We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Mozilla vows to patch Firefox flaws in 10 days

Exec makes pledge on business card at Black Hat

A Mozilla executive has vowed that his company can patch any critical vulnerability in its software within 10 days. The move has been interpreted as a statement of intent from Mozilla that it intends to step up its efforts to improve security.

Mozilla executive Mike Shaver backed up his claim by scrawling it on a business card at the Black Hat security conference in Las Vegas last week and handing it to Robert Hansen, CEO of SecTheory.com, who also runs the ha.ckers.org website. Hansen posted a photo of Shaver's business card, including the claim "Ten [expletive] days."

"I told him I would post his card - and he didn't flinch. No, he wasn't drunk. He's serious," Hansen wrote in his blog.

Web browser security has become increasingly important with the rise in use of web-based applications, from Google Docs Docs to social-networking sites such as Facebook.com and enterprise software-as-a-service programs such as Salesforce.com. A security vulnerability within a web browser can put a user's data at risk and make a PC vulnerable to hackers.

Shaver's 10-day pledge applies to "critical" vulnerabilities, although there is no standard for such a rating, and different companies evaluate levels of risk in different ways. Another condition is that the vulnerability is disclosed responsibly, meaning Mozilla is notified of the issue before it is publicised.

The pledge sparked some debate about whether Mozilla will be able to keep to it.

"I've always been a fan of Mozilla and Firefox, however, this is a pretty bold claim for a company of any shape or size," Hansen wrote.

Other commentators said keeping the 10-day promise might not be easy. Patches need to be of high quality and tested properly, which could take more time depending on how severe the vulnerability is, said Graham Cluley, senior technology consultant for Sophos PLC.

"If that's what they're saying, then it is an audacious claim," Cluley said. "Some critical security vulnerabilities can reside deep in the bones of a complicated software product like Firefox and may require extensive testing to ensure that the highest quality fix is being made available to the users."

Others had more confidence in Shaver's claim.

"Rome wasn't built in one day, but heck, Firefox isn't Rome," said a commentator on Hansen's blog. "And Mozilla has 10 whole days. I don't know, put 20 geeks in front of a computer for 10 days and just watch them go."

Mozilla security chief Window Snyder said via email late Sunday night from the US that Mozilla would comment further on the matter later today.

Mozilla updated Mozilla Firefox twice in July. The last update, which came out July 30, fixed two problems that Mozilla labeled "critical", although it took about two weeks from when security researchers first posted exploit code for that update to be released.

Microsoft patches its OS and applications on the second Tuesday of each month. The company sticks to the schedule, but has released off-schedule patches for particularly dangerous vulnerabilities.

Faster patching could help Mozilla gain a broader share of the browser market over Microsoft's Internet Explorer if administrators and users feel it's a safer option for cruising the web. Firefox had a 27.8 percent share of the European market, according to recent statistics from XiTiMonitor, a French company that tracks browser market share.

Get the latest PC security news, reviews and downloads at Security Advisor


IDG UK Sites

Nexus 6 vs Sony Xperia Z3 comparison: Lollipop phablet takes on KitKat flagship smartphone

IDG UK Sites

Why people aren't upgrading to iOS 8: new features are for power users, not the average Joe

IDG UK Sites

Free rocket & space sounds: NASA launches archive of interstellar audio on SoundCloud

IDG UK Sites

iPad Air 2 review: Insanely fast and alarmingly thin. Speed tests, camera tests, beautiful...