Mozilla: The Good And The Bad

Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

Re:Bug reporting?

Yeah, imagine that, the Evil MS notifies customers that an update is avaliable, but the wonderful Mozilla organisation has people visiting the site looking for an updated version or patch. I know that my family at least finds that much easier because they have a deep interest in what web browser they use to browse the interweb...

If you're gonna complain about MS, at least use a valid argument, god knows there's a lot of them, but the kneejerk whining about MS being evil doesn't really do any good for anyone.

Re:Bug reporting?

Look.

Microsoft notifes us *when a patch is available*.

The Mozilla community notifies us *when a security flaw is found*.

Do you want to know about a problem when it is discovered, or after someone has already engineered a fix?

If your car was discovered to be prone to stopping dead on the highway and blowing up, you'd want to know before the manufacturer figured out how to make it stop doing that. You'd want to have the option of choosing to risk it, or parking the car and driving something else for a little while.

Now you know what activies are prone to security dangers, and can either avoid those activities or use another browser for a while.

Open enough?

Well, are they open enough? their policy [mozilla.org] allows for not disclosing vulnerabilities.

The main reasoning seems to be that vendors should be able to protect their customers.

But what happened with the privacy leak [slashdot.org] recently found in Mozilla? Granted, it was a minor glitch, but it is nevertheless useful in studying how policy affects security.

Did it help end users that it was marked sensitive? Well, Netscape knew about the glitch when they shipped their browser, yet, they shipped it. On the other hand, the leak was patched shortly after the story broke, so the answer should be a clear "No!"

This is an example that it is not sufficient to have the sources open, you have to get some light onto the problems too.

6 bug more !?

OK, 21669 to go [slashdot.org] :-)

Most are already fixed

As of 1.2beta almost all of these are fixed. In general opensource is not a whole lot more secure than closed source (both are programmed by humans), they just are more open with information and quicker with fixes.

Re:Most are already fixed

In fact, as of 1.0.1, five of the six bugs are fixed. Only one of these bugs exists in 1.0.1, and it's generally regarded as the least serious. Almost every distribution is running Mozilla 1.0.1 or 1.1 by now. I know I'm running 1.1 on my box, and Ximian GNOME is using 1.0.1.

Seriously, this isn't as big a deal as it looks, folks.

Re:Most are already fixed

Does /. often post stories "previous version of Internet Explorer had 6 security bugs" when the current patch has already fixed them? Seems to me that Mozilla's response was pretty quick...

Why users "should" switch

"...resource for convincing stubborn Internet Explorer users why they should switch..."

Should be:

1. Provides a better subjective browsing experience

If that's not true, you'll never win.

Re:Why users "should" switch

TEN MINUTES of not responding oh a relatively new machine (2ghz P4, 1/2GB RAM) is NOT, by ANY means acceptable.

Well, damn, your computer is so fast it can finish an infinite loop in ten minutes.

Re:Why users "should" switch

If that's not true, you'll never win.

Win what? Is there some competition to get more people using Mozilla than IE? That's a battle that will never be won as long as IE is shipped with nearly all new desktop computers and Mozilla is shipped with nearly none.

To me the interesting battle is to get enough users to use standards compliant browsers and not use old browsers such as Netscape 4 and IE 4 that web developers can finally just write according to web standards and know their websites can work for more than 99% of users.

Read the entire article....

If you read ALL the way to the end of the article you'll note that 5 of the 6 bugs are already fixed in 1.0.1 which has been out for a couple months now. I believe the sixth is already fixed in the 1.2 nightlies.

Re:Read the entire article....

5 of the 6 bugs are already fixed in 1.0.1 which has been out for a couple months now. I believe the sixth is already fixed in the 1.2 nightlies.

The same 5 of the 6 that are fixed in 1.0.1 are also fixed in 1.1. The last one is already fixed in 1.2 beta. Maybe even alpha or earlier (but why would one use those).

I saw this mentioned on The Screensavers last night and IMO the Register article is greatly overstating the magnitude of the vulnerabilities. These are all known, patched bugs. Good to motivate people to stay up to date, but this is a lousy way to evaluate a product's security.

Let's talk about the known, unpatched bugs in MSIE instead.

31 security vulnerabilities in IE

Here's a link. On November 6, 2002, there were 31 security vulnerabilities in Microsoft Internet Explorer [pivx.com]

The link is taken from: Windows XP Shows the Direction Microsoft is Going. [hevanet.com]. If Spanish is your native language: Windows XP muestra la dirección que Microsoft está tomando. [hevanet.com]

Re:Read the entire article....

There will always be bugs, whether your software is open source, free, or otherwise. What matters is how you deal with them.

Newsflash: Old buggy release has bugs

However, also according to the article on the register, most of these bugs are in Mozilla 1.0, which makes this kind of old news. Mozilla 1.0.1 was specifically advertized as a security bug-fix release, and has been out for quite some time.

