Justin Polazzo wrote:
5 Years to fix a vuln? I am not sure if even Microsoft has been that
slow to confront a security flaw. Has anyone heard an explanation as
to why this was kept confidential and swept under the rug until now?
BTW: Thank you Mr. Smith for an excellent page.
Sounds to me like sensationalist hyperbole more than it does that this
was "kept confidential". (I hardly call bugzilla confidential.)
This is not a vulnerability. This is an interface option that can be
used to carry out a forgery. The same can be done using the IMG tag.
Since I can use another company's logo on my "forged" site using the
IMG tag, are you then going to ask why it took the w3c over a decade
to remove the IMG tag vulnerability?
Give me a break...
-Barry
p.s. Don't get me wrong, this is a security issue that should be
fixed. At the very least, it should be possible to disable XUL or
limit it's usage. However, comparing this to the recent IE
vulnerabilities is poor judgement to say the least.