The Price Of Fame

It seems to be one of the prices of fame for Firefox that anyone who jumps up and down enough can get on the front page of Slashdot with a Firefox security-related story. Frank has pointed out that Firefox has become part of several “master narratives”, the major one of which is “the new browser wars” of Firefox vs. IE. As security is one area of comparison, it’s easy to connect to that master narrative with a story about “Shock! Firefox is not as secure as its proponents claim”. Therefore any suggestion of a new hole, which makes a story like that easy to write, is not treated with an appropriate level of investigative scepticism.

Newsflash: there are quite a few invalid HTML constructs which crash Firefox, just as I’m sure there are a lot of invalid documents which crash Word. That doesn’t mean they are all security holes – and no-one has demonstrated any evidence that this one (bug 210658) is. And claiming that it’s a DOS is frankly stretching the meaning of that term beyond breaking point. Crashing a single application used by a single person is not a DOS.

Furthermore, it’s worth repeating that security is not a state, it’s a process – and the fact that we have made regular point releases since the release of Firefox 1.0 shows that we take that process seriously. But we won’t be making one for this bug unless someone can demonstrate that it’s anything other than a common-or-garden crash.

17 thoughts on “The Price Of Fame

  1. I found a DoS as well last year, got duped to a bug one year older than it which unfortunately hasn’t been fixed.
    Interestingly enough IE had the same problem last time I checked it. Might’ve been fixed in XPSP2 though.

  2. 99% of the time those articles are sponsored by Microsoft.

    You can’t imagine how much slashdot is banking since they opened the gates of “sponsored” articles.

    They are relatively easy to spot. Bash Linux, Apple and Mozilla without any supporting facts, just a headline will do enough damage.

  3. What a load of FUD. This isn’t news. IE, and probably every other browser, has crashers and hangs from malformed markup. And what about all the other ways to crash, hang or render a browser inaccessible to the user? DoS? Security exploit? This is neither! I hope Whitedust Security are suitably embarrased, because for sure they can only have harmed their reputation amoungst the real security community. The stuff about “the Whitedust name stand[ing] for integrity” etc. on their About page made me laugh. Seems to me this is just a ploy to make money off their Google ads.

  4. DoS == Denial of Service

    Firefox is not a service. Except for mabye geeks whose lives depend on constant surfing of the internet.

    But then slashdot isn’t really a news site either.

  5. That’s all very true. But this “news” has already reached many other news outlets. A part of the price of fame probably will be to fix some publicly well known bugs a bit earlier that what would be the priority list otherwise. And if it’s only not to be bothered by a never ending flood of duplicates in bugzilla and flame wars in the different forums.

  6. There’s not really a lot Mozilla can do about Tom Ferris other than attempting to educate the “technical” press, though. This is unlikely to be the last time this happens.

    – Chris

  7. I don’t understand why the hell are you going mad about things like this?! Just fix it and everything is fine. But threads like this “The Price Of Fame” are only stupid. There is no advisory at “full-disclosure” or something like that, so why are so excited about this little thing? This behaviour don’t fit to your good work. :-)

    So go on with the good work.

    – Mick

  8. Mick: I’m not “going mad”; the post was thoughtful in tone rather than irate. But mud sticks, even if it’s flung unfairly.

  9. Time is running out for the 1.0.7 “security news” with 1.5 comming closer. I guess there will be couple of people tempted to show their “abilities” now. Nothing is so lame as a security warning for an old version.

    I would like however to argue that this is more a price of our not as aggressive as necessary handling of crash bugs in the past and now. Bugzilla has more than enough samples that would feed a daily slashdot story. One has to balance between obscure crash bugs and ordinary software development. Or is there anybody with cvs access, who would block the release till all known crash bugs are fixed.

  10. “I hope Whitedust Security are suitably embarrased, because for sure they can only have harmed their reputation amoungst the real security community.”

    To be honest this is a little unfair Whitedust were only reporting on a third party sites (milw0rm.com) released “exploit” – and the poll on Whitedust confirms that 50% of their readers do consider the problem a DoS. It is likely not Whitedust’s fault they got Slashdotted, they release a lot of third party news links every day this was probably a minor post for them, indeed they were ALREADY Slashdotted that day for an interview, they could have probably done without the excess traffic. Whitedust are best known for their interview’s not their exploit reporting (Tony Watson, Richard Thieme, Simple Nomad, Fyodor etc etc). They have interviewed some major infosec people since they launched; condemning them for reporting what is out there as news seems a little bitter to me. They bill themselves as uncut news that is exactly what they provide.

    If anyone should be getting stick for anything surely it’s the source of this news: milw0rm.com.

    Lets not start shooting the messenger because it’s easier. We’re beginning to sound resentful of firefox’s popularity.

  11. I dont know what you people whine about, thats just one line of code and simple as hell, sure there are DoS exploits found daily but it doesnt make that less of an exploit anyway.
    Exploit is program, code, etc that makes a program do what its not supposed to do. And if that code crashed the program it is a DoS exploit.
    And the fact thats DoS stands for Denial of Service has nothing to with services, dont take everything so literally people :)

  12. Exploit is program, code, etc that makes a program do what its not supposed to do.

    No, an exploit is something that makes your computer execute code that the attacker has written. There’s a massive difference.

  13. At the very least the actually definition of the word “exploit” in this context is up for debate…

    Personally I agree with Furcalor on this one. If it crashed the process it EXPLOITED a BUG in Firefox and is therefore by definition an EXPLOIT.

    …?

    It’s not rocket science.

  14. esr’s word is not gospel (despite what some people think) it’s his version of events…

    The definition of the term “exploit” is up for debate in this ever changing IT world.

    Besides which esr’s own document there says that that is “cracker slang” – and that may well be the case, but just as hacker was original MIT slang for a pranker do you think it’s possible that the term “exploit” has evolved has the term “hacker did” to include a wider spectrum of activity’s given the changing nature of the IT world?

    Quoting esr does not end a dicussion by default; ironically it opens a whole new can of worms. Wouldn’t you say?