NTLM auth

I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer.

NTLM auth is bug 23679, and is scheduled for Mozilla 1.3 alpha which will be out in about one month.

Re:NTLM auth

Want to have NTLM support? Vote for it!

No, write the damn code. That's what software freedom is about. You've missed the entire point.

Re:A Word on Mozilla

the Windows version is hurting
That's strange because I've found that Mozilla is more stable and faster in Windows vs. its Linux couterpart.

These are already fixed

To quote Mozillazine [mozillazine.org]

The most remarkable detail about these bugs is that most of them are already fixed. In fact, only one of the flaws (reported here in September) is present in the latest stable branch and trunk releases (Mozilla 1.0.1 and 1.1 respectively), while the more recent 1.2 Beta isn't vulnerable to any of them.

10 Things...

Now, is there a 10 Things IE Can Do That Mozilla Can Not such as run ActiveX properly if at all so one can go to most msn.com sponsored sites such as MSN Chat? Or how about properly running the Java plugin so Yahoo! Chat doesn't crash after a few minutes. I'm not making this up. This happens everytime.

Believe me, like the rest of you, I love Mozilla, and I live by the tabbed browsing. But unfortunetly, there are a lot of things I do on the Internet that still force me to crawl back to IE.

Re:10 Things...

"Believe me, like the rest of you, I love Mozilla, and I live by the tabbed browsing. But unfortunetly, there are a lot of things I do on the Internet that still force me to crawl back to IE."

Frankly, I didn't think the '101 things you can do with Mozilla' was that interesting. Most of the stuff there I'd only care about if I were doing web development today. In that case, yes it'd be really cool. But they're trying to oversell features that most people don't use. I just wanna browse the web, I don't care about color coded source viewing. I do care about the browser opening fast without hogging all the RAM. (Fortunately I'm an Opera user.)

Re:Here's two

2) View source opens notepad. I want to be able to edit, save (without it downloading the damn thing again!), and whatever.

File --> Edit Page

Bug Confirmation

Being a developer myself, I have a huge number of bugs that are reported to my team and I on a daily basis. While security is always a key concern, there is an entire process of validating a bug prior to adding it to an official bug list. An open source project, such as Mozilla, has to rely on the input of who know who for possible bugs, then also has to rely on a large number of volunteer developers to help validate the bug. Sometimes these processes take time.

Take the time to compare Mozilla's submitted bug report and their official bug list versus Microsoft's (that is if you can find a copy of it).

Re:The one thing it doesn't do

How sad. You don't 'talk' to a support technician with Mozilla, but you can usually get in contact with the person who actually wrote the code that's giving you trouble. Personally, I find this preferable to sitting on hold, paying through the nose for phone support, and talking to someone who hardly has the technical knowledge to use a computer, let alone code a browser. Mozilla's problems and bugs are well-documented; IE's are well-hidden. Mozilla has an excellent secuity track record; IE's security track record can be seen by the seemingly endless stream of advirories and patchs.

It's a shame that these Fortune 500 companies choose inferior products with inferior support on the basis that they're able to hear a human voice when there's some sort of problem; regardless of whether or not that human voice has the slightest understanding of the problem, the solution, or even the product.

Re:The one thing it doesn't do

I've found that the Bugzilla for Mozilla, Newsgroup usefulness, and general web resources are better, or at least equal to, that of Microsoft. Microsoft has an edge with phone support but, I run 10 servers and 50 workstations, all running Microsoft with SQL, Exchange, NT, 2000, and more - and I've never had to call them. I won't.

I dread calling them. It costs money, immense amounts of time, and I would sit on hold just knowing I'd end up with a moron who would suggest that I try rebooting.

This notion that a software company must be responsible for it's software, so that someone can be held liable and can be counted on to help, is really just dependency and lack of personal responsiblity, and ultimately a crutch. MCSE means Must Consult Someone Else.

Perhaps Fortune 500 companies ARE Fortune 500 companies because they pass the task of software support and maintanence off to the companies that make the software, and focus on their core business.

But they're also the ones spending obscene amounts of money and time trying to understand Microsofts insane licensing policies.

They're spending time and money evaluating Microsoft's DRM moves, preparing to deal with the inevitable (some would say immediate) consequences of Microsoft's negative, condescending attitude toward it's customers.

They're the ones who woke up one day and realized they were renting software, not buying it, and that they have an evil landlord and can't do anything about it. They're just happy their investors also like Microsoft so that they percieve this dependency as a "strategic relationship". They're the ones subject to the whip hand.

I've never walked into a Fortune 500 company and seen Mozilla. I've also never let the public see me having sex. Neither of those means that it doesn't happen.

It's about the browser

How my favourite bug [mozilla.org] was turned into a feature is the best example I have of how easy it is to get off the track with big projects like this.

