Mozilla challenges security researchers, says Firefox exploit reports are false
If a bug in a program makes it possible for that program to crash, is that a vulnerability? Mozilla is saying "no" to that this morning, claiming that recent warnings, including one issued Friday by the US Dept. of Homeland Security, are exaggerations.
"While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug," reads a blog post yesterday from Mozilla Vice President of Engineering Mike Shaver. "Our analysis indicates that it is not, and we have seen no example of exploitability."
There's definitely a problem, Mozilla acknowledges: a string buffer overflow in Windows versions of Firefox, affecting both the 3.0.x and 3.5.x series. That problem can cause the browser to crash, but Mozilla says there is no proof anywhere that it can be exploited. This despite IBM ISS's "High" severity rating for the alleged exploit, and a proof of concept published by SecurityFocus that can trigger the crash.
Trigger the crash, yes, but that's all. By Mozilla's definition, an exploit is something that goes beyond the crash -- for instance, the ability to run arbitrary executable code without obtaining privilege. And that's not what's happening here. Indeed, all the researchers' code does is trigger the crash.
Last Friday, Mozilla rushed to distribute its first 3.5 bug fix, in the wake of proof-of-concept code that actually did run executable code -- a true exploit. Sources noted that the bug in question had actually been in the Bugzilla database for several days, and some argued that Mozilla should therefore have already known about the vulnerability. But the exploit was not known or available that long ago, and there's the difference.