New Architect Interview with Gervase Markham

Sunday July 14th, 2002

New Architect has an interview with Gervase Markham, the youngest staff member. The interview touches on 1.0 and standards compliance but mainly concentrates on Mozilla's quality assurance effort.

#8 Re: Good security process?

by leafdigital

Monday July 15th, 2002 10:21 AM

I don't think Mozilla has any incremental update method, which is a bit of a problem since it means whenever they discover a security bug, you have to download a huge-ass entire new browser...

The particular bug you mention doesn't seem to be a terribly serious security risk: I don't see any immediately obvious way to exploit the crash, so at present it looks to me like only DoS. On a trivial level, any crash bug in Mozilla is a potential DoS (although normally of just the browser and not the entire OS/GUI), but unless there is an interesting way to exploit it into running code or something, then it's not a major security issue. (IMO.)

Worst-case for this particular bug is, as far as I can see, if somebody sends out spam mails that exploit it. I'm not sure whether anyone would bother because (a) there is no potential gain and (b) there is no target audience - Linux (etc.) is a tiny minority operating system on the client, and Mozilla is a tiny minority browser (with even fewer people using it for email). Combine those two, and...

So basically it looks to me like the worst thing possible is to irritate someone (probably someone you know). There are numerous other ways to do that, so...