RUS-CERT Criticizes Mozilla Security Bugs Policy

Thursday March 11th, 2004

Simon Paquet sent us a link to a German article from the Computer Emergency Response Team of the University of Stuttgart (RUS-CERT) that criticizes Mozilla's security policy.

Simon provides a translation of the key points of the article: "The RUS-CERT criticizes Mozilla's security approach to security leaks. They find fault in the fact that no official security advisories are published by the Mozilla Foundation. Instead security leaks are silently patched and incorporated into newer releases.

"They come to the conclusion, 'At the moment Mozilla is obviously no convincing alternative to the market leader [Microsoft].' In an update to their article, they state that this sentence was interpreted as saying that everyone should refrain from using Mozilla. This is not the case. They only state that Mozilla suffers from the same security problems as all other clients and that the use of Mozilla alone is no solution to those security problems."

The last major update to the Known Vulnerabilities in Mozilla page was in November. The Mozilla Security Bugs Policy explains how security flaws are handled.

#27 I prefer the no patch system (2)

by smkatz

Saturday March 13th, 2004 6:10 PM


A version number lets me know exactly what I have, and why I have it (by looking at release notes). A version number means testing and stability. With Microsoft, a patch (to IE 5.01 from 5.0) causes a bug (illegal operation that requires reboot). A security patch may eventually fix it, or make it more stable. My father and I both had this happen to us, and I reproduced the 5.01 bug on two separate machines. A compiled release makes deployment and technical support easier. As multiple posts have demonstrated, patching really wouldn't be faster, and it would (for the reasons I have outlined) provide a false sense of security.

That said, the known vulnerabilities page needs to be updated. Ideally, Bugzilla should incorporate a module for security patches where if the patch is marked confidential, it is published on close. If the patch is open, and security-related, it is published immediately.

I assumed, because the security policy said so, that a notice is given only if the bug team thinks it's warranted *before* it is fixed. After it is fixed, it can be found in Bugzilla, so it's a moot point. It's more a matter of organization (notice placement) and clarity of policy, I think.