Critical Mozilla, Thunderbird Vulnerabilities 596
d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of a unchecked buffer in the bitmap parser, very similar to recent Microsoft JPEG vulnerability.
The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
So will it be Mozilla's fault... (Score:5, Insightful)
Afterall, it's Microsoft's fault when their users don't keep up to date with security patches.
Re:So will it be Mozilla's fault... (Score:5, Funny)
Re:So will it be Mozilla's fault... (Score:5, Funny)
Re:So will it be Mozilla's fault... (Score:4, Funny)
Besides, Microsoft is pure evil. Everyone knows that Netscape Communicator Gold 4.0 was the best software ever produced.
Re:So will it be Mozilla's fault... (Score:5, Insightful)
Re:So will it be Mozilla's fault... (Score:5, Funny)
Re:So will it be Mozilla's fault... (Score:4, Funny)
Doh.
Re:So will it be Mozilla's fault... (Score:5, Informative)
1) Software designers should be more careful when using buffers, so that over runs don't occur is it really that hard to keep a counter around to make sure your don't overrun? I guess developers want their code to run fast and I suppose it doesn't help that C offers absolutely no protection from such problems. [Pascal and other strongly typed languages sure help in this regard it's alot harder to make this type of mistake].
2) OS designers should do more through checking to make sure data pages are never executed. [and a data write can't write into an application memeory page!]. While it SHOULD be caught above, the OS should be looking out for requests to write into pages not assigned as data for a particular application.
3) Hardware designers should implement features to optimize #1 and #2. [eg. noexecute flags. Harvard Architecture, etc. I can easily see a architecture that looks like a Harvard in normal mode and then turns into our traditional von neumann architecture in privledged mode.]
It's really quite simple concept to have a no execute flag associated with a memory page that can only be changed in privledged mode. And such coding techniques should work fine for day to day computer use [self modifying code could be problem , etc].
Re:So will it be Mozilla's fault... (Score:5, Insightful)
"2) OS designers should do more through checking to make sure data pages are never executed"
Great idea. Now minor problem, how do you make sure your software and OS designers are 100% competent, never have a bad day, never arrive with a hangover, never have a bitter argument with spouse/partner.
I see no evidence that this is possible with the current crop of earth's inhabitants.
Re:So will it be Mozilla's fault... (Score:3, Insightful)
Re:So will it be Mozilla's fault... (Score:5, Informative)
Re:So will it be Mozilla's fault... (Score:4, Interesting)
At least I'm not the only one. I upgraded yesterday and then spent close to two hours trying to get the damn search box back to the size it was with .9.x but no luck. I really wish you could just right click the search box and set the properties for it. Would be so much easier.
Re:So will it be Mozilla's fault... (Score:5, Informative)
http://bugzilla.mozilla.org/show_bug.cgi?id=258
The summary: put this in your userChrome.css.
#search-container {
-moz-box-flex: 200 !important;
}
#searchbar {
-moz-box-flex: 200 !important;
}
Hope this works for you!
Re:So will it be Mozilla's fault... (Score:5, Informative)
Why is this so hard for people:
Upgrade Firefox.
Your extensions will get disabled because they have a MaxVersion lower than the Firefox version.
Let it happen. DON'T FREAK OUT.
Go to the extension manager.
Right click all the disabled extensions and select Enable.
Restart Firefox.
Woo hoo. Barring any changes in the code that genuinely make your old extensions incompatible, your world keeps on turning.
Re:So will it be Mozilla's fault... (Score:3, Funny)
(In any case, use Tabbrowser Extensions instead. It's more powerful and didn't have any problems with the upgrade to 1.0PR.)
Really? Mine is not working. It claims that the version number (0.10) is not new enough.
Re:So will it be Mozilla's fault... (Score:5, Insightful)
Re:So will it be Mozilla's fault... (Score:5, Funny)
But Mozilla and Firefox are so much better than IE! Isn't that what you fuckers claim everytime there's an IE vunerability?
So now that the tables are turned little baby Firefox/Moz is just a beta so it doesn't matter.
Stay on the fence or fall the fuck off.
Sincerely,
Kings Men.
Re:So will it be Mozilla's fault... (Score:3, Insightful)
Any software will have bugs and holes in, the difference is the frequency and the rate of fixing - note that this is ALREADY FIXED.
