RUS-CERT Criticizes Mozilla Security Bugs Policy

Thursday March 11th, 2004

Simon Paquet sent us a link to a German article from the Computer Emergency Response Team of the University of Stuttgart (RUS-CERT) that criticizes Mozilla's security policy.

Simon provides a translation of the key points of the article: "The RUS-CERT criticizes Mozilla's security approach to security leaks. They find fault in the fact that no official security advisories are published by the Mozilla Foundation. Instead security leaks are silently patched and incorporated into newer releases.

"They come to the conclusion, 'At the moment Mozilla is obviously no convincing alternative to the market leader [Microsoft].' In an update to their article, they state that this sentence was interpreted as saying that everyone should refrain from using Mozilla. This is not the case. They only state that Mozilla suffers from the same security problems as all other clients and that the use of Mozilla alone is no solution to those security problems."

The last major update to the Known Vulnerabilities in Mozilla page was in November. The Mozilla Security Bugs Policy explains how security flaws are handled.

#8 Re: Re: Patching not possible

by mlefevre

Friday March 12th, 2004 8:06 AM

From discussions about patching before, I think they'd be happy to consider it if someone else contributed the work, but didn't see it as beneficial enough to bother doing the work. Someone guesstimated that to move between releases (even alpha/beta releases), the patch would end up being at least 80-90% the size of the whole thing. So (for Mozilla) you'd have a choice of downloading a 10MB "patch" version instead of a 12MB full version. Hardly worth the effort. For Firefox, it would make even less difference.

There'd be more value in patching to go from a stable release to a stable release to an x.x.1 security fix release, but that hasn't generally happened in the past because there haven't been any security issues that have been both serious and known about beyond a few developers. Of course that's not necessarily a reason not to do something in anticipation of future problems, but...