Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Bad Month for Firefox

Posted by CowboyNeal on from the and-its-bugs dept.

marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."

5 of 195 comments (clear)

  1. Bottom line by AndyBassTbn · · Score: 5, Insightful

    Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

    Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")

    --
    I hope the land around you yields, a crop like all the other fields, and then your waiting might make sense...
  2. Bad month? No... by onion2k · · Score: 5, Insightful

    Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend it's perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the OSS fence. We know that software is only as good as the people working on it.

    I'd like to extend a hearty thank you to this researcher for making Firefox even better.

    --
    http://twitter.com/onion2k
  3. Bad month ends up with a good product. by SoupIsGood+Food · · Score: 5, Insightful

    Buffer overruns happen. Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

    The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opt for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.

    I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.

    Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.

    When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.

    So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.

  4. Re:Your model is bad. by Albanach · · Score: 5, Insightful

    if you disclose the problem to the public, they can't do much apart from switching to another product or wait until microsoft developer finally fix the problem.
    But that's only an issue if you get no response. What if MS email and say thanks, we've looked into this, we need to change x, y and z and it should take about two weeks before we issue a fix. What would be the advantage in going public inside those two weeks?

    I can't see any valid reason for someone not to report to Mozilla first, and to expect a reasonable and speedy response, then oing public if a fix is not in place inside a sensible timescale. To do otherwise suggests the researcher is more interested in self publicity than in protecting users of the browser.
  5. Re:How is this bad? by Cid+Highwind · · Score: 5, Insightful

    In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

    So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

    Some of these bugs were initially reported in 2001 and were only fixed in Firefox 2.0.0.2, six years later. The lesson here seems clear to me: Reporting security holes on bugzilla get them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.

    --
    0 1 - just my two bits