Forum Thread: Mozilla To Fix Vulnerability Claimed To Be Fake...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

See the original Secunia blog entry:
Mozilla To Fix Vulnerability Claimed To Be Fake...

Secunia Mozilla To Fix Vulnerability Claimed To Be Fake...
Secunia Official 19th Mar, 2010 17:49
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
Some people were very eager to claim that this vulnerability report was fake - both on the Mozilla blog and our own forum - but Mozilla has now fixed this vulnerability in their Beta build and it will also be included in the upcoming version 3.6.2.

Dr Zen RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 19th Mar, 2010 17:49
Score: 1
Posts: 8
User Since: 2nd Nov 2009
System Score: N/A
Location: US
Last edited on 19th Mar, 2010 17:49
What a firefox/storm this issue has created. When will it end. March 30? I sure hope so.

--
Dr Zen
Was this reply relevant?
+2
-0
bjm__ RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 19th Mar, 2010 18:23
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 19th Mar, 2010 18:23
It took all these weeks for Secunia to explain .... gee wizz... I wish Secunia would have just posted this info weeks ago ... who knew Evgeny Legerov is a credible source with a solid track record...
well, better late than never...I appreciate Secunia finally sharing the content of this message. Why Secunia had to wait until Evgeny Legerov reached out to Mozilla...to clarify this threat. Maybe as Secunia has now explained[...]sometimes information is provided to us (Secunia) in confidentiality [...]
Thank you Carsten Eiram, Chief Security Specialist
Your words are so very important...the intent and content behind your words should be posted as a "sticky" somewhere. The body of this message answers all of my questions....Thank you!
Was this reply relevant?
+4
-0
ch3kan RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 19th Mar, 2010 20:11
Score: 3
Posts: 2
User Since: 19th Mar 2010
System Score: N/A
Location: ID
If all those people who claimed the vulnerability to be fake would have done their homework and looked up who the reporter was then such a circus would not have happened. From EL's previous research it's obvious that he does not make empty claims so I don't understand why all the fuss.

To all those noise makers: If you get the urge to whine then research what you're whining about more thoroughly. If, at this point, you still have the urge then know that there are smarter people then you who would have discussed the issue intelligently if it was warranted. So, please, think of the "Reply" button as a gun trigger and the barrel is at your temple.

--
Akademik
Was this reply relevant?
+5
-2
bjm__ RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 20th Mar, 2010 00:24
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 20th Mar, 2010 00:28
@ ch3kan ~ Akademik

We can always use another noise maker....as this is your first post.
Please permit this whining noise maker to respectfully welcome you aboard!
What may be obvious to you...may not be obvious to us whining noise makers.
Since you knew of EL's previous research....help a whining noise maker out next time and share your vast knowledge and great wisdom with those of us that are less worldly.

This whining noise maker will strive to make you proud. When I grow up...I want to be just like you. I sincerely apologize for having offended thee.

Think I'll pass on the gun and temple thing. It might make too much noise.
Cheers
bjm- ~ Aka wnm- (whining-noise-maker)
Was this reply relevant?
+2
-0
0puns0r3s RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 20th Mar, 2010 10:01
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 20th Mar, 2010 10:15
We "noisemakers" could be the reason why Secunia actually took the trouble to create this blog post:). We might not be "security professionals" or even "IT professionals", but we do have "common sense":).

Eugene took four long weeks to disclose this vulnerability. Mozilla refused that there was a vulnerability. Going by the words of the hacker alone, Secunia gave ratings to the vulnerability.

The least Secunia and Mozilla could have done was to have clarified and given out appropriate statements at the right time.

Mozilla appears to have not had a clue at all about this initially. Check out their initial blog post:

http://blog.mozilla.com/security/2010/02/22/secuni...

Then check out the latest blog post:

http://blog.mozilla.com/security/2010/03/18/update...

and Thomas Kristensen, the CSO of Secunia admitted that "This particular report is a bit special because of the lack of information available. Normally, we do not write about vulnerabilities unless certain details are available and / or we can test it. (…) and previous vulnerabilities reported by this company / person has proved to be reliable."

http://blog.psi2.de/en/2010/02/20/going-commercial...