Re:So will it be Mozilla's fault... (Score:5, Interesting)
Also, in Wired a short time ago, they tried to claim that Firefox had a vulnerability that had to be patched (which it did 0.9 - 0.9.1) but the vulnerability was with the Windows OS, and blocking access to a Windows OS function was what was required to fix it.
FF is still a better browser - no question about it.
Re:So will it be Mozilla's fault... (Score:5, Insightful)
Re:So will it be Mozilla's fault... (Score:5, Funny)
Re:So will it be Mozilla's fault... (Score:5, Insightful)
No. Then it'll be the stupid user's fault. Only MS is at fault for not actively coming to each users' house and business and physically installing the update for them, even though MS's Automatic Update feature works great. Even though Firefox/Thunderbird/SunBird's manual "check for updates" feature doesn't even work, it's definitely the *stupid* user's problem when it comes to any non-MS program.
Re: (Score:3, Insightful)
Re:So will it be Mozilla's fault... (Score:5, Insightful)
Mozilla has the same problems as Microsoft as far as breaking things. The reason you notice it more in Microsoft's code is that they write things like operating systems, which tens of thousands of different applications run on top of. Only a handful of things run on top of your web browser.
Re:So will it be Mozilla's fault... (Score:5, Funny)
To my knowledge, Mozilla has never done that.
Re:So will it be Mozilla's fault... (Score:5, Funny)
"He was referring to MS's history of... and kicking your dog. To my knowledge, Mozilla has never done that."
No, but Mozilla once tried to *eat* my dog.
Re:So will it be Mozilla's fault... (Score:5, Funny)
To my knowledge, Mozilla has never done that.
Fucking complainers. Mozilla is still beta. Vase-throwing will be in the next version, and dog-kicking can already be done with a third-party extension. If you really want brakeline-cutting, why don't you go code it yourself?
Re:So will it be Mozilla's fault... (Score:4, Interesting)
That is a matter of opinion. I haven't upgraded Moz on my home machine since the 1.5->1.6 switch took out my whole e-mail store, address book, and other profile information. Fortunately I'd had the sense to back up, so 1.5 was restored with the only loss several hours of my time. It does make the argument that Mozilla doesn't have to provide security patches for older versions because of the rapid upgrade cycle rather thin, though.
I've been waiting for TBird to import Moz e-mail properly, and now that it does, I'll be shifting away from the Mozilla suite to Firefox and Thunderbird imminently. The latter seem to be far more robust than Mozilla itself, which sadly has become ever more feature-loaded and bug-ridden with the passage of time.
Re:So will it be Mozilla's fault... (Score:3, Insightful)
Re:So will it be Mozilla's fault... (Score:3)
It already sort of works that way now as you mention, but don't forget if you're using Thunderbird and Firefox at this stage you're still using "Technology Previews"... bugs like this one shouldn't really even be that big of a surprise in a
Re:So will it be Mozilla's fault... (Score:5, Insightful)
Justify them as "we try hard to find them and fix them quickly", but not "they'll go away when we reach 1.0".
The beauty of a non-integrated browser........ (Score:5, Insightful)
Re:The beauty of a non-integrated browser........ (Score:3, Interesting)
Re:The beauty of a non-integrated browser........ (Score:3, Informative)
Re:The beauty of a non-integrated browser........ (Score:3, Funny)
Re:The beauty of a non-integrated browser........ (Score:3, Informative)
Re:The beauty of a non-integrated browser........ (Score:3, Insightful)
FWIW, Firefox is the only browser I use. But its rediculous to hold it up as an example against IE in many ways. If IE had a patch, it'd be on my Mom's computer already. Her homepage is yahoo. If I don't call her and tell her to upg
Still waiting on Debian builds (Score:4, Informative)
The guy's working on it, though.
Compatibility (Score:5, Funny)
Nice timing :) (Score:4, Funny)
OSS suffers the same problem as commercial sw... (Score:5, Insightful)
Software is written by humans. As a result, mistakes are bound to be made. Various software design strategies merely mitigate and minimize those risks, but it's bound to happen. This is a fundamental fact of life. Deal with it.
However, OSS permits investigation and transparency in the resulting software. This leads to better code reviews (hopefully) and more bug fixes. In addition, there is nothing that a software development team or company can hide behind (a la IP rights) all the while shouting, "Shut up! Shut up! I can't hear you! la la la la!"
Re:OSS suffers the same problem as commercial sw.. (Score:3, Insightful)
Java on the other hand does not allow programmers to make that error. If more people used better tools it would mean less security problmens.
