Fog Creek Software
Discussion Board

When does a "bug" become a "security issue"?

This recently reported "security issue" in FireFox reported:


seems to do nothing more than open up a "Windows Explorer" window at the specified folder location (or, in the case of the last example, they say it can crash the system, but this didn't happen on my version of FireFox, which was supposedly an affected version).

Can somebody please explain to me how this can possibly be interpreted as anything more than a simple bug in the case that it crashes the system, because I have failed to think of any possible ways that a malicious user could gain anything by putting a link to shell:windows on their homepage.

At first I thought his example of putting a document in an IFrame on the page would allow the site to use JavaScript to read the contents of that document, but on my system (FireFox 0.9) that page actually causes an instance of IE6 to open with the specified page. So obviously that isn't possible.

So please tell me why this is classified/reported as a security issue when it is simply a bug?

Saturday, July 10, 2004

Here's a simple test:

1)  Are people going to ignore it because they're too lazy to download the patch?
2)  Can it make it onto the nightly news?
3)  Will it start a flame war on JOS or Slashduh?

If you can answer 'yes' to those questions, you've got a security issue, and not a bug.

Cap'n Kirk
Sunday, July 11, 2004

It's a security issue when it compromises your security.

This issue can allow a server to run arbitrary code on your machine.

Ori Berger
Sunday, July 11, 2004

If it can open IE, that is a security issue :)

Stephen Jones
Sunday, July 11, 2004

Yes, once something manages to open an IE window, considering how troublesome IE is, it is now a security issue.

Sunday, July 11, 2004
