October 25, 2006 6:25 PM PDT

Mozilla rebuts Firefox 2 bug reports

A day after shipping Firefox 2, Mozilla on Wednesday largely rebutted two claims of security flaws in the latest version of the Web browser.

Bug hunters appear to be in a race to uncover new security flaws in both Firefox 2 and Internet Explorer 7, which Microsoft released last week. Word of what appears to be the first publicly disclosed IE 7 vulnerability came Wednesday.

At least two bug reports that indicated they affected the new Firefox release crossed over popular security mailing lists this week. But Mozilla on Wednesday downplayed those claims.

"I would call it just noise," said Window Snyder, Mozilla's security chief. The two issues don't present any real risk to Firefox users, she said.

One of the problems is related to a vulnerability that was patched in an earlier version of Firefox. A report on the Bugtraq mailing list suggested that the issue, labeled "critical" by Mozilla, resurfaced in Firefox 2.

The report is incorrect, Snyder said. "The vulnerabilities that were identified were actually fixed."

However, there is a related problem that can cause Firefox to crash. "The exploitable issues are fixed. There is a crash, but it is a denial of service," Snyder said. "We're going to look at it and make sure there is really nothing there."

Another report on the Full Disclosure mailing list suggested that there is a flaw in Firefox 2 that could be exploited to aid in cyberscams. The report included some computer code, but not enough for Mozilla to determine whether there is a problem, Snyder said.

"We don't have enough information to identify it. If we get more information, then we will investigate," she said.

Mozilla shipped Firefox 2 on Tuesday, nearly a week after Microsoft released IE 7. Both browsers have an emphasis on security and include features such as phishing shields to protect against fraudulent, data-thieving Web sites.

"This is one of the highest-quality Firefox releases to date," said Mike Schroepfer, vice president of engineering at Mozilla. "We fixed more issues than we ever have before. All empirical and anecdotal evidence so far shows that this is one of the most solid and stable Firefox releases."

Security researchers are welcome to hunt for bugs in Firefox, Snyder said, adding that those bugs should be reported responsibly to Mozilla, instead of disclosed publicly.

"We think it is great that the security community is working so hard to help us identify bugs," Snyder said. "Once they are identified, we're able to fix them and we fix them quickly and that means customers are less at risk."


11 comments

corporate spin?
> "This is one of the highest quality Firefox
> releases to date," said Mike Schroepfer, vice
> president of engineering at Mozilla. "We fixed
> more issues than we ever have before. All
> empirical and anecdotal evidence so far shows that
> this is one of the most solid and stable Firefox
> releases."

What a load of self-gratifying corporate spin. It reminds me of when Steve Ballmer said that Windows XP was the most stable release ever and that security was their top priority.
Posted by nrlz (98 comments )
You don't like spin?
Windows XP IS the most stable CONSUMER OS that MS has made.

YOU might not like its stability but it doesn't change the facts.
Posted by KsprayDad (375 comments )
normal MR - incremental improvement
Firefox 2.0 is an incremental release to 1.5 - there is nothing revolutionary here, just lots of little things done here and there.

More features for extensions, stability and speed improvements in many edge cases.

In the end, the main feature of Firefox is that it just works, is easy/fast to install, is easily extendable and has a portable version.

P.S. That funny thing called IE - even in incarnation 7 - takes *15* minutes and one reboot to install. Version 1 probably required having the computer turned off for days. ;)
Posted by Philips (400 comments )
Very secure - It locks my PC
Security flaws or not. My PC locked up 3 times and required 2 reboots in the first hour of trying to run the new code (v 2.0). I have been a Firefox fan for some time and contributed to the foundation, but I reinstalled v 1.5.0.7 today and all is well. I hope the first patch makes v 2.0 a viable browser.
Posted by Im-Not-TED (21 comments )
Me too....
Although not as often, it has caused 3 system freezes that required a hard reboot.
Posted by Jim Hubbard (326 comments )
Do people put as much effort on the police
and armed forces' flaws? Is the bug finding making things more secure?
Posted by pjianwei (206 comments )
truth over hype
Some of these guys are looking for a name boost from within their group as "this week's super hack" rather than actual concern for any product or its security flaws. It marginalizes the good work of the others in this regard. Accuracy in reporting is important in maintaining the integrity and value of such reports.
Posted by aqvarivs (38 comments )
Well sure but
Whatever the motives happen to be, if they uncover valid flaws and problems *and* disclose them then that's fine. Let them get their little ego boost - it keeps the rest of us safer.

As for security issues - there will be problems with FireFox2. That's just a given - any sufficiently complex piece of code will likely be riddled with flaws. Hell, even a 'hello world' program can be a security hole if the underlying language is a disaster. This is especially true with web stuff where you have multilayered and complex interactions between languages, OSes, applications, and protocols.
Posted by rapier1 (2722 comments )
A hole is a whole
How can they downplay any security flaw? I have used Firefox enough to be assured most issues will be fixed, but in today's world of anti-privacy from big corporations, the big question that should be asked is, how much of our information is being sent back to the browser provider? A hole is a hole, but maybe we should look at the whole picture.
Posted by theinstallguy (2 comments )
 
