September 14, 2005
This article was contributed by Jake Edge.
Tom Ferris announced a potentially exploitable buffer overflow in Firefox
this week, and the discussion surrounding the flaw has focused on the
nature of the announcement more than on the bug itself. Advocates of full
disclosure and those opposed to it have clashed on various internet sites.
The bug is in the handling of international domain names (IDN), and the
proof of concept released by Ferris is a specially crafted URL that will
cause Firefox 1.0.6 and earlier to crash. Unlike other similar bugs, the
user does not need to follow the link; merely rendering a page that
contains the URL will cause Firefox to crash. It is not yet known whether
a malicious person can exploit this to execute arbitrary code on the host,
but Ferris claims in his bug report that it can be done.
A workaround that disables IDN parsing was quickly released by the Mozilla
team, and both Red Hat and Fedora released updates to fix the buffer
overflow.
Complaints have been heard about the amount of time Ferris gave to
the Mozilla team to fix the problem before he announced the flaw on
the full-disclosure mailing list. His report states that he reported
the problem on September 4, but the entry in bugzilla was made on
September 6. He disclosed the problem on September 8 before a fix was
available and many people find that to be irresponsible.
Full disclosure is a contentious issue and many people argue that security
flaws should be reported to the author of the software, and that they should
be given a 'reasonable' amount of time to investigate and fix the problem
before it is announced to the world. The presumption is that the delay
reduces or eliminates the possibility of an exploit being crafted while
the program is vulnerable. The proponents of disclosure point out that
it is quite possible that other people, possibly having bad intentions,
know about the flaw already and
are working on exploits or have already deployed them. Even if there is
no known exploit 'in the wild', security-conscious users may wish to
stop using the affected program until it can be fixed, and without disclosure
they do not have the information necessary to take that step.
An additional complication arises because Firefox has been touted as a
more secure alternative to Internet Explorer, and many less technically
savvy people have installed it.
These users do not tend to frequent LWN or other sites that
report on security issues and, unfortunately, are likely to ignore
the problem even if they do find out about it. This problem is not
unique to Firefox, of course, nor to free software in general, but as
free software extends its reach, it is a problem that needs to be
addressed. A widespread exploit in a free software package, even if
the vulnerability has already been fixed, will provide the competition
with ample opportunities to suggest that all free software is insecure.