17th
2008
Firefox 2.0.0.14 released. Why all the hate?
Yesterday Mozilla released version 2.0.0.14 of Firefox, which contained a security update to their world-renowned web browser. The release contained only one change: patching a security hole in JavaScript garbage collection which could* be exploitable.
I have spent today reading articles about this “huge security threat to Firefox”. The bug was in fact not yet exploited, and thus the security risks were immediately put to rest with the release of 2.0.0.14. Several sites were reporting the bug incorrectly, stating that the issue was introduced in their most recent release, which is not true since the most recent release is 2.0.0.14 and NOT 2.0.0.13 (where the problem was in fact introduced).
I’m still trying to figure out why so many people are out to crucify Mozilla. Microsoft and even Apple have had their share of security holes in their browsers. In fact, Microsoft has let huge security holes pass for six months to a year without a patch. They often release statements explaining that they must fully test the changes before they release the patch. Six months of testing? Come on… But people have just grown to accept these problems and delays from Microsoft.
Mozilla has created arguably the most successful third-party web browser of all time and has shattered record books with its adoption rate. Being open source, there will always be holes and bugs which are discovered more easily than those in the closed-source counterparts, but they have the advantage of public scrutiny and visibility to both discover and patch problems as they arise. This bug was patched before any exploit was made publicly available (assuming there is one). Instead of waiting until more security issues arise, Mozilla released 2.0.0.14 expressly to address this single issue. What they did was admirable and it should be viewed as such. Lining Mozilla up in front of a firing squad only serves to strengthen Microsoft’s position in a market that has begun to flourish with innovation since the advent of serious competition.
*No known exploit exists for this security hole.