A Bad Month for Firefox

marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."

Bottom line

[AndyBassTbn]

Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")

Re:Bottom line

[Mateo_LeFou]

"the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE." Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.

Re:Bottom line

[Tiger4]

("Don't worry now, just get this new version out before the deadline, we'll fix it later...")?

As much as I am annoyed by MS for their practices, that particular one is perfectly reasonable and acceptable.

If the overall program was not managed that way, they would have chaos. Every potential change to the main configuration has to be assigned to a given build and release. The place to attack the "problem" is in how they assign priorities to problems and bug fixes. The criteria for Critical and Non-Critical bugs, for High, Medium, and Low Risk threat and fixes are where software quality hinges. MS does it one way, Mozilla a different way. To some extent they will converge. Hopefully for us all, not too much. But definitely they will converge. If they don't do effective Configuration Management, they don't know what they have, and they can't be sure about what results they will get. The development process is tricky enough without deliberately adding random uncertainty to the process. If it means delaying a given fix for some period of time, so be it.

I would not be at all surprised to see Mozilla eventually adopt a variant of the MS "Update Tuesday" model. For all but the Most Critical changes, just hold all updates them bundle them and push them at the end of the next week/month/quarte. One thing they already do better than MS is to fully declare a new revision, rather than just issues a patch and updat a table with the information. Makes it easy for humans to know at a glance what revision they are at. (By the way, I got 1.5.0.10 shoved at me last night)

A bad model?

[Lord+Satri]

Well, such headlines won't stop me from using FF. At least vulnerabilities are attended to in a way I believe (wrongly?) faster than most mammoth companies would. That said, this point from the article is interesting, making me believe researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed:
"Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be."

What's worse?

[tomstdenis]

As the author of security software, I'm not happy to find flaws in my code, but I'd rather find them then not.

The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?

Tom

Re:What's worse?

[kjamez]

The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?

i've been following this guy's postings on SF and bugtrac, and it's ridiculous. Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs ... the remote file upload keypress trap example comes to mind, and was an interesting POC to say the least. Some of the stuff is trivial and only comes with 'theoretical exploits', but are still potentially dangerous none the less. I was just thinking yesterday "wow, this guy really has it out for mozilla..." but like you said, it's good someone is finding these things now as compared to a 'blackhat' 0-day'er. And it's even better they are getting fixed, delayed release and all.

Re:What's worse?

[tomstdenis]

Well yeah that's the flipside. Some people report "bugs" which are things that cannot really be exploited in the field [e.g. unreachable exploits]. I deal with that in my OSS work as well. Though, usually I fix them anyways just for completeness. In fact, a non-trivial amount of bugs I've fixed have been of that sort [I wouldn't say a majority but definitely not just a few].

Some people like the press it gets for finding them too.

That being said, some projects react bad to bugs. GCC is an example of a group who react well to them. I've had several PR's fixed because of a simple ICE or asm dump I sent in. Whereas in the Linux camp, bug fixing is a royal right only a few can have. When I wanted to add device IDs for Intel NICs to the 2.6.18.2 [iirc] kernel I submitted a patch which added them. It was refused saying that they would be added in the next major release cycle. Even after I told them that they could trivially be added to the next point release they still refused. Oddly enough the maintainer, a Gentoo developer, added them to the gentoo brand of the kernel anyways. Go co-operation!

I dunno, for me it's a sense of responsibility. If I'm going to release software that can potentially cause problems for others, I make sure I respond to valid reports as soon as possible. I don't look at it as a negative experience because for me the alternative is to stop sharing the code alltogether.

Tom

Re:What's worse?

[TheRaven64]

Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs There is something I picked up from the OpenBSD guys, which I think should be repeated more:

The only difference between a bug and a security flaw is the intelligence of the attacker In something like Mozilla that connects to remote machines and receives badly-formed data as a regular operation, every single bug should be treated as a potential security hole (with the possible exception of w3c spec violations).

Re:What's worse?

[gmack]

My complaint isn't that they weren't added, it's that the maintainer refused to add them to the vanilla kernel [e.g. at kernel.org] and instead horded them for Gentoo-sources [even though I run gentoo I still feel this is wrong]. Eventually at the next major release they were added. So it's not that the device IDs were wrong or caused problems. It's that the developer didn't want to share them with the rest of the Linux crowd.

Or more to the point: the maintainer knew they would never be accepted into the stable branch kernel until, at the very least, they were tested in the dev branch first.

