I'm sure you'll understand if I respectfully decline to take your word for it. As usual mozilla.org's policy of hiding these reports makes it effectively impossible for the user to evaluate his own risk in using the browser.
Posted Jul 22, 2009 22:01 UTC (Wed) by joedrew (guest, #828)
Our general policy is to keep security bugs closed until either they've been fixed or otherwise "outed" (for example, by exploit code elsewhere). It's a tradeoff; we don't like closing people out of information, but we also don't like the security of our users to be jeopardized by something we can prevent.
Precisely that sort of thing happened recently with the Firefox 3.5 JIT bug - we let people know there was a critical bug, let them know how to mitigate that bug in the meantime, and had a fixed release out in less than 2 days. And yes, not closing the bug put our users at risk.
Anyways, I have started the discussion on opening bug 459906 among the security folk at Mozilla (I am only peripherally involved in that group), and it will hopefully be opened before long.
Firefox 3.0.12 released
Posted Jul 23, 2009 9:58 UTC (Thu) by roc (subscriber, #30627)
It's an unfortunate fact of life that keeping all our bugs public all the time would make it far too easy for the bad guys to abuse our users.
At least we do open all our bugs sooner or later, generally as soon as we can. All other browser developers keep their security bugs in closed bug systems and never reveal them.
Firefox 3.0.12 released
Posted Jul 23, 2009 18:41 UTC (Thu) by jwb (guest, #15467)
I totally understand the policy, roc, but wouldn't it be nice to have something more than "You are not authorized to access bug #470487" when a user is trying to look up some of these bugs? All I know about that bug is it's a topcrasher, it must be exploitable (because it's hidden), as of two days ago the fix for it is not in the 1.9.1 branch (according to the platform weekly meeting notes), and it was reported seven months ago.
It might be nice if the Bugzilla page could give me at least some useful information. For example it should tell me the severity of the vulnerability and its status in the trunk and each of the release branches. Then I would at least be able to think about the risk rationally.
Firefox 3.0.12 released
Posted Jul 24, 2009 0:21 UTC (Fri) by roc (subscriber, #30627)
That's an interesting idea. It might be useful to reveal that bug 470487 is Windows-only and so probably isn't relevant to you.
But again, we're miles better than our competition in this department. I don't know of any project that supports partial bug revelation.
Firefox 3.0.12 released
Posted Jul 23, 2009 10:01 UTC (Thu) by roc (subscriber, #30627)
It's an unfortunate fact of life that keeping all our bugs public all the time would make it far too easy for the bad guys to abuse our users by turning testcases into exploits.
At least we do open all our bugs sooner or later, generally as soon as we can. All other browser developers keep most of their security bugs in closed bug systems and never reveal them.