
A Bad Month for Firefox

marty writes "February is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michal Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."
  • by soupforare ( 542403 ) on Saturday February 24, 2007 @10:11AM (#18133674)
    I'm still running 1.5.0.9 and it works a treat. Am I missing something besides, apparently, h4x?
  • Bottom line (Score:5, Insightful)

    by AndyBassTbn ( 789174 ) on Saturday February 24, 2007 @10:12AM (#18133678) Homepage
    Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

    Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")
  • A bad model? (Score:5, Insightful)

    by Lord Satri ( 609291 ) <alexandreleroux@[ ]il.com ['gma' in gap]> on Saturday February 24, 2007 @10:14AM (#18133680) Homepage Journal
    Well, such headlines won't stop me from using FF. At least vulnerabilities are attended to in a way I believe (wrongly?) faster than most mammoth companies would. That said, this point from the article is interesting, making me believe researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed:
    "Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be."
  • What's worse? (Score:5, Insightful)

    by tomstdenis ( 446163 ) <tomstdenis AT gmail DOT com> on Saturday February 24, 2007 @10:14AM (#18133682) Homepage
    As the author of security software, I'm not happy to find flaws in my code, but I'd rather find them than not.

    The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?

    Tom
  • Re:Bottom line (Score:5, Insightful)

    by Mateo_LeFou ( 859634 ) on Saturday February 24, 2007 @10:14AM (#18133684) Homepage
    "the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE." Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.
  • How is this bad? (Score:5, Insightful)

    by El Cubano ( 631386 ) on Saturday February 24, 2007 @10:14AM (#18133686)

    Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.

  • Bad month? No... (Score:5, Insightful)

    by onion2k ( 203094 ) on Saturday February 24, 2007 @10:15AM (#18133690) Homepage
    Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend it's perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the OSS fence. We know that software is only as good as the people working on it.

    I'd like to extend a hearty thank you to this researcher for making Firefox even better.
  • Javascript (Score:2, Insightful)

    by Neuropol ( 665537 ) * on Saturday February 24, 2007 @10:21AM (#18133716) Homepage
    I hardly see this as being Firefox's fault. It's been a more common denominator to have Javascript as the culprit. There's always been some "handling" issue in just about every browser ever coded. So with this continuing, I'd be pointing all fingers at Javascript and nothing else.

    Compliance should be the next target of finger pointing too. If Firefox seems to have its act together and it keeps falling prey to, and having to adapt to, issues of external development, I really think it's time for an overhaul on some highly exploitable Javascript code.
  • Bad month, but... (Score:3, Insightful)

    by bgfay ( 5362 ) on Saturday February 24, 2007 @10:21AM (#18133722) Homepage
    I don't know anyone who has lost faith in Firefox or switched back to anything else. It's still a great browser and seems to be getting better. There will always be problems with software. The thing that's interesting here is that all of Firefox's good aspects and bad aspects are out in the open. That's what makes it work.
  • Your model is bad. (Score:3, Insightful)

    by DrYak ( 748999 ) on Saturday February 24, 2007 @10:26AM (#18133742) Homepage

    researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed


    No. It's how it works with Microsoft; it's not how it works with open source software.

    With Firefox, if you disclose a hole to the public there's also a higher chance that someone outside the foundation, from the public, could try to fix the hole. (Which might not be too difficult for an outsider if the fix is just adding a check to avoid invalid input.) If you only disclose to Mozilla, the list of potential patchers is small and most of them are already busy fixing the other holes and developing, and you take the risk that in the meantime some cracker group discovers the problem independently and writes an exploit script.

    Whereas with Microsoft products, if you disclose the problem to the public, they can't do much apart from switching to another product or waiting until Microsoft developers finally fix the problem. So from the company's viewpoint, there's no usefulness in disclosing a hole to the public. ...in fact, because the source is open, researchers could even fix the bugs themselves as those are discovered.
  • by SoupIsGood Food ( 1179 ) on Saturday February 24, 2007 @10:36AM (#18133790)
    Buffer overruns happen. Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

    The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opts for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.

    I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.

    Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.

    When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.

    So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.
  • Re:What's worse? (Score:4, Insightful)

    by TheRaven64 ( 641858 ) on Saturday February 24, 2007 @11:24AM (#18133974) Journal

    Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs
    There is something I picked up from the OpenBSD guys, which I think should be repeated more:

    The only difference between a bug and a security flaw is the intelligence of the attacker
    In something like Mozilla that connects to remote machines and receives badly-formed data as a regular operation, every single bug should be treated as a potential security hole (with the possible exception of w3c spec violations).
  • by Albanach ( 527650 ) on Saturday February 24, 2007 @11:37AM (#18134062) Homepage

    if you disclose the problem to the public, they can't do much apart from switching to another product or waiting until Microsoft developers finally fix the problem.
    But that's only an issue if you get no response. What if MS email and say thanks, we've looked into this, we need to change x, y and z and it should take about two weeks before we issue a fix. What would be the advantage in going public inside those two weeks?

    I can't see any valid reason for someone not to report to Mozilla first, and to expect a reasonable and speedy response, then going public if a fix is not in place inside a sensible timescale. To do otherwise suggests the researcher is more interested in self publicity than in protecting users of the browser.
  • by Cid Highwind ( 9258 ) on Saturday February 24, 2007 @11:54AM (#18134166) Homepage
    In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

    So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

    Some of these bugs were initially reported in 2001 and were only fixed in Firefox 2.0.0.2, six years later. The lesson here seems clear to me: Reporting security holes on bugzilla gets them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.
  • Re:Bottom line (Score:4, Insightful)

    by Tiger4 ( 840741 ) on Saturday February 24, 2007 @12:20PM (#18134342)
    ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")?

    As much as I am annoyed by MS for their practices, that particular one is perfectly reasonable and acceptable.

    If the overall program was not managed that way, they would have chaos. Every potential change to the main configuration has to be assigned to a given build and release. The place to attack the "problem" is in how they assign priorities to problems and bug fixes. The criteria for Critical and Non-Critical bugs, for High, Medium, and Low Risk threat and fixes are where software quality hinges. MS does it one way, Mozilla a different way. To some extent they will converge. Hopefully for us all, not too much. But definitely they will converge. If they don't do effective Configuration Management, they don't know what they have, and they can't be sure about what results they will get. The development process is tricky enough without deliberately adding random uncertainty to the process. If it means delaying a given fix for some period of time, so be it.

    I would not be at all surprised to see Mozilla eventually adopt a variant of the MS "Update Tuesday" model. For all but the most critical changes, just hold all updates, then bundle them and push them at the end of the next week/month/quarter. One thing they already do better than MS is to fully declare a new revision, rather than just issuing a patch and updating a table with the information. Makes it easy for humans to know at a glance what revision they are at. (By the way, I got 1.5.0.10 shoved at me last night)

  • by Anonymous Brave Guy ( 457657 ) on Saturday February 24, 2007 @12:23PM (#18134356)

    Buffer overruns happen.

    Not if you use proper design techniques, or programming languages where they aren't a possibility. Saying "buffer overruns happen" is just a concession to current poor programming practices. Better ways to do things have been known for a long time, it just requires more effort to use them when most of the world isn't yet.

    Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

    That's true, but not every software project makes grand claims about having better security than the opposition. There is little text on the Firefox home page, but one of the three big headings is "Stay secure on the web". "Firefox continues to lead the way in online security," it tells us. Clicking through the link finds explicit claims about the open source model and the use of "security experts".

    Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of.

    And how do you know that all of these Firefox bugs have only been added recently, and haven't already been exploited by black hats before they were announced? Do you personally check into the background of every bug report in Firefox? Do you think everyone who uses it does? How many serious vulnerabilities in IE are really open for years? Do you have stats to back this up, or are you just a Firefox fanboy spreading FUD? These are, after all, exactly the criticisms commonly levelled at IE.

    When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets...

    So all security bugs in the Mozilla family are immediately and openly disclosed to the public?
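The thread keeps circling one concrete point: a fix that is "just adding a check to avoid invalid input", every bug in code that parses untrusted remote data being a potential security hole, and whether "buffer overruns happen". The following is an added example written for this page, not code from the thread, from Zalewski's reports, or from Firefox. It parses a hypothetical length-prefixed record (one length byte, then that many payload bytes, into a fixed 16-byte field) first as the classic unchecked copy and then with the single bounds check that turns a crash bug into rejected input. The wire format, function names and sample inputs are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 16

/* Hypothetical wire format for this example: one length byte, then that many
 * payload bytes, copied into a fixed 16-byte field. */
struct record {
    char   field[FIELD_SIZE];
    size_t len;
};

/* "Before": trusts the attacker-controlled length byte. Reads stay inside
 * buf, but a length above 16 writes past out->field. To a fuzzer that is a
 * crash; to an attacker who chooses the bytes it is a stack or heap smash. */
int parse_record_unchecked(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 1)
        return -1;                  /* truncated */
    size_t n = buf[0];
    if (buflen < 1 + n)
        return -1;                  /* truncated */
    memcpy(out->field, buf + 1, n); /* write is not bounded by FIELD_SIZE */
    out->len = n;
    return 0;
}

/* "After": the one added check. Input that cannot fit is malformed and is
 * refused rather than accommodated. */
int parse_record_checked(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 1)
        return -1;                  /* truncated */
    size_t n = buf[0];
    if (n > FIELD_SIZE)
        return -2;                  /* oversized: reject */
    if (buflen < 1 + n)
        return -1;                  /* truncated */
    memcpy(out->field, buf + 1, n);
    out->len = n;
    return 0;
}

/* Constructed sample inputs (made up here, not captured from any client). */
static const uint8_t good_input[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/* A record claiming 200 payload bytes for a 16-byte field. */
static size_t build_evil_input(uint8_t *buf, size_t buflen)
{
    memset(buf, 'A', buflen);
    buf[0] = 200;
    return buflen;
}

/* Result helpers: each outcome is a return value rather than a printout. */
int checked_good_len(void)
{
    struct record r;
    return parse_record_checked(good_input, sizeof good_input, &r) == 0 ? (int)r.len : -100;
}

int checked_evil_rc(void)
{
    uint8_t evil[1 + 200];
    struct record r;
    size_t n = build_evil_input(evil, sizeof evil);
    return parse_record_checked(evil, n, &r);
}

int unchecked_good_len(void)
{
    struct record r;
    return parse_record_unchecked(good_input, sizeof good_input, &r) == 0 ? (int)r.len : -100;
}

int main(void)
{
    printf("checked parser, well-formed record: len=%d\n", checked_good_len());
    printf("checked parser, 200-byte claim:     rc=%d (rejected)\n", checked_evil_rc());
    printf("unchecked parser, well-formed:      len=%d\n", unchecked_good_len());
    /* parse_record_unchecked() is deliberately never called on the evil
     * record: it would write 184 bytes past r.field. */
    return 0;
}
```

Both parsers behave identically on well-formed input, which is why a bug like this survives ordinary testing; only the malformed record separates them, and only the checked version fails closed. In a bounds-checked language the unchecked copy would abort at runtime instead of corrupting memory, which is the difference the "proper design techniques, or programming languages where they aren't a possibility" remark is pointing at.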

  • by bunratty ( 545641 ) on Saturday February 24, 2007 @01:36PM (#18134868)

    Reporting security holes on bugzilla get them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.
    If you know of any such security holes, report them publicly or privately, and you will get a $500 bounty [mozilla.org]. If reporting them privately doesn't get them fixed, you can always go public later without losing your bounty. If responsible disclosure doesn't get bugs fixed, then I would agree that full disclosure is needed. Go ahead and report these bugs and collect your fame and riches!
  • by SirTalon42 ( 751509 ) on Saturday February 24, 2007 @02:43PM (#18135334)
    Konqueror will also run natively on OS X. Also, when run alongside other KDE apps and the DE, Konqueror's memory usage (because of shared libraries) is most likely lower than Opera's, though it can still use some work to become even more efficient. Firefox developers will have an INCREDIBLY hard time making the Firefox UI as fast as Konqueror/Safari/Opera because of their extensive use of XUL.

    Just for full disclosure, I use Konqueror as my primary browser on all *nix systems, and Opera everywhere Konqueror won't run. Several revisions of Konqueror ago, and back before Opera's free version removed the ads, I used Firefox primarily, but as Konqueror matured and Opera removed the ads I moved away. I've never really been much of a fan of software that's released as OSS to try and save itself as part of its dying breath; the code base is generally pretty ugly and brittle, and it often steals resources away from good projects that have been OSS from the start.
  • by reporter ( 666905 ) on Saturday February 24, 2007 @02:48PM (#18135370) Homepage
    New software and new cars generally have more defects than old software and old cars. The first-year release of a Toyota Camry relies on customers to find and report the defects. The defect information is fed back to the Toyota engineers, and they redesign the defective parts of the Camry. The third-year release of the Camry should be quite reliable. (Toyota [msn.com] has some of the highest rates of recalls [thestar.com] in the automotive industry. Toyota typically recalls nearly 10% of its vehicles -- versus "only" 7% for General Motors.)

    Software works in the same way.

    If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5 [mozilla.com]. The latest iteration is version 1.5.0.10 [mozilla.org]. If you are still using Firefox 1.5, look under the "Help" option to find the option, "Check for Updates", which will enable you to upgrade to 1.5.0.10.

    Continue using version 1.5 until 2007 April 24. On that date, Mozilla programmers will cease fine-tuning version 1.5.

    After April 24, switch to version 2 of Firefox. Waiting 2 more months before using version 2 will give vital time to Mozilla programmers to fix any critical problems in the new version.

  • Re:What's worse? (Score:4, Insightful)

    by tomstdenis ( 446163 ) <tomstdenis AT gmail DOT com> on Saturday February 24, 2007 @03:30PM (#18135658) Homepage
    Whatever. This is why newbs mock OSS. If a one line trivial change causes WW3 between developers, just because Intel decided to up a PCI devid value ... we have problems.

    Out of the box, the latest kernel wouldn't work on my mobo [when I got it]. That means LINUX IS BROKEN. The fix? Add one line to an eth device driver's list of recognized device IDs. What does the community do? Reject it until MONTHS LATER. Many newcomers would look at that and say "fine I'll go to Windows or BSD."

    How are we supposed to build a community of trust and co-operation if we can't resolve single line fixes to code that enable hardware to work?

    Tom
  • by Hamoohead ( 994058 ) on Saturday February 24, 2007 @03:46PM (#18135742)

    . . .of pharmaceutical ads. Before the FDA allowed ads on TV in the US, the only way most people became aware of a drug's side effects or dangers was if enough people started exhibiting symptoms to cause a newsworthy event. Now that the drug companies are required to give full disclosure, everyone has a knee-jerk reaction to the cautionary statements on pharmaceutical drugs, even to the point of arguing with their doctor on the merits of the drug in question.

    Every time Firefox vulnerabilities are found, it seems people are falling prey to this same mentality. "It's got an exploitable security bug! OMFG! F'ing programmers! Firefox is a piece of shit!" The bottom line is: Everything that is made has defects. FF is no exception. For my part, I would much rather be informed of possible pitfalls, however remote, than be kept in the dark until the horse is already out of the barn. I feel much safer surfing with FF and NoScript than IE any day. When was the last time MS took a reported IE exploit that didn't come from their own camp seriously? Kudos to Mr. Zalewski for his efforts. Kudos to the Mozilla team for their efforts in tightening up security on the best browser that has ever been written.

  • Re:What's worse? (Score:3, Insightful)

    by tomstdenis ( 446163 ) <tomstdenis AT gmail DOT com> on Saturday February 24, 2007 @06:17PM (#18136936) Homepage
    This isn't about adding a new device driver. It's about having the device driver detect a revision of a chipset. It's fairly easy to test and a very LOW risk change. Not doing so means an entire line of motherboards are not supported.

    You have to use your brain to determine what's a high and low risk change. Adding an entirely new driver, high risk. Adding a device ID to a list for an existing driver? Low risk. *NOT ADDING* the driver? High risk of user dissatisfaction.

    Tom
