[N8 v2.0]

Mozilla Offers Rewards For Security Bugs
The maker of the open-source Firefox Web browser will pay $500 to those who discover and report significant security bugs.
InformationWeek | Aug. 3, 2004 | George V. Hulme

The Mozilla Foundation, makers of the Firefox Web browser, this week unveiled a program aimed at squashing security bugs in its open-source software.

The Mozilla Security Bugs Bounty Program will pay $500 to anyone who reports "significant security bugs" to the foundation. Foundation staff will judge which security bugs are significant enough to earn the cash prize.

The bounty program is seeking financial donations and is being seeded with funding from Linux operating system maker Linspire Inc. and venture capitalist Mark Shuttleworth. The foundation hopes to raise $10,000 in contributions by Sept. 1.

"The goal is pretty simple," says Chris Hofmann, the foundation's director of engineering. "We want to encourage people to find and report potential security issues."

Some security firms such as iDefense Inc. pay security researchers who provide them with newfound software vulnerabilities. But few, if any, nonsecurity software companies have programs designed to pay security researchers who spot vulnerabilities in their products.

Microsoft last year disclosed a cash bounty that would be paid to those who offer the software maker information leading to the arrest and conviction of virus and worm writers.

Security experts say the initiative could encourage more security researchers to comb through Mozilla's Firefox browser to uncover security holes that place Web surfers at risk of attack.

It could also encourage some to divulge the security flaws they uncover to the Mozilla Foundation, rather than simply publishing details about the flaws on the Internet before the foundation has had time to develop a patch to protect users from viruses and hacker attacks.

"This seems sensible. It is an incentive to those otherwise not inclined to disclose vulnerability in a productive manner to now do so," says Pete Lindstrom, director of research for Spire Security. "It provides a controlled process during the patch-creation process."

More information about the Mozilla Security Bugs Bounty Program can be found at www.mozilla.org/security.

 

[N8 v2.0]

Mozilla puts bounty on bugs
CNet News | 2 August 2004 | Robert Lemos

A string of high-profile flaws in browser software prompted the Mozilla Foundation to announce on Monday that it would offer $500 for every serious bug found by security researchers.

The announcement comes a week after the Mozilla Foundation, which directs development of the Mozilla and Firefox browsers and the Thunderbird e-mail client, confirmed that the group's browsers had two serious issues in dealing with digital certificates, the identity cards of the Internet. Last Friday, Microsoft fixed serious vulnerabilities in its Internet Explorer browser, some of which have been widely known since June.

"Recent events illustrate the need for this type of commitment," Mitchell Baker, president of the Mozilla Foundation, said in a statement. "The (program) will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers."

Linux software maker Linspire and Internet entrepreneur Mark Shuttleworth funded the new initiative, dubbed the Mozilla Security Bug Bounty Program. Linspire seeded the program with $5,000, and Shuttleworth promised to match the first $5,000 in public contributions to the program, the foundation stated.

"We (the Mozilla Foundation) are moving into our second year, and we are going back and reviewing all the programs in place that we had in the past and setting priorities for the next year," said Chris Hofmann, director of engineering for the foundation. "Security is an area that we are serious about, and we wanted to get the ball rolling." He added that the foundation will continue to look for more contributors to the program.

Hofmann said that despite the bugs, Mozilla's security is good. Some critics have maintained that Mozilla's software has at least as many vulnerabilities as Microsoft's and that the only difference between the two applications is that Microsoft is more popular, so more security researchers are trying to break it.

"The conventional wisdom is that if Mozilla had the same market share as Microsoft, we would have as many flaws found--we don't see that as the case," Hofmann said.

A representative of Microsoft could not immediately be reached for comment.

Few companies have offered rewards for pinpointing software vulnerabilities, and the rewards have almost always been paid by security companies for flaws in other companies' software products. The rewards are generally used by security companies to gain a competitive edge over rivals by having their products recognize more vulnerabilities. The rewards also convince some would-be intruders to give up some of the tricks in their tool kit for quick cash.


However, a $500 reward might not be very enticing--a point Hofmann acknowledges. "We don't have any intentions of increasing that amount," he said. "It is mostly a way to thank people who help us further the security of the product."

Microsoft does not give bounties to bug finders but did start a program that has posted three $250,000 rewards for leads on virus writers.

Currently, the Mozilla Web application--which includes a browser, e-mail, chat program, and Web page editing program--has reached version 1.7. The Mozilla Foundation's Firefox stand-alone browser and Thunderbird e-mail client are close to being complete and are already widely used.

 

[N8 v2.0]

Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
Secunia | 2004-08-03

A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.

The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.

The Mozilla user interface is built using XUL files.

A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website.

This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.

NOTE: This issue appears to be the same as Mozilla Bug 244965.

More: http://secunia.com/advisories/12188/