Behind The Bug: Mozilla Patches a Hole

Written by Bruce Kratofil
Published July 10, 2004

After quite a few stories extolling the Mozilla browser, and numerous bug items and bashings of Microsoft Internet Explorer, it didn't feel good to see the headlines about a major security bug in Mozilla. There was some bad news and some good news about this bug, and borrowing a little from VH-1's "Behind the Music", here is the BugBlog's "Behind The Bug."

The bug was a problem in Mozilla's "shell" command that would let dangerous requests get passed on to the operating system. Depending on the situation, an attacker may be able to invoke programs that are on the target's computer and that have known flaws, such as buffer overflows, and use them to do harm. Apparently, this bug had been noticed over two years ago by the Mozilla development team, but it was decided not to fix it. The reason we know this is that most of the work done on Mozilla, except for sensitive security information, is done out in the open and can be tracked in a database called "Bugzilla". While the initial work on this bug was done privately, the Bugzilla record was ultimately made public.

This bug is only present in Mozilla for Windows, not Mozilla for Linux or Mac OS X. The flaw in Mozilla is that it allows an attacker to reach other programs on a computer, where other security flaws can then be exploited. Some discussion at Slashdot, the "News for Nerds" site, opines that this is why the bug wasn't fixed two years ago: it was ultimately a flaw in the OS, not in Mozilla.
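Wherever the underlying flaw lives, the browser is the component that decides whether a link's scheme ever reaches an external handler at all. The following is an added illustration of that decision, not code from Mozilla or from this article: it assumes an application that receives URIs from untrusted content and dispatches only schemes on an explicit allowlist (the allowlist and the sample links are constructed). Because it is default-deny, a handler such as "shell:" is refused without ever having to be named, and malformed or control-character-laden URIs are refused rather than sanitised.

```python
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Added illustration, not code from Mozilla or from this article. It assumes an
# application that, like a browser, receives URIs from untrusted content and must
# decide which of them may be handed to an external handler (the OS or another
# program). The allowlist below is constructed for the example.

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Schemes this application is willing to dispatch externally. Anything absent,
# including shell:, is refused by default, so nothing dangerous has to be listed.
ALLOWED_EXTERNAL_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})


def extract_scheme(uri: str) -> Optional[str]:
    """Return the lowercased scheme of uri, or None if it has no well-formed scheme.

    Leading/trailing whitespace is stripped first so "  shell:x" is not mistaken
    for a scheme-less relative reference; any remaining control character makes
    the URI ineligible outright rather than silently cleaned up.
    """
    cleaned = uri.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return None
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None


def is_allowed_external(uri: str) -> bool:
    """True only when the scheme is explicitly allowlisted (default deny)."""
    scheme = extract_scheme(uri)
    return scheme is not None and scheme in ALLOWED_EXTERNAL_SCHEMES


def dispatch(uri: str, launch: Callable[[str], None]) -> bool:
    """Hand uri to launch() only if it is allowed; return whether it was handed off."""
    if not is_allowed_external(uri):
        return False
    launch(uri)
    return True


def triage(uris: Iterable[str]) -> List[Tuple[str, Optional[str], str]]:
    """Classify each URI as (uri, scheme, "allow" | "block") for logging or review."""
    out = []
    for u in uris:
        scheme = extract_scheme(u)
        out.append((u, scheme, "allow" if is_allowed_external(u) else "block"))
    return out


if __name__ == "__main__":
    # Constructed sample links, as a web page might present them to the browser.
    SAMPLE = [
        "http://example.com/page",
        "HTTPS://example.com/",           # scheme case must not matter
        "mailto:someone@example.com",
        "shell:example-target",           # the handler this article is about
        "  shell:example-target",         # leading whitespace
        "shell\x00:example-target",       # embedded control character
        "javascript:void(0)",             # not on the allowlist either
        "relative/path/only",             # no scheme at all
    ]
    launched: List[str] = []
    for uri, scheme, verdict in triage(SAMPLE):
        print(f"{verdict:5} scheme={scheme!s:10} {uri!r}")
        dispatch(uri, launched.append)
    print("handed to external handler:", launched)
```

The point of the allowlist shape is that the decision does not depend on anticipating every handler the operating system might register; a scheme the application has not vetted is simply never forwarded.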

The present action started after this exploit had been reported to Mozilla by security researcher Keith McCanless, and then posted to the Full Disclosure security mailing list on Thursday, July 8. BugBlog reader Roseman alerted me to this timeline of actions by the Mozilla development team. It has been put together at a blog by Adam Sacarny, a student at Columbia University. While I'm not familiar with the writer who put it together, you can see that just about every point in that narrative is sourced somewhere on the web. This shows the speed at which this bug was patched. (Minus the two-year lag, of course.)

By Friday morning, new versions of Mozilla, Firebird, and Thunderbird were available for download that plugged this security hole. You could also download patches for all three programs, to fix the problem without having to do an update.

Bruce Kratofil blogs on bugs and other things that can go wrong with your computer at The BugBlog, and writes about computers and economics at BJK Research.