Comments on: Firefox 3 suffers its first vulnerability

Zero Day Initiative reports that a vulnerability it deems critical was found five hours after the release of the new browser.

[sanenazok]

That's what happens with popularity.

This flaw existed in Mozilla Beta Relate 0.1 from 1999 and nobody cared about it. When products are popular then security flaws will always be found (*cough Mac cough*), even if it's a well-maintained open source project.

[Seaspray0]

I'm not laughing, even though I use IE. Lets take a look at the big picture... This bug existed in FF2, but was it reported? No. So the only way it could have been fixed is if the FF team stumbled accross it. That's how many people versus the rest of the world? If it was reported last week as a vulnerability in FF2, you wouldn't be reading these headlines, would you? I'd say some timing in the release of FF3 was involved here and Cnet went for the "flash" story. People, you should realize that "security" is an illusion. It doesn't really exist. As technology advances, everything we think of as secure finally gets broken like the german enigma from WW2 or the WEP protocol for wireless. If you want to judge how "secure" your software is, go look at the vulnerabilities and what steps had to be taken to exploit it. You'll find that most exploits today (and this includes FF, IE, Safari) require extensive work to exploit a bug (meaning it's not obvious or easily exploitable and no doubt difficult to find). Then look at how long it takes to patch that bug. Days? Months? Years? FF has a good record of patching bugs rather quickly. You won't find me "throwing stones" at it. Security? It doesn't truely exist anywhere, but the FF team is atleast trying hard to achieve it. Give them credit for that.

[no2cats]

It is ironic that the OS the bug afflicts is not mentioned. Does this affect Windows, Mac, Linux or a combination of the three? Without this information the advisory is not very seful.

[TheManInDboX]

This is nothing new... Firefox sux.... IE sux... Want to be 100% safe? unplug your Cable, dsl, or dial up modem... Those who think firefox is better should go here... bugzilla.mozilla.org and look through the millions of bugs found in firefox.. as of right now, just today their is 274 bugs reported... Safe.,.. right!

[hounddoglgs]

Something like 10 million users and 300 bugs reported- That's about 3/1000 of a percent. If you think that is a bad record, you have no idea what you are talking about. The big difference is that Mozilla is open with their bug reports. Think you can get the same info from Microsoft? Think they aren't getting thousands of bug reports every day???

[TheManInDboX]

Actually there is a public list of bugs in IE... Well in IE7 anyway... They are located here-- http://support.microsoft.com/search/default.aspx?query=ie%20bugs&catalog=LCID%3d1033&spid=&mode=r&lsc=0&range=1-200 There are currently 200+ listed.. that would mean that Mozilla's firefox 3 got more in one day, then have been reported to MS since the release of IE7... Hmm that would be 2/1000... so to that sir, you dont know what you are talking about...

[aJanuary]

The KB articles aren't quite the same as the bugzilla reports. The KB are largely bugs reports that have been received, verified and then posted wheras bugzilla opens up unvetted reports meaning there will be substantially more.

Also bear in mind FF3 has had an open beta for a long time, so it's not that they for 300 in one day.

[clsmithj]

People forget the same programmers that developed Netscape 1-7.2 all work for Firefox.
Firefox is about as secure as it predecessor now dead Netscape.