Mozilla's security chief this week attacked as 'low-level' the Firefox bugs we revealed this week as low-level threats. Hours later Mozilla's chief security officer Window Snyder changed her mind and said that when used together, they could pose a greater risk.
Full story here: Critical bugs found in Firefox and IE
Michal Zalewski, who regularly publishes browser flaw findings, this week posted details on the Full-disclosure mailing list about four browser vulnerabilities, including two affecting Firefox. He categorized one as a "major" threat, and he saw the other as only a "medium" threat.
Syder initially said the more serious of the two bugs found by Zalewski was no more than a spoofing vulnerability and deserved only a "low" rating.
"This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution," said Snyder. "[For example], this might be used with phishing attacks."
But Zalewski's said that the flaw could be used to stick malicious code onto the victimised computer. "By my book, [this is] more serious than just spoofing, so I marked it as 'major,' whereas Mozilla still considers it to be a typical case of spoofing ('low')," said Zalewski in an email interview yesterday.
"But it would be inaccurate to say that Window's assessment contradicts my analysis."
Snyder later updated her blog, saying that upon further review, "these two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to 'medium'".