Browser Security Coverage

Ziff Davis eWeek is featuring a story by Ryan Naraine whose headline reads: High-Risk Flaws Flagged in IE, Mozilla. Right away I am thinking – “uh-oh … more security trouble and this time it hits Mozilla as well as IE browser”. Wincing a little, I read the story details.

“Security researchers have raised the alarm for a series of unrelated, high-risk vulnerabilities in Microsoft Corp.'s Internet Explorer and the open-source Mozilla browsers.”

Oh – so these are unrelated but high-risk vulnerabilities. And reading on, one discovers that the IE browser problem is so serious that security firm Secunia is advising customers to switch browsers until a comprehensive patch is available. In addition, there are two sets of other critical vulnerabilities in IE uncovered just before and during the Christmas weekend. But it is really unclear what vulnerabilities in IE have been patched and when and where to go. But I am concerned about Mozilla, so I press on.

Finally I come to the Mozilla bug news:

The updated IE warning comes on the heels of a Bugtraq advisory for multiple flaws in Mozilla, Firefox and Thunderbird products. The volunteer Mozilla Foundation has rolled out new versions to patch the holes, which range from a potential buffer overflow and temporary files disclosure to anti-spoofing issues. According to the advisory, a potentially exploitable buffer overflow was discovered in the way Mozilla and Firefox handle NNTP URLs. The Mozilla Team also fixed a way of spoofing filenames in the “What should Firefox do with this file” dialog-box option.

This does not look good at all. So I go to mozilla.org looking for the embarrassing but necessary patch. Nothing! Oh no – has Mozilla caught Redmond's “slip sliding away” disease on browser security? So I go to the BugTraq advisory. Lo and behold, I discover there that these problems have all been fixed – and months ago! The Thunderbird vulnerabilities are fixed in the 0.9 edition. Ditto for Mozilla browser and Firefox – they are bug free since their 1.7.5 and 1.0 releases. So what is this January 03, 2005-based memo about?

It is a memo about the latest discovery of the seriousness of flaws already corrected by Mozilla. But why don't eWeek and Ziff Davis tell us that – after all, the monster downloads for Firefox and Thunderbird have occurred in the past two months – that is surely a newsworthy part of the story. You would think that writer Ryan Naraine would want to assure those readers – and caution any users of earlier and vulnerable editions of Mozilla software. Nothing. So readers are left with the impression by eWeek that Mozilla has major security problems outstanding when they don't.

This might as well be Security Updates at Ziff Davis brought to you by Microsoft Corporation. Or equivalently, why go to Ziff Davis and eWeek? Just connect directly through to Microsoft Press Pass and get the browser security lowdown straight from the horse's mouth. Ohhh, and while you are up there get one of those exotic reading items on Linux, maybe the Veritest one or catch Laura DiDio wearing nothing but her risqu