The Register: "Mozilla riddled with security flaws"

[Gunnar]

The Register has an article up. It has the quite misleading headline "Mozilla riddled with security flaws". Most of these bugs seem to pertain to older (i.e. pre 1.0.1) versions of Mozilla. While I think it is good to be stay on top of things, I absolutely disagree with the headline and style of this article. I mean "riddled" compared to what (IE????)?

You can find the article here The Register: "Mozilla riddled with security flaws"

Gunnar

[johann_p]

It seems the author does not make any false claims - these flaws do exist.
I am puzzled though concerning whether these flaws are fixed and in which
releases. It seems that the most stable+secure version currently available
at mozill.org is 1.0.1 and most of the flaws mentioned are *not* fixed in there,
right?
I also wonder which of these flaws is actually in the NS 7 release?

I think the bottom line is that Mozilla.org should give more attention to these
issues, e.g. by giving clear instructions and information about security issues
and updates on the home page.
Mozilla is used by end users (I believe to a bigger extend than NS7) and it always
will be and I think this is good and in the interest of promoting Mozilla/NS.

Security issues have always been a major argument against IE, with issues like this one
(even if it should be mostly hot air) the public's opinion might change.

It is of course much easier to find out security flaws in an open source program -
I think this should be turned into an asset and clearly pointed out at the mozilla.org
home/download pages, together with other advantages.

[Gunnar]

It seems the author does not make any false claims - these flaws do exist.

That is definitely correct. I do, however, disagree with the headline since most of these flaws seem to affect versions prior to 1.0.1, so the correct headline should be "older Mozilla versions....". Plus, "riddled" is definitely an exaggeration.

I am puzzled though concerning whether these flaws are fixed and in which
releases. It seems that the most stable+secure version currently available
at mozill.org is 1.0.1 and most of the flaws mentioned are *not* fixed in there,
right?

It seems that most (but not all) of these flaws only affect versions prior to 1.0.1.

Versions of Mozilla previous to version 1.0.1 contain multiple security vulnerabilities, so users need to update their browser software

note: boldface by me.

I also wonder which of these flaws is actually in the NS 7 release?

See above. Netscape 7 is based on Mozilla 1.0.1 so it should be mostly fine.

Security issues have always been a major argument against IE, with issues like this one
(even if it should be mostly hot air) the public's opinion might change.

I could not agree with you more. Still, seeing how (relatively) few bugs security flaws there are, especially when compared to IE/Outlook Express and how quickly they usually are fixed, I think Mozilla is still doing fine. What Mozilla should do is keep the page that listst these issues up-to.date and easy to find.

Gunnar

[johann_p]

It seems the author does not make any false claims - these flaws do exist.

That is definitely correct. I do, however, disagree with the headline since most of these flaws seem to affect versions prior to 1.0.1, so the correct headline should be "older Mozilla versions....". Plus, "riddled" is definitely an exaggeration.

I looked <a href="http://www.mozilla.org/projects/security/known-vulnerabilities.html">here</a> and it seems most of the bug are marked as "through 1.0.1" which I understand as "including" 1.0.1 (but maybe my english is poor) - which would be contradicting the article and what you say.
Thats why I asked about the status - is there an updated version of 1.0.1 or are the fixes
only to be seen in 1.0.2?

[michel v]

I do, however, disagree with the headline since most of these flaws seem to affect versions prior to 1.0.1, so the correct headline should be "older Mozilla versions....". Plus, "riddled" is definitely an exaggeration.

<Planet of the Apes>
You Register maniacs! You hired Mangelo! Oh, damn you! God damn you all to hell!
</Planet of the Apes>

[hjarry]

While I think it is good to be stay on top of things, I absolutely disagree with the headline and style of this article. I mean "riddled" compared to what (IE????)?
Gunnar

The Register does, after all, bill itself as "biting the hand that feeds IT." I don't mind the tart tone. Six vulnerabilities is a sufficient number to use "riddled" in my book.

The thing to do now is, as others here have said, to get these recognized and addressed on Mozilla.org forthwith.

[laszlo]

The thing to do now is, as others here have said, to get these recognized and addressed on Mozilla.org forthwith.

To quote the MozillaZine mainpage:

The most remarkable detail [about] these bugs is that most of them are already fixed. In fact, only one [of] the flaws (reported here in September) is present in the latest stable branch and trunk releases (Mozilla 1.0.1 and 1.1 respectively), while the more recent 1.2 Beta isn't vulnerable to any of them.

