Mozilla's security chief this week attacked as 'low-level' the Firefox bugs we revealed this week as low-level threats. Hours later Mozilla's chief security officer Window Snyder changed her mind and said that when used together, they could pose a greater risk.
Full story here: Critical bugs found in Firefox and IE
Michal Zalewski, who regularly publishes browser flaw findings, this week posted details on the Full-disclosure mailing list about four browser vulnerabilities, including two affecting Firefox. He categorized one as a "major" threat, and he saw the other as only a "medium" threat.
Syder initially said the more serious of the two bugs found by Zalewski was no more than a spoofing vulnerability and deserved only a "low" rating.
"This is unsafe because it could be used to lure a user to enter content into the spoofed frame, but does not result in code execution," said Snyder. "[For example], this might be used with phishing attacks."
But Zalewski's said that the flaw could be used to stick malicious code onto the victimised computer. "By my book, [this is] more serious than just spoofing, so I marked it as 'major,' whereas Mozilla still considers it to be a typical case of spoofing ('low')," said Zalewski in an email interview yesterday.
"But it would be inaccurate to say that Window's assessment contradicts my analysis."
Snyder later updated her blog, saying that upon further review, "these two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to 'medium'".
Zalewski dismissed the idea that he and Mozilla's Snyder were at odds, and instead turned attention to what he thinks is most important.
"All in all, I think we pretty much agree here," he said. "The big issue [of the four vulnerabilities] was the Microsoft Internet Explorer flaw. The other three are important, but not critical."
According to entries in Mozilla's Bugzilla, the more serious of the two Firefox flaws has not yet been assigned to someone for a fix. Snyder, meanwhile, said that the Mozilla security team is looking into changes to improve content handler management, the root cause of the bug she pegged as "low."
Zalewski this week also noted on the Full-disclosure mailing list that it appears Apple's Safari browser is also vulnerable to same bug he found in IE6 and IE7 and labelled "critical". Tuesday, Kevin Finisterre, a researcher known for the "Month of Apple Bugs" project in January, confirmed Zalewski's Safari suspicions.
Apple officials did not reply to a request for comment.