Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Bad Month for Firefox

Posted by CowboyNeal on from the and-its-bugs dept.

marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."

7 of 195 comments (clear)

  1. Re:How is this bad? by bunratty · · Score: 5, Informative

    The only bad thing is that Michael Zalewski is not following Mozilla policy for reporting security bugs. He should first report them to Mozilla privately and give them some time to fix the problems. Instead, he publicly announces the vulnerabilities so the bad guys can exploit them before Mozilla has any chance to fix the problems. In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  2. Re:What's worse? by kjamez · · Score: 4, Informative

    The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?
    i've been following this guy's postings on SF and bugtrac, and it's ridiculous. Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs ... the remote file upload keypress trap example comes to mind, and was an interesting POC to say the least. Some of the stuff is trivial and only comes with 'theoretical exploits', but are still potentially dangerous none the less. I was just thinking yesterday "wow, this guy really has it out for mozilla..." but like you said, it's good someone is finding these things now as compared to a 'blackhat' 0-day'er. And it's even better they are getting fixed, delayed release and all.
    --
    you can't have everything, where would you put it?
  3. Re:Compelling reasons to switch to 2? by kv9 · · Score: 5, Informative

    You're also missing the annoying UI design and worse performance.

    I agree that the UI is not the most pretty thing ever envisioned (why does everyone go for ROUND shit now? let me guess, the UI designers have Macs) but performance wise it got better. also it's more stable and the integrated session management allows you to get rid of all the clunky extensions that tried to provide sessions (along with the kitchen sink)

    there's also tabbed browsing improvements and other features. GP, check the changelogs.

    --
    Stop Computers/Cars Analogies on S
  4. Re:No we're not by Mateo_LeFou · · Score: 5, Informative

    "Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period"

    Conclusion? Apache has predictably reported more vulnerabilities than IIS versions over the same time period

    FYP

    --
    My turnips listen for the soft cry of your love
  5. Re:Compare against the best. by omeomi · · Score: 5, Informative

    But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated.

    I use Firefox and Opera on Windows, Safari on OSX, and I have occasionally used Konqueror, but I'll admit, not as frequently. However, I've never noticed a perceptible difference in speed or obvious bloat between Firefox, Opera, and Safari. "quite slow" and "extremely bloated" are obviously complete fabrications...

    --
    ZuluPad, the wiki notepad on crack
  6. Re:How is this bad? by tetromino · · Score: 5, Informative
    In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.
    So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

    No. I would venture to say that most people here believe in giving Windows/IE/Java/Firefox devs a couple of weeks to fix a bug before going public. Coming up with a patch is the easy part. Any large project will need to look for related issues in the rest of the code, to do QA work to make sure the patch doesn't introduce new bugs or vulnerabilities, and to package the updates for all the different architectures and products that happen to be vulnerable. That process takes time; it is physically impossible for the Windows/IE/Java/Firefox team to release an update the same day you informed them about the issue. If you go public on the first day, you are just being an asshole.
  7. Slight correction by jesser · · Score: 4, Informative

    first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release

    The remotely exploitable flaw, bug 371321, was reported at 5:35 pm (California time) on Thursday. We had been planning to release Firefox 2.0.0.2 on Friday morning. After some discussion, we decided to go ahead with the release and then follow up with a quick 2.0.0.3 once we had a patch for the newly discovered hole.

    After releasing Firefox 2.0.0.2, we realized that bug 371321 didn't affect it, thanks to another patch that went into Firefox 2.0.0.2 for non-security reasons. So although we didn't know it at the time, we released a fixed version of Firefox about 16 hours after the most serious hole was reported.

    The testcase in bug 371321 did lead to a fix for a similar bug that existed on trunk, though.

    --
    The shareholder is always right.