
ZDNet Goes for Mozilla’s Throat, Misses Real Story

Filed under “Software” and “Technology & the Law”
by Adam at 9:06 PM on July 11, 2004


Smelling blood in the water after a recently reported security vulnerability in the Mozilla web browser, ZDNet IT blogger David Berlind posted an entry attempting to pit the (allegedly) crippled Mozilla against Opera, another alternative web browser. He missed the real story — how small vendors and open source projects run circles around Microsoft when it comes to fixing these things.

According to Bugzilla (the Mozilla Foundation’s bug tracking database), the Mozilla vulnerability was reported on July 7th. A patch which fixed the problem was made available the same day, and when I visited Mozilla.org on the 10th a new point version of the browser with the patch built-in was available for download from the front page.

I don’t know what the big deal is here. As long as there is software for interacting online, there will be exploits and security breaches for that software. It’s happened to Mozilla before, it’s happened to Opera before, and it’s going to keep happening. What’s important isn’t so much that the exploits and vulnerabilities occur, but what is done about them once they are discovered. The zero-day turnaround time that the Mozilla Foundation managed when fixing this vulnerability beats anything MS has managed hands down. Opera Software has been similarly impressive in its security efforts. Microsoft prefers to advise users to type out web addresses rather than clicking them, then wait weeks or months to release a patch.

In addition, it’s worth mentioning that the Mozilla vulnerability only existed because Microsoft introduced a new network protocol called “shell” in Windows XP. This new protocol allows local applications to be activated through a network interface. This means that the vulnerability fixed in Mozilla exists in IE 6 as well — try typing shell:windows\notepad.exe in Internet Explorer’s address field for a demo.

My point is this: Mozilla and Opera are both great browsers, and they’ve had a tremendous publicity boost lately thanks to the federal government’s anti-IE recommendations. Now all eyes are on Opera Software and the Mozilla Foundation, waiting for them to screw up. Instead of focusing so lopsidedly on this “flaw” in Mozilla, why not focus on how quickly and effectively smaller vendors and open source projects address such problems? Why not point out that the vulnerability was created by yet another poor security decision Microsoft made on the operating system level?

I guess that doesn’t make snappy enough news copy, eh?

Adam is a web developer and graphic designer who lives and works in south-central Kansas. He likes to speak his mind, both here and in his business blog. He only rarely writes about himself in the third person, honest. If you’d like to work with Adam, drop him a line.
