Mozilla rebuts Firefox 2 bug reports

A pair of security flaw reports are "just noise" and don't present any real risk to Firefox users, Mozilla says.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
A day after shipping Firefox 2, Mozilla on Wednesday largely rebutted two claims of security flaws in the latest version of the Web browser.

Bug hunters appear to be in a race to uncover new security flaws in both Firefox 2 and Internet Explorer 7, which Microsoft released last week. Word of what appears to be the first publicly disclosed IE 7 vulnerability came Wednesday.

At least two bug reports that indicated they affected the new Firefox release crossed over popular security mailing lists this week. But Mozilla on Wednesday downplayed those claims.

"I would call it just noise," said Window Snyder, Mozilla's security chief. The two issues don't present any real risk to Firefox users, she said.

One of the problems is related to a vulnerability that was patched in an earlier version of Firefox. A report on the Bugtraq mailing list suggested that the issue, labeled "critical" by Mozilla, resurfaced in Firefox 2.

The report is incorrect, Snyder said. "The vulnerabilities that were identified were actually fixed."

However, there is a related problem that can cause Firefox to crash. "The exploitable issues are fixed. There is a crash, but it is a denial of service," Snyder said. "We're going to look at it and make sure there is really nothing there."

Another report on the Full Disclosure mailing list suggested that there is a flaw in Firefox 2 that could be exploited to aid in cyberscams. The report included some computer code, but not enough for Mozilla to determine whether there is a problem, Snyder said.

"We don't have enough information to identify it. If we get more information, then we will investigate," she said.

Mozilla shipped Firefox 2 on Tuesday, nearly a week after Microsoft released IE 7. Both browsers have an emphasis on security and include features such as phishing shields to protect against fraudulent, data-thieving Web sites.

"This is one of the highest-quality Firefox releases to date," said Mike Schroepfer, vice president of engineering at Mozilla. "We fixed more issues than we ever have before. All empirical and anecdotal evidence so far shows that this is one of the most solid and stable Firefox releases."

Security researchers are welcome to hunt for bugs in Firefox, Snyder said, adding that those bugs should be reported responsibly to Mozilla, instead of disclosed publicly.

"We think it is great that the security community is working so hard to help us identify bugs," Snyder said. "Once they are identified, we're able to fix them and we fix them quickly and that means customers are less at risk."