The bug got lost in several threads, flames and arguments about what IE does or does not do, until it was finally marked WONTFIX by a Mozilla demi-god. IMHO, they missed the point. There is a constant refrain in Bugzilla about whether something is "standard" or not.

From my experience, the argument about web standards is used to either fix or not fix something, depending on how someone feels about a problem.

Don't think it's a problem? don't fix it and say "it's not standard, so we won;t" or "it's not standard, but we break the standard everywhere where it makes sense". Some behaviour need changing? The same arguments apply.

I may be just whining here, but sometime I think the fact that Mozilla is a web browser is lost in the arguments. I still love Moz, but the fact that the right-margin jumps around on my otherwise fine HTML 4.x and CSS pages will always bother me.

Misinformation

What The Register's article fails to mention is that all of the bugs were fixed long ago. Five of the six were fixed by 1.01 and 1.1. The other was fixed soon after. Security Focus's database (The Register's source) is aware of this.

Just some great investigative reporting on The Register's part. My friend's half-brother's cousin says...

Mozilla has had a lot more security bugs then six, anyway. So if they were trying to be silly and sensational, they could have done better. Most "security bugs", in Mozilla and other applications, and very minor and require very special sets of circumstances. Every app has them.

The only difference is they're fixed in Mozilla in days. MSIE still has unpatched holes. (There's a page somewhere that lists them with example code, maybe someone could post that URL, it's rather interesting... lists when the hole was discovered, and when [if] a patch was made available).

Re:Misinformation

Unpatched IE Security Holes [pivx.com]. There's only 31 of them at the moment. That's quality with a capital K.

I can do them!

I'm posting this from Mozilla 1.2b/MacOS X and it's close to pushing IE off my desktop.

But, looking over the list of 101 things Mozilla does that IE doesn't, there are plenty of things that IE does, and has done for years. (It may not do them on Windows -- I have no idea.)

I can view cookies, block individual cookies, disable tooltips and a bunch of other things listed. I'd also argue that IE can be trivially installed and uninstalled and has a more complete, and certainly much more usable bookmark manager.

How about https?

I've been using Mozilla for over a year now and for the life of me, I still can't access anything via. https. So, I have to open IE to do anything secure forms. I've read that I must do a complete install in order for this to work which I do, but still no dice.

Anyone have this problem?

Re:How about https?

Anyone have this problem?

With some sites, yes. If they don't support the Mozilla certificates, they won't allow https. I use Mozilla for my Banking (switched banks because they supported Mozilla) and things like Hushmail. For some things at work, I still have to use IE for sites that don't support Mozilla's certs.

The 101 list is bullshit

1. You can do this by writing a 12 line VB app that embeds the MSHTML COM control on separate tab controls. Some projects already do this. (Yawn)

5. uh, hit ctrl-H in IE6

7,8. Hold control, scroll mouse-wheel

17. IE does this

22. This can be set in IE

31. IE can do this

46. Is this a joke ?

77. I don't buy this. IE is a ship-component of Windows XP, and thus exists in 25 distinct locales.

97. This is just fanboyism. There is no substance here.

101. Got me there, champ.

These are just the things I know are crap off the top of my _head_. Why does fanboy shit like this make it to slashdot on such a consistant basis ?

Re:The 101 list is bullshit

While the 101 list goes a bit overboard, you're wrong to dismiss a lot of the items.

1. Tabbed browsing is inherantly slower with IE because it creates a new browser instance for each tab.

5. The side bar is NOT just a history window. You can put virtually anything in it, including slashdot headlines or a google box.

7-8. MSIE does NOT adjust font sizes if the CSS specifies it in pixels. Mozilla does.

17. At least with 5.5, the "cookie manager" is nothing more than a listview of all your temporary internet files. Mozilla has a real interface with more capabilities.

22. The average user will not set this, and will inevitably install Bonzi Buddy or some other crap because they click OK too fast. Mozilla comes secure by default.

46. You can run Mozilla from a network share without ever launching an installer. I'd like to see you do try with MSIE 6.

77. Yeah, assuming that you have the appropriate locale of Windows. And that you'd never want to run a version that was different from your operating system's locale settings.

97. True. But you must admit that Mozilla's security process is more open than IEs, and that there won't be major vulnerabilities that go unpatched for months. With IE you have no such guarantee.

101. You just can't argue with that one. The lizard is cool.

Some questions or suggestions....

I think Mozilla is in a position to really get innovation going again. Being a Web developer who started back in 1994, I remember first using Mosaic and Netscape back when features came so fast and furious that you really like progress was an everyday thing. I haven't felt that way lately (at least about Internet Explorer). So without further ado, here are some ways to innovate at a fundamental level, changing some things that should have been obvious.

