Update: The point of this post is not “Firefox sucks, too.” The point is that patching complex programs takes time. I’ve posted another example that makes the same point here.
In the comments to yesterday’s post about SANS and the WMF exploit, a visitor remarks:
Bear in mind that when popular open source (such as Firefox) vulnerabilities have been exposed, there were patches available in about 48 to 72 hours. It’s been more than a week since the WMF vulnerability was exposed. The problem is pretty well known by now, and it’s telling that users themselves have managed to generate a fix before Microsoft has.
My, what selective memories people have. Patches in 48-72 hours? Maybe if you’re a developer, but not for mere mortals.
Remember the Firefox IDN exploit? Working exploit code was released on or before February 7, 2005. The updated version that fixed the underlying vulnerability was released on February 24, 2005. That’s 17 days later, for those who don’t have a calculator handy. And on top of that, the Mozilla group didn’t make this available through its auto-update mechanism until roughly a week after the new version was ready.
And yet a chorus of doomsayers is ready to throw Microsoft to the wolves because they plan to release a patch for the WMF exploit via Windows Update 13 days after it was first reported. Based on the Firefox experience, that seems to be about how long it takes to produce a reliable, safe, well-tested patch.
Yes, Ed, I remember the Firefox IDN exploit. If you recall, this exploit was not discovered in malicious form in the wild. I’m not aware of any documented cases, other than demonstration sites, that actually used this exploit.
This exploit resulted because of an attempt to meet a multilingual standard (some would call it a feature, not a bug). The issue was that unscrupulous web sites could use similar-looking letters to look very much like another web site, but actually redirect users to their own sites. You could do the same to people by misspelling their web site names.
Ever see what happens when you misspell chevrolet.com? This flaw was very similar. Workaround fixes were posted very quickly and formal copies were posted, yes, 17 days later.
In the scheme of flaws, the IDN exploit was relatively minor. However, this WMF attack is showing up in all sorts of viruses. The initial workaround suggested by Microsoft is a minor help. The larger problem appears to be in GDI32.
The opportunities for rooting the victim’s computer here are much higher. In terms of severity, the Firefox problem was relatively minor. This Microsoft problem is much more serious.
Please understand, I’m not slavishly defending the tarnished record of the Firefox team. It’s not a pretty record, any more than IE’s record is. However, you have to take the severity of the problem into account.
I’m not an anti-Microsoft nut, nor am I a blind open source advocate. I believe in using the most cost-effective tools for the job. However, in this case, as in several other recent cases, I think Microsoft has misread the severity of this issue. Criticism is warranted. Whether Tom Liston’s piece was over the top is a matter of opinion.
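The comment above describes the IDN issue as look-alike letters making one hostname resemble another. The following is an added example, not code from the post or from Mozilla, showing the defensive check a proxy or link scanner can apply: decode any punycode (xn--) labels, flag a label that mixes scripts, and compare a confusable-folded "skeleton" of the name against a list of names you want to protect. The confusable table and the sample hostname are constructed for this example; the real Unicode confusables list (UTS #39) is much larger.

```python
import unicodedata

# Constructed, deliberately small confusable map: non-Latin letters that render
# like a Latin letter are folded onto that Latin letter. Not the full UTS #39 table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Constructed sample: "paypal.com" with the first 'a' replaced by Cyrillic a.
SAMPLE_HOST = "p\u0430ypal.com"
# What the same name looks like on the wire (ASCII-compatible encoding).
SAMPLE_PUNYCODE = SAMPLE_HOST.encode("idna").decode("ascii")


def to_unicode(hostname):
    """Return the Unicode form of a hostname; xn-- labels are punycode-decoded."""
    try:
        raw = hostname.encode("ascii")
    except UnicodeEncodeError:
        # Already Unicode (no ACE labels); nothing to decode.
        return hostname
    return raw.decode("idna")


def scripts_in(label):
    """Set of scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            try:
                # unicodedata.name() gives e.g. "CYRILLIC SMALL LETTER A";
                # the first word names the script.
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:
                scripts.add("UNKNOWN")
    return scripts


def skeleton(name):
    """Fold confusable characters so look-alike names compare equal."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(hostname, protected):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    host = to_unicode(hostname).lower()
    findings = []
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(
                "mixed scripts %s in label %r" % (sorted(scripts), label))
    host_skel = skeleton(host)
    for name in protected:
        if host_skel == skeleton(name) and host != name.lower():
            findings.append("looks like protected name %r" % name)
    return findings


if __name__ == "__main__":
    print("wire form:", SAMPLE_PUNYCODE)
    for finding in analyze(SAMPLE_PUNYCODE, ["paypal.com"]):
        print("FINDING:", finding)
```

A real deployment would load the full confusables table and a much longer protected-name list, and would treat a single-script non-Latin label (a legitimate Cyrillic domain, say) differently from a label that mixes Latin and Cyrillic letters, which is the pattern the spoof relies on.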
FWIW, Microsoft just announced they are releasing a patch for the WMF vulnerability this afternoon at 2:00 pm PST – 5 days earlier than originally planned. Details on my Microsoft blog. They’re listening.
Hey, nice touch accidentally linking to Asa’s post about a crasher immediately after the 1.0.1 release instead of linking to his release post. No sense just sticking the knife in when you can give it a little twist, eh?
The IDN spoofing vuln would have made phishing a bit more effective, though I didn’t hear about anyone actually exploiting it at the time. The WMF vuln allowed for arbitrary code execution, and on Sunday I googled a random pr0n phrase, clicked two links on the first site from the results, and had Firefox asking me what I wanted to do with the WMF with a trojan in it that the site was trying to get me to download (well, that it was trying to display and execute with no intervention, in IE, really). Ever so slightly different severity and frequency, I’d say.
Mozilla certainly sucks, often and in many ways, but the IDN spoofing thing wasn’t a particularly good example of it.
An unpatched vulnerability in a browser that you have a choice to use or not in your day-to-day work is not of the same magnitude as one that affects an operating system’s basic functionality. Get your head out of Redmond’s backside.
I know that there are too many people out there who falsely equate “non-Microsoft” with “automagically secure,” Ed, but your post is an over-simplification. Your chosen example isn’t as bad as the WMF/GDI exploit, and Firefox is a cross-platform browser, so that leads to testing and localization issues of its own.
Andy, I’ve posted a new example. See the update at the end of this post.