|
|
Subscribe / Log in / New account

Firefox 3.0.9 released

Firefox 3.0.9 released

Posted Apr 22, 2009 20:41 UTC (Wed) by sbergman27 (guest, #10767)
In reply to: Firefox 3.0.9 released by elanthis
Parent article: Firefox 3.0.9 released

"""
I would love to see your work on a project that massive without any security vulnerabilities.
"""

Irrelevant. Don't attack the messenger. It would be far more informative to compare its security record to that of other browsers.

Firefox had more vulnerabilities in 2008 than IE, Safari, and Opera *combined*.

http://news.cnet.com/8301-1009_3-10190206-83.html?tag=new...

Oh, yes, they issued fixes. But that only supports my original point. They have no incentive to reduce the vulnerabilities released because they receive lavish praise for each vulnerability for which they issue an after the fact patch. (More vulnerabilities than all the other major browsers combined", remember.)

It will be interesting to see how the upcoming FOSS browsers based on the clean code base of WebKit compare against FF and others based on the ponderous, creaky, and apparently not particularly secure old Gecko code base.

to post comments

Firefox 3.0.9 released

Posted Apr 22, 2009 21:00 UTC (Wed) by pr1268 (guest, #24648) [Link] (5 responses)

Firefox had more vulnerabilities in 2008 than IE, Safari, and Opera *combined*.

Likely due to the open-source nature of Firefox. I can't imagine how many vulnerabilities are lurking in the proprietary browsers that the software vendors just don't want anyone to know about. Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)

Firefox 3.0.9 released

Posted Apr 22, 2009 22:48 UTC (Wed) by sbergman27 (guest, #10767) [Link] (4 responses)

"""
Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)
"""

How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html, and that Firefox could be trivially crashed (with buffer overflows) in seconds using just an automated script that generated random, broken, html. That incident alone blows Eric's theory right out of the water. Why, in the six years preceding, did *none* of the supposed "many eyeballs", which you are invoking to support your argument today, notice this gross violation of basic security practice which permeated the entire Firefox code base? It took *years* for the FF guys to work through the resulting family of security bugs in their bugzilla.

To make matters even more embarrassing, IE could withstand hours and hours of anything Michael's script could throw at it. Microsoft obviously already had an internal program in place for testing for such vulnerabilities.

If you don't remember all this, just google for "zalewski mangle". And prepare for some very uncomfortable reading.

withstanding random input

Posted Apr 23, 2009 2:36 UTC (Thu) by jeleinweber (subscriber, #8326) [Link]

Yes, Microsoft has a large investment in fuzzing tools.

Firefox 3.0.9 released

Posted Apr 23, 2009 12:44 UTC (Thu) by niner (subscriber, #26151) [Link]

Reminds me of the <input type="crash"> that was all that's needed to crash
IE. Well, they had to learn, too.

Firefox 3.0.9 released

Posted Apr 24, 2009 0:55 UTC (Fri) by pr1268 (guest, #24648) [Link] (1 responses)

How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html

Wow, this is a sobering revelation of the quality of code (or lack thereof) in Firefox. But, my earlier post wasn't meant merely to defend Firefox, but rather the open-source nature of its development and the (assumed) security benefits proposed by Eric Raymond.

But, I agree with the tone of your post in that this level of coding sloppiness is unacceptable. If not only for the security and reliability of the running program, then for the perceived FUD that the proprietary software companies could theoretically use against open-source development in general.

Firefox 3.0.9 released

Posted Apr 24, 2009 3:50 UTC (Fri) by jordanb (guest, #45668) [Link]

Eric Raymond is a tool.

Open Source *can* be a source of greater assurances about system security due to greater access for legitimate auditors but the assumption that there are many people looking isn't always valid. Plus, crap code can be produced large quantities in either side of this industry. I've seen nothing about the Mozilla Corporation or Firefox that suggests that it's anything other than a code-churning organization and a horribly written product.

"Open Source" isn't magic pixie dust that turns offal into prime cuts.

Firefox 3.0.9 released

Posted Apr 22, 2009 23:26 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses)

'Upcoming'? Konqueror already exists. (It has vulnerabilities, but many
fewer than FF.)

Firefox 3.0.9 released

Posted Apr 23, 2009 0:30 UTC (Thu) by sbergman27 (guest, #10767) [Link] (1 responses)

Good point. But aren't they still using the related, but different, khtml?

Anyway, I doubt that any browser of any sort has a stream of vulnerabilities as voluminous as that of Firefox. And yet the FF Faithful go on denying the issue. Amazing, really.

Firefox 3.0.9 released

Posted Apr 23, 2009 11:05 UTC (Thu) by BlueLightning (subscriber, #38978) [Link]

KHTML is related to Webkit, yes, but not to Gecko.

Firefox 3.0.9 released

Posted Apr 23, 2009 2:44 UTC (Thu) by roc (subscriber, #30627) [Link]

IE, Safari and Opera do not report every security bug that they detected and fixed themselves. Mozilla does. Thus, Secunia's bug-counting is meaningless.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds