Slashdot Mirror


A Security Bug In Mozilla - The Human Perspective

xslf writes "Alex Vincent, the reporter of the data-loss security bug 259708, writes about the behind the scene process of reporting it, casting light on the problems of dealing with security related bugs reported by the community, which isn't always aware of the security implications of the bugs reported. The issues with the FLOSS process shown in this bug might get worse, once more and more people use FLOSS and add to the process, without being full fledged coders, and rely on binary releases of software." (Note, you'll have to copy and paste that link to view the bug report, or click through from the linked story.)

3 of 321 comments (clear)

  1. Give us CHROOT! by freelunch · · Score: 4, Interesting

    Running Mozilla or Firefox in a chroot environment would greatly enhance security.

    I recently tried to get this working but didn't have much luck (haven't given up yet). There isn't much info on the web.

    I currently run Firefox under a separate user ID, which is better than the default.

    Any suggestions to get chroot working with Firefox?

  2. Re:IAAPST (I am a professional software tester) by jesser · · Score: 4, Interesting

    Allowing votes might encourage "advocating" bugs, but at least the noise is in forums and in vote counts, not in bug comments. And since I seem to be the only person working on Firefox who looks at vote counts, noise in vote counts isn't a big deal. (I use vote counts to speed up searches for common/popular bugs, and sometimes to decide what to work on.)

    --
    The shareholder is always right.
  3. Re:Hypocrisy by The+Bungi · · Score: 4, Interesting
    Now, this is a problem because many Windows users use versions of Windows which are obsolete: 98SE, ME, 2000. When Longhorn comes, this trend will of course hold true: people don't rush to the stores to buy the newest Operating System version. This means that people will be using still old versions of MSIE long after IE7 comes, which will, of course, be unsupported by MS because they don't want to trail support for 5 or 10 different versions of a single product

    I don't contest what you're saying, and personally I think it's a bad idea from Microsoft, assuming it actually happens. But I find this argument quite interesting.

    Let's assume for a second that Mozilla becomes the most widely used browser in the world (for whatever operating system). 100 million people download and install it. And then someone finds another serious vulnerability with it. The Mozilla folks patch it. Then what? 20 million people upgrade, and 80 million don't. What then? The exploits come. How does Mozilla handle this? Because they're going to have exactly the same type of problem Microsoft has today: people who just don't give a damn if their computers are turned into spam zombies or get bogged down with malware. These are the people from whose machines you and I still get those stupid mass-mailing worm messages, and of course spam.

    Mozilla can very well damn rewrite the entire Gecko codebase and it will do them absolutely no good. Just like Microsoft with IE. With the small distinction that Microsoft does still support three versions of IE, while Mozilla likely won't even go there.

    Today you can find thousands of Linux machines out there that have year-old holes in Sendmail, SSH and the kernel itself. It's just that very few of them are being run off Comcast cable modems and virus writers just don't see much value in taking them over. It's no different from Windows.

    Even if Microsoft decided to bite the bullet and support seven versions of IE, I doubt it would do much good. What they can do is "force" users to upgrade to minimize the problem, which is what people around here call "the upgrade train" and is exactly what RedHat started doing with their corporate customers because support costs are prohibitive. And that's what Mozilla will have to do ("we don't support version X anymore, sorry. Upgrade to Y now!") because there's no other way to approach it.

    And BTW, the fact that some obscure company decided to "support" older versions of RHEL means nothing in the desktop/home user space, so "having the source" is useless.

    The people who write free software seem to think they can engineer all these problems away by writing "cool code" and making it "absolutely secure" from the get-go. That's not going to happen. They're still finding bufer overflows in Sendmail, for crying out loud. No, they're going to be in the same situation as Microsoft is today and they're going to get the same beatings left and right. I really hope I get to see that, if only for the chuckles.