Zero Day Vulnerability

This really isn’t very accurate. I don’t know the details of the vulnerability, or even if there actually is one, but I question the marketing around the Zero Day Initiative’s vulnerability report. The big news seems to be that it came “only 5 hours” after the release.

This isn’t really accurate if you think about it. It would be if Firefox 3 were a tightly controlled product that nobody could see a final version of. The reality is that the entire source code lives in CVS, there are nightly builds, and formal release candidates are posted. Could someone have downloaded it after release and found a security issue? Absolutely. Is the timing a little suspicious considering everything was done out in the open? Yes.

It wouldn’t have made any waves if a vulnerability had been found in a release candidate. It would simply have been patched and a new candidate posted.

The advantage of the open source development process is transparency throughout the entire process. The code in the release build isn’t remotely new or surprising. Many people had been running it for days prior to the actual release.

Again, it’s possible it all happened in 5 hours. But I doubt someone discovered a security hole, documented it, and then had it verified and confirmed in just 5 hours, especially considering the open nature of the development process and how easy it is to check things out in advance.

4 Responses to “Zero Day Vulnerability”

  1. pd says:

    “Reality is” that nobody except the most technically aware and adventurous users looks at beta and nightly versions.

    The marketing said the launch was yesterday, the version Mozilla had said is ready for the public was released yesterday.

    “Reality” is subjective.

    How about Mozilla stop wasting time writing blog posts that try to redefine the world’s million different perceptions of “reality” and just stick to the facts. Is there a vulnerability or not? If so, fix it!

    You can’t on one hand say (paraphrased) “we fix security holes faster than anyone” in your marketing and then on the other say “oh but nah, but, uhmmm, but reality is, … it’s not *really* 5 hours …”.

  2. Mitch 74 says:

    @pd: alphas, nightlies and betas, yes; they are not run by that many people (except Fx3 beta 5, shipped with Ubuntu)

    The vulnerability in question also exists in Firefox 2; so no, it’s not new. It just appeared now, but it is suspicious that it should appear right during the Fx3 Download Day.
    We’ll have release 3.0.0.1 in a few days… A few other patches were in the pipe too.

    Mitch

  3. […] exactly in the middle of the Firefox 3 download day. An unlucky coincidence, of course: only a conspiracy theorist could suspect that the timing was chosen in order to maximize the hype effect for the Zero Day […]

  4. […] that the vulnerability was intentionally made public on that particular day for the benefit of ZDI. Robert Accettura’s post has something for us to […]
