Mozilla's Pain, TippingPoint's Gain -- And, Perhaps, A Tipster's Game? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Mobile & Wireless
Commentary
6/20/2008
10:38 PM
50%
50%

Mozilla's Pain, TippingPoint's Gain -- And, Perhaps, A Tipster's Game?

The recent news of a Firefox security flaw illustrates the dangers of security through obscurity. In this case, however, the obscurity I'm talking about doesn't involve the software.

The recent news of a Firefox security flaw illustrates the dangers of security through obscurity. In this case, however, the obscurity I'm talking about doesn't involve the software.TippingPoint, a security software developer and research organization, revealed the existence of a flaw in Firefox 3 just hours after Mozilla kicked off the browser's official public release. TippingPoint pays for such information as part of its Zero Day Initiative, a cash-for-hacks program ostensibly intended to ensure that software developers get wind of security problems before anyone can exploit them.

Here is the key problem with this particular episode: The security flaw exists not only in the Firefox 3 final release but also in pre-release versions that have been available since last year. More interesting still is the fact that the flaw also affects Firefox 2.x browsers.

In other words, this is an issue that could have surfaced at any point in the past two or three years -- but did not. Instead, news of the bug surfaced just five hours into biggest, and perhaps most important, software launch in Mozilla's history.

Some bloggers are lauding TippingPoint as a model for responsible software-security disclosure practices. Presumably, they see the timing of TippingPoint's announcement simply as a peculiar coincidence. Others, however, such as InformationWeek blogger George Hulme, see something else -- and that "something" sure smells like a rat:

"Chances are that the flaw was discovered at an earlier date, and the researcher sandbagged the release to TippingPoint to coincide with 3.0's big download day. Can't say I blame the researcher for that, could be a nice way to ensure successful sale of the vulnerability. But TippingPoint's announcing the zero-day flaw before the patch is released is nothing more than this vendor's typical publicity grab."

George takes TippingPoint to the woodshed for practicing what he sees as "sucker-punch" marketing. Maybe I'm more willing than he is to venture into tin-foil hat territory, but I have to wonder: Did TippingPoint really stab Mozilla in the back, or did somebody simply sell them a slightly-used knife?

In all fairness to TippingPoint, this is a question that could, depending on the answer, cast its activities in a somewhat different light. After all, if somebody really did turn over this information just before the Firefox 3 launch, could you blame TippingPoint for making the most of such a lucrative PR opportunity?

Well, maybe you could. Still, the timing of this announcement makes me far more curious about who supplied the information than about what TippingPoint did with it.

Consider the hundred-plus news stories on this subject that I turned up in a recent search of Google News. Many, if not most, of them carry headlines like "Oops: Firefox 3.0 critical vulnerability," or "There's a Hole in Firefox 3!"

Under other circumstances, this type of security bug (that is, one with no known exploits) rates as a second- or third-tier news item. This week, however, it qualified as a much bigger story, in many cases (and wrongly) with a far more dire tone. Far more important, however, is the fact that the news imposed a significant opportunity cost upon Mozilla, diverting both the company's and the public's attention at the worst possible time.

Certainly, there are people -- or, rather, organizations -- with motives to roll a live hand grenade into Mozilla's big party. And don't be so quick to assume (as many people will) that the list of usual suspects consists of just one name. As any good conspiracy theorist knows, every successful plot begins with a patsy.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
IT Careers: 10 Industries with Job Openings Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/27/2020
Commentary
How 5G Rollout May Benefit Businesses More than Consumers
Joao-Pierre S. Ruth, Senior Writer,  5/21/2020
News
IT Leadership in Education: Getting Online School Right
Jessica Davis, Senior Editor, Enterprise Apps,  5/20/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Slideshows
Flash Poll