in the botnet business. We saw this trend in Internet Explorer bugs this year, when at least two vulnerabilities were first seen "in the wild" rather than being discovered and reported.
In 2004 Mozilla was not targeted by malware writers, so there are no red lines (marking exploitation in the wild) in the Mozilla timelines. This might change as Mozilla software gains popularity. Grey lines in the table below mark the dates when vulnerabilities were privately reported to the Mozilla development team.
| Month | Date | Event |
|---|---|---|
| August 2002 | 9 Aug 2002 | Jesse Ruderman reports bug #162020 - security dialog popup vulnerability. |
| January | | |
| February | | |
| March | 5 Mar | iDefense reports bug #236618 - SOAPParameter integer overflow. |
| | 8 Mar | Patch for bug #236618 - SOAPParameter integer overflow - is committed. |
| April | | |
| May | 15 May | A problem in Mac OS X that allows arbitrary command execution via a browser is discussed on a public forum. Bug #243699 is submitted to Bugzilla by Mike Calmus. |
| | 19 May | Patch for bug #243699 - arbitrary code execution using disk:// and help:// URLs on Mac OS X - is committed. |
| June | 5 Jun | Patch for bug #162020 - security dialog popup vulnerability - is committed. |
| | 14 Jun | Firefox 0.9 is released, fixing bug #236618, bug #243699 and bug #162020. |
| | 17 Jun | Mozilla 1.7 is released, fixing bug #236618, bug #243699 and bug #162020. |
| July | 7 Jul, 8 Jul | Windows shell: protocol handler vulnerability is publicly reported and bug #250180 is submitted to Bugzilla by Keith McCanless. The Mozilla project releases a security advisory, Mozilla 1.7.1, Firefox 0.9.2 and a patch for this vulnerability. |
| | 14 Jul | Bug #251381 - libpng overflow vulnerabilities - is reported. |
| August | 3 Aug, 4 Aug | Bug #251381 - libpng overflow vulnerabilities - is publicly disclosed. The Mozilla project releases a security advisory, Mozilla 1.7.2 and Firefox 0.9.3, fixing bug #251381. |
| | 10 Aug | Bug #255067 - BMP integer overflow - is reported by Gael Delalleau. |
| | 20 Aug | Bug #256316 - non-ASCII hostname heap overrun - is reported by Gael Delalleau. |
| | 24 Aug | Patch for bug #256316 - non-ASCII hostname heap overrun - is committed. |
| | 27 Aug | Patch for bug #255067 - BMP integer overflow - is committed. |
| | 29 Aug, 30 Aug | Bug #257314 - VCard buffer overflow - is reported by Georgi Guninski on 29 Aug; a patch for this problem is committed on 30 Aug. |
| September | 14 Sep | The Mozilla project releases a security announcement, Mozilla 1.7.3 and the Firefox Preview Release, fixing bug #256316, bug #255067 and bug #257314. |
| October | 14 Oct | Maurycy Prodeus reports an overflow in the NNTP protocol handling code in Mozilla - bug #264388. |
| | 18 Oct | Michal Zalewski publishes the mangleme program and several examples of HTML code crashing Mozilla discovered using it, some of them exploitable. Bug #264944, tracking crashes found by mangleme, is opened. |
| November | 9 Nov | Firefox 1.0 is released, fixing the two bugs noted in Zalewski's mangleme announcement and the NNTP handling code overflow. No security announcement was made by the Mozilla project. |
| December | 17 Dec | Mozilla 1.7.5 is released, containing fixes for the two bugs noted in Zalewski's mangleme announcement. Bug #264944, tracking mangleme crashes, remains open. Bug #265067 is open and probably describes an exploitable problem, since it is linked to the mangleme tracking bug and is marked "security-sensitive". |