Feeds

Netscape blows off new vuln warning

Do not pass Go; do not collect $1000

  • alert
  • submit to reddit

Intelligent flash storage arrays

A recent advisory from GreyMagic Software demonstrates a minor file access vulnerability in Netscape and Mozilla for Windows, very much like the recent one affecting MS Internet Exploder.

No doubt it will be patched soon and without great difficulty. The potential for malicious exploitation is modest, and the installed user base, being a fraction of IE's, makes this item marginally newsworthy. Only Netscape has taken steps to make it particularly interesting by ostentatiously ignoring GreyMagic's attempts to elicit a response, and to claim the $1000 prize they believe they're entitled to according to the terms of the Netscape Bug Bounty program.

According to Netscape, "this bounty applies to only those bugs that are found in Netscape 6 or Netscape Communicator (excluding 3rd party software), and that allow the attacker to run unsafe code on the user's system and/or access files on the user's system."

This particular discovery would seem to satisfy those conditions. But GreyMagic says they contacted Netscape on 24 April through the CGI form on the Bug Bounty Web site and via e-mail memos to security@netscape.com and secure@netscape.com and have heard nothing in reply.

"By completely disregarding our post Netscape has earned themselves $1000 and lost any credibility they might have had. The money is irrelevant, but using such a con to attract researchers into disclosing bugs to Netscape is extremely unprofessional," GreyMagic says.

"Netscape is conning the security community by offering an imaginary $1000 for bugs such as the one we've published."

Or they're using it as a clever means to delay disclosure.

Netscape gives itself some wiggle room, declaring that a qualifying stuff-up must not be "a trivial threat (as judged by Netscape engineers fixing the bug)."

Trivial is a funny word which can mean almost anything. You can look at the script:

var oXML=new XMLHttpRequest();
oXML.open("GET","getFile.asp",false);
oXML.send(null);
alert(oXML.responseText);

and say, of course -- duh! -- and you might say it was trivial following comedian Rick Green's worthy dictum, "I've got a simple rule: if I can do it, it's not art."

But then if it really was trivial, we'd have heard of it long ago. So let's say it's simple, which is entirely different. Personally, I don't think Netscape gets to wiggle out of this with the triviality clause.

As for Mozilla, things have gone somewhat differently. Bugzilla was contacted only hours ago; and while the post was quickly yanked from public view, a Netscape engineer caught it, confirmed it, and has since contacted GMS.

So there might be some hope of claiming that whopping $1000 reward after all. The indictment here may not be of Netscape's response to vulnerabilities, but of the dead ends bug reporters are confronted with.

Yet notification is half the battle. If Netscape can't get that much right, we may have to consider dropping them from the Trustworthy Computing Pantheon. ®

Intelligent flash storage arrays

More from The Register

next story
Nexus 7 fandroids tell of salty taste after sucking on Google's Lollipop
Web giant looking into why version 5.0 of Android is crippling older slabs
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.