Mozilla cross-site scripting vulnerability

I’ve been taken to task on occasion for only reporting Windows issues. Well, the fact is, that’s what concerns me the most. But this Secunia advisory got my attention because I use Mozilla (well, Firefox) a lot. Not to the exclusion of IE but a lot.

The flaw’s supposedly caused by a race condition which will allow a script from a previous page to be executed in the current page’s context. It’s supposed to be fixed in V1.6b of the Mozilla Suite.

I notice that the Mozilla site doesn’t say anything about the flaw or its resolution and the current full Win32 download is tagged as being version 1.6 (note, no “b”). Matter of fact, 1.6b was released BEFORE the current release, back in December. The bug was reported on December 2 and a fix was submitted on the 3rd but there was a lot of discussion in the bug report about whether it should be “revealed” until all versions are fixed. Then, on Feb. 25, they finally say it’s fixed and we get the security alert. Isn’t that backward? Aren’t we supposed to know about these things earlier?

(OK, Chuck, you happy now?)

2 thoughts on “Mozilla cross-site scripting vulnerability”

  1. Actually, I understand and agree with the process (to not disclose the bug until it is fixed) no sense in giving the virus jerks a head start.

Leave a Comment