A Bad Month for Firefox

marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."

Re:What's worse?

[tomstdenis]

Well yeah that's the flipside. Some people report "bugs" which are things that cannot really be exploited in the field [e.g. unreachable exploits]. I deal with that in my OSS work as well. Though, usually I fix them anyways just for completeness. In fact, a non-trivial amount of bugs I've fixed have been of that sort [I wouldn't say a majority but definitely not just a few].

Some people like the press it gets for finding them too.

That being said, some projects react bad to bugs. GCC is an example of a group who react well to them. I've had several PR's fixed because of a simple ICE or asm dump I sent in. Whereas in the Linux camp, bug fixing is a royal right only a few can have. When I wanted to add device IDs for Intel NICs to the 2.6.18.2 [iirc] kernel I submitted a patch which added them. It was refused saying that they would be added in the next major release cycle. Even after I told them that they could trivially be added to the next point release they still refused. Oddly enough the maintainer, a Gentoo developer, added them to the gentoo brand of the kernel anyways. Go co-operation!

I dunno, for me it's a sense of responsibility. If I'm going to release software that can potentially cause problems for others, I make sure I respond to valid reports as soon as possible. I don't look at it as a negative experience because for me the alternative is to stop sharing the code alltogether.

Tom

Re:How is this bad?

[Kjella]

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.

It's quite hard to tell for the user if they're fixing many bugs because they have a high attention to security or if their code is a stinking pile of shit. Ideally, not a single bug should get through to the end user but they do, in that sense every bug that needs fixing is an imperfection in the development process. The users don't have any omniscent metric of which browser is the most secure and bugfree. So, the user is trying to figure out some sort of substitute metric. The most typical one used is to assume that "number of bugs fixed" is proportional to "number of bugs to fix". Of course, that's not true because "number of bugs to fix" is "public bugs and to be fixed" + "bugs to be silently fixed" + "bugs that aren't found yet", possibly because noone's looking.

To take the typical slashdot meme:
IE fixes a dozen bugs: "Whaaaaaaaaaa! IE is such a pile of steaming shit"
FF fixes a dozen bugs: "Yeeeeeeeeeey! FF is showing their attention to security"

Perhaps you "know" this to be the truth, but there's no facts to back you up. If on the other hand you can point to "There has consistently been fewer bugs to fix in Firefox compared to IE" along with "There has consistantly been fewer actual exploits in Firefox compared to IE" (ie, we're not just ignoring the problem) then you'll have a much better case. Of course that would require honestly in numbers, plus all the FUD about market share == target and so on, but one thing remains certain. If there weren't any bugs to fix, that'd be the best both technically and for PR.

Hard to reproduce

[mw22]

There is one problem with the flaw, it's very hard to reproduce, I think I reproduced it once in a 1.8 branch build, but not afterwards.
If anyone can reproduce it consistently, and has a 1.8 debug branch build, it would be great if he could try and give a useful stacktrace in the bug.

Re:Bad month ends up with a good product.

[kestasjk]

I don't know where people get the idea that closed source apps are invulnerable to hackers checking them for holes. With a firm grasp of tools like IDA pro you can easily analyze closed source apps.

I like and use Firefox too, but I don't think security is a good reason to like Firefox. The great plugins are what puts it head+shoulders above anything else, imho. And with NoScript, AdBlock, etc, it makes it much easier to avoid malicious sites.

Anyway, It's not right to be so complacent, when a hole is found in MS software it's terrible, but when holes are found day after day in Firefox it's progress. It's the same with Apple and MS; the double standards some posters have can make /. look pretty hypocritical sometimes..

Re:What's worse?

[gmack]

My complaint isn't that they weren't added, it's that the maintainer refused to add them to the vanilla kernel [e.g. at kernel.org] and instead horded them for Gentoo-sources [even though I run gentoo I still feel this is wrong]. Eventually at the next major release they were added. So it's not that the device IDs were wrong or caused problems. It's that the developer didn't want to share them with the rest of the Linux crowd.

Or more to the point: the maintainer knew they would never be accepted into the stable branch kernel until, at the very least, they were tested in the dev branch first.

The maintainer doesn't have the final say. It's the stable team that decides in the end and they have only gotten more strict now that there are shorter dev cycles. Also, I didn't say that they did cause problems I said they could in theory cause problems and there is no way to know for sure until the new ids have been well tested. The change was quite probably safe but I'm astounded your whining that they would not throw improperly tested code right into the stable branch. I've seen simple device ID additions cause crashes. I've had them crash MY system. It's rare but it happens. That's why I update my servers with the stable branch and run my personal stuff on the more cutting edge devel kernels.

