Netscape Nondisclosing Mozilla Security Bugs?
AP writes: "Mozilla developers are contemplating disclosing Mozilla security bugs only to a limited group of people, unavailable to the public until a fix is found, as indicated in this news post and the discussion thread. Are Mozilla developers missing the point of open source (implying open security bugs) or are they under pressure from Netscape? Tell Mozilla developers what you think." Please read this post from MozillaZine, in which it is explained that there is mere open /discussion/ about security and disclosure in the mozilla security newsgroup. Thanks to Hard_Code for the hook-up.
On the other hand if the script kiddies already have an exploit for a hole then not telling sysadmins about the problem is obviously counterproductive.
So, limit it to 48 hours, and only apply the embargo if the knowledge is not already available in the cracker community.
Paul.
You are lost in a twisty maze of little standards, all different.
You find a bug that is a security risk and it's either:
A) a major hole (lets a remote user run any code as root)
B) a minor hole (you build a stack frame that may get called one time in a billion only if syslog times out when the moon is full)
Then you can tell the development team, which can:
A) ignore you
B) start working on a quick fix
C) start working on complete fix
If the bug is like A:A then some script kiddie will find it and make your day worse, but things like B:C are a real pain to fix correctly and they may need time to think about the situation and then take corrective measures while discussing solutions that don't open up other holes.
I think they are right in holding back major security holes but when you report the bug you should get a message back saying:
"Your bug has a number of security related issues and we feel that telling the world at this time will result in a number of systems being compromised; therefore we ask you to please wait till [a date a few days away] before disclosing this to sources that may result in exploits becoming widely available. We have set up a special open mailing list for this bug at bug76347634@just.a.dot.com."
I would accept that as reasonable.
I think this is behaving in a responsible way towards users of the software. The Apache group work in a similar fashion; from the Apache website:
Reporting Security Problems with Apache
The Apache Group takes a very active stance in eliminating security problems and denial of service attacks against the Apache web server. We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum. The mailing address is: I-found-a-security-problem-in-the-apache-source-code@apache.org. We cannot accept regular bug reports or other queries at this address, we ask that you use our bug reporting page for those. All mail sent to this address that does not relate to security issues will be ignored.
Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs.
stty erase ^H
Anyway, this isn't anything to get upset about. If you actually bothered to read Bugtraq, you'd see that this is pretty standard practice.
Most of the time, when an exploitable bug is found, the vendor is contacted first and is given some time to come up with a fix. Sometimes a workaround is posted along with the exploit.
Bottom line: making the world aware of a problem there isn't a fix for is usually bad policy. Don't give me that 'we have a right to know' crap. If you want to know, go and find the bugs yourself. Because otherwise, if you know, so do a million script kiddies. And telling people not to use Netscape whilst a fix is being worked on is hardly doable.
*borkborkbork*
Look, the point of open source software is that it is analogous to the scientific concept of "peer review". You'll notice that there is no scientific concept of "review by every lugnut who knows ftp". That's because scientists aren't prey to these libertarian/egalitarian visions in which "everyone can contribute". The fact is that the marginal contribution beyond the first hundred or so developers is pretty negligible.
You have to think in terms of marginal benefit versus marginal cost. The Mozilla developers may not be super l33to sk33to, but they're at least competent to work on Mozilla. The various long-haired lugnuts, slashbots and script kiddies who will be filling up this thread with karma-whoring sermons on "give us the source!" are massively unlikely to add anything to the exercise but noise.
This is the way forward. Open source, but peer review only during development. With a defined way to get into the "peer group". Thus shutting out the whiners and lamers, and not letting the whole product be compromised by someone's exploitation of a bug that they had no business seeing.
What if someone found a hole in Apache? Should they post it far and wide, or should they quietly pass it along to the main developers so that the hole can be closed before half the world's websites are replaced by "ThiZ Site HAXed by KeWl d00d"?
It should be openly published. Nobody can know for sure that they are the first to discover the bug. It could've been circulating in hidden circles for years - without anybody knowing.
It is blatantly disrespectful to the customers not to open the bugs to the community. Only that way can they secure themselves.
--
Rune Kristian Viken
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
*sighs* OK, here we go again.
1) Not disclosing a security hole does NOT make it go away.
2) Software developers don't always know all the security holes being actively exploited. It is entirely possible that the hole we're being 'protected' from is in fact being exploited in the wild, and the only thing that's accomplished is we're not being careful in our use of the product until it can be patched.
3) Non-disclosure tends to slow the repair of security holes in any environment, never mind open source, where your very strength is in your userbase.
I personally would be in favor of draconian disclosure. When a security bug is discovered, pop up a dialog box, forcing me to read about the advisory and 'continue at own risk' until a fix can be developed and a notice of said fix distributed using the same draconian alert box.
That way everyone who uses the product (rather than just those of us who read full disclosure lists like Bugtraq) knows exactly what is going on and can change their habits accordingly. Additionally you'll have every open source programmer on the planet competing to squash the bug.
Seems like a no-brainer to me, people.
---
Remove the rocks from my head to send email.
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Everyone is whining about "security through obscurity". Well, sorry, the other forms of security are already gone -- that's what it means that there's a security bug. Security through obscurity is better than nothing.
Unlike closed source projects, even a general description of the problem might be enough to find the exact bug, and to develop an exploit for an open source project. This means that it's even more critical that the nature of the bug isn't leaked until a solution or work-around is known.
What if someone found a hole in Apache? Should they post it far and wide, or should they quietly pass it along to the main developers so that the hole can be closed before half the world's websites are replaced by "ThiZ Site HAXed by KeWl d00d"?
Bruce Schneier addressed this in a recent Crypto-Gram. See: http://www.counterpane.com/crypto-gram-0001.html
Of course, there is the possibility of Netscape taking the Microsoft approach -- just ignore it until actual damage is caused -- but I think this is unlikely. They are already agreeing that the bugs need to have a distribution other than Netscape only. I think it's pretty unlikely they would let security bugs be swept under the rug.
--Kevin
Mozilla is still under development and should not be treated as a release product. Security bugs should be published openly to ensure the fastest and most robust fix possible. There is no sense in concealing information about a product still under development.