Mozilla Open Source Security

Zero Day Vulnerability

This really isn’t very accurate. I don’t know the details of the vulnerability or even if there actually is one, but I question the marketing around the Zero Day Initiative’s vulnerability report. The big news seems to be “only 5 hours” after the release.

This isn’t really accurate if you think about it. It would be if Firefox 3 were a tightly controlled product that nobody could see a final version of. Reality is that the entire source code lives in CVS, there are nightly builds, and formal release candidates posted. Could someone have downloaded it after release and found a security issue? Absolutely. Is the timing a little suspicious considering everything was done out in the open? Yes.

It wouldn’t have made any waves if a vulnerability was found in a release candidate. It would have just been patched and a new candidate posted.

The advantage to the open source development process is the transparency through the entire process. The code in the release build isn’t remotely new or surprising. Many people had been running it for days prior to the actual release.

Again, it’s possible it all happened in 5 hours. But I doubt someone discovered a security hole, documented it, then it was verified and confirmed in just 5 hours. Especially considering the open nature of the development process and how easy it is to check things out in advance.

4 replies on “Zero Day Vulnerability”

“Reality is” that nobody except the most technically aware and adventurous users looks at beta and nightly version.

The marketing said the launch was yesterday, the version Mozilla had said is ready for the public was released yesterday.

“Reality” is subjective.

How about Mozilla stop wasting time writing blog posts that try to redefine the world’s million different perceptions of “reality” and just stick to the facts. Is there a vulnerability or not? If so, fix it!

You can’t on one hand say (paraphrased) “we fix security holes faster than anyone” in your marketing and then on the other say “oh but nah, but, uhmmm, but reality is, … it’s not *really* 5 hours …”.

@pd: alphas, nightlies and betas, yes; they are not run by that many people (except Fx3 beta 5, shipped with Ubuntu)

The vulnerability in question also exists in Firefox 2; so no, it’s not new. It just appeared now, but it is suspicious that it should appear right during the Fx3 Download Day.
We’ll have a release in a few days… A few other patches were in the pipe too.
