Timeline of Mozilla shell: Security Vulnerability

Friday July 9th, 2004

Adam Sacarny writes: "I have created a timeline of the latest security bug. It shows how quickly the Mozilla developers handled the problem, tracking from the first mention in Bugzilla to the last CVS commit to the webpage. Readers get a peak into how development works over at, in particular into how security issues get resolved."

We reported on the shell: security vulnerability yesterday. A NewsForge commentary also praises the speed with which the exploit was patched. A slightly more pessimistic view can be found in an article from Enterprise Security Today (part of the NewsFactor Network) entitled Mozilla Security Nightmare Begins (according to Bart Decrem, the author of the article did contact the Mozilla Foundation for comments but they lost his number and could not return the call).

Update: Adam, author of the timeline, has written a followup post with further commentary on the bug and its fix.

#1 Alarmist "Enterprise Security Today"

by pro2k <>

Friday July 9th, 2004 7:48 PM

You are replying to this message

One of the things that many people don't seem to understand is that the virtue of Mozilla and free software in general, is not that all free software and open source is absolutely flawless and perfect. There have been instances where Mozilla has had security vulnerabilities before (just as every software has). But the virtue of Mozilla is that since the code is free for everyone to use and modify, these vulnerabilities are quickly fixed, even sometimes before crackers have an opportunity to exploit them. This is what makes free software and open source software very secure and very reliable.

Apparently the author of the article "Mozilla Security Nightmare Begins", Jay Wrolstad, doesn't understand the dynamics of free software and open source and creates almost an alarm where there is none. Although he mentions the fact that the patch is already available, he neglects to mention that such a patch was available very quickly, even far more quickly than the speed in which Microsoft provides its patches to Internet Explorer. According to Newsforge, it took just a minute (about 60) seconds for the patch to be available to the public: <http://software.newsforge…re/04/07/08/2327246.shtml> .

So .... please Mr. Wrolstad, don't create unnecessary alarm where there is no problem!