Zero Tolerance for Privacy and Security Bugs
Mike Angelo -- 30 September 2002 (c)
While we were working on this story, Mozilla Bug #145579 was fixed in the daily/nightly Mozilla development builds. If you use the daily/nightly Mozilla builds, then you might want to upgrade now -- if you already have not done so.
Please keep in mind that unless you upgrade to a new Mozilla build in which Bug #145579 has been fixed, you likely have that bug in your Mozilla browser suite. Moreover, at this time there is no Netscape 7 upgrade available that does not have Bug #145579 in it -- as far as we know. So, if you are a Netscape user you are SOOL (so out of luck).
This is just one of the reasons why we do not recommend people switch from Internet Explorer to Mozilla or Netscape -- Internet Explorer provides a much richer set of privacy and security options than does the Mozilla-Netscape browser.
The Mozilla browser-suite comes with many Linux distributions. The Netscape browser-suite also is included with many Linux Distributions. The various Microsoft Windows operating systems come with Microsoft's Internet Explorer, but a few people obtain and install the Mozilla and Netscape browsers, or other Mozilla-based browsers, on their Windows-based computers. All told the Mozilla and Netscape browsers, and other Mozilla-based browsers, account for less than five per-cent of the Web-browser market.
Anatomy of Mozilla Bug #145579
Sven Neuhaus, a Software Engineer at Neoply, AG in Germany recently brought Mozilla Bug #145579 to public attention. In an 11 September 2002 posting to the Bugtraq mailing list, Privacy leak in Mozilla, Neuhus stated:
A more complete/technical description of Bug #145579 (link in the Resources section at the end of this article) is found in the description entry of that bug report:
In his Bugtraq posting, Neuhaus notes that:
Something that is obvious from looking at Mozilla Bug Report #145579, and something that several commenters there mention, is that this bug had been there for a while. Mozilla Bug #145579 was opened on 19 May 2002. Mozilla Bug Report #145579 is now four-months old and was not fixed until 17 September 2002. There is no excuse for letting a known privacy bug go un-fixed for four months.
A Pattern of Known, Un-Fixed, Privacy Bugs in the Mozilla-Netscape Browsers
Is there a pattern here? A pattern of the Mozilla-Netscape developers not only writing code that results in privacy invasions, but intentionally releasing Mozilla and Netscape browser-suites with known, un-fixed, privacy bugs and issues?
Oingo Bugs Fiasco
Remember the Mozilla Oingo bugs fiasco? That was another privacy category set of bugs in the Mozilla 1.0 browser and e-mail-news modules. However, the Mozilla people released Mozilla 1.0 (5 June 2002) knowing the Oingo bug was there and took their time before releasing the patched release, 1.0.1-RC1 (15 August 2002). Is there a pattern of dragging on getting privacy bugs fixed?
Mozilla Bug #32571
Mozilla Bug #32571, window.close() can close windows it doesn't own, is an even older, un-fixed Mozilla security bug. It was reported in March 2000 -- more than two years ago. (Link in the Resources section at the end of this article.)
Interestingly the original reporter of Mozilla Bug #32571 noted that he/she did not want the bug to be fixed stating: please try not to fix this bug. it (sic) is too convenient for me. (Perhaps what is a bug or annoyance to one person is a feature to another.)
Traversing the 73 comments to Mozilla Bug #32571 is an interesting experience. Noticeably, there are many bugs that have been marked as duplicates of Mozilla Bug #32571. Some commenters there believe that this bug is merely an annoyance. However, some wiser commenters realize the seriousness of Bug #32571.
For example, in Comment #59, May 2002, Christopher Cook notes:
In Comment #69 Zbigniew Braniecki addressed the importance of Mozilla Bug #32571 stating: [i]t's a big security hole.
It appears that the problem described in Mozilla Bug Report #32571 likely has been in every Mozilla Milestone release since and including Mozilla Milestone M14 -- and likely every Netscape 6.x and Netscape 7.x release to date. Why was Mozilla Bug #32571 not fixed two years ago?
For more information about Mozilla 1.0, please see our Mozilla 1.0 comprehensive coverage articles: