Feeds

Netscape blows off new vuln warning

Do not pass Go; do not collect $1000

  • alert
  • submit to reddit

3 Big data security analytics techniques

A recent advisory from GreyMagic Software demonstrates a minor file access vulnerability in Netscape and Mozilla for Windows, very much like the recent one affecting MS Internet Exploder.

No doubt it will be patched soon and without great difficulty. The potential for malicious exploitation is modest, and the installed user base, being a fraction of IE's, makes this item marginally newsworthy. Only Netscape has taken steps to make it particularly interesting by ostentatiously ignoring GreyMagic's attempts to elicit a response, and to claim the $1000 prize they believe they're entitled to according to the terms of the Netscape Bug Bounty program.

According to Netscape, "this bounty applies to only those bugs that are found in Netscape 6 or Netscape Communicator (excluding 3rd party software), and that allow the attacker to run unsafe code on the user's system and/or access files on the user's system."

This particular discovery would seem to satisfy those conditions. But GreyMagic says they contacted Netscape on 24 April through the CGI form on the Bug Bounty Web site and via e-mail memos to security@netscape.com and secure@netscape.com and have heard nothing in reply.

"By completely disregarding our post Netscape has earned themselves $1000 and lost any credibility they might have had. The money is irrelevant, but using such a con to attract researchers into disclosing bugs to Netscape is extremely unprofessional," GreyMagic says.

"Netscape is conning the security community by offering an imaginary $1000 for bugs such as the one we've published."

Or they're using it as a clever means to delay disclosure.

Netscape gives itself some wiggle room, declaring that a qualifying stuff-up must not be "a trivial threat (as judged by Netscape engineers fixing the bug)."

Trivial is a funny word which can mean almost anything. You can look at the script:

var oXML=new XMLHttpRequest();
oXML.open("GET","getFile.asp",false);
oXML.send(null);
alert(oXML.responseText);

and say, of course -- duh! -- and you might say it was trivial following comedian Rick Green's worthy dictum, "I've got a simple rule: if I can do it, it's not art."

But then if it really was trivial, we'd have heard of it long ago. So let's say it's simple, which is entirely different. Personally, I don't think Netscape gets to wiggle out of this with the triviality clause.

As for Mozilla, things have gone somewhat differently. Bugzilla was contacted only hours ago; and while the post was quickly yanked from public view, a Netscape engineer caught it, confirmed it, and has since contacted GMS.

So there might be some hope of claiming that whopping $1000 reward after all. The indictment here may not be of Netscape's response to vulnerabilities, but of the dead ends bug reporters are confronted with.

Yet notification is half the battle. If Netscape can't get that much right, we may have to consider dropping them from the Trustworthy Computing Pantheon. ®

SANS - Survey on application security programs

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.