He's admitted that Secunia had no idea about the vulnerability due to "lack of information".

Today it is Firefox. Supposing tomorrow another hacker says "sorry. We will not release any details of the vulnerability for free. You'll have to pay up. Period". What would a so-called non-profit organization like Mozilla do then?

The fact that (any) software company/entity/organization can be taken "hostage" by the words of a professional hacker is a very scary thought!

best,
0puns0r3s anm (another noise maker:)
Was this reply relevant?
+3
-2
thedillpickl RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Contributor 20th Mar, 2010 19:09
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi All;

First, I do not use Firefox, yet. I usually do some digging before trying out a new (to me) product. This vulnerability issue caught my interest. More importantly, this discussion has provoked a response.

I have copied from the "New Forum Features" thread http://secunia.com/community/forum/thread/show/372... which I posted this to on 16th Mar, 2010 03:30. I feel compelled to repeat myself here.

"Two quick observations;

1) The thing that made this forum unique (for myself, at least) was that anyone could & usually would try to help. Some with better success than others, but most always with the best of intentions. Unlike other 'Help me!' forums that are full of stuffy, pretentious know-it-alls. That time may now be over.

2) It does not matter if a person knows how to solve a problem, if he/she cannot relate the solution to the one requesting help.
..."

As a "noise maker" of note, let me say that currently I have given maybe two or three 'thumbs up' and no 'thumbs down'. I am now reconsidering my decision to limit my use of "Was this reply relevant?"

No one here is seeking help with a particular problem, but we are seeking useful input just the same. I was content to be a passive observer. Now that I have 'pulled the trigger', let us see if my head gets blown off.

@ ch3kan, no one person knows everything. With due respect for your knowledge of Mr. Evgeny Legerov's expertise and of vulnerabilities, I quite possibly know more of catching fish than you. Both equally important for different jobs. You understand the complexities of computer security and may help us on the forum to be better informed. If you came to my home I could feed you all the fish you wanted.

@ bjm-, please don't use bold text for your whole post, thank you. We all get frustrated when things don't work the way we expected. This Firefox issue is a prime example. People are upset because a major browser vendor had/has a problem. Read the forum more closely, this happens all the time. It will be resolved. It is our duty to have a knowledgeable understanding of the situation to help those who don't or can't. If ch3kan is a bit brash on his first post, it is possible he expected 'experts' here. :) As I said above, no one knows everything.

@ 0puns0r3s, if I were to give a 'thumbs up' it would be for bringing up how the situation was mishandled. Thank you.

@ Dr Zen, no 'thumbs up' or 'thumbs down' but feel free to 'vent'. If you get too frustrated, shut the box off and take a walk, it works for me. :)


Regards;

Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+4
-2
bjm__ RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 20th Mar, 2010 19:27
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
@ thedillpickl

thedillpickl wrote: @ bjm-, please don't use bold text for your whole post, thank you.

My use of bold text is not meant as "shouting" or "frustration".
I use bold text just simply because I find it easier to read.
I'll try to respect your comment.

Cheers
bjm-
Was this reply relevant?
+0
-0
thedillpickl RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Contributor 20th Mar, 2010 19:46
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
@bjm-, bit off topic but oh well. I too have this problem. It helps to make use of the 'zoom' feature of your browser. Someone should invent a monitor with a magnifying glass glued to the screen for us! :)

Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+1
-0
0puns0r3s RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 22nd Mar, 2010 08:53
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 22nd Mar, 2010 08:53
@ Secunia: The Mozilla team says that they contacted you through e-mail and your response was "the reporter had a good track record (and they were right) but that didn't help us figure out what needed fixing."

Reference: http://blog.mozilla.com/security/2010/03/18/update...

The least (again!) you could have done was to say something like this in your advisory "We've also received an e-mail from the Mozilla team. Currently, there is no information available about this exploit.

