Alex K. wrote:
> There are some very old (> 2 years) security bugs in Bugzilla that have
> been publicly accessible for over a year, but their proofs of concept
> (exploit testcases) are still not publicly accessible.
>
> I assume this is an oversight, because the testcases were added as
> attachments to individual comments.

No oversight, we keep some testcases private on purpose. We have an overwhelming bias toward openness in the Mozilla project, so we don't do it lightly. That bias for openness is why, for instance, we don't also hide the comments that mention the testcases. We're not hiding the fact that we're hiding something; we can defend it and are open to people keeping us honest by questioning it.

1) We will never release a full working exploit. We've learned the hard way that when we do we end up seeing them used in the wild.

2) Sometimes the testcases are provided by people or organizations who don't want us to publish their work. This is mostly the same as reason 1 except it's their judgment rather than ours.

3) Since people don't upgrade immediately (although it is pretty quick to get 90% of people) we sometimes keep proofs-of-concept private for a few weeks after the release to give people a chance to upgrade before the black-hats can figure out how to graft on an exploit. Once most people have upgraded there's not a lot of motivation for the black-hats to work up the exploit. Sometimes we get busy and forget to go back and unhide this class later. If the way to use a vulnerability is obvious from the patch or bug description we'll usually publish the testcase with the release anyway. If hiding doesn't give any actual benefit then openness wins.

4) If the testcase embodies a unique, generally unknown technique that might apply to other vulnerabilities we try to keep that quiet until we can make sure we don't have other problems in that area, and to prevent giving new tools to black-hats.

Even though _most_ people upgrade immediately, we still appear to have a million or so users on Firefox 1.5.0.x and two million or so on down-rev versions of Firefox 2. As a percentage of Firefox users that's fairly small, but it represents a lot of at-risk people if we start handing presents out to the black-hats.

> 1. Mozilla Foundation Security Advisory 2006-05
> https://bugzilla.mozilla.org/show_bug.cgi?id=319847
> Reported December 2005, security tag removed April 2007
> Exploit test cases as attachments in comments #1,2,6,9,15

This is a working exploit, although it was fixed way back for Firefox 1.5.0.1 and could probably be opened on those grounds. But it also has implications on still-secure https://bugzilla.mozilla.org/show_bug.cgi?id=295994

> 2. Mozilla Foundation Security Advisory 2006-24
> https://bugzilla.mozilla.org/show_bug.cgi?id=327126
> Reported February 2006, security tag removed April 2007
> Exploit testcases as attachments in comments #1,24

Only one testcase; the attachment numbers are the same. It's a working exploit, but old and fairly isolated. I'll look into whether we can safely open this one.

-Dan Veditz

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
