LWN: Comments on "Firefox 3.0.9 released"
https://lwn.net/Articles/329565/
This is a special feed containing comments posted to the individual LWN article titled "Firefox 3.0.9 released".
Feed generated Fri, 19 Sep 2025 12:38:55 +0000

----

Firefox 3.0.9 released
Posted by roc, Fri, 24 Apr 2009 11:44:55 +0000
https://lwn.net/Articles/329986/

Does KHTML have people working full-time looking for security vulnerabilities? Mozilla does.

Do criminal gangs and security researchers spend a lot of time and energy trying to find security vulnerabilities in KHTML? They do for Firefox.

----

Firefox 3.0.9 released
Posted by jordanb, Fri, 24 Apr 2009 03:50:27 +0000
https://lwn.net/Articles/329935/

Eric Raymond is a tool.

Open Source *can* be a source of greater assurances about system security due to greater access for legitimate auditors, but the assumption that there are many people looking isn't always valid. Plus, crap code can be produced in large quantities on either side of this industry. I've seen nothing about the Mozilla Corporation or Firefox that suggests that it's anything other than a code-churning organization and a horribly written product.

"Open Source" isn't magic pixie dust that turns offal into prime cuts.

----

Firefox 3.0.9 released
Posted by pr1268, Fri, 24 Apr 2009 00:55:42 +0000
https://lwn.net/Articles/329922/

"""
How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html
"""

Wow, this is a sobering revelation of the quality of code (or lack thereof) in Firefox. But, my earlier post wasn't meant merely to defend Firefox, but rather the open-source nature of its development and the (assumed) security benefits proposed by Eric Raymond.

But, I agree with the tone of your post in that this level of coding sloppiness is unacceptable. If not only for the security and reliability of the running program, then for the perceived FUD that the proprietary software companies could theoretically use against open-source development in general.

----

Firefox 3.0.9 released
Posted by sbergman27, Thu, 23 Apr 2009 22:35:10 +0000
https://lwn.net/Articles/329910/

"""
The "complete disclosure" part means that we don't just fix such bugs silently, as other vendors do, but issue advisories about them. This is one reason bug-counting methodologies of security comparison just won't fly.
"""

So how do you explain the fact that Konqueror's security record is so much better than Firefox's? You think they are concealing security problems?

----

Firefox 3.0.9 released
Posted by gerv, Thu, 23 Apr 2009 22:12:39 +0000
https://lwn.net/Articles/329903/

Perhaps you'd care to outline the concrete development practice changes which would constitute "being more careful"?

There are three things you need to consider for a meaningful security metric - severity, exposure window and complete disclosure (http://blog.mozilla.com/security/2009/04/22/measure-what-matters-the-sec-essentials/). Without all of those, you can't make a meaningful comparison of risk.

The exposure window for most Firefox security problems is 0 days - because we find them internally or they are reported to us by white hats. The "complete disclosure" part means that we don't just fix such bugs silently, as other vendors do, but issue advisories about them. This is one reason bug-counting methodologies of security comparison just won't fly.

Gerv

----

Firefox 3.0.9 released
Posted by niner, Thu, 23 Apr 2009 12:44:57 +0000
https://lwn.net/Articles/329750/

Reminds me of the <input type="crash"> that was all that's needed to crash IE. Well, they had to learn, too.

----

Firefox 3.0.9 released
Posted by BlueLightning, Thu, 23 Apr 2009 11:05:49 +0000
https://lwn.net/Articles/329741/

KHTML is related to Webkit, yes, but not to Gecko.

----

Firefox 3.0.9 released
Posted by roc, Thu, 23 Apr 2009 02:44:05 +0000
https://lwn.net/Articles/329698/

IE, Safari and Opera do not report every security bug that they detected and fixed themselves. Mozilla does. Thus, Secunia's bug-counting is meaningless.

----

withstanding random input
Posted by jeleinweber, Thu, 23 Apr 2009 02:36:03 +0000
https://lwn.net/Articles/329696/

Yes, Microsoft has a large investment in fuzzing tools.

----

Firefox 3.0.9 released
Posted by sbergman27, Thu, 23 Apr 2009 00:30:59 +0000
https://lwn.net/Articles/329682/

Good point. But aren't they still using the related, but different, khtml?

Anyway, I doubt that any browser of any sort has a stream of vulnerabilities as voluminous as that of Firefox. And yet the FF Faithful go on denying the issue. Amazing, really.

----

Firefox 3.0.9 released
Posted by sbergman27, Wed, 22 Apr 2009 23:31:09 +0000
https://lwn.net/Articles/329673/

"""
This makes it sound like adding vulnerabilities was a deliberate, conscious choice. I don't think this is a reasonable position to take.
"""

Conscious choice as in "let's put in this and that vulnerability and then patch it later"? Probably not. Conscious choice as in "let's give priority to 'cool features', not worry that much about security, and then patch security problems as they are reported"? Far more likely. The way users applaud whenever the FF devs patch a hole, where is the incentive for them to do any better? I don't see any.

----

Firefox 3.0.9 released
Posted by nix, Wed, 22 Apr 2009 23:26:57 +0000
https://lwn.net/Articles/329674/

'Upcoming'? Konqueror already exists. (It has vulnerabilities, but many fewer than FF.)

----

Firefox 3.0.9 released
Posted by sbergman27, Wed, 22 Apr 2009 22:48:10 +0000
https://lwn.net/Articles/329656/

"""
Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)
"""

How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html, and that Firefox could be trivially crashed (with buffer overflows) in seconds using just an automated script that generated random, broken, html. That incident alone blows Eric's theory right out of the water. Why, in the six years preceding, did *none* of the supposed "many eyeballs", which you are invoking to support your argument today, notice this gross violation of basic security practice which permeated the entire Firefox code base? It took *years* for the FF guys to work through the resulting family of security bugs in their bugzilla.

To make matters even more embarrassing, IE could withstand hours and hours of anything Michael's script could throw at it. Microsoft obviously already had an internal program in place for testing for such vulnerabilities.

If you don't remember all this, just google for "zalewski mangle". And prepare for some very uncomfortable reading.

----

Firefox 3.0.9 released
Posted by alankila, Wed, 22 Apr 2009 21:42:47 +0000
https://lwn.net/Articles/329648/

"keep patting them on the back for silently including vulnerabilities"

This makes it sound like adding vulnerabilities was a deliberate, conscious choice. I don't think this is a reasonable position to take.

----

Firefox 3.0.9 released
Posted by pr1268, Wed, 22 Apr 2009 21:00:30 +0000
https://lwn.net/Articles/329639/

"""
Firefox had more vulnerabilities in 2008 than IE, Safari, and Opera *combined*.
"""

Likely due to the open-source nature of Firefox. I can't imagine how many vulnerabilities are lurking in the proprietary browsers that the software vendors just don't want anyone to know about. Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)

----

Firefox 3.0.9 released
Posted by sbergman27, Wed, 22 Apr 2009 20:41:47 +0000
https://lwn.net/Articles/329633/

"""
I would love to see your work on a project that massive without any security vulnerabilities.
"""

Irrelevant. Don't attack the messenger. It would be far more informative to compare its security record to that of other browsers.

Firefox had more vulnerabilities in 2008 than IE, Safari, and Opera *combined*.

http://news.cnet.com/8301-1009_3-10190206-83.html?tag=newsEditorsPicksArea.0

Oh, yes, they issued fixes. But that only supports my original point. They have no incentive to reduce the vulnerabilities released because they receive lavish praise for each vulnerability for which they issue an after-the-fact patch. ("More vulnerabilities than all the other major browsers combined", remember.)

It will be interesting to see how the upcoming FOSS browsers based on the clean code base of WebKit compare against FF and others based on the ponderous, creaky, and apparently not particularly secure old Gecko code base.

----

Firefox 3.0.9 released
Posted by elanthis, Wed, 22 Apr 2009 19:33:42 +0000
https://lwn.net/Articles/329624/

I would love to see your work on a project that massive without any security vulnerabilities.

Projects that large and with such frequent updates and feature additions are going to have bugs, no matter what your development practices are. Many of those bugs will have security implications. Fact of life.

----

Firefox 3.0.9 released
Posted by sbergman27, Wed, 22 Apr 2009 17:51:46 +0000
https://lwn.net/Articles/329585/

It would have been much better not to have had the piles of vulnerabilities in the first place.

Expect yet more piles, and piles, and piles, as long as you keep patting them on the back for silently including vulnerabilities and then publishing fixes for them publicly.

The FF devs get more accolades for fixing the piles of vulnerabilities than they would have if they had been more careful in the first place. And that's not good.

----

Firefox 3.0.9 released
Posted by frlinux, Wed, 22 Apr 2009 17:48:03 +0000
https://lwn.net/Articles/329584/

Saying "yet another pile of security fixes" implies this is bad. I am happy to see a browser fixed on a regular basis as exploits are discovered. I still have bad memories about competitors just ignoring exploits out there for months.