The maintainer doesn't have the final say. It's the stable team that decides in the end and they have only gotten more strict now that there are shorter dev cycles. Also, I didn't say that they did cause problems I said they could in theory cause problems and there is no way to know for sure until the new ids have been well tested. The change was quite probably safe but I'm astounded your whining that they would not throw improperly tested code right into the stable branch. I've seen simple device ID additions cause crashes. I've had them crash MY system. It's rare but it happens. That's why I update my servers with the stable branch and run my personal stuff on the more cutting edge devel kernels.

You should ask Jean-Luc Cooke about his experience trying to replace the horrible /dev/random device with one based on Fortuna. He got the same royal decreed from Ted T'so about "who owns the kernel" and who doesn't. In the end, Jean-Luc just gave up and withdrew the patches.

/dev/random has to be as hard to predict as possible. You claim it's horrible but there are whole papers on how to random generate numbers and even seasoned kernel devs have had patches refused patches because they weren't able to justify them properly.

The kernel is, for the most part, a horribly written, and poorly maintain piece of code. The maintainers are selfish ego-hording losers and have to really learn there is more people willing to contribute then just them.

Translation: They didn't let me do what I want to they are a bunch of jerks

There are people who dedicate themselves to teaching new people how to add patches to the kernel. The whole kernel newbies project and the kernel janitors project exist to provide developers who new to kernel programming an easy way to learn their way around and get patches accepted. There have been hundreds of patches in the past few months that were accepted from people who were previously unknown to kernel programming. So it really is open to others but only people willing to follow the rules. Those rules are there for a reason.

Re:What's worse?

[tomstdenis]

Whatever. This is why newbs mock OSS. If a one line trivial change causes WW3 between developers, just because Intel decided to up a PCI devid value ... we have problems.

Out of the box, the latest kernel wouldn't work on my mobo [when I got it]. That means LINUX IS BROKEN. The fix? Add one line to a eth device drivers list of recognized device IDs. What does the community do? Reject it until MONTHS LATER. Many newcomers would look at that and say "fine I'll go to Windows or BSD."

How are we supposed to build a community of trust and co-operation if we can't resolve single line fixes to code that enable hardware to work?

Tom

How is this bad?

[El+Cubano]

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.

Re:How is this bad?

[bunratty]

The only bad thing is that Michael Zalewski is not following Mozilla policy for reporting security bugs. He should first report them to Mozilla privately and give them some time to fix the problems. Instead, he publicly announces the vulnerabilities so the bad guys can exploit them before Mozilla has any chance to fix the problems. In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

Re:How is this bad?

[Cid+Highwind]

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

Some of these bugs were initially reported in 2001 and were only fixed in Firefox 2.0.0.2, six years later. The lesson here seems clear to me: Reporting security holes on bugzilla get them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.

Re:How is this bad?

[tetromino]

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

No. I would venture to say that most people here believe in giving Windows/IE/Java/Firefox devs a couple of weeks to fix a bug before going public. Coming up with a patch is the easy part. Any large project will need to look for related issues in the rest of the code, to do QA work to make sure the patch doesn't introduce new bugs or vulnerabilities, and to package the updates for all the different architectures and products that happen to be vulnerable. That process takes time; it is physically impossible for the Windows/IE/Java/Firefox team to release an update the same day you informed them about the issue. If you go public on the first day, you are just being an asshole.

Bad month? No...

[onion2k]

Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend it's perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the OSS fence. We know that software is only as good as the people working on it.

I'd like to extend a hearty thank you to this researcher for making Firefox even better.

Internet Explorer

[bitsformoney]

Solution: Stick with IE. Shoudda known.

Bad month ends up with a good product.

[SoupIsGood+Food]

Buffer overruns happen. Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opt for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.

I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.

Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.

When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.

So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.

Re:Bad month ends up with a good product.

[Anonymous+Brave+Guy]

Buffer overruns happen.

Not if you use proper design techniques, or programming languages where they aren't a possibility. Saying "buffer overruns happen" is just a concession to current poor programming practices. Better ways to do things have been known for a long time, it just requires more effort to use them when most of the world isn't yet.

Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

That's true, but not every software project makes grand claims about having better security than the opposition. There is little text on the Firefox home page, but one of the three big headings is "Stay secure on the web". "Firefox continues to lead the way in online security," it tells us. Clicking through the link finds explicit claims about the open source model and the use of "security experts".

Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of.

And how do you know that all of these Firefox bugs have only been added recently, and haven't already been exploited by black hats before they were announced? Do you personally check into the background of every bug report in Firefox? Do you think everyone who uses it does? How many serious vulnerabilities in IE are really open for years? Do you have stats to back this up, or are you just a Firefox fanboy spreading FUD? These are, after all, exactly the criticisms commonly levelled at IE.