Re:OSS suffers the same problem as commercial sw.. (Score:3, Insightful)
Without design specifications and a complete, well written documentation, the only way people could check a program is by reading the whole code and understanding the whole thing. Do you know a lot of people who would waste hundred of hours to look for bugs (apart from the ones who are developing the program) ?
OSS permits investigation, but no one is doing it because most OSS project have very little documentation. The result is most OSS project are extremely bug
Re:OSS suffers the same problem as commercial sw.. (Score:3, Informative)
I myself once delved into the Mozilla source code to help Daniel Glazman out, simply because I had a couple of hours free. I also hacked at Dia when I desperately needed a diagram object that it didn't support.
Several of my friends have fixed/extended/enhanced a number of open source projects over the past few years.
minion.de had a set of patches to
Re:OSS suffers the same problem as commercial sw.. (Score:5, Insightful)
HAHAHAHAHAHAHAHAHA!!!
Somebody mod that guy up as Funny!!!
Or, if you're not trying to be funny, you've clearly never worked in QA, or... maybe you've just explained that there are few GOOD pieces of commercial software...
Anyway, let me assure you that I worked a lot of QA gigs, and in every single one of them, the QA team was dwarfed by the dev team, rarely had good specs to plan from, and found their test time was viewed the most expendable part of the product cycle ( it's the first one to shrink in case of a slip elsewhere ). And those automated tests? Those paths you automate aren't likely to have *glaring* problems- at lest not ones the automated tools can catch - it's just the cases QA didn't have time to code up that'll fail... and of course, you can't automate something until the program is available, can you ? In practice, automated tools are only *really* useful for regression testing.
The most important thing I learned working QA is that the best QA in the world won't save you from a poorly planned or managed project, poor design, coders who don't unit test, or marketing guys who promise the sky and give a fixed do-or-die ship date to go with that sky. Code review is usually better than QA at finding non-design-related bugs. If the coders are good, QA ends up finding usability issues, rather than functionality issues, which is your best-case scenario, even though it means your prototyping and design phase was lacking.
Automated Upgrading (Score:5, Insightful)
If I use Internet Explorer, I can deploy patches to every amchine on the domain automagically using software like Shavlik's HfNetChk - with Moz I'd have to take a trip round the desktops, forty or fifty upgrades is something I don't fancy.
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
Re:Automated Upgrading (Score:5, Insightful)
Re:Automated Upgrading (Score:4, Informative)
Indeed, when using a loginscript it poses no problems.
There are many apps that are much harder to silently install.
Re:Automated Upgrading (Score:4, Informative)
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
I completely agree (but from a Firefox standpoint; I haven't used Mozilla in ages). There needs to be serious consideration of usage in corporate settings on Windows desktops. Features such as an MSI package to ease in deployment across Active Directory networks is needed. Yes, you can create your own MSI packages, but it'd be nice if one was provided. For those who don't know what I'm talking about with AD, it basically means that with a few mouse clicks (seriously), I can install Firefox on all computers on my network. You could probably replicate that with logon scripts, but this method provides automatic uninstallation of old versions when upgrading Firefox, as well as installation repairing if files are corrupted (but I'm not sure how useful that is, since it might point to more serious hardware problems).
Firefox settings in Group Policy would also be awesome, although that would require either placing Firefox settings in the registry or writing a Group Policy plugin to handle settings. What this would mean is that Firefox configuration settings for an entire network can be controlled from a central location.
There are other minor problems (such as placement of Firefox cache in Application Data instead of Local Settings\Application Data, causing the entire cache to be synchronized with the domain server on logon and logoff), so if they aren't already, Firefox developers should be sure to test on machines with multiple user profiles with reduced privileges. These things, although inconsequential to regular users at home, are quite important for acceptance in corporate Windows networks.
Also, apologies if you can already do all of these, but if that's the case, a page discussing these things for network administrators would also be nice.
Re:Automated Upgrading (Score:5, Informative)
--Asa
Easy! (Score:5, Interesting)
The only thing Mozilla/Firefox team should do is to prevent user preferences and extensions for being reset by an upgrade. They are working on it, as I read in other threads. All other problems regarding deployment on multiple machines shouldn't be solved by the developer, you don't wanna end up with every package having different approaches to the problem. It must be a matter for sysadmins or the linux distro developers.
