Over the last few days I've seen several stories around the release of the Firefox 1.0.3 update with ridiculous headlines like "Firefox Comes Under Attack", "Firefox Singed By Security Holes", and "Security Holes Bite Firefox".
I understand that sensational sells, and I'm sorry to be the bearer of bad news for all of the lazy journalists out there, but Firefox wasn't hit, or attacked, or bitten, or singed, by anything.
I keep reading that as Firefox's popularity grows, so will the attacks, bites, singes, hits, etc. This is not at all what we're seeing here. What we're seeing here is that as Firefox's popularity grows, so does the Firefox community. That community has grown to include tens of millions of new users, almost 100,000 Firefox evangelists, tens of thousands of new bug reporters and testers, and quite a few new and very capable security investigators. We're pleased to have more people working on, testing, and thinking about Firefox -- and most importantly, working directly with the Firefox team to help us improve our world-class browser.
See, that's a major difference between our open process and the closed processes of our competitors. When security experts, many of whom are in it for the thrill of solving these kinds of complex problems, are ignored, slighted, or attacked by a vendor, they are left with little recourse except to post the exploits publicly in the hope that doing so will shine a bright spotlight on the problem and force the hand of the vendor. With Firefox, those same security researchers and experts can engage directly with our development team, participating in the tasks of investigating, solving, and testing the problems, and be rewarded for it with public recognition (and, in cases of the most serious issues, financial recognition).
Our open development process welcomes the growing community of experts who are willing to contribute their skills to our project. The more popular the Firefox project gets, the more likely we are to continue attracting these high-value contributors and the result will be a better Firefox web browser and a faster, safer, and more secure internet experience for our users.
So, what should these headlines have read? Well, how about "Firefox Project Attracts More Security Experts" or "Firefox Security Community Grows" :-)
Posted by asa at April 19, 2005 12:32 PM

Good comeback to those damn articles! Whenever one of those comes in the headlines, it pisses me off. Sure, all software has bugs (MoFo said it THEMSELVES...NO SOFTWARE is 100% bulletproof!), but of course, the media is rushing into things and, seeing the problem, tries to get the public worried over possibly nothing. Have they seen IE with all patches applied VS FF with all patches applied? Secunia reports people! [offtopic](Asa, 1.0.3 HAS been acting a bit quirky lately, such as when closing the browser, the process is still left in memory, some extensions suddenly turn themselves off but are enabled and after a restart of the browser it's fine, etc. Although, I did do a reinstall over top of my 1.0.2, but I figured FF is stable enough now to do that. Let me know otherwise.)[/offtopic]
Thanks for letting me rant! :-)
Posted by: Daniel Fischbach on April 19, 2005 01:59 PM

Mhh, looks like I am one of those new "security researchers" working on Firefox.
While I agree with your observation that the media is hyping the news of security bugs to get a lurid headline, I disagree on your judgement of why researchers are working responsibly with MoFo (for sure I can only speak for myself and not for other researchers):
Microsoft (I assume you mainly pointed to them with "our competitors") isn't working so much differently with researchers than you seem to think. I reported a few Internet Explorer vulns responsibly to MSRC, two of them are public. They neither ignored nor attacked me for that in any way. Actually they are friendly, responsive and they do their best to give you the feeling your work is appreciated. Working with them is fun.
It is true Microsoft takes longer to fix a bug. And it is true that it mostly really takes too long. But look at the amount of regressions Firefox is currently facing and that I was able to break one of the 1.0.3 patches with a simple trick (see #290949). Kicking a patch out the door in a couple of hours isn't everything. A quality and at the same time "soon enough" available patch probably takes something between 4 days (Firefox) and 4 months (Internet Explorer).
Most people don't like Microsoft. They are considered "the evil empire" and some researchers like to bash them. But if someone is dedicated to working responsibly on security, the company shouldn't matter. If you publicly disclose a vuln without or a few days after informing the vendor, then that says more about you than it says about the vendor.
Don't get me wrong, you are on the right track. Working with the Mozilla Security Team is really great (a HUGE thank you to everyone!), but don't believe you are the unrivaled "market leader" when it comes to working with researchers. The MSRC (Microsoft Security Response Center), Redhat Security and Google Security are also great teams to work with (at least from my experience).
Posted by: Michael Krax on April 19, 2005 02:17 PM

Contribute to Media Response, it's helpful :)

Posted by: Tom on April 19, 2005 02:17 PM

It's also worth remembering that there's a lot of truth in the maxim "There's no such thing as bad advertising". Don't worry too much and just be happy they're keeping Firefox in the news.
It is worthwhile analysing the time taken to release patches for these issues and compare them to some others in the market.
Specifically IE:
http://www.eeye.com/html/research/upcoming/index.html
Both affect IE and Eeye have specified both as enabling remote code execution, the first affecting all current MS OS's at all patch levels.
Hopefully they will beat the time taken to release patches for these previous issues.
http://www.eeye.com/html/research/advisories/AD20030820.html (4.5 months)
http://www.eeye.com/html/research/advisories/AD20050208.html (6 months)
http://www.eeye.com/html/research/advisories/AD20040210.html (7 months)
I agree with what Michael Krax said too, but this was a good post. I too have seen a lot of stupid news articles lately. One on Cnet in particular kinda made me mad, the headline was something like 'Mozilla flaws allow data access, net attacks', and it was this long story about the vulnerabilities and what they do and how bad they are and then in one single sentence at the bottom 'All versions of mozilla prior to 1.7.7 and firefox prior to 1.03 are vulnerable'. I was like well figures, that line shoulda been at the top of the article, or the article shoulda been named 'Mozilla releases security fixes'. It seemed like the article was trying to scare people away from using mozilla and if anyone was still reading by the end of the article then oh yea there's an update to fix all this.
Posted by: Mike on April 19, 2005 02:35 PM

