A Bad Month for Firefox
marty writes "February is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."
Compelling reasons to switch to 2? (Score:3, Insightful)
Bottom line (Score:5, Insightful)
Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")
A bad model? (Score:5, Insightful)
"Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be."
What's worse? (Score:5, Insightful)
The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice.
Tom
Re:Bottom line (Score:5, Insightful)
How is this bad? (Score:5, Insightful)
Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.
Bad month? No... (Score:5, Insightful)
I'd like to extend a hearty thank you to this researcher for making Firefox even better.
Javascript (Score:2, Insightful)
Compliance should be the next target of finger pointing too. If Firefox seems to have its act together and it keeps falling prey to, and having to adapt to, issues of external development, I really think it's time for an overhaul on some highly exploitable Javascript code.
Bad month, but... (Score:3, Insightful)
Your model is bad. (Score:3, Insightful)
No. It's how it works with Microsoft; it's not how it works with open source software.
With Firefox, if you disclose a hole to the public there's also a higher chance that someone outside the foundation, from the public, could try to fix the hole. (Which could be not too difficult for an outsider if the fix is just adding a check to avoid invalid input.) If you only disclose to Mozilla, the list of potential patchers is small and most of these are already busy fixing the other holes and developing, and you take the risk that in the meantime some cracker group discovers the problem independently and writes an exploit script.
Whereas with Microsoft products, if you disclose the problem to the public, they can't do much apart from switching to another product or waiting until Microsoft developers finally fix the problem. So from the company's viewpoint, there's no usefulness in disclosing a hole to the public.
Bad month ends up with a good product. (Score:5, Insightful)
The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opts for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.
I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.
Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.
When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.
So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.
Re:What's worse? (Score:4, Insightful)
Re:Your model is bad. (Score:5, Insightful)
I can't see any valid reason for someone not to report to Mozilla first, and to expect a reasonable and speedy response, then going public if a fix is not in place inside a sensible timescale. To do otherwise suggests the researcher is more interested in self-publicity than in protecting users of the browser.
Re:How is this bad? (Score:5, Insightful)
So do most of us here at
Some of these bugs were initially reported in 2001 and were only fixed in Firefox 2.0.0.2, six years later. The lesson here seems clear to me: Reporting security holes on bugzilla gets them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.
Re:Bottom line (Score:4, Insightful)
As much as I am annoyed by MS for their practices, that particular one is perfectly reasonable and acceptable.
If the overall program was not managed that way, they would have chaos. Every potential change to the main configuration has to be assigned to a given build and release. The place to attack the "problem" is in how they assign priorities to problems and bug fixes. The criteria for Critical and Non-Critical bugs, for High, Medium, and Low Risk threat and fixes are where software quality hinges. MS does it one way, Mozilla a different way. To some extent they will converge. Hopefully for us all, not too much. But definitely they will converge. If they don't do effective Configuration Management, they don't know what they have, and they can't be sure about what results they will get. The development process is tricky enough without deliberately adding random uncertainty to the process. If it means delaying a given fix for some period of time, so be it.
I would not be at all surprised to see Mozilla eventually adopt a variant of the MS "Update Tuesday" model. For all but the Most Critical changes, just hold all updates, then bundle them and push them at the end of the next week/month/quarter. One thing they already do better than MS is to fully declare a new revision, rather than just issuing a patch and updating a table with the information. Makes it easy for humans to know at a glance what revision they are at. (By the way, I got 1.5.0.10 shoved at me last night)
Re:Bad month ends up with a good product. (Score:5, Insightful)
Not if you use proper design techniques, or programming languages where they aren't a possibility. Saying "buffer overruns happen" is just a concession to current poor programming practices. Better ways to do things have been known for a long time, it just requires more effort to use them when most of the world isn't yet.
That's true, but not every software project makes grand claims about having better security than the opposition. There is little text on the Firefox home page, but one of the three big headings is "Stay secure on the web". "Firefox continues to lead the way in online security," it tells us. Clicking through the link finds explicit claims about the open source model and the use of "security experts".
And how do you know that all of these Firefox bugs have only been added recently, and haven't already been exploited by black hats before they were announced? Do you personally check into the background of every bug report in Firefox? Do you think everyone who uses it does? How many serious vulnerabilities in IE are really open for years? Do you have stats to back this up, or are you just a Firefox fanboy spreading FUD? These are, after all, exactly the criticisms commonly levelled at IE.
So all security bugs in the Mozilla family are immediately and openly disclosed to the public?
Re:How is this bad? (Score:3, Insightful)
Re:Compare against the best. (Score:3, Insightful)
Just for full disclosure, I use Konqueror as my primary browser on all *nix systems, and Opera everywhere Konqueror won't run. Several revisions of Konqueror ago, and back before Opera's free version removed the ads, I used Firefox primarily, but as Konqueror matured and Opera removed the ads I moved away. I've never really been much of a fan of the software that's released as OSS to try and save itself as part of its dying breath; the code base is generally pretty ugly and brittle, and it often steals resources away from good projects that have been OSS from the start.
WARNING: Firefox 1.5 vs. 2.0 :: Old vs. New (Score:1, Insightful)
Software works in the same way.
If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5 [mozilla.com]. The latest iteration is version 1.5.0.10 [mozilla.org]. If you are still using Firefox 1.5, look under the "Help" option to find the option, "Check for Updates", which will enable you to upgrade to 1.5.0.10.
Continue using version 1.5 until 2007 April 24. On that date, Mozilla programmers will cease fine-tuning version 1.5.
After April 24, switch to version 2 of Firefox. Waiting 2 more months before using version 2 will give vital time to Mozilla programmers to fix any critical problems in the new version.
Re:What's worse? (Score:4, Insightful)
Out of the box, the latest kernel wouldn't work on my mobo [when I got it]. That means LINUX IS BROKEN. The fix? Add one line to an eth device driver's list of recognized device IDs. What does the community do? Reject it until MONTHS LATER. Many newcomers would look at that and say "fine I'll go to Windows or BSD."
How are we supposed to build a community of trust and co-operation if we can't resolve single line fixes to code that enable hardware to work?
Tom
This reminds me. . . (Score:1, Insightful)
. . .of pharmaceutical ads. Before the FDA allowed ads on TV in the US, the only way most people became aware of a drug's side effects or dangers was if enough people started exhibiting symptoms to cause a newsworthy event. Now that the drug companies are required to give full disclosure, everyone has a knee-jerk reaction to the cautionary statements on pharmaceutical drugs, even to the point of arguing with their doctor on the merits of the drug in question.
Every time Firefox vulnerabilities are found, it seems people are falling prey to this same mentality. "It's got an exploitable security bug! OMFG! F'ing programmers! Firefox is a piece of shit!" The bottom line is: Everything that is made has defect(s). FF is no exception. For my part, I would much rather be informed of possible pitfalls, however remote, than be kept in the dark until the horse is already out of the barn. I feel much safer surfing with FF and noscript than IE any day. When was the last time MS took a reported IE exploit that didn't come from their own camp seriously? Kudos to Mr. Zalewski for his efforts. Kudos to the Mozilla team for their efforts in tightening up security on the best browser that has ever been written.
Re:What's worse? (Score:3, Insightful)
You have to use your brain to determine what's a high and low risk change. Adding an entirely new driver, high risk. Adding a device ID to a list for an existing driver? Low risk. *NOT ADDING* the driver? High risk of user dissatisfaction.
Tom