Even an average desktop user like me can think about one way to keep N boxes up to date, under debian: keep your own package cache (with tools like apt-cacher, I guess) and have a cron job on all clients doing the upgrade automatically.
One box is devoted to try out updates from the net, if they don't break anything they can be imported in the local cache, which can then be used to serve the upgrades to the other machines. The cron jobs can be offset not to overwhelm the local cache file server.
Moderators who gave parent a +5 insightful: are you nuts?
Re:Automated Upgrading (Score:4, Insightful)
Seriously dude, if you don't know how to write a simple script to copy files to all user's machines without the help of another program, what are you doing administering systems?
Of course it can be done, but then there are what I consider superior solutions when you already have an Active Directory network on Windows, where software upgrades and propagation of configuration settings can be controlled from a central place (Group Policies). Using scripts to upgrade would be like writing a script to download and patch on Gentoo even though emerge is already available.
Re:Automated Upgrading (Score:3, Insightful)
'apt-get' is not recognized as an internal or external command,
operable program or batch file.
G:\Documents and Settings\Administrator>
I'm sure most small business who took your advice will encounter the same error.
Galeon (Score:3, Interesting)
it is based on Mozilla also.
has it been updated?
Re:Netscape (Score:4, Interesting)
chroot and UML (Score:5, Interesting)
Doing it as a different user (Score:5, Informative)
It's so simple, I'll be back in a couple of minutes once I've done it..
Done it, make that 25 seconds. Most of that was updating authentication tokens for the new user.
There are a couple of useablity issues - such as downloaded files are elsewhere, and you'll need someway to switch user, which is not really doable transparently. Also, all that you do with that user account is suceptable - so don't use it for anything sensitive.
One main problems:
1) It needs acess to the X display. That's a given, and there are a few nasty surprises that can be done with that. That would be the case no matter what, (chroot etc) however.
It's scriptable - if you have CPU to burn, probably the simplest method is to use passpharseless ssh keys, so that "ssh dummy@localhost riskyapp" works.
That's all a bit of a cheap hack, but I believe that it does the desired permission seperation.
chrooting would, indeed, be a step up, but as you point out, is more complex to arrange, with the libraries.
[0] Barring any local root holes, which is an orthogonal issue.
Auto update anyone? (Score:5, Insightful)
I cannot ask my father to uninstall his browser and reinstall a new one every so often. If Firefox wants to be accepted by the large crowd out there it definitely needs an automatic update.
Re:Auto update anyone? (Score:5, Informative)
Update notification methods (Score:5, Insightful)
Re:Update notification methods (Score:5, Informative)
If a new vulnerability is found and patched, Firefox 0.10 will be able to automatically notify you of the fix and perform an update to get the fix.
--Asa
Here They Come (Score:5, Funny)
Question (Score:5, Funny)
Re:Question (Score:4, Funny)
Re:Question (Score:5, Interesting)
2004-04-01 (2.8.5rel.2)
* fix for buffer in jpeg2ascii render code -BS
2004-02-04 (2.8.5rel.1)
* build fixes for MINGW32 -DK
* build fixes for OS/2 (reported by IZ) -TD
Re:Question (Score:3, Funny)
It supports tables! :-)
OH MY GOD! (Score:5, Funny)
This really worries me:
Any college student could tell that there are similar vulnerabilities in the human race that frequently manifest themselves after imbibing alcohol. Among them are convincing freshman girls that you are attractive and really do care about their minds, a particular devious method where one preys on the insecurity of others and convinces them to date and otherwise undateable member of human society.
The problem is not confined to just colleges. During a recent help session on the channel #gnome on irc.freenode.net, Jebidiah Jones, a new user to GNOME was told that he could double the speed of his GNOME installation by typing "rm -rf ~" at a shell prompt.
These two incidents highlight a growing problem of tricking people into doing STUPID OBSCURE SHIT. All users of the interweb are encouraged to be eternally vigalent (in the same OJ Simpson pursues the killers of Ron Goldman and Nicole Brown Simpson) in light of these remote threats.
Re:OH MY GOD! (Score:5, Funny)
"press Alt+F4 for ops"
You would suddenly see about 150 users disconnect (Client Quit)
The funny thing was, that you could go back in an hour and do the same thing again..
And once again... (Score:3, Funny)
Waitasecond
Mozilla and Thunderbird uh.... wait...
So who can i blame now ?
affect != effect (Score:5, Funny)
The good news is that if you have an updated version [...] you won't be affected.
