February 2nd, 2006

Firefox 1.5 patches eight critical security holes

Posted by George Ou @ 11:33 am

Categories: Security

[Update: 2/4/2006 6:15 PM] It appears that The Burning Edge’s "Unofficial Firefox Changelog" (which was linked from this official Mozilla page) has changed their tune and removed their claim of "undisclosed security patches" for Firefox.  That puts me in the awkward position of being wrong about Firefox secrecy since my source essentially backed out (though I wish The Burning Edge didn’t just fix their mistake as if they never said it).  Therefore, I have to retract any incorrect statements and apologize to the Mozilla foundation for the misunderstanding based on a bad source that seemed legitimate at the time.

Open Source has always prided itself on openness, so why is the Mozilla Foundation patching security flaws without disclosing what they are? Mozilla has released a new update for Firefox 1.5 with a long list of bug fixes, several of which Mozilla's advisory describes only as "several security enhancements". The problem is that, for all but one of these security fixes, we don't know what was actually fixed, and that seems to fly in the face of the Open Source mantra.

The one security fix in this update that was disclosed is an arguably serious DoS (Denial of Service) flaw that a third party publicly disclosed in December 2005 along with proof-of-concept exploit code. That third party maintains the flaw is serious enough to allow code execution, but Mozilla disputes this claim. Now that Mozilla is patching holes in secrecy, one has to wonder whether more serious vulnerabilities were patched but not disclosed.

It's a mystery why Mozilla is operating in secrecy with Open Source code, and one can only speculate about the motivations. Mozilla has always claimed the security high ground over Microsoft, although my report shows that this is debatable. It's one thing to keep a vulnerability secret when there is no fix yet, because no one wants zero-day vulnerabilities, but patching holes and not telling people what the problem was just seems wrong.

[Update:  Joris Evers sheds more light on this issue and Secunia has an advisory listing 7 fixes for "highly critical" vulnerabilities.]

[Update: My editor pointed to this link, which seems to have more details on the security flaws. Regular reader "Yagotta B. Kidding" says: "George appears to be objecting to the lack of publicity and confusing it with a lack of openness, perhaps because with the vendors he's used to anything that isn't publicized is kept secret." Ok, Yagotta has a good point.]

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
