Slashdot Mirror


2 Firefox Security Flaws Lead to Exploit Potential

Marthisdil points out a News.com story which reports that "Two vulnerabilities in the popular Firefox browser have been rated 'extremely critical' because exploit code is now available to take advantage of them." Security firm Secunia reported the vulnerabilities (and the "extremely critical" rating is theirs), but the News.com story points out that thus far, "no known cases have yet emerged where an attacker took advantage of the public exploit code."

Update: 05/09 20:20 GMT by T: Rebron of the Mozilla Foundation sends a correction; this is really the same flaw reported yesterday. He suggests that you glance at the Mozilla security alert on this hole (as well as other alerts at the Mozilla Security Center), and says "The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit."

2 of 417 comments

  1. Does this affect Mozilla also? by llzackll · Score: 5, Interesting

    I'm a Mozilla user. I don't use Firefox. I'm guessing that Mozilla is affected by this as well, but every time a security flaw is found, only Firefox is mentioned.

  2. Re: The many eyes theory does not hold true by Master+of+Transhuman · Score: 3, Interesting

    Red herring.

    Nobody has ever said that EVERY OSS project has "many eyes" ON the project.

    What has been said is that to the extent that the source code is included, and is available for perusal by those who KNOW how to do so, this is an extra safeguard since SOME people OTHER than the developers will examine the code - possibly for precisely such reason as security.

    And that is exactly what is proved by such incidents. Somebody examined the source code and determined there was a problem.

    They didn't have to wait on someone at Microsoft to do so.

    If anything in OSS can be complained about, it's the relatively poor amount of testing that seems to get done. Things like the dual-boot bug in Fedora last year should not happen.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!