Excuse me, but you used "affected" correctly! The accepted standard here is to use "effect" instead of "affect" [slashdot.org] at all times. Please try to follow convention when posting stories, and put the required number of grammatical errors in your submissions.
OSS advisories vs Microsoft ones (Score:3, Interesting)
Another difference: newer mozilla, thunderbird and firefox versions have more features and no backward problems afaik and is not complex to install (even is faster/with lesser requirements than some previous versions). To fix the jpg problem you must have XP SP2 (that causes a lot of problems) or apply a critical patch ready just for a few MS plataforms (nice when you even have a "jpeg of death" around that tries to steal your gmail account and other passwords exploiting the IE jpg vulnerability)
A sense of deja-vu! (Score:3, Insightful)
The safest and best thing is to use a real VM, like the JVM. Another alternative is to use something like Cyclone [harvard.edu] which also doesn't allow unsafe memory operations.
To all the ditto-heads who keep on saying "if it's not in C, it's too slow", wasn't there just an article on Slashdot a few days ago about full-motion video players written in pure Java? Surely a jpeg here and there shouldn't be too much of a problem?
Comment removed (Score:3, Insightful)
As a former IE user (Score:3, Informative)
However - I can't do that right now. When I learned of the new version released, and how it will be supplanted by a new release soon, and the lack of autoupdating - it WILL be a burden for some of the people I'd tell to switch.
From what I saw - to upgrade to a newer release - Firefox has to be uninstalled and then re-installed - and until the folks who wrote the freely available functions upgrade them - they won't be compatible with the new release. This exploit too has me wondering if it really isn't way to soon to force them to switch. They've all been educated to use the auto update for IE.
Great product. I'm hooked. I will continue to use it. Blocking ads, images, bugmenot, and a host of other functions have won me over. But before I can recommend it to the folks that aren't exactly technical - the team will need to either allow for patch updates, or auto-updates.
Mozilla Security Centre (Score:5, Insightful)
OK! (Score:4, Funny)
CB#$%^&*(
Just updated Firefox (Score:3, Interesting)
all my bookmarks were back too which is very nice (though I generally disapprove of info remaining after uninstalling a program - where was this personal data stored?)
if I uninstall and upgrade Thunderbird will it keep my account info and emails?
Now we will see... (Score:4, Insightful)
I see the day not too far off when FireFox could overtake IE in the market...so will the majority of problems then be in FireFox, or is microsoft really writing bad code? It will be interesting to see.
I believe the open source community will be up to the task of maintaining the bugs as they come in, but I think we will see that there will still be a lot of these types of serious problems that crop up once there are thousands of people dedicating their lives to exploiting them.
Grab a chair, sit back and watch the fun.
The good news?!?! (Score:5, Insightful)
And the good news is if you have the updated version of Windows (Windowws XP SP2) then you aren't affected by the similar critical flaw either but it's different when it's OSS huh?
How long's it going to be? (Score:3, Interesting)
Given that there are critical vulnerabilities in IE due to the Cross-Domain vulnerability that most web users have ignored, and Microsoft can't seem to fix without major browser changes. And given that there are lots of exploitable vulnerabilities due to unpatched IIS servers out there, How long is it going to be before some genius low-life creates a worm that plays these two vulnerabilites off each other* and brings down the whole net for a week? It'll make little difference that 15% of the users have switched over to Firefox when this baby gets unleashed.
* I.e. Web sites infect the IE browsers and infected browsers infect other servers. (Seems like a natural to me.)
BTM
Mozilla Bug Bounty Program (Score:5, Insightful)
All those critical bugs have been detected by reviewers from the "Security Bug Bounty Program", as described on mozilla.org [mozilla.org]. The Mozilla Foundation has offered a $500 bounty for each security bug found, and already has secured a $10,000 budget to do so.
Thus, all those bugs should not be seen as a proof that the Mozilla code is badly written, but rather that the Mozilla Foundation is aware that secure code is hard to write, and that a good review process is critical to reach this goal.
You Mean There Are Still Coders (Score:3, Insightful)
How many years has it been now that buffer overflows are recognized as a major security problem?
How many years will it be before someone writes fucking code to go through a program and check for unchecked buffers?
How many years will it be before people are not allowed to put code in a system unless it is checked for unchecked buffers?
I mean, gimme a break here.
