Firefox update fixes pwn2own vuln Mozilla responded to reports of vulnerabilities by pushing out a new version of Firefox on Friday. In addition to the "pwn2own" vulnerability used to hack into systems running Firefox at the recent CanSecWest conference, version 3.08 of Firefox also addresses a separate critical flaw involving XSL Transforms. Mozilla …
I'm a long-term Firefox/bird/phoenix user but I'd like to query the assumption that a quicker fix is a better fix.
QA and testing cycles take time for a reason, and if they're compressed for political or publicity reasons you can end up with corners being cut and loose ends being left untied.
Result - hoorah the latest FF is out a few days early, and then in two weeks time another flaw is discovered that might have been picked up in the current cycle, and another version is rushed out to patch that.
I'm a developer, not in QA, by the way, and I hate having my stuff QAed as much as anyone else does; but I'd rather the schedule was stuck to than the release rushed out to score a minor brownie point in the week that IE8 lumbers into view.
I respectfully disagree with AC, I think for security problems that in general a quick fix IS better.
In "mission critical" cases, the admins should generally have a setup where patches are tested out on a test box first, and should be minimizing the live boxes exposure to potential security problems as much as possible. They can feel free to wait on patches to make sure people aren't having problems with them. In a general purpose computer, though, they are much more likely to have security problems exploited and it's good to have security patches out ASAP.
Some security problems have complicated fixes, which could have other side effects in the software and should be more thoroughly tested, and in those cases I think they are. In many cases, though, it's fixing a potential buffer overflow, putting extra tests for stuff that should "never" happen (i.e., happens because someone is trying to exploit the software), or the like. These should not have side effects -- except preventing exploits from working.
"Result - hoorah the latest FF is out a few days early, and then in two weeks time another flaw is discovered that might have been picked up in the current cycle, and another version is rushed out to patch that."
Yes, that is a possibility. But, I think being protected against *one* of those two flaws for those two weeks is better than being protected against neither one.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
