Patches in ten f***ing days? Not really, says Mozilla

Summary: Mozilla has moved swiftly to put the kibosh on late-night chatter that it can turn around patches for security flaws within ten f***ing days.

TOPICS: Browser, Security

Mozilla has moved swiftly to put the kibosh on late-night chatter that it can turn around patches for security flaws within ten days.

The "ten f-ing days" boast came directly from Mozilla Director of Ecosystem Development Mike Shaver during a Black Hat party conversation with hacker Robert "RSnake" Hansen.

We showed up, and nearly immediately I was surrounded by the bulk of the Mozilla QA and security team that was attending Blackhat. They asked me lots of questions, and gave me lots of info. It was a pretty equitable trade of information. Clearly, they acknowledge that they need help from the community but they also feel confident that once things come to their attention it’s simply a matter of days to close their holes. They said the recent rollouts were actually slower than they would have liked them to be, even though they were only a week and a half apart. Further, they said that they could roll out any critical patches within 10 days. Not one to let challenges go untested, I called BS.

At this point Mike Shaver threw down the gauntlet. He gave me his business card with a hand written note on it, laying his claim on the line. The claim being - with responsible disclosure Mozilla can patch and deploy any critical severity holes within "Ten F***ing Days".

Hansen's description of the discussion and an image of the hand-written note on Shaver's business card have set the blogosphere alight, prompting an immediate mea culpa and explanation from the security folks at Mozilla.

Shaver said his intent was simply to express confidence in Mozilla's ability to turn around a fix quickly if necessary by giving Hansen an "admit one" ticket for a disclosure that he thought needed an especially fast response due to extreme risk.

That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression.

I apologize, and hope that nobody will think less of Mozilla because of my error. We don’t issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert doesn't overshadow the great work that people on the Mozilla project do to keep our users secure.

Mozilla security chief Window Snyder also offered an immediate explanation:

When I asked him [Shaver] about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we're among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.

This is the official word: This is not our policy. Mozilla does not claim to be able to turn around patches for security vulnerabilities in ten days in general or otherwise.


Talkback

20 comments
  • So, somebody gets carried away at a "do"...

    ... and all of a sudden it's a commitment? Give the guy a break.

    Even if they turn out the patches in 20 days, rather than 10, they are still more than a week ahead of their main competition who do it every 30 days and usually every few months or so.
    bportlock
  • This is nothing.

    "That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turn around on all disclosed vulnerabilities."

    The fact any OSS participant is overzealous is a known fact. Everyone knows they are zealots. What's the big deal?
    And the part about having to go back on their word and change their story... well... that's just another well known fact about zealots. C'mon, give the guy a break.
    xuniL_z
    • speaking of zealot

      pot meet kettle. When you can provide some facts rather than just your SIMPLE opinion, then maybe you might have something credible to say. You are still pathetic.
      Monkey_MCSE
      • Don't call him simple.

        You might confuse him. :-)
        Letophoro
        • That's right, you'd BETTER smile when you say that, pal.

          xuniL_z
      • Ever hear of

        Occam's razor? Not only is it simple to see most linux backers are zealots (winblows, microsucks, M$, windoze and other playground level mentality), it's easy to see most zealots are simple.
        Of course this would not make sense to you, you are a zealot.
        You want facts? Google any phrase I listed above and restrict it to zdnet if you like. The number of hits will speak for itself.
        xuniL_z
        • Did you ever consider

          that some of those phrases predate the existence of Linux? For a start, you should eliminate all instances of that! :)

          It has been proven over and over again that it is frequently the case that these phrases are most used by MS users, not by fans of alternatives. After all - who has more right to be frustrated/fed up/p'd off etc than those currently trying to deal with whatever problem they are experiencing?

          Perhaps your opinions are coloured by the visibility of the few 'highly vocal' proponents on here... just as others might get the wrong impression from a few 'noisy' pro MS posters as well.

          Generalizations are generally wrong!

          Yes - deliberate phrasing. Enjoy life instead, it's not THAT long after all....
          Freebird54
          • Of course I have.

            There are people working in technology on both sides of the MS/Linux fence that are true professionals dedicated to their work and class acts. These people would never post slander or meaningless fud on a site like zdnet.

            That said, it is still clear those that do frequent zdnet talkbacks are largely very opinionated about their OS, ready to make sure the other guy knows his OS is the scourge of the Earth. And it can be easily shown the majority of those types are Linux fanatics. (and OS X fanatics as well). There surely are a few vocal MS people here, but they are heavily outgunned by 60% or so. A little research shows the population here is around 10% windows people. 10% Linux/Apple people and 80% people that live and breathe hating Microsoft. ;)
            xuniL_z
          • And your post is somehow relevant?

            No one mentioned MSFT or Apple. Or even Linux.
            Jambalaya Breath
  • Lack of experience

    Well it's either BS or a complete lack of experience in debugging and fixing. I've seen minor programming problems fool people for weeks and major ones cause complete redesign. To say you can patch something within 10 days is incredibly stupid or completely naive.

    In this case, it sounds like a pissing contest as nobody could be that stupid.
    tonymcs@...
    • Depends on the error

      "To say you can patch something within 10 days is incredibly stupid or completely naive."

      Some errors are incredibly simple to fix. Also, if the code is very modular then a fix in one area will have no knock-on effects in other areas.

      In the case of this error, they fixed what they could by escaping the parameters. It *could* have been as simple as changing code from

      param = getParam();

      to

      param = escape_data( getParam() );

      "I've seen minor programming problems fool people for weeks and major ones cause complete redesign."

      So have I and it is usually caused by poor program design, side-effects and unexpected dependencies and interactions. Good clean modular code tends not to suffer from it. If Mozilla's good is of good quality that could explain a fast turnaround.
      bportlock
      • Typo correction

        The last sentence in the above post should have read [i]If Mozilla's code is of good quality that could explain a fast turnaround.[/i]
        bportlock
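  The comment above argues that escaping an untrusted parameter at the boundary can be a one-line fix. The block below is an added illustration of that point, not code from the article, from Mozilla, or from the commenter: it takes a constructed protocol-handler command line (the handler name and the attacker value are assumptions for the example), shows the unescaped form splitting into extra arguments, and shows how quoting the value with Python's `shlex.quote` keeps it as a single argument.

```python
import shlex

# Constructed attacker input: a closing double quote followed by an extra
# switch. Illustrative only; it is not a payload taken from the article.
ATTACK_PARAM = 'http://example.test/" --extra-switch "'


def build_command_unsafe(handler: str, param: str) -> str:
    """Vulnerable form: the untrusted value is spliced straight into the
    command line, so a quote inside it ends the argument early and whatever
    follows is parsed as further arguments."""
    return f'{handler} "{param}"'


def build_command_escaped(handler: str, param: str) -> str:
    """Hardened form, the one-line change the comment describes: shlex.quote
    wraps the value in single quotes (and escapes any single quotes it
    contains), so the shell sees exactly one argument whatever it holds."""
    return f"{handler} {shlex.quote(param)}"


def argv_of(cmdline: str) -> list[str]:
    """Split the way a POSIX shell would, to see what the handler receives."""
    return shlex.split(cmdline)


if __name__ == "__main__":
    # "browser-handler" is a stand-in name, not a real Firefox component.
    for build in (build_command_unsafe, build_command_escaped):
        line = build("browser-handler", ATTACK_PARAM)
        print(f"{build.__name__}: {line!r} -> argv {argv_of(line)}")
```

  Escaping is the minimal fix; the more robust change is to never build a shell string at all and pass an argument list to `subprocess.run` directly, so there is no shell parse for the parameter to subvert.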
  • TRASH MOUTH!!!!!!

    There is no place in a professional publication (internet included) for expletives such as what is in the title, even if it is ** out. The author has ZERO credibility due to his resort to sensationalism in the headline. Shame on ZDNET for allowing any author to tarnish their image like this!
    scoobydoozie
    • I second

      your post. The filth is not needed period!!!! Hope you lose your job for a lack of Professionalism!!
      gdude@...
    • shut your f***ing mouth

      Umm... wasn't that a quote?
      Personally I think that kind of language spices up what is otherwise a dull and usually non-informative (increasingly so) forum, so take your prudish sensibilities elsewhere and let us curse in peace.
      shraven
      • No, it wasn't a quote.

        Quotes look like this:
        "Umm... wasn't that a quote?"

        Those two little squiggly things are what set a quote apart from the authors own words. He didn't use them, so the words were his. Moreover, they simply did not quote what anyone else had said.

        If you need potty words to spice up the posts here, maybe you are too bored and shouldn't bother reading here at all.

        And I'm with the first two guys ... the profanity in the headline was gratuitous.
        Jambalaya Breath
  • They SHOULD

    They SHOULD be able to do it in 10 days. Otherwise they're no better than Microsoft's STUPID 30 day policy.
    CobraA1
    • Even if Mozilla takes 30 days

      it's still 30 days from the time they get to know of the bug. MS's 30 days is from the time they admit there's a bug (and that usually happens only if they can't get away with 'it's not a bug, it's a feature') - remember the cursor flaw they knew about for MONTHS but didn't bother fixing till reports of attacks in the wild grew too numerous to ignore, or all the WGA bugs they KNEW about but didn't bother to fix 'cos they just wanted to deploy ASAP?
      Mozilla's 10 day record looks all the more outstanding when you consider that MS has already said that they aren't going to do anything to fix it(OK, so it's not MS's fault, but they could at least try).
      balaknair
  • Salesmanship

    "Shaver said his intent was simply to express confidence in Mozilla's ability to turn around a fix quickly if necessary" ...so he lies, and that's OK?

    Is it not possible to "express confidence" while remaining truthful?
    cquirke
    • Certainly it is

      but I venture to suggest that nearly everyone has, at one time or another, overstated their case to make a point. Especially likely after a certain elapsed time at a 'do', perhaps?

      If you insist on calling it a lie - perhaps you could see your way to treating it like a Hollywood "based on a true story" - after all - the track record is that it has happened!

      I don't think you can hold someone to a generalization of a specific response to one person/situation. Not everything is scalable!
      Freebird54