
February 16, 2006

Morning Fun - The Peanut gun

There are a few great hardware geek websites I read on a regular basis - one of them being www.anandtech.com which in general is awesome. A few days ago they ran an insider view on newegg.com, from whom I've bought more computer parts than I'd like to admit. What I thought was going to be a very boring warehouse tour turned fun when they revealed Newegg's secret weapon - the Peanut Gun.

Posted by schrep at 9:32 AM

February 8, 2006

Security and Vulnerability Ratings

There have been many questions about an issue patched in the most recent Firefox 1.5.0.1 release. When the release came out we rated its severity as “moderate” based on the information we had at the time. Yesterday we became aware of proof of concept that could potentially exploit this vulnerability and released an additional advisory, while also upgrading the rating to “critical.”

Here’s what happened:

a) Shortly before the release of 1.5.0.1 the list of security vulnerability notes was shared with the Mozilla security group, which includes peers affected by upcoming releases. This is a standard practice for our releases to let affected partners who ship Firefox know what is happening and to allow peer review of the details to ensure they are correct.

b) At that time the notes did not contain the severity ratings because we just hadn't yet finished the ratings.

c) Final ratings were assigned the day of the release and thus didn't have an opportunity to get peer-reviewed.

d) Understanding whether a particular issue *is* exploitable without exploit code in hand is a difficult technical and judgment decision that is made on the best available information. This particular issue was not looked at carefully enough - and was thought to be not clearly exploitable and rated moderate.

e) As soon as the exploit became known to us we released an advisory and upgraded the severity to critical.

In hindsight, it is clear now that this vulnerability could be exploitable and that we should have given this a critical rating. There was no purposeful underrating or attempt to hide anything.

We misjudged the severity rating of this particular issue. It's fair to call us on the carpet for making this mistake – but please don't confuse an honest mistake with an evil plan to underrate issues.

I hope this doesn’t overshadow the fact that we shipped Firefox 1.5.0.1 and it is a very successful release. Thanks to the blood, sweat and tears of the Mozilla community and automatic software update, most people were already patched and protected before any public exploits were made available.

Here is what we plan on doing to improve this in the future:

a) We'll post a write-up of the security classification guidelines used to rate issues to mozilla.org/security within the next few weeks so everyone can better understand how we rate issues.

b) We'll ensure adequate time in the releases to get peer review of the vulnerability notes and severity ratings to make sure they are as accurate as possible.

c) We'll continue to strive to be the model for openness and transparency in security. Releasing the details of the issue on the day of the release, which is what enabled the exploit to be developed, is part of that transparency.

We’ll release Firefox updates on a regular basis, as we did last week, to prevent security issues before they become a problem. This is a great thing.

Posted by schrep at 10:19 PM

February 3, 2006

Over 21M served

As of right now, in the first 48 hours or so of the 1.5.0.1 release, we've served up >21M automatic updates and a little over 1M new downloads. Shown in a different way - here is the load on the cluster which runs AUS - which serves out the information that updates are available:

Kudos to everyone who helped identify and fix the issues in 1.5.0.1 and those who did the hard work in releasing our first scheduled update. Here's to making Firefox just a little bit better for everyone on a regular basis . . .

Posted by schrep at 4:57 PM | Comments (2)