Re: Firefox/Mozilla releases new versions (release candidates)

From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 09/17/05


Date: Sat, 17 Sep 2005 10:58:03 GMT


"Steve Welsh" <sjw@stevew.net> wrote in message
news:432B69EC.8070504@stevew.net...
> Quaoar wrote:
> > http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172
>
> Is that it?
>
> Does nothing to address the issues of whether Moz/Firefox are
> intrinsically more secure, and, moreover totally ignores the fact that
> M$ takes forever to actually DO anything - if they finally decide it
> actually works.

/Intrinsically/ more secure? It's software. And software that (in both
cases) doesn't seem to have been tested all that well (the FF list included
a couple of real howlers, IIRC).

That said, they are both based on (in age terms, at any rate) fairly mature
code. In the case of FF these seem to be things that are cropping up in the
new code and (ironically) have been seen before in IE, a few years back
(e.g. IFRAME exploits). In other words, a progger just needs to search MS KB
to get the solution.

In theory, FF should eventually be /slightly/ easier to issue fixes for, as
it's a monolithic chunk of code that doesn't provide external services to
other software (as is the case with IE). The latter approach means that you
have to do that much more testing, and run the risk of breaking someone
else's code. Hence (large assumption on my part), the withdrawal of the
recent IE patch.

Although if they *do* delay a working and tested patch until the next
batch - rather than issue straight away - that sucks.

But is one platform "intrinsically" more secure? Assuming identically
adequate testing on both products, that's a bit like arguing that putting
all the code in one file is more secure than separating it into modules :o)

Incidentally, and just having taken a look at the FF 1.0.6 code for the
first time: it's littered with inline English-language status messages,
mostly unencumbered with comments, and scattered with hard-coded inline
parameter definitions. Not the best of practices when you're supposed to be
dealing with something internationalized...

Also - if there are any Mozilla developers reading - the documentation
states that "bq--" is no longer checked, but in fact it's just sitting
there, large as life, in nsIDNService.cpp. It's commented as being there
"for test purposes". Perhaps getting the code to do what everyone else
thinks it's doing would be a good start when working towards that permanent
fix ;o)

Incidentally, when an IDN "own any domain or certificate" bug was posted
back in February, you had to do a little more work to make the enableIDN
setting "stick":
http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html

Anyone tested to see if this is still required?

H1K