Mozilla Security Hole
Tuesday April 30th, 2002
Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.
On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.
UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.
Well, yes - of course a binary patch (just replacing the lib that had the broken code in it) would be preferable. It's not so much that *I* want it since I am using nightlies anyway. But I believe most potential users of NS would like to see NS react to these kinds of things in a reasonable, user-friendly way. MS *does* release security patches now and then and you don't have to install a new version of IE (even if some patches are nearly as big anyways). MS has had a way of not reacting to security issues or more or less ignoring them officially and they have received a lot of bashing and bad press for it - and I wonder why NS would want to choose the same route. MS is in a position where they essentially can ignore the uproar of informed or security-aware users. Netscape certainly is not in that position.