[Alex Bishop]

The most remarkable detail [about] these bugs is that most of them are already fixed. In fact, only one [of] the flaws (reported here in September) is present in the latest stable branch and trunk releases (Mozilla 1.0.1 and 1.1 respectively), while the more recent 1.2 Beta isn't vulnerable to any of them.

Argh! Is my typing really that bad? Thanks, I'll update the article.

[johann_p]

I still dont get it - the link given in the register to <a href="http://www.mozilla.org/projects/security/known-vulnerabilities.html">here</a> shows
a list of flaws of which most seem to be in 1.0.1 ("though 1.0.1"). This is the latest
release of what is supposed to stable and secure branch of mozilla, right? And it
is what NS 7 is based on so these things are in NS7 too.
So if you argue that these things are fixed in the recent builds, why should anyone
bother to use the recommended stable release 1.0.1 or even NS7?
Dont get me wrong, I have been using current builds all along, but I dont really see
how you would sell 1.0.1 given these facts?
Why havent there been security fixes for that "stable production" release? Wouldnt
that release be the one that needs those fixes most?

[michel v]

Johann, there's a last column "Date Fixed".
My limited comprehension of English makes me read the issues have been fixed. Else, what would these dates mean?
All I see there, is that the most recently fixed security flaw was in September, so in the worse case scenario, this flaw and the previous one from August are in 1.0.1 and NS7.

[johann_p]

My question was NOT about the date fixed, but about whether it is true that
these bugs are in version 1.0.1, which seems to be the case. 1.0.1 is the
version that is recommended as the most stable and secure one and it is
the one NS 7 is based on. It is also the one that is probably distributed with most
current Linux distros and which will be used by those who are concerned about
stability and security. And as it seems, if you donwload 1.0.1 which is the latest
stable release NOW from mozilla.org you will still get these problems.
And if all this is the case, the statement about these issues being fixed in 1.0.1
is simply not true. Or are there different builds of 1.0.1? Is the 1.0.1 you download
now different from the original one? (I would assume that no),

[mfk]

Of course Mozilla has security flaws. Big surprise there.

However, how many people are using NS 6.x? I know that many people are slow to upgrade, will this affect NS 6.x users as well?

[Gunnar]

Johann,

this is SecurityFocus' vulnerability list for Mozilla 1.0:

2002-11-01: Multiple Browser Zero Width GIF Image Memory Corruption Vulnerability 2002-11-01: Mozilla OnUnload Referer Information Leakage Vulnerability 2002-11-01: Mozilla Browser HTTP/HTTPS Redirection Weakness 2002-11-01: Mozilla document.open() Memory Corruption Denial of Service Vulnerability 2002-11-01: Mozilla Space Key XPI Installation Vulnerability 2002-11-01: Mozilla XMLSerializer Same Origin Policy Violation Vulnerability 2002-09-18: Mozilla Multiple Vulnerabilities 2002-08-06: Mozilla FTP View Cross-Site Scripting Vulnerability 2002-07-29: Multiple Browser Vendor Same Origin Policy Design Error Vulnerability 2002-07-24: Mozilla JavaScript URL Host Spoofing Arbitrary Cookie Access Vulnerability 2002-06-12: Netscape / Mozilla Malformed Email POP3 Denial Of Service Vulnerability

whereas this is their vulnerabilities list for 1.0.1:

2002-11-01: Mozilla OnUnload Referer Information Leakage Vulnerability

and this vulnerability is no longer present for Mozilla 1.1, so it seems that you should be on the safe side using the recommended stable branch.

You can see the vulnerabilities list for yourself here

I hope this helps address your concerns.

Gunnar

[redvine]

I think the "Milestones Affected" column on the "Known Vulnerabilities" page must mean "until" instead of "though". This should be corrected by Mozilla.org as it is very confusing. But it makes no sense for security flaws corrected in May and June to still be in 1.0.1 which was released toward the end of August.

What's more, the list of "25 security fixes" that were made fore 1.0.1 (available <a href="http://www.mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html">here</a>) lists the same bug numbers as in the "Known Vulnerabilites" page. So it seems clear that when "Milestones Affected" = "Through 1.0.1" they mean 1.0.1 is the first milestone not affected. They should have said "Milstones Affected" = "Until 1.0.1".

[feepcreature]

...it seems most of the bug are marked as "through 1.0.1" which I understand as "including" 1.0.1 (but maybe my english is poor) - which would be contradicting the article and what you say.

Your English is fine - it's just that the author was using a dialect of American