MozillaZine

Timeline of Mozilla shell: Security Vulnerability

Friday July 9th, 2004

Adam Sacarny writes: "I have created a timeline of the latest security bug. It shows how quickly the Mozilla developers handled the problem, tracking from the first mention in Bugzilla to the last CVS commit to the webpage. Readers get a peek into how development works over at mozilla.org, in particular into how security issues get resolved."

We reported on the shell: security vulnerability yesterday. A NewsForge commentary also praises the speed with which the exploit was patched. A slightly more pessimistic view can be found in an article from Enterprise Security Today (part of the NewsFactor Network) entitled Mozilla Security Nightmare Begins (according to Bart Decrem, the author of the article did contact the Mozilla Foundation for comments but they lost his number and could not return the call).

Update: Adam, author of the timeline, has written a followup post with further commentary on the bug and its fix.


#6 Re: Alarmist "Enterprise Security Today"

by Gnu

Saturday July 10th, 2004 1:00 AM


Unfortunately, that isn't the problem. The timeline is quite fascinating, but the issue isn't racing against the hackers -- it's racing against the end-users. Most MS security issues have been patched days, weeks, or even months before the first real-world exploits start to trickle in, but confusion, laziness, and outright miseducation on security issues keep these patches from being deployed as they should.

If Mozilla wants to stay ahead of the game, not only do they need to get the update engine up and running, it needs to silently install security updates by default. There's always a potential risk to pushing unattended patches, but it beats the alternative.

This major exploit has really burst everyone's bubble about Mozilla being impenetrable; ActiveX notwithstanding (which, admittedly, is half the problem), it's no more inherently secure than IE, and Mozilla are no more or less capable in the grand scheme of things of deploying patches than Microsoft (who has a superior mechanism to do so at this point). Now that Firefox is starting to move into position to compete, we're going to see this a lot in time. This is actually a good thing, because it will cause advocates to shift away from arguments that often seem intangible to common end-users (security), and towards the better overall experience that Gecko products can bring everyone.