It seems to be one of the prices of fame for Firefox that anyone who jumps up and down enough can get on the front page of Slashdot with a Firefox security-related story. Frank has pointed out that Firefox has become part of several “master narratives”, the major one of which is “the new browser wars” of Firefox vs. IE. As security is one area of comparison, it’s easy to connect to that master narrative with a story about “Shock! Firefox is not as secure as its proponents claim”. Therefore any suggestion of a new hole, which makes a story like that easy to write, is not treated with an appropriate level of investigative scepticism.
Newsflash: there are quite a few invalid HTML constructs which crash Firefox, just as I’m sure there are a lot of invalid documents which crash Word. That doesn’t mean they are all security holes – and no-one has demonstrated any evidence that this one (bug 210658) is. And claiming that it’s a DoS is frankly stretching the meaning of that term beyond breaking point. Crashing a single application used by a single person is not a DoS.
Furthermore, it’s worth repeating that security is not a state, it’s a process – and the fact that we have made regular point releases since the release of Firefox 1.0 shows that we take that process seriously. But we won’t be making one for this bug unless someone can demonstrate that it’s anything other than a common-or-garden crash.