Firefox 3.0.9 released
Firefox 3.0.9 released
Posted Apr 22, 2009 21:00 UTC (Wed) by pr1268 (guest, #24648)In reply to: Firefox 3.0.9 released by sbergman27
Parent article: Firefox 3.0.9 released
Firefox had more vulnerabilities in 2008 than IE, Safari, and Opera *combined*.
Likely due to the open-source nature of Firefox. I can't imagine how many vulnerabilities are lurking in the proprietary browsers that the software vendors just don't want anyone to know about. Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)
Posted Apr 22, 2009 22:48 UTC (Wed)
by sbergman27 (guest, #10767)
[Link] (4 responses)
How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html, and that Firefox could be trivially crashed (with buffer overflows) in seconds using just an automated script that generated random, broken, html. That incident alone blows Eric's theory right out of the water. Why, in the six years preceding, did *none* of the supposed "many eyeballs", which you are invoking to support your argument today, notice this gross violation of basic security practice which permeated the entire Firefox code base? It took *years* for the FF guys to work through the resulting family of security bugs in their bugzilla.
To make matters even more embarrassing, IE could withstand hours and hours of anything Michael's script could throw at it. Microsoft obviously already had an internal program in place for testing for such vulnerabilities.
Posted Apr 23, 2009 2:36 UTC (Thu)
by jeleinweber (subscriber, #8326)
[Link]
Posted Apr 23, 2009 12:44 UTC (Thu)
by niner (subscriber, #26151)
[Link]
Posted Apr 24, 2009 0:55 UTC (Fri)
by pr1268 (guest, #24648)
[Link] (1 responses)
How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html Wow, this is a sobering revelation of the quality of code (or lack thereof) in Firefox. But, my earlier post wasn't meant merely to defend Firefox, but rather the open-source nature of its development and the (assumed) security benefits proposed by Eric Raymond. But, I agree with the tone of your post in that this level of coding sloppiness is unacceptable. If not only for the security and reliability of the running program, then for the perceived FUD that the proprietary software companies could theoretically use against open-source development in general.
Posted Apr 24, 2009 3:50 UTC (Fri)
by jordanb (guest, #45668)
[Link]
Open Source *can* be a source of greater assurances about system security due to greater access for legitimate auditors but the assumption that there are many people looking isn't always valid. Plus, crap code can be produced large quantities in either side of this industry. I've seen nothing about the Mozilla Corporation or Firefox that suggests that it's anything other than a code-churning organization and a horribly written product.
"Open Source" isn't magic pixie dust that turns offal into prime cuts.
Firefox 3.0.9 released
Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)
"""
If you don't remember all this, just google for "zalewski mangle". And prepare for some very uncomfortable reading.
withstanding random input
Firefox 3.0.9 released
IE. Well, they had to learn, too.
Firefox 3.0.9 released
Firefox 3.0.9 released