By Carsten Eiram
A month ago, Secunia issued an advisory, SA38608, for a vulnerability reported in Firefox 3.6 by Evgeny Legerov and with an exploit bundled in VulnDisco Pack.
Some people were very eager to claim that this vulnerability report was fake - both on the Mozilla blog and on our own forum - but Mozilla has now fixed the vulnerability in its Beta build, and the fix will also be included in the upcoming version 3.6.2.
It was not surprising to see some people claim that the vulnerability report was fake. What did surprise was how weak the arguments were and how little the assumptions behind them had to rest on. They can roughly be summarised as:
1) The vulnerability report is fake because the researcher has not provided details to Mozilla.
2) The vulnerability report is fake because no public details are available.
3) The vulnerability report is fake because the reporter did not adhere to what is commonly referred to as "responsible" disclosure, hence he is a "blackhat", and hence he is not to be trusted.
At Secunia, we have great respect for Evgeny Legerov as a researcher with a solid track record when it comes to finding vulnerabilities. How he designs his business model or whether or not he chooses to adhere to "responsible" disclosure is not something for us to judge.
We consider Evgeny Legerov a credible source and he has cooperated with us on a number of occasions when we contacted him with questions for additional information during our verification process. He has similarly cooperated with other players in the security industry and software vendors. So far, he has not given us any reason to doubt him and, unless he one day does, we will continue to consider his vulnerability reports credible.
Let me take the opportunity to make it clear that if Secunia publishes an advisory, it is because we consider the vulnerability report valid (many reports are killed each day because they do not pass the verification process). If a Secunia advisory is published, the information was either confirmed in-house or comes from a trusted source (e.g. when a software vendor like Microsoft issues security bulletins - even then the fixes are analysed afterwards to determine whether we agree with the impact and rating, and to add further information).
Every day we test in-house all reported vulnerabilities for which sufficient information is available; for the remaining reports we contact both software vendors and researchers for additional information and clarification. It should, however, be noted that this additional information is sometimes provided to us in confidence and is, therefore, neither included in our advisories nor disclosed to anyone outside the Secunia Advisories team. Instead, the information is used to confirm the existence of the vulnerability, accurately assess the vulnerability report, and rate our advisory correctly.
There is a reason that Secunia is considered the most reliable source of Vulnerability Intelligence and has an almost flawless track record. So, unless you see hard evidence (not just weak arguments and assumptions) that what we have posted is "fake" or "a hoax", you can safely trust that since a Secunia advisory was issued, the vulnerability is real.
Chief Security Specialist