Comments on: Mozilla flaws could allow attacks, data access
Open-source specialist says vulnerabilities affect its namesake suite and the Firefox browser.
January 4, 2010 4:28 PM PST
Whadya mean flaws were found in Mozilla Suite and Firefox? How did those wily MS guys sneak their bugs into these fine products? This can't be true. They took out an ad in the New York Times and everything. Well, at least I have *some* comfort knowing the flaws are all safely covered by the magical GPL so anyone can use them if they want to.
I demand that the EU punish Gates for this cowardly act! Maybe they can fine MS another 100 Billion dollars or something fun like that. Oh, and the folks over at News.com should be punished, too. Didn't they get the super-duper secret memo about keeping Open Source flaws quiet? Tsk. Tsk.
Now where did I put that naughty little toy penguin? He's gonna face the fury of my nerd-boy wrath for this incomprehensible act of injustice!
Right here. This is a serious flaw in Mozilla products. I'll freely admit that. As serious as some holes in IE? Arguably, but not necessarily. I haven't read the descriptions of everything, but all the ones I did read required some sort of manual intervention on the part of the user, as opposed to the "I'll just install this software for you behind your back" kind of flaws that IE seems to have.
But that's rather irrelevant, really, as any flaw that can allow arbitrary code execution is bad, as far as I'm concerned.
Let's see how the flaw was handled though:
1. First bug reported to Mozilla crew on April 1st, 2005.
2. Bug discussed on Bugzilla, various suggestions and workarounds proposed.
3. Patch produced.
4. Update released on April 15th, 2005.
Total time: Two weeks plus a day for the whole process, beginning to end. Not bad.
Compare this to Microsoft's approach:
1. Bug reported to Microsoft.
2. Microsoft ignores bug report for several weeks.
3. Bug reported again to Microsoft.
4. Microsoft again ignores bug report.
5. Bug discoverer goes public with report.
6. Microsoft complains about bug reporter disclosing bug before a patch was developed. Mentions "irresponsible" bug reporting.
7. Microsoft PR machine kicks in, spewing crap about "mitigating factors", "we don't know of any customers compromised by this bug", and generally trying to downplay the bug's seriousness.
8. Microsoft develops patch, released during their regular monthly patch cycle, possibly as much as 4 weeks after patch development.
9. Microsoft crows about how they are proactive about security.
Total time: 4 weeks to several years, sometimes approaching infinity.
What I mean by that last statement is this:
There are known security holes in Windows 95 that Microsoft has known about since its release or shortly thereafter, which have never been fixed, and which now never will be, because that product has been EOL'd.
The article title and text are very misleading. It should have made more clear that all the listed vulnerabilities are ALREADY fixed in the current version of Firefox.
Step 2: write article
Step 3: profit!
Download Firefox sources, search for 'sprintf', and behold the wonders of buffer overflows! Pick any 'sprintf' call and figure out how to exploit it.
I haven't even looked for 'strcpy' and 'strcat' flaws yet.
I seriously doubt that an open source project whose code has been seen by thousands has these types of freshman level errors.
Then, at the very end of the article it alludes in the weakest possible terms to the existence of a patch. Readers who get googly-eyed by the technical stuff in the body of the article will miss it entirely, possibly causing them to run unpatched and vulnerable.
CNet, why don't you try and HELP the computing community sometime?
Agreed, very irresponsible reporting (again) by CNET. :-(
It's about crappy code, which can easily exist on any OS, in any programming language, under any model - despite the hype!
As an industry we should focus more on writing solid code, and less on whether or not software is "Open".
- - -
"Beneath the noble birth, between the proudest words, behind the beauty, cracks appear..." - Rush
Get Life, Get IE.
www.microsoft.com/windows/IE
Get a life, drop the fanboy attitude.
- http://secunia.com/product/11/#advisories
...and make some comparisons first.
http://www.secunia.com
Firefox advisories on Secunia since launch - 15
IE6 advisories in the same period - 22
Firefox advisories in 2005 - 11
IE6 advisories in 2005 - 5
Again, as FF gains in popularity, it will gain the attention of those that would look for ways to do some bad. IE's just got a longer head start than FF in which to point out its flaws so it seems easier. The reality is that all software is flawed and no one can perfectly develop complex software...period.
- So why not focus on the fix instead of the risk?
- by Kelson April 19, 2005 2:11 PM PDT
- If people don't update, maybe it's because (a) they don't realize it's important, and (b) they don't realize the fix is available. Stories like this have the opportunity to inform people on both counts. But this story actually manages to *hide* the fact that the update is available. Even allowing for sensationalism, something like "Firefox Security Holes Found, Fixed" with a sidebar pull-out of "Update to 1.0.3 to be protected" could succeed at both sensationalism and responsible reporting.
- That was supposed to be a reply to "JUST LIKE MS"...
- by Kelson April 19, 2005 2:13 PM PDT
- I must've clicked on the wrong link or something.