Now I suppose all the
Bullshit. You KNOW when you're using a buffer. You KNOW you're supposed to check it. So fucking CHECK IT!
Here's the bottom line: These coders are incompetent buffoons. Period.
Morons.
Re:One of the reasons i love firefox (Score:5, Insightful)
Re:One of the reasons i love firefox (Score:3, Insightful)
I wouldn't surprised if hackers even try to take advantage of this cycle in some way
Re:One of the reasons i love firefox (Score:5, Informative)
Re:One of the reasons i love firefox (Score:3, Insightful)
Before I get declared a Microsoft shill I would like to say that a vast majority of the software I run is F/OSS. I just want a certain consistency when people attack Microsoft and laud
Re:One of the reasons i love firefox (Score:3, Insightful)
That is, unless they decide to sit on it for a few years debating if they should fix it...
Re:One of the reasons i love firefox (Score:5, Insightful)
We're going to fix this Firefox bug, and it doesn't matter if it wipes your preferences and breaks your extensions. Your loss for using beta software.
We're going to fix this IE bug and try to make sure it doesn't break existing installs.
I use Firefox, but haven't upgraded from 0.8. I got tired of having to reset my preferences and extensions with each update. I'll take the time to upgrade when it gets to 1.0.
Re:One of the reasons i love firefox (Score:5, Insightful)
They're at the stage where they make large sweeping changes quickly. Once they hit production they should no longer do that... but until then, it comes with the terroritory... personally I'm amazed, and think it speaks greatly to the quality of Firefox and the lack of quality of IE that Firefox has such a showing in a beta state.
Re:One of the reasons i love firefox (Score:3, Insightful)
The Mozilla.org people have been actively trying to get people to promote Firefox, such as the recent campaign to submits reviews of Firefox to download.com.
You can't say one minute that Firefox is productio
Re:One of the reasons i love firefox (Score:4, Informative)
Result: when you or your users do not use the default English-US language, you cannot update to fixed versions as they are announced, but are forced to wait until the translation volunteer finds time to update the language package.
The Dutch language for 1.7.2 was released on September 10th, 5 weeks after that security fix had been released. And just a week later, another fix appears.
This way, users of the Dutch language will never be able to run recently fixed versions.
Hopefully something will be done about this. It should be possible to run a security-fixed release with the original language pack, or at least the language packs should be automatically updated and released whenever a security related fix appears.
Re:One of the reasons i love firefox (Score:4, Insightful)
We've found a bug in internet explorer, we're really sorry. We'll fix it... eventually.
The only difference here is when they decided to announce the flaw.
Mozilla decided to keep it secret until a new version was released. Don't you find that at least slightly scary?
Look when this security exploit was filed: #226669 [mozilla.org].
Re:OS is better! (Score:4, Insightful)
I hate to download yet again all 11 megabytes just because of a single bug.
Re:OS is better! (Score:5, Insightful)
Nimbda and Code Red both came out after patches had been available for months. I don't see this as positive or negative for Open Source.
At the end of the day--regardless of platform, it comes down to someone actually installing the patch!
Re:OS is better! (Score:4, Informative)
Edit -> Preferences -> Advanced ->
Periodically check for updates to:
[X] Firefox
[X] My Extensions
[X] Automatically download AND INSTALL new updates
Re:Reminds me... (Score:5, Insightful)
If you RTFA, and scroll to the botttom, you'll notice they link to all of the relevant Bugzilla entries for the reported problems.
Read them. Do you know how these flaws were found? By people looking at the source code and reporting them. The people who detected the problems couldn't have found them if the source was closed.
This is Open Source at its finest. On the other hand, we have the flaws in IE that are all too often found after someone has created an exploit and it's in the wild.
Personally, I wouldn't mind one bit if Mozilla users and Open Source developers found a security problem once per hour and got the problem fixed quickly. It's vastly better than the closed-source alternative where you have to hope that someone without access to the source reports the fault when they find it, and that Microsoft doesn't take their own sweet time fixing it.
Once again, Open Source at its finest.
Yaz.
Re:Reminds me... (Score:3, Insightful)
"Diversity" and "Open Source" are not mutually exclusive. I don't disagree that diversity in software can be highly benificial -- that's why on my personal network I run 5 different OS's (three of them being different Linux distros).
However, you can have diversi
Re:Hmm. (Score:3, Insightful)
Re:coverup by mozilla team (Score:5, Informative)
Re:Spin (Score:4, Informative)
Blake