Firefox 1.5 patches eight critical security holes
[Update: 2/4/2006 6:15 PM] It appears that The Burning Edge's "Unofficial Firefox Changelog" (which was linked from this official Mozilla page) has changed their tune and removed their claim of "undisclosed security patches" for Firefox. That puts me in the awkward position of being wrong about Firefox secrecy since my source essentially backed out (though I wish The Burning Edge didn't just fix their mistake as if they never said it). Therefore, I have to retract any incorrect statements and apologize to the Mozilla foundation for the misunderstanding based on a bad source that seemed legitimate at the time.
Open Source has always prided itself in openness, but why is the Mozilla foundation patching security flaws without disclosing what they are? A new Update for Firefox 1.5 was released by Mozilla which actually has a long list of bug fixes several of which are described in Mozilla's advisory as "several security enhancements". The problem is that we don't know what all but one of these security fixes are and that seems to fly in the face of the Open Source mantra.
One security fix in this update that was disclosed was an arguably serious DoS (Denial of Service) flaw that was publicly disclosed in December 2005 by a 3rd party with proof-of-concept exploit code. That 3rd party maintains that the flaw is serious enough to trigger code-execution but Mozilla disputes this claim. But now that Mozilla is patching holes in secrecy, one has to wonder if there are more serious vulnerabilities that were patched but not disclosed.
It's a mystery why Mozilla is operating in secrecy with Open Source code and one can only speculate about the motivations. Mozilla has always claimed to have the high ground to Microsoft when it comes to security although my report shows that this is debatable. It's one thing to keep vulnerabilities secret when there is no fix because no one wants zero-day vulnerabilities, but patching holes and not telling people what the problem was just seems wrong.
[Update: Joris Evers sheds more light on this issue and Secunia has an advisory listing 7 fixes for "highly critical" vulnerabilities.]
[Update: My editor pointed to this link which seems to have more details on the security flaws. Regular reader "Yagotta B. Kidding" says: "George appears to be objecting to the lack of publicity and confusing it with a lack of openness, perhaps because with the vendors he's used to anything that isn't publicized is keep secret." Ok, Yagotta has a good point."