In-Reply-To: <20040730210508.GT19188 (at) securityfocus (dot) com [email concealed]>
"The security implications of
this trick were considered as early as 1999 in Mozilla Bug 22183
(http://bugzilla.mozilla.org/show_bug.cgi?id=22183). However, the
Mozilla Foundation has kept the Bug confidential until recently,
when a researcher noted the problem and published a
particularly-effective demonstration, spoofing a "PayPal" login
site (see http://www.nd.edu/~jsmith30/xul/test/spoof.html)."
5 years to fix a vuln? I am not sure if even Microsoft has been that slow to confront a security flaw. Has anyone heard an explanation as to why this was kept confidential and swept under the rug until now?
BTW: Thank you Mr. Smith for an excellent page.
Jo