Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

From: Sam Greenfield (sam_greenfield@SIMAIL.COM)
Date: 05/01/02


Date:         Tue, 30 Apr 2002 20:14:09 -0400
From: Sam Greenfield <sam_greenfield@SIMAIL.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

GreyMagic Software writes:
> Discovery date: 30 Mar 2002.
[...]
> Netscape was contacted on 24 Apr 2002 through a form on their web
> site and through email to security@netscape.com and
> secure@netscape.com. They did not bother to respond AT ALL, and we
> think we know why.

It seems a bit irresponsible to report a bug in a product to the
vendor almost one calendar month after discovering a security
hole. Is there any reason why GreyMagic decided not to report this
bug sooner?

For what it's worth, according to the Bugzilla database, this was
entered as a bug in the underlying Mozilla code on April 29, the third
business day after GreyMagic reported the bug.

For full details, see
http://bugzilla.mozilla.org/show_bug.cgi?id=141061 (When it was
created, the bug report was marked "Security-Sensitive" due to the
fact that this was a security issue.) The bug is marked as a
critical, high severity bug, and a fix is desired for the first full release
of Mozilla.

> Users of Netscape Navigator should move to a better performing, less
> buggy browser.

What browser GreyMagic does recommend?

> By completely disregarding our post Netscape has earned themselves a
$1000
> and lost any credibility they might have had. The money is
irrelevant, but
> using such a con to attract researchers into disclosing bugs to
Netscape is
> extremely unprofessional.

I'm also a little surprised that GreyMagic expected an immediate
response and an immediate payoff. It has only been four business days
since they reported this bug to Netscape.

                                                                Sam
Greenfield

n.b. I have no affiliation with the Mozilla projects--all of my
information is gleaned from the public Bugzilla website.



Relevant Pages

  • Re: [patch] scsi: revert "[SCSI] Get rid of scsi_cmnd->done"
    ... Noone knows how many thousand bug reports have never reached lkml ... filing or get back to terminate the report. ... But I would like kernel people to become less egocentric ... Send _one_ email to lkml and you'll get forever spam to this address. ...
    (Linux-Kernel)
  • Re: 2.6.25-rc8: FTP transfer errors
    ... Yes, Mark, we used to do things that way for every bug in the kernel. ... We should be very careful about git-bisect. ... the developers, because when they think they might have fixed it, ... But I know that a report is a report, and even if I have a ...
    (Linux-Kernel)
  • Re: [patch] scsi: revert "[SCSI] Get rid of scsi_cmnd->done"
    ... Noone knows how many thousand bug reports have never reached lkml ... filing or get back to terminate the report. ... But I would like kernel people to become less egocentric ... Send _one_ email to lkml and you'll get forever spam to this address. ...
    (Linux-Kernel)
  • Bugfix(59/8=APNIC), math jobs (was: JDEE/CGI/flashcards ...)
    ... bug report so I could fix the problem quickly. ... > Note that I said it "looks" incomplete and buggy, ... > high math skills. ...
    (comp.lang.lisp)
  • Re: Linux 2.6.21
    ... The kernel Bugzilla currently contains 1600 open bugs. ... Adrian, why do you keep harping on this, and ignoring reality? ... I suspect some bug reports get ignored deliberately. ... engage some developers on a bug report. ...
    (Linux-Kernel)