Disclosing Firefox add-on vulnerabilities - why this week?
May 31st, 2007 by Juha-Matti, Filed under: Web, Commentary, Culture, Corporate Security
Background:
A vulnerability in commercial add-ons (or extensions) from software vendors that do not host their extensions on https://addons.mozilla.org was reported on 30th May.
The answer is simple: the final release week of Firefox 2.0.0.4 and 1.5.0.12 was publicly announced by the Mozilla Foundation and several news sources in April. This was expected, because the supported lifetime of FF 1.5.x reportedly ends in May too, i.e. no further security and stability updates are coming for versions 1.5.x.
There are no updated add-ons available from the vendors mentioned by Mr. Soghoian. So the researcher possibly decided that disclosing this problem before the major security release of Firefox would help draw attention to the importance of this issue.
BTW, the response from Mozilla developers, released yesterday, is located here.
The following statement is a good signal from Mozilla developers:
For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels…
It appears that he was following the “All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors” guideline from CERT/CC since the “Mozilla Security Team was notified of this on April 16th” as opposed to trying to make a statement to coincide with a release date. (quotes from Notification of Vendors section of the advisory)