Download Index

In-Depth Reviews

Tips & Tutorials

Updates

News

Browsers

Chat / Conferencing

Desktop Utilities

Development

Internet Apps

Multimedia

OS Service Packs

Productivity Tools

Download of the day • Internet Explorer 8

Most Popular Software Downloads • Mozilla Firefox 3.0 • Adobe Reader • Ad-Aware 2008 Free • QuickTime for Windows • Internet Explorer 7 • Paint Shop Pro • Windows Live Suite • AVG Anti-Virus Free • Opera • CCleaner (Crap Cleaner) Most Popular Software Articles • Windows Vista Tips & Tricks, Part 1 • Windows Vista: Worthy of the Hype? • Windows Wireless Zero Configuration: Five Steps to Sanity

Mozilla: Dollars for Security Bugs
Bounty for Newly Discovered Critical Security Flaws
Ryan Naraine

With the threat of malicious intrusion escalating, the open source Mozilla Foundation is putting a price tag on the discovery of critical security flaws in its browser projects.

With financial backing from Linux vendor Linspire (formerly Lindows) and South African venture capitalist Mark Shuttleworth, Mozilla has launched the "Mozilla Security Bug Bounty Program" to dole out a $500 cash prize to users reporting critical security bugs.

Information about which bugs are eligible and how to claim the bounty has been posted to the security section of Mozilla's Web site.

The Mozilla Foundation, launched by Netscape in 1998 as a distributor of open source software, is responsible for the creation of the Mozilla Web and e-mail applications suite that includes the flagship Firefox browser and Thunderbird email client.

"Identifying software security vulnerabilities requires constant vigilance, and preventing those issues from becoming problems necessitates a dedicated effort to provide quick and effective responses," Mozilla said.

"Recent events illustrate the need for this type of commitment. While no software is immune from security vulnerabilities, bugs in open source projects are often identified and fixed more quickly," said Mozilla president Mitchell Baker.

Baker was referring to the spate of malicious hacker exploits targeting Web browsers like Microsoft's (IE) and Firefox.

"The [bounty program] will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers."

He described the bounty program as an "additional mechanism" for identifying potential vulnerabilities in Mozilla's products.

The launch of the bounty program comes on the heels of a public warning that a "highly critical" security hole in the Netscape and Mozilla browsers could put users at risk of computer takeover.

Security research firm Secunia has also issued an advisory for a separate flaw with a "moderately critical" rating that could lead to URL spoofing, exposure of sensitive information, denial-of-service (define) and system access via the Mozilla, Firefox, and Thunderbird products.

The latest batch of flaws could open the door for malicious POP3 mail servers to cause heap overflows in Mozilla to obtain system access. Attackers can also manipulate Web pages to appear to be encrypted and present the certificate of another site.

"Mozilla doesn't verify if stored credentials should be used for an HTTPS or HTTP connection. This can potentially lead to the password being sent over an unencrypted HTTP connection," Secunia said in its alert.

The Mozilla Foundation has fixed all identified vulnerabilities in Mozilla 1.7 and higher, Firefox 0.9 and higher, and Thunderbird 0.7 and higher, according to the company.

News courtesy of internetnews.com

August 5, 2004

Download Mozilla Now!

Download Mozilla Firefox Now!

Download Mozilla Thunderbird Now!

View All Web Browsers

Contents:
1. Bounty for Newly Discovered Critical Security Flaws

Additional Articles: