The life (and death) of a Mozilla bug

You'll have to excuse me if you think I (or others) have been making a big deal over one Firefox flaw, but in my opinion it is much more than one flaw. With all the fuss over Internet Explorer and its flaws recently, I think it is important to show that when the tables are turned and Mozilla is the one with the flaws exposed, they were able to correct the problem in a few hours. Also, thanks to kainashi for alerting me to this story in BPN.

Adam Sacarny, a freshman at Columbia Univeristy has put together a very interesting timeline of the way the recent "shell:" exploit in the Mozilla application suite was handled. Sacarny put together the timeline as a way to demonstrate to his friends and potential Firefox converts why he feels Firefox is superior to Internet Explorer from a security point of view.

Every point in the timeline is backed up with linked sources.

To round up the entire timeline, beginning on 13:46 GMT July 7, Keith McCanless files a bug in the Bugzilla Database reporting the vulnerability, the bug is marked private since it is security-related; only developers with proper clearance can see it. Around three hours later at 16:26 GMT, Josh Perrymon sends the first e-mail to the "Full-Disclosure" mailing list about the vulnerability. The vulnerability is now known to the world.

Two hours later a patch was created by Mozilla developer "timeless" then approved three minutes later by Mike Shaver. Over the course of of the next few hours, the flaws are cleared up in all three effected programs. Infact around 13 hours after the flaw was discovered, at 03:23 GMT July 8, all Mozilla code was fixed. At 20:53 GMT July 8, the mozilla.org website had the new downloads listed.

The full timeline is a very interesting read, and some insight into the way the Mozilla group works. Sacarny deserves a hand for his handy work, as does the Mozilla team for their speedy handling of this bug.

View: Sacarny's Blog