When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets...

So all security bugs in the Mozilla family are immediately and openly disclosed to the public?

Re:Your model is bad.

[Albanach]

if you disclose the problem to the public, they can't do much apart from switching to another product or wait until microsoft developer finally fix the problem.

But that's only an issue if you get no response. What if MS email and say thanks, we've looked into this, we need to change x, y and z and it should take about two weeks before we issue a fix. What would be the advantage in going public inside those two weeks?

I can't see any valid reason for someone not to report to Mozilla first, and to expect a reasonable and speedy response, then oing public if a fix is not in place inside a sensible timescale. To do otherwise suggests the researcher is more interested in self publicity than in protecting users of the browser.

Hard to reproduce

[mw22]

There is one problem with the flaw, it's very hard to reproduce, I think I reproduced it once in a 1.8 branch build, but not afterwards.
If anyone can reproduce it consistently, and has a 1.8 debug branch build, it would be great if he could try and give a useful stacktrace in the bug.

Re:Compelling reasons to switch to 2?

[kv9]

You're also missing the annoying UI design and worse performance.

I agree that the UI is not the most pretty thing ever envisioned (why does everyone go for ROUND shit now? let me guess, the UI designers have Macs) but performance wise it got better. also it's more stable and the integrated session management allows you to get rid of all the clunky extensions that tried to provide sessions (along with the kitchen sink)

there's also tabbed browsing improvements and other features. GP, check the changelogs.

Compare against the best.

When it comes to software performance, it's pretty useless to compare the performance of your software to a previous version of that same software. You need to compare your performance to that of the current leader in the same market.

Maybe Firefox 2 is faster than Firefox 1.5. But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated. Apparently it's also quite insecure, too.

KDE 4 is getting very close to being released. It's native support for Windows will bring Konqueror to a whole new audience, thus drastically changing the Windows browser landscape. Unless the Firefox developers really get their asses in gear, which apparently isn't happening, Konqueror will come along and smite Firefox.

If the beta released today is any indication of what the final KDE 4 release will be like, then Firefox had better watch out. This new version of Konqueror already has the speed. It has the stability. It has extremely low memory usage (but still higher than Opera). I don't know if Firefox will be able to compete unless a massive rewrite is undertaken. But if they do wish to remain competitive, they'd better get going.

Re:Compare against the best.

[omeomi]

But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated.

I use Firefox and Opera on Windows, Safari on OSX, and I have occasionally used Konqueror, but I'll admit, not as frequently. However, I've never noticed a perceptible difference in speed or obvious bloat between Firefox, Opera, and Safari. "quite slow" and "extremely bloated" are obviously complete fabrications...

Re:Compare against the best.

[nutshell42]

I think the "which browser is faster" comparisons are (or should be) a thing of the past. If you didn't buy your PC last century there's not much of a speed difference to be had. Some browsers might cache better than others but if I think I'm gonna need that page again, I generally just open the link in a new tab anyway.

Nowadays if some page's slow to load I think "slow page" instead of "slow browser".

OTOH I use *lots* of tabs and there are major differences in memory consumption. On my PC Opera needs about 250-350MB of RAM for 100 tabs, Konqueror 400 and Firefox between 800 and 1.5GB.

just rude

[towsonu2003]

Why did the summary skipped this part I wonder:

vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.

hmm

Re:No we're not

[Mateo_LeFou]

"Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period"

Conclusion? Apache has predictably reported more vulnerabilities than IIS versions over the same time period

FYP

Ruh-roh!

[authority69]

Is Scobby Doo writing the posts these days? What's "Februrary?" The month after "Janrurary?" Right before "Marrrrrch?"

Slight correction

[jesser]

first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release

The remotely exploitable flaw, bug 371321, was reported at 5:35 pm (California time) on Thursday. We had been planning to release Firefox 2.0.0.2 on Friday morning. After some discussion, we decided to go ahead with the release and then follow up with a quick 2.0.0.3 once we had a patch for the newly discovered hole.

After releasing Firefox 2.0.0.2, we realized that bug 371321 didn't affect it, thanks to another patch that went into Firefox 2.0.0.2 for non-security reasons. So although we didn't know it at the time, we released a fixed version of Firefox about 16 hours after the most serious hole was reported.

The testcase in bug 371321 did lead to a fix for a similar bug that existed on trunk, though.