RUS-CERT Criticizes Mozilla Security Bugs Policy

Thursday March 11th, 2004

Simon Paquet sent us a link to a German article from the Computer Emergency Response Team of the University of Stuttgart (RUS-CERT) that criticizes Mozilla's security policy.

Simon provides a translation of the key points of the article: "The RUS-CERT criticizes Mozilla's security approach to security leaks. They find fault in the fact that no official security advisories are published by the Mozilla Foundation. Instead security leaks are silently patched and incorporated into newer releases.

"They come to the conclusion, 'At the moment Mozilla is obviously no convincing alternative to the market leader [Microsoft].' In an update to their article, they state that this sentence was interpreted as saying that everyone should refrain from using Mozilla. This is not the case. They only state that Mozilla suffers from the same security problems as all other clients and that the use of Mozilla alone is no solution to those security problems."

The last major update to the Known Vulnerabilities in Mozilla page was in November. The Mozilla Security Bugs Policy explains how security flaws are handled.

#14 Re: I supported Mozilla's policy..

by CNeb96

Friday March 12th, 2004 12:06 PM

"You shouldn't be able to do that. In theory, all security bugs should be secret."

There are probably several crasher bugs (or parser bugs) which are security sensitive, but no-one took the time to figure out if they could be exploited. They just fix them and move on. I read somewhere (slashdot post so your guess is as good as mine whether it's accurate) that OpenBSD assumes all bugs are security bugs until a security expert decides otherwise, not the other way around.

Also the CVS checkins for a security bug are public. So users of the next nightly may be secure, but not the milestone builds. It wouldn't be too hard to figure out a vulnerability by looking at the fix.

In short I would guess that the main reason Mozilla is hacked less (That's a guess, where could I find stats on this?) is because

A.) It's probably coded more sanely than IE. (Again just a guess, but since so many of MS's publicly released or reverse engineered protocols are so messy, I'm assuming their code must be as well).

B.) It's a smaller target. - If you want to make money, fame, or just be malicious, write a tool to attack the most people possible.

C.) Mozilla exploits rarely make the press. Perception is reality and attacking MS has become sport for the press recently.

Mozilla may be more secure than IE, but for the common user who only uses milestones it's still vulnerable.