We'll update our users when we have more information available."

How difficult would that have been?:) Just saying....
Was this reply relevant?
+2
-0
coopa RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 22nd Mar, 2010 18:21
Score: 2
Posts: 7
User Since: 9th Mar 2010
System Score: N/A
Location: US
Last edited on 22nd Mar, 2010 18:21
Hear me out before giving me thumbs down. I'm acknowledging that Secunia was right and that trusting a security researcher wasn't a bad move.

Secunia could have avoided a lot of ill will had they simply explained this earlier. And given Secunia's track record & Mr. Legerov's track record, would it have been so difficult to shoot an email off to Mr. Legerov after his blog & Twitter account (his blog being one of Secunia's sources?)

Secunia should mention whether or not the author is being taken at their word, whether the vendor has verified the bug, or Secunia has tested it themselves on advisory reports. I'm not saying that it's unacceptable to trust a security researcher, just that being more transparent with advisories would prevent the distrust and name calling that occurred with this vulnerability.
Was this reply relevant?
+4
-0
davidows RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 22nd Mar, 2010 20:41
Score: 16
Posts: 30
User Since: 24th Apr 2008
System Score: 100%
Location: US
Last edited on 22nd Mar, 2010 20:41
Regardless of any reasonable doubts or conspiracy theories....

When in doubt, the simplest temporary (if not permanent) workaround is to protect yourself via SandBoxie, DropMyRights, or any other method that keeps the potential exploit from gaining Admin access.

I do that all the time, except when I'm trying to make modifications to FF or TB that require admin access themselves. When I'm done with those changes, I close it and open FF or TB with restrictions in place.

99% of the time, the limited rights allow me to browse in the same manner as I would with Admin rights. I also use NoScript and only allow whatever is necessary for my browsing.

What's the BFD?
Was this reply relevant?
+1
-0
thedillpickl RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Contributor 23rd Mar, 2010 04:33
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Last edited on 23rd Mar, 2010 04:36
No BFD, unless you are a Mozilla or Evgeny Legerov fan.

Oops, did I say that out loud?

This ought to be good for a few 'thumbs down'.


F

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+1
-0
bjm__ RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 23rd Mar, 2010 05:04
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
FF 3.6.2
http://www.mozilla.com/en-US/firefox/3.6.2/release...
Was this reply relevant?
+0
-0
0puns0r3s RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 23rd Mar, 2010 08:31
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 23rd Mar, 2010 08:31
Glad that the Mozilla team realized the importance of security and released a quick patch after the exploit was available:)...

"No Script" seems to protect from this vulnerability:

http://hackademix.net/2010/03/22/firefox-36s-0-day...

How would this exploit work? Details are here:

http://www.mozilla.org/security/announce/2010/mfsa...

But I still don't get it:(

Anyone?
Was this reply relevant?
+2
-0
bjm__ RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 23rd Mar, 2010 15:58
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
@ 0puns0r3s

Have your Add-ons all settled in with ver 3.6.2?

bjm-
Was this reply relevant?
+0
-0
0puns0r3s RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Member 24th Mar, 2010 08:17
Score: -5
Posts: 22
User Since: 27th Feb 2010
System Score: N/A
Location: IN
Last edited on 24th Mar, 2010 08:27
@ bjm- Yes, amazingly all of my addons have settled with Firefox 3.6.2:)....The update was quite smooth. It installed, checked my addon compatibility and everything is back to normal.

At the risk of getting a few thumbs down:), my addons are concerned with privacy and security like Noscript, Secure login, cs lite, SSL blacklist etc...All are working fine.
Was this reply relevant?
+1
-0
taffy078 RE: Mozilla To Fix Vulnerability Claimed To Be Fake...
Contributor 24th Mar, 2010 12:22
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 24th Mar, 2010 12:24
3.6.2 update is now available. Click on Help in Firefox to get it

Sorry - didn't see the earlier notes!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+1
-0