First, making navigation buttons out of the link tags is great. But does Mozilla pre-fetch the "next" link, so that if I actually decide to go to the next page (likely), it comes up fast? WebTV has this feature. Makes the Web feel faster.

Second, why am I entering HTML tags into a plain text field? Where is the HTML text field? You know, a form object that comes with B, I, and U buttons, and allows me to visually format the text before sending (and which is delievered as standard, XHTML 1.0 compliant markup)? I've seen that Microsoft's new Web-based Outlook tools have this, but they use over 100k of JavaScript files to accomplish it. Shouldn't we just have something like this: <htmlarea></htmlarea>???

Finally, one of the things I've been waiting for is the ability to set images or other objects on angles. For example, if I wanted to have the slashdot logo appear as if it were on an incline, I might use CSS to specify the image display at -15 degrees. And if this were exposed to JavaScript, I could make some interesting animations. But I haven't seen this in CSS yet.

In short, I remember fondly when Netscape pushed the envelope -- I remember Andreesen adding the img tag, I remember Netscape implementing the file upload tag. I think some working demos of this stuff might help it gain acceptance, and give people a reference model to work from. Not to mention make Mozilla seem much more useful than Explorer.

*blink*

"Supports blinking text
You can make text blink."

*blink*

This is GOOD?

Already fixed?

I recall reading about this; those bugs were fixed before the bugs were reported this weekend.

Point 77 (Mozilla translations) is not really true

The problem with Mozilla's translation method is that it is designed in such a way that a translation team has to update a translation for every single release of Mozilla. That means that if a given translation team doesn't update the translation, newer versions of Mozilla have to be used in English.

In particular, if I wish to have Spanish-language dialogues in Mozilla, I (as of a month ago) can not upgrade to Mozilla 1.0.1 because none of the volunteer Spanish translation teams [1] has updated their 1.0.0 translations to version 1.0.1; instead they chose to direct their translation efforts towards 1.1 and 1.2.

Compare this to AbiWord, which has a translation structure such that, if a given translation team decides that meeting girls at dance clubs is far more fun than spending Saturday night translating dialogues, the translations still work for new versions of the program. If any new dialogues appear, those dialogues will be in English until someone steps up to bat to translate them, but any unchanged dialogues remain translated.

IE has an edge here, since their translation teams are paid; guaranteeing that any formal release of IE will be translated in to all officially supported languages. The disadvantage to this is, if a given language is deemed by Bill Gates to not be worthy of translation, you have to use the application in English (or one of the other official languages).

This structure causes Mozilla 1.0.1 to have translations available in languages like Estonian (a beautiful language [2] which has about, as I recall, 2 million speakers) but not in Spanish (which has more native speakers than English--about 325 million).

OK, thinking out loud, it should not be too hard to set up a perl script which unzips a translation for a given version of Mozilla, compares the labels against the English version for a given later version of Mozilla, and then translates all of the labels it can; leaving the untranslated labels in English. This would be far more productive than posting to Slashdot; perhaps a Mozilla guru can tell me if a tool like this already exists.

- Sam

[1] There are three Spanish trnaslation teams: One for Latin American spanish, one for Argentinian Spanish, and one in Spain. The Argentian is the most active group right now.

[2] One of my linguist teachers is a native Estonian speaker; she once talked to us in Estonian to demonstrate a language learning technique.

These are only the publicly known bugs

I'm sure there are security bugs in Mozilla that haven't been made public yet. That was the problem with the onUnload(). It was known about for a long time, but not until it became public did it get fixed.

My favorite bug

My favorit

My favorite bug is wh

My favorite bug is when mail cras

My favorite bug is when mail crashes whenever I tr

My favorite bug is when mail crashes whenever I try to sen

My favorite bug is when mail crashes whenever I try to send a message

Re:Yes, I've run into some of these

errors as allowing javascripted emails to both access files on the HD and automatically send out new messages

Or you could go to "Edit" -> "Preferences" -> "Advanced" -> "Scripts and Plugins" -> and uncheck "Enable JavaScript for...Mail and Newsgroups".

Does IE let you do that? Why do you need JavaScript in Mail anyway? I won't even accept HTML email.

Text is fine. I get the content without all the cookies and graphics.

Re:There is something

> It has much fewer bugs and still retains all the
> functionality needed to have a decent web
> experience.

Let's get real here. Dillo is great to browse simple stuff like local HTML documentation, and it's good for checking on the local news sites (when it doesn't choke on them too badly), but that's about all it's good for.

It has some sort of annoying cache bug that lets it get "stuck" (refusing to load a document whether you hit reload or not) on pages like Google's search results.

As distributed (version 0.6.6), Dillo doesn't do any kind of authentication or SSL. It also doesn't do Javascript/Java. So it has to be *very* casual browsing. It also doesn't print.

(I use Dillo myelf for viewing local copies of web pages I make for my students. This is mainly because it's so FAST.)