On Sun, 01 Oct 2006 11:34:37 +0100, Roy Schestowitz wrote:
>| "Mozilla can turn around on a dime," Levy said. "Open-source programmers
>| can recognize a problem and patch it in days or weeks."
Oh, that's such bullshit. Let's look at the security vulnerabilities in
firefox that were patched with 1.5.0.7 on September 14th.
https://bugzilla.mozilla.org/show_bug.cgi?id=346090
According to the CVE:
Heap-based buffer overflow in Mozilla Firefox before 1.5.0.7, Thunderbird
before 1.5.0.7, and SeaMonkey before 1.0.5 allows remote attackers to cause
a denial of service (crash) and possibly execute arbitrary code via a
JavaScript regular expression with a "minimal quantifier."
Hmm.. Reported July 27th. That's almost 2 months. And guess what?
https://bugzilla.mozilla.org/show_bug.cgi?id=345071
Here's the CVE:
Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows
remote attackers to cause a denial of service (crash) and possibly execute
arbitrary code via multiple Javascript timed events that load a deeply
nested XML file, followed by redirecting the browser to another page, which
leads to a concurrency failure that causes structures to be freed
incorrectly, as demonstrated by (1) ffoxdie and (2) ffoxdie3. NOTE: it has
been reported that Netscape 8.1 and K-Meleon 1.0.1 are also affected by
ffoxdie. Mozilla confirmed to CVE that ffoxdie and ffoxdie3 trigger the
same underlying vulnerability.
Reported on July 18th, again 2 months.
And even better, here's a bunch of bugs we can't even access because
they're "too sensitive", but based on their bug number some are older than
the ones from above. Adjacent bugs were reported in *MAY*.
https://bugzilla.mozilla.org/show_bug.cgi?id=339130
https://bugzilla.mozilla.org/show_bug.cgi?id=339170
https://bugzilla.mozilla.org/show_bug.cgi?id=339246
https://bugzilla.mozilla.org/show_bug.cgi?id=343087
https://bugzilla.mozilla.org/show_bug.cgi?id=344000
https://bugzilla.mozilla.org/show_bug.cgi?id=346980
In fact, pretty much every bug on this page:
http://www.mozilla.org/security/announce/2006/mfsa2006-64.html
I have yet to see any evidence of Mozilla fixing bugs within days or even a
week or 2 except in very rare cases. They take months. Sometimes 4+
months.