Risk
7/30/2008
07:56 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Radware Reveals Critical Vulnerability In Firefox 3

Well, not exactly "critical." But there is a flaw. And there is no patch. And so Radware demonstrates how many security vendors push their gear by spreading fear, uncertainty, and doubt on the user community.

Well, not exactly "critical." But there is a flaw. And there is no patch. And so Radware demonstrates how many security vendors push their gear by spreading fear, uncertainty, and doubt on the user community.Radware's bug find, according to Radware, is a "vulnerability that may cause application Denial of Service (DoS) in Firefox 3, Mozilla's latest Web browser application."

This sounds very scary, huh? A critical DoS in Firefox. And Radware's PR firm wanted to make certain that I understood the world was coming to an end. Here's how they introduced the criticality of the issue before us today:

"While we often like to assume there is safety in numbers, such an argument may not apply for today's Web browser environment. In their ongoing security efforts, Radware announced that it has discovered a critical vulnerability in the Firefox 3 Web browser application by Mozilla. Firefox 3 recently set a new Guinness world record for the most software downloads in a 24-hour period with 8,002,530 downloads of the software upon its launch this summer.

Upon reading this, I immediately rushed out to see if there was a patch. Nothing. I then went to some security bulletin boards. Again, Nothing.

The only fixed proffered by Radware was to, and this is a shocker, use its security gear:

Immediate protection from this vulnerability is available as part of Radware's Security Update Service (SUS), which seeks to safeguard customer infrastructures in advance of public disclosure of the flaw.

I sat at my desk, and I wondered for awhile: should I yank my modem cable out the wall?

Nah.

It was some time later in the morning when Mozilla spoke up, and they labeled the vulnerability as being low. From Mozilla's Security Blog:

Impact: If a user browses to a malicious page that takes advantage of this vulnerability, the browser will crash. A feature in Firefox called Session Restore will restore the browser session when Firefox is restarted and will likely save user-typed content in text areas as well. This feature is designed to save users' work in the event of a crash or browser restart.

Status: This issue is currently under investigation. Mozilla has assigned this bug an initial severity rating of low because of the minimal security risk to users.

So what we have here is a flaw in Firefox that could crash the browser, and any data managed by the browser in RAM may go poof. But that data would be restored, according to Mozilla, by its Session Restore feature.

So where's the criticality? Where's the big-time remote insertion of code? Authentication escalation? Folks, it doesn't seem to be there.

In fact, I just haven't been able to find anything in this vulnerability find worth causing a ruckus about, let alone announcing to the world.

What Radware has done is serve us a bad dish of fear, uncertainty, and doubt; aka: FUD. And it's a marketing tactic designed to sell equipment, or influence the market by muddying facts and spreading fear. And this vulnerability announcement, dubbed "critical" and dumped on the industry without a patch, work-around, or co-coordinated disclosure with Mozilla, is FUD at its worst, and a marketing cheap shot.

And Radware chose -- a security company actually thought it through and consciously decided -- to hype up a low-risk flaw as a critical flaw without offering any fix. And they did this on the very same week that organizations and ISPs are rushing to fix and patch a real risk, the DNS vulnerability. And they chose to do this a day after Oracle users had to start grappling with the full disclosure and exploit-code release against their WebLogic Servers.

Vendors that act this way care more about their marketing efforts than they care about their customers and prospects.

And when I approached Radware to substantiate why their press release is more than FUD, this was their response:

"Radware has no further comment beyond what's in the press release."

Wow.

Seems, to me at least, to be pretty shabby form for a company that purports to help companies better secure their infrastructure.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.