3 min read

Mozilla's Pain, TippingPoint's Gain -- And, Perhaps, A Tipster's Game?

The recent news of a Firefox security flaw illustrates the dangers of security through obscurity. In this case, however, the obscurity I'm talking about doesn't involve the software.
The recent news of a Firefox security flaw illustrates the dangers of security through obscurity. In this case, however, the obscurity I'm talking about doesn't involve the software.TippingPoint, a security software developer and research organization, revealed the existence of a flaw in Firefox 3 just hours after Mozilla kicked off the browser's official public release. TippingPoint pays for such information as part of its Zero Day Initiative, a cash-for-hacks program ostensibly intended to ensure that software developers get wind of security problems before anyone can exploit them.

Here is the key problem with this particular episode: The security flaw exists not only in the Firefox 3 final release but also in pre-release versions that have been available since last year. More interesting still is the fact that the flaw also affects Firefox 2.x browsers.

In other words, this is an issue that could have surfaced at any point in the past two or three years -- but did not. Instead, news of the bug surfaced just five hours into biggest, and perhaps most important, software launch in Mozilla's history.

Some bloggers are lauding TippingPoint as a model for responsible software-security disclosure practices. Presumably, they see the timing of TippingPoint's announcement simply as a peculiar coincidence. Others, however, such as InformationWeek blogger George Hulme, see something else -- and that "something" sure smells like a rat:

"Chances are that the flaw was discovered at an earlier date, and the researcher sandbagged the release to TippingPoint to coincide with 3.0's big download day. Can't say I blame the researcher for that, could be a nice way to ensure successful sale of the vulnerability. But TippingPoint's announcing the zero-day flaw before the patch is released is nothing more than this vendor's typical publicity grab."

George takes TippingPoint to the woodshed for practicing what he sees as