It's a fair point about the sensational headlines, but there is something behind them - if Firefox hasn't been bitten, it's been slightly gnawed. All these security updates are taking development/QA/release resources away from the trunk (where the nightly builds still have some of the vulnerabilities), and they're prompting a bunch of moaning from users who need to go through the download and installation process, and cope with some extension breakage and the odd regression.
Firefox attracting more security experts would be a better headline, but it'd be even better if there were fewer stories to cover. Anyway, I hope 1.0.4 turns out to be less work than 1.0.3 :)
Posted by: michaell on April 19, 2005 02:46 PM

You have to be fair.
Firefox has had a massive amount of good reviews so why be bothered about the few lesser ones.
They may not be true but getting no publicity at all probably is worse.
I'm sure we'll all be smiling again when 1.1 gets its reviews
Well, the negative press hasn't slowed down the counter... not in the least... but I do agree about that fact... A hacker's main goal is to get their "handiwork" seen by as many people as possible, and if 47! million people are using Firefox, more than one hacker / spam site / popup site will want to find a hole. However, that's the great thing about Open Source, since all 100,000 members of the SFX community along with the 47M users are all working together to stop those holes as soon as they happen.
In conclusion, s**t happens, but the best you can do is continue fixing things.
P.S.: The counter just flipped over to the wonderful 47,000,000. At this rate, 50M is just a few days off! Congrats to ASA and all of the SFX community!
Posted by: TechGeek on April 19, 2005 03:12 PM

A followup to my previous post:
I think I have two of the main reasons that FFX is under attack by the media:
[rant]
1. FFX is on people's minds. Nobody really knows that much about IE, other than that it is the "big blue E". Putting a story about IE in a paper won't get much attention.
2. For each couple of fixes, FFX releases a new version. Thus, Firefox has been released four times in the past couple of months, while IE has still kept themselves at 6.0 Build #182945, just releasing a new BUILD for each bug. Thus, the media thinks (without doing any research), "Wow! Firefox has had to have THREE FULL RELEASES, while M$ has just had a few measly security fixes! MSIE is more secure! I'll write a story about the amazing security holes of FFX and selectively quote a user!"
[/rant]
The press loves a few story templates. Firefox has grown with one of those, which is the "Scrappy Underdog" template. However, that story has probably reached saturation, so the press is now looking for a new template to apply to the subject. "Sudden Reversal of Fortune" is the template we're most likely to see.
And the existence of security holes fits the template because the meme out there is that Firefox is without security problems. A binary signal is easier to transmit than an analog signal, reality be damned.
Posted by: Axord on April 19, 2005 03:28 PM

Mind reading/commenting on my thoughts of FireFox at http://journal.pdsys.org/archive/2005/04/19/5972.aspx ? Thanks.

Posted by: Nicholas on April 19, 2005 07:20 PM

Nicholas, there are no "simple things". Seriously. If you think there are, maybe you can help us implement/fix some of them :-) Of course we have lots to fix, but I think all software has lots to fix and tens of millions of plain old users are having a much better experience of the web using Firefox than what they were using before.
- A
Posted by: Asa Dotzler on April 19, 2005 08:23 PM

Maybe the 'stupid' is a bit too much in the title - remember what you just wrote on sfx, and that no ignorant person likes to be called stupid, he just needs to be enlightened :-)
Besides, we need to accept those comments more and more. Without any conspiracy theory in mind, I'm not sure MoFo is spending a lot in advertising dollars, whereas 'some other internet company' does, so don't expect 'journalists' to be as objective in one case as in the other - keep a low profile and keep up the good work, their reaction is proof we are winning, don't worry!
I'm not quite sure what Asa's so happy about. Granted, it's great having thousands of people poring over Firefox for holes, but the bottom line is that 1.0 now has a quite impressive list of security flaws, and the media is quite right to pick up on that.
It's all well and good releasing a patched version every month or two, which no doubt inflates the download figure even more, but the bottom line is that millions of people are out there with a browser as insecure as IE6. Not one of the people I've turned to Firefox has paid the new-version-available icon any attention. Some haven't even noticed it's there.
The bottom line is that few people are willing to go through having to download and re-install their browser every couple of months, and that's left millions of users with insecure browsers.
Posted by: Dan100 on April 20, 2005 02:53 AM

Asa is quite right to point out that all software has 'lots to fix' - just look at Thunderbird!!!
W.
Posted by: Wally on April 20, 2005 03:25 AM

No matter how many security holes Firefox has, I always know that they will be fixed :-)
Firefox is great and safe product imo.
Every piece of software has its ups & downs, I think that Firefox will only keep getting better
Posted by: Da Dude on April 20, 2005 06:54 AM

You might want to read the attached commentary on this issue by Bill Thompson of the BBC, who still prefers Firefox despite the recent security fixes
http://news.bbc.co.uk/2/hi/technology/4472219.stm
A
Posted by: Andrew on April 22, 2005 07:54 AM