Zero Tolerance for Privacy and Security Bugs
Mike Angelo -- 30 September 2002 (c) - Page 2
It certainly is curious that the Mozilla-Netscape developers did not fix Bug #145579 until after it was brought to public attention via Bugtraq. How many privacy and security bugs are in the Mozilla-Netscape code-base that are being kept secret from the public and not being fixed? Moreover, how many privacy and security bugs that are not hidden, such as Mozilla Bug #32571 and all its duplicates, are not being fixed in a timely manner?
It is past time for the Mozilla-Netscape developers to bring the status of Mozilla-Netscape privacy and security bugs and issues into the full light of day and Sun. Users of the Mozilla, Netscape, and other Mozilla-based browsers and products have a right to know just how safe or vulnerable their system security and individual privacy are when using Mozilla-Netscape and other Mozilla-based products.
Of course there are legitimate concerns about giving potential crackers and others that would invade your privacy and/or attack your system a leg-up if the details of privacy and security bugs are revealed prematurely. However, we believe that such bugs can be listed and announced in a manner to alert users to privacy and security flaws in the Mozilla-Netscape code-base without giving sufficient detail to aid evildoers.
This duty to let users of computers know immediately about privacy and security violation exposures is not only applicable to the Mozilla-Netscape browser-suites and other Mozilla-based products. This duty and obligation to immediately advise computer users of privacy and security violation exposures is incumbent on all producers and vendors of computer products.
Moreover, we believe that producers and vendors of computer products should provide patches and/or upgrades that fix privacy and security violation exposures within 24-hours of a computer product producer's or vendor's knowledge of such exposures or risks.
We think that is reasonable. Computer products should not be released with privacy and security violation exposures and risks. Twenty-four hours to fix privacy and security violation exposures and risks is not unreasonable in light of the fact that computer products users are being subjected to such privacy and security violation exposures and risks -- until such time as privacy and security violation exposures or risks are publicly announced and fixed.
And if that means company big-shots as well as the little-shots have to go without sleep until the privacy and security violation exposures and risks they created and distributed are fixed -- well then, tough! If this sounds harsh, it is. But it is time people started taking responsibility for their wrongdoings -- and releasing computer products with privacy and security violation exposures and risks is wrong.
AOL-Netscape and its Mozilla Organization allowing a security and data loss problem such as that reported in Mozilla Bug #32571 and its progeny to go more than two years without correction is a disgraceful travesty! Four months to disclose and fix Mozilla Bug #145579 is unacceptable. Releasing Mozilla 1.0 with the Oingo bugs was willfully negligent conduct. (Links to all mentioned bugs in the Resources section at the end of this article.)
Certainly there will be instances where privacy and security violation exposures and risks slip through even the best of product development and quality control programs. But immediate announcement of such privacy and security violation exposures and risks when discovered -- and their immediate correction -- goes to the integrity of computer product developers and producers -- and the quality of their products.
On the other hand, trying to hide the existence of privacy and security violation exposures and risks from the light of day and from public attention goes to the lack of integrity of computer product producers and developers. Likewise, failure to immediately correct privacy and security violation exposures and risks goes to the lack of integrity of computer product developers and producers.
In the case of Mozilla Bug #145579 the AOL-Netscape-Mozilla people knew the privacy violation exposures and risks described by Bug #145579 were in the Mozilla-Netscape code. Yet they released not merely one product with the #145579 bug in it, they released several editions of their products with that bug in it. And that in our opinion is gross moral dishonesty!
Mozilla Bug #82275 is an example of a bug that is hidden from public view. Bug #82275 was reported in May 2001 -- and it still is hidden from public view. For a hint of what Bug #82275 is about, you can check Bug #86497, if you like. Judging from Bug #86497, Bug #82275 does not appear to be a big deal. The point, however, is that it is hidden from public view even though that bug was reported more than a year ago. Please see Figure 3.
Consider Mozilla privacy Bug #57351, "css on a:visited can load an image and/or reveal if visitor has been to a site." It has been around for nearly two years. It's a P3 priority, major bug targeted for Mozilla 1.2a. It's not hidden, but it's not fixed either. Bug #32571 has been in the Mozilla-Netscape code-base for more than two years. Just how many privacy and security bugs and issues are in the Mozilla code-base -- whether hidden or public? (Links to all mentioned bugs are in the Resources section at the end of this article.)
We have a link to some 25 privacy and security bugs that were fixed between the Mozilla 1.0 release and the Mozilla 1.0.1 release in the Resources section at the end of this article. Please keep in mind that if you used and/or are still using Mozilla 1.0, you have these 25 bugs in your copy of the Mozilla browser suite. Mozilla bug reports with numbers lower than 149219 were filed prior to 5 June 2002, the day Mozilla 1.0 was released. Ten of those twenty-five bugs were known when Mozilla 1.0 was released -- unforgivable!
Here, with Mozilla Bug #145579, the Mozilla-Netscape developers over-used the excuse of confidentiality in order to publish several releases of their browser-suites with a known-to-them privacy problem. It was not until Sven Neuhaus made the privacy issues reported in Mozilla Bug #145579 public via his Bugtraq posting that Bug Report #145579 was made public and the bug fixed.
There is no announcement of this Mozilla Bug #145579 on the Mozilla Organization main Web site page. Nor did we find any announcement of the bug in AOL-Netscape's Browser Central page. That in our opinion is gross moral dishonesty!
If the Mozilla-Netscape developers fail to make these hidden bugs public without delay, then anyone who has access to the hidden bugs in the Mozilla Bugzilla database ought to have the courage and moral fiber to do as Sven Neuhaus did and post the information about those bugs to Bugtraq forthwith!
AOL-Netscape's Mozilla Project is supposed to be an Open Source Software project. However, it has been hiding and covering up privacy and security problems for months and years.
Should an Open Source Software project hide and cover up privacy and security problems in its products -- for months and years? We do not think so. Open means Open!
For more information about how Mozilla bugs impact the user experience in general, please see our articles A Quick Look at Some Mozilla 1.0 Browser-Suite Annoyances, Bugs, And Issues; Mozilla 1.0 Browser Quick Look; and Mozilla 1.0 Browser-Suite's E-Mail & News Quick Look. Incidentally, please check the MozillaQuest Magazine front-page (mozillaquest.com) sidebar every now and then for bug-count updates and for upcoming Mozilla Milestone progress updates.