The Register: "Mozilla riddled with security flaws"
17 posts • Page 1 of 2
The Register has an article up. It has the quite misleading headline "Mozilla riddled with security flaws". Most of these bugs seem to pertain to older (i.e. pre 1.0.1) versions of Mozilla. While I think it is good to stay on top of things, I absolutely disagree with the headline and style of this article. I mean "riddled" compared to what (IE????)?

You can find the article here: The Register: "Mozilla riddled with security flaws"

Gunnar

It seems the author does not make any false claims - these flaws do exist.
I am puzzled though concerning whether these flaws are fixed and in which releases. It seems that the most stable+secure version currently available at mozilla.org is 1.0.1 and most of the flaws mentioned are *not* fixed in there, right? I also wonder which of these flaws is actually in the NS 7 release? I think the bottom line is that Mozilla.org should give more attention to these issues, e.g. by giving clear instructions and information about security issues and updates on the home page. Mozilla is used by end users (I believe to a bigger extent than NS7) and it always will be, and I think this is good and in the interest of promoting Mozilla/NS. Security issues have always been a major argument against IE; with issues like this one (even if it should be mostly hot air) the public's opinion might change. It is of course much easier to find out security flaws in an open source program - I think this should be turned into an asset and clearly pointed out at the mozilla.org home/download pages, together with other advantages.
That is definitely correct. I do, however, disagree with the headline since most of these flaws seem to affect versions prior to 1.0.1, so the correct headline should be "older Mozilla versions....". Plus, "riddled" is definitely an exaggeration.
It seems that most (but not all) of these flaws only affect versions prior to 1.0.1.
note: boldface by me.
See above. Netscape 7 is based on Mozilla 1.0.1 so it should be mostly fine.
I could not agree with you more. Still, seeing how (relatively) few security flaws there are, especially when compared to IE/Outlook Express, and how quickly they usually are fixed, I think Mozilla is still doing fine. What Mozilla should do is keep the page that lists these issues up-to-date and easy to find.

Gunnar
http://mozilla.gunnars.net - The Mozilla Help Site
I looked here (http://www.mozilla.org/projects/security/known-vulnerabilities.html) and it seems most of the bugs are marked as "through 1.0.1", which I understand as "including" 1.0.1 (but maybe my English is poor) - which would be contradicting the article and what you say. That's why I asked about the status - is there an updated version of 1.0.1 or are the fixes only to be seen in 1.0.2?
<Planet of the Apes> You Register maniacs! You hired Mangelo! Oh, damn you! God damn you all to hell! </Planet of the Apes>
The Register does, after all, bill itself as "biting the hand that feeds IT." I don't mind the tart tone. Six vulnerabilities is a sufficient number to use "riddled" in my book. The thing to do now is, as others here have said, to get these recognized and addressed on Mozilla.org forthwith.
To quote the MozillaZine mainpage:
Argh! Is my typing really that bad? Thanks, I'll update the article. Alex
I still don't get it - the link given in The Register to http://www.mozilla.org/projects/security/known-vulnerabilities.html shows a list of flaws, most of which seem to be in 1.0.1 ("through 1.0.1"). This is the latest release of what is supposed to be the stable and secure branch of Mozilla, right? And it is what NS 7 is based on, so these things are in NS7 too. So if you argue that these things are fixed in the recent builds, why should anyone bother to use the recommended stable release 1.0.1 or even NS7? Don't get me wrong, I have been using current builds all along, but I don't really see how you would sell 1.0.1 given these facts. Why haven't there been security fixes for that "stable production" release? Wouldn't that release be the one that needs those fixes most?

Johann, there's a last column "Date Fixed".
My limited comprehension of English makes me read that the issues have been fixed. Else, what would these dates mean?

All I see there is that the most recently fixed security flaw was in September, so in the worst-case scenario this flaw and the previous one from August are in 1.0.1 and NS7. My question was NOT about the date fixed, but about whether it is true that these bugs are in version 1.0.1, which seems to be the case. 1.0.1 is the version that is recommended as the most stable and secure one and it is the one NS 7 is based on. It is also the one that is probably distributed with most current Linux distros and which will be used by those who are concerned about stability and security. And as it seems, if you download 1.0.1, which is the latest stable release NOW from mozilla.org, you will still get these problems. And if all this is the case, the statement about these issues being fixed in 1.0.1 is simply not true. Or are there different builds of 1.0.1? Is the 1.0.1 you download now different from the original one? (I would assume not.)

Of course Mozilla has security flaws. Big surprise there.
However, how many people are using NS 6.x? I know that many people are slow to upgrade; will this affect NS 6.x users as well?

Last edited by mfk on November 5th, 2002, 4:29 pm, edited 1 time in total.
Johann,
this is SecurityFocus' vulnerability list for Mozilla 1.0:
whereas this is their vulnerabilities list for 1.0.1:
and this vulnerability is no longer present for Mozilla 1.1, so it seems that you should be on the safe side using the recommended stable branch. You can see the vulnerabilities list for yourself here. I hope this helps address your concerns.

Gunnar
http://mozilla.gunnars.net - The Mozilla Help Site
I think the "Milestones Affected" column on the "Known Vulnerabilities" page must mean "until" instead of "through". This should be corrected by Mozilla.org as it is very confusing. But it makes no sense for security flaws corrected in May and June to still be in 1.0.1, which was released toward the end of August.

What's more, the list of "25 security fixes" that were made for 1.0.1 (available at http://www.mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html) lists the same bug numbers as in the "Known Vulnerabilities" page. So it seems clear that when "Milestones Affected" = "Through 1.0.1" they mean 1.0.1 is the first milestone not affected. They should have said "Milestones Affected" = "Until 1.0.1".

Your English is fine - it's just that the author was using a dialect of American.