A Bad Month for Firefox

marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."

Re:How is this bad?

[bunratty]

The only bad thing is that Michael Zalewski is not following Mozilla policy for reporting security bugs. He should first report them to Mozilla privately and give them some time to fix the problems. Instead, he publicly announces the vulnerabilities so the bad guys can exploit them before Mozilla has any chance to fix the problems. In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

Re:What's worse?

[kjamez]

The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?

i've been following this guy's postings on SF and bugtrac, and it's ridiculous. Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs ... the remote file upload keypress trap example comes to mind, and was an interesting POC to say the least. Some of the stuff is trivial and only comes with 'theoretical exploits', but are still potentially dangerous none the less. I was just thinking yesterday "wow, this guy really has it out for mozilla..." but like you said, it's good someone is finding these things now as compared to a 'blackhat' 0-day'er. And it's even better they are getting fixed, delayed release and all.

Re:Compelling reasons to switch to 2?

[kv9]

You're also missing the annoying UI design and worse performance.

I agree that the UI is not the most pretty thing ever envisioned (why does everyone go for ROUND shit now? let me guess, the UI designers have Macs) but performance wise it got better. also it's more stable and the integrated session management allows you to get rid of all the clunky extensions that tried to provide sessions (along with the kitchen sink)

there's also tabbed browsing improvements and other features. GP, check the changelogs.

Re:What's worse?

[gmack]

In the case of my patches, they were against [iirc] 2.6.18.2 not 2.6.19-rc2 or something. The last "." is supposed to be for incremental changes to reduce the time between major releases. It gives users a chance to try a work-in-progress kernel that has been through at least some testing. Otherwise, why even have the fourth level of releases?

That's not even close to correct. The last "." is so bug fixes can be added to a known stable branch. The shorter RC cycle (a month or two instead of a year or two) is what was supposed to reduce the time between major releases.

Re:No we're not

[Mateo_LeFou]

"Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period"

Conclusion? Apache has predictably reported more vulnerabilities than IIS versions over the same time period

FYP

Re:Compare against the best.

[omeomi]

But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated.

I use Firefox and Opera on Windows, Safari on OSX, and I have occasionally used Konqueror, but I'll admit, not as frequently. However, I've never noticed a perceptible difference in speed or obvious bloat between Firefox, Opera, and Safari. "quite slow" and "extremely bloated" are obviously complete fabrications...

Re:How is this bad?

[tetromino]

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

No. I would venture to say that most people here believe in giving Windows/IE/Java/Firefox devs a couple of weeks to fix a bug before going public. Coming up with a patch is the easy part. Any large project will need to look for related issues in the rest of the code, to do QA work to make sure the patch doesn't introduce new bugs or vulnerabilities, and to package the updates for all the different architectures and products that happen to be vulnerable. That process takes time; it is physically impossible for the Windows/IE/Java/Firefox team to release an update the same day you informed them about the issue. If you go public on the first day, you are just being an asshole.

That's a Live Bookmark

[ravenlock]

You've got a Live Bookmark to "Latest BBC Headlines." It's in the default installation. A live bookmark is basically the subject lines from an RSS feed in a submenu. Not very useful, but not exactly a bug either -- technically, you are subscribed to a feed, you just don't know it.

It's located in Bookmarks -> Bookmarks toolbar folder (at least on my installation), and in the bookmarks toolbar.

Re:WARNING: Firefox 1.5 vs. 2.0 :: Old vs. New

[suv4x4]

The defect information is fed back to the Toyota engineers, and they redesign the defective parts of the Camry. The third-year release of the Camry should be quite reliable. (Toyota [msn.com] has some of the highest rates of recalls [thestar.com] in the automotive industry. Toyota typically recalls nearly 10% of its vehicles -- versus "only" 7% for General Motors.)

If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5. The latest iteration is version 1.5.0.10. If you are still using Firefox 1.5, look under the "Help" option to find the option, "Check for Updates", which will enable your to upgrade to 1.5.0.10.

Don't you find your advice and your example conflicting. You're urging us to use the second-year release of Camry versus the third-year release.

Just because it was called "2.0" doesn't mean it's really that new compared to 1.5. In fact there were more changes to the core of Firefox between 1.0 and 1.5, than 1.5 and 2.0.

What you see are mostly changes on the surface: new (uglier) icons, new (uglier) tabs, couple of usability changes to the UI. The core is virtually unchanged (except the regular minor patches).

http://www.kb.cert.org/vuls/id/393921 is fixed!!!!

[mw22]

Ok, so it appears to be that bug is already fixed on the 2.0.0.2 release of Firefox.
So maybe the post can be updated?

Slight correction

[jesser]

first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release

The remotely exploitable flaw, bug 371321, was reported at 5:35 pm (California time) on Thursday. We had been planning to release Firefox 2.0.0.2 on Friday morning. After some discussion, we decided to go ahead with the release and then follow up with a quick 2.0.0.3 once we had a patch for the newly discovered hole.

After releasing Firefox 2.0.0.2, we realized that bug 371321 didn't affect it, thanks to another patch that went into Firefox 2.0.0.2 for non-security reasons. So although we didn't know it at the time, we released a fixed version of Firefox about 16 hours after the most serious hole was reported.

The testcase in bug 371321 did lead to a fix for a similar bug that existed on trunk, though.