You should ask Jean-Luc Cooke about his experience trying to replace the horrible /dev/random device with one based on Fortuna. He got the same royal decreed from Ted T'so about "who owns the kernel" and who doesn't. In the end, Jean-Luc just gave up and withdrew the patches.

/dev/random has to be as hard to predict as possible. You claim it's horrible but there are whole papers on how to random generate numbers and even seasoned kernel devs have had patches refused patches because they weren't able to justify them properly.

The kernel is, for the most part, a horribly written, and poorly maintain piece of code. The maintainers are selfish ego-hording losers and have to really learn there is more people willing to contribute then just them.

Translation: They didn't let me do what I want to they are a bunch of jerks

There are people who dedicate themselves to teaching new people how to add patches to the kernel. The whole kernel newbies project and the kernel janitors project exist to provide developers who new to kernel programming an easy way to learn their way around and get patches accepted. There have been hundreds of patches in the past few months that were accepted from people who were previously unknown to kernel programming. So it really is open to others but only people willing to follow the rules. Those rules are there for a reason.

Re:Bottom line

[H8X55]

Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.

(insert devil's advocate)
But for how much longer? the more positive attention fox draws from the unwashed masses, the more negative attention will turn in that direction from malware developers. If you go from 5% marketshare to 25% marketshare - your percentage of people looking for and finding bugs for good would drop through the floor. Think of it like this - Maybe one out of every ten of my FFX using friends actually do any app-dev work. Is that accurate? Maybe 10% of all users? If more 'regular people' started using FFX, ditching IE, you think you're still going to have 10%? Safari and FFx are safe for now, because they're not being targeted by hundreds/thousands/millions.

Compare against the best.

[Anonymous Coward]

When it comes to software performance, it's pretty useless to compare the performance of your software to a previous version of that same software. You need to compare your performance to that of the current leader in the same market.

Maybe Firefox 2 is faster than Firefox 1.5. But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated. Apparently it's also quite insecure, too.

KDE 4 is getting very close to being released. It's native support for Windows will bring Konqueror to a whole new audience, thus drastically changing the Windows browser landscape. Unless the Firefox developers really get their asses in gear, which apparently isn't happening, Konqueror will come along and smite Firefox.

If the beta released today is any indication of what the final KDE 4 release will be like, then Firefox had better watch out. This new version of Konqueror already has the speed. It has the stability. It has extremely low memory usage (but still higher than Opera). I don't know if Firefox will be able to compete unless a massive rewrite is undertaken. But if they do wish to remain competitive, they'd better get going.

just rude

[towsonu2003]

Why did the summary skipped this part I wonder:

vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.

hmm

Most Critical Firefox Flaw Remains Unzapped

[BSDetector]

Most Critical Firefox Flaw Remains Unzapped!!!

Interesting read at http://securitywatch.eweek.com/open_source/all_the _firefox_flaws_hunted_down_1.html [eweek.com]

Re:Compare against the best.

[nutshell42]

I think the "which browser is faster" comparisons are (or should be) a thing of the past. If you didn't buy your PC last century there's not much of a speed difference to be had. Some browsers might cache better than others but if I think I'm gonna need that page again, I generally just open the link in a new tab anyway.

Nowadays if some page's slow to load I think "slow page" instead of "slow browser".

OTOH I use *lots* of tabs and there are major differences in memory consumption. On my PC Opera needs about 250-350MB of RAM for 100 tabs, Konqueror 400 and Firefox between 800 and 1.5GB.

Re:Bad month, but...

[arth1]

You don't know me, true, but I'm one of those who switched from Firefox. Before y'all start foaming at the mouth, let me qualify that by saying that I switched back from Firefox to Mozilla, because Mozilla was much faster, with a smaller memory footprint. After security bugs appeared that afflicted all Mozilla-sourced browsers, and Mozilla was dead, I gave Firefox another try, and then switched again -- this time to Seamonkey. Which again has less bloat (in the browser-only install) and is faster than Firefox. Oh, and it hasn't been dumbed down as much as Firefox -- it doesn't hide most options from users to protect the users from themselves, like Firefox does.
Yes, the codebase for Seamonkey will be slightly behind that for Firefox. I see that as a good thing, as it weeds out most of the x.0 type bugs, and makes Seamonkey a more mature product.

Regards,
--
*Art