
May 2005 Archives

May 9, 2005

Ah, security confusion...

Well, no software is perfect. So today saw a lot of activity regarding a newly publicized exploit in Firefox 1.0.3. The exploit is a combination of several flaws that make it appear that a software install comes from addons.update.mozilla.org, plus another flaw in the iconURL parameter of InstallTrigger: JS can be inserted into it, and that JS runs with chrome privileges.

So, in an effort to mitigate the effects of this problem, the Update team and the Mozilla Foundation have redirected Mozilla Update to do-not-add.mozilla.org, which is outside the whitelist and therefore can't install software (the redirect also blocks the InstallTrigger.install JS call).
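To make the two checks involved concrete, here is an added sketch (not Firefox or Mozilla Update code) of an install-request validator that requires an exact whitelist match on the requesting host and accepts only http(s) URLs for the package and its icon. The request shape (`url`, `iconURL`), the function names and the whitelist contents are assumptions for illustration.

```javascript
// Added illustration; not Firefox or Mozilla Update code.
// Assumed whitelist contents, using the host named in the post.
const ALLOWED_HOSTS = new Set(["addons.update.mozilla.org"]);
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Resolve a possibly relative URL against the page and return its scheme,
// or null when it cannot be parsed. The WHATWG URL parser strips tabs and
// newlines first, so "java\tscript:" is still reported as "javascript:".
function schemeOf(value, base) {
  try {
    return new URL(String(value), base).protocol;
  } catch (err) {
    return null;
  }
}

// pageUrl: page requesting the install.
// items: { name: { url, iconURL } } (hypothetical shape for this sketch).
function checkInstallRequest(pageUrl, items, allowedHosts = ALLOWED_HOSTS) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch (err) {
    return { allowed: false, reasons: ["unparseable page URL"] };
  }
  const reasons = [];
  // Exact host match: another name under mozilla.org does not qualify.
  if (!allowedHosts.has(page.hostname)) {
    reasons.push(`host not whitelisted: ${page.hostname}`);
  }
  for (const [name, item] of Object.entries(items)) {
    if (item.url === undefined) reasons.push(`${name}.url: missing`);
    for (const field of ["url", "iconURL"]) {
      if (item[field] === undefined) continue; // the icon is optional
      const scheme = schemeOf(item[field], page);
      if (!SAFE_SCHEMES.has(scheme)) {
        reasons.push(`${name}.${field}: scheme ${scheme} rejected`);
      }
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample requests.
const samplePage = "https://addons.update.mozilla.org/extensions/";
console.log(checkInstallRequest(samplePage, { Demo: { url: "demo.xpi", iconURL: "demo.png" } }));
console.log(checkInstallRequest(samplePage, { Demo: { url: "demo.xpi", iconURL: "javascript:void(0)" } }));
console.log(checkInstallRequest("https://do-not-add.mozilla.org/", { Demo: { url: "demo.xpi" } }));
```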

Only one problem...
From the top of Mozilla Update...

"To address security concerns, we have made a number of changes, including temporarily changing the URL for this site. If prompted, please DO NOT add this new URL (do-not-add.mozilla.org) to your Allowed Sites or White List."

Umm, this is not only inexcusably vague, it's basically misleading. End users greeted by this message don't know what the security concern is, what to do, whether it's with the website or the Firefox browser, or anything...

From MozillaZine:
"I'm sorry if I'm coming off a little thick here but could someone please explain in plain English what the problem is. I downloaded an update for one of my extensions through the automatic extension updater today before I saw anything was going on. How can I tell if I downloaded this exploit and how do I get rid of it. Turning off Java just isn't practical though I have turned it off for now. Please any and help would be appreciated. Thanks in advance."

Mozilla Update operates on the basis of trust between the users, the site, and the people/organization that operates it. I feel the vague security warning at the top makes people question whether Update is safe to use at all, and in the absence of any information regarding a Firefox flaw, the attempt to actually protect users is hurting Update at the same time it helps both it and Firefox.

So, the warning on Mozilla Update really needs to be changed so that it does not confuse users who hit the site completely unaware of the flaw. Be clear that the changes are a workaround attempting to address the vulnerability and make users safer, and that the Update website was not compromised. Failing to explicitly mention details, and relying on users to find them on their own, is very likely to end with users just making uninformed and blind assumptions.

On a slightly different but related note (which should be in a separate post, but I don't much feel like doing two posts tonight), I really am starting to hate all the hype about Firefox security. Firefox is a secure browser only because Mozilla.org puts effort into quickly patching flaws that are found and because, in general, design considerations take security into account. Firefox is most certainly not a security utopia, though. It seems like Firefox advocates, in their effort to make the case that Firefox is more secure than Internet Explorer (a topic that is very likely to convince people to switch browsers), have over-hyped Firefox's security to the point where people expect Firefox never to have a flaw. This is now starting to generate a lot of bad press for Firefox from over-eager reporters wanting to find the smoking gun that brings it into the same field as IE. It gives even fairly minor security flaws the same weight as every one of IE's usually much more critical flaws, basically allowing Microsoft to get off the hook for its security problems by being able to say, "look over there at the 'more secure' Firefox browser, it has flaws too." It's fine and useful to use Firefox's security as a "selling" point for the browser, but try to keep it realistic, so that when flaws are discovered and patched, you can use Mozilla's responsiveness to support the product instead of having to defend it from overblown criticism because it had a flaw.