Slashdot and NewsForge report on a security vulnerability that affects Firefox, Thunderbird, and Mozilla running under Windows. This link explains the vulnerability and contains instructions on installing the patch (an extension that disables the shell: external protocol handler) or downloading a new release (unnecessary unless you still haven’t upgraded to Firefox 0.9.x, Thunderbird 0.7.x, or Mozilla 1.7.x).
I know that I just railed against Micro$oft for security issues with Internet Explorer (IE), but there is a difference here. Mozilla offered a patch the same day as the disclosure of the security flaw, and new releases were available less than a day after that. In contrast, as NewsForge points out, the recent patch for the serious IE flaw took over a week to be released, and it was still not properly fixed upon its release. Additionally, this vulnerability is actually a flaw in Windows itself: “Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack.”
I was a little dismayed to see this news at first, but the speed and efficiency with which this issue was resolved bolsters my confidence in the open-source development model that Mozilla products follow. It also makes me feel that much uneasier about Micro$oft products…
