A Black Eye for Firefox Security

by Preston Gralla

Another day, another Firefox vulnerability.

Ho hum. It's starting to feel old hat.

But the way that Firefox has responded to the latest threat (and previous threats) has given those in charge of the browser a black eye.

First, consider the newest vulnerability. This time around, it's serious --- "extremely critical" because the flaw in Firefox and Mozilla could allow malicious code to be executed on someone's machine when they visit a Web site. As I write this, there's no complete fix, but Mozilla is working on the problem.

In the meantime, you can protect yourself by disabling JavaScript: choose Tools-->Options-->Web Features and uncheck the box next to "Enable JavaScript". You should also disable Firefox's software installation feature on the same screen by unchecking the box next to "Allow web sites to install software". When you're done, click OK.

The problem here is that if you visit the Firefox front page, you'll find not a single word about the vulnerability. No warning. No explanation of the security issue. No details on how to protect yourself. Nothing. If you want to find out about it, you'll have to dig very deep on the Mozilla site to find the security advisory.

This just isn't good enough. Security holes are the price of success --- there will be more of them. But the Firefox team has to start fessing up publicly on its own Web site when there's a vulnerability, and give people instructions on how to protect themselves.

What do you think about the way Firefox developers respond to security threats?

2005-05-10 09:23:18
It was well publicized on mozillaZine and Planet Mozilla

In addition, disabling JavaScript is WAY overkill. Just follow the instructions in the article above.

The Mozilla community has been more than forthright about the firefox' security issues, giving ample details about the vulnerabilities themselves as well as the strategies to fix them. I would hardly expect Microsoft to react the same way.

Don't forget that Microsoft tries its hardest to keep any vulnerability from being publicized before a patch is available. Would you consider this a black eye? or simply a cover up?

Such opaqueness (at best...) is not likely in the open source world.

Does Microsoft place unresolved advisories on its frontpage?

2005-05-10 10:12:56
Mozillazine? Not enough ...
I think that FOSS projects should hold themselves to higher standards than just disclosing a vulnerability somewhere. See the Debian homepage for the level of openness and vulnerability I expect (and BTW this is also one of the reasons why I stay with Debian).
2005-05-10 12:21:32
How many years did Microsoft take with no security?
Firefox is at 1.0.3
2005-05-10 13:56:16
    Security holes are the price of success – there will be more of them.

Uhm, what? Security holes are the price of writing software. Popularity is an extraneous factor. Linux servers have been getting attacked less as they became more popular.

I agree more could have been done to alert users more prominently, but c’mon – it’s just been two days. And when have MSFT last plastered all of their outstanding security vulnerabilities over any product’s homepage?

Let’s keep proportionality in mind and see how this unfolds, shall we?

2005-05-11 11:40:41
I had no problem finding it
Firefox news is not on the start page. The start page is empty advertising-like info that no one is expected to look at twice. That never changes. I did not have to "dig deep" to find the information. News is on the Mozillazine page and I check there once a day or so. Mozilla put the bug there on May 8'05:

Sunday May 8th, 2005

Mozilla Arbitrary Code Execution Security Flaw

A security flaw that allows a malicious site to execute arbitrary code on a user's system has been discovered in Mozilla Firefox. Secunia has probably one of the more accurate and concise write-ups of the code execution vulnerability. It appears to be the first "Extremely critical" Firefox flaw logged by Secunia.

On the other hand, Mozilla had known of the security hole since May 2'05. While Microsoft may sit on security information for several months, considering a PR offensive the priority, Mozilla did sit on it when they could have told us to shut off an automatic update feature until whenever. It was the same in principle though not in extent.

BTW, Preston Gralla repeats the same syntax I've seen on Secunia, etc. On my copy of Firefox (20050509) the syntax is:

Tools > Options > Content and then uncheck "Allow web sites to download software".

2005-05-12 05:25:32
The problem has been fixed; 1.0.4 update available
As usual, the Firefox team has come through in record time: a fix is already available.

Great work, guys, notwithstanding the article's author's opinion.

2005-05-13 01:02:28
yes but ...
I would like to point you towards an Internet Explorer security hole that still works and hasn't been fixed now for over 7 months.

I won't publish the details here since it's already on the web (but thankfully a little hidden), let me just say it involves