Mozilla Fixes Firefox Flaw, But Needs New Security Practices

by Sam Dean - Jul. 17, 2008

As we reported on WebWorkerDaily yesterday, Mozilla has issued critical security advisories that affect several of its products, including versions of Firefox, Thunderbird, and SeaMonkey. Late yesterday, Mozilla released a new version 3.0.1 of Firefox that patches security flaws, and you can download it now. You can also get the new version, if you have Firefox 3 running, by clicking on the Check for Updates option on the browser's Help menu. What's still due from Mozilla, in terms of fixes, and what's missing from the security practices the company followed here?

As of Thursday morning, Mozilla's Thunderbird e-mail application is still downloadable only in version 2.0.0.14. As Mozilla's security advisory states, a new version 2.0.0.16 fixes security flaws, but it is not available yet, and Mozilla has not posted anything about when it will be available. Mozilla suggests disabling JavaScript as a workaround in the meantime (JavaScript is not typically enabled in mail).

In my opinion, when Mozilla issues security advisories that it deems critical, it should go beyond just listing the version numbers of its applications that will provide fixes, especially when the fixed versions are not available yet. The security advisory about Firefox 3 was posted well before the fixed version was made available, and there was no language about estimated arrival for a fix. The security advisory pertaining to Thunderbird is still up, and there is no language about when a fix will be downloadable. In one of the workarounds that Mozilla suggested for the Firefox problem, it said that users should just continuously use Firefox, because shutting it down contributed to the reported vulnerability.

It's perfectly understandable for a patch to take some time after Mozilla discloses a security problem. However, listing version numbers for vaporware and offering no disclosure about when the vaporware will become real doesn't go far enough.

Security is one of the primary reasons that many people choose an application such as Firefox: it's less of a target for hackers than Internet Explorer, in addition to its internal security features. Mozilla should ratchet up its security disclosure practices to fall in line with the favorable perceptions that people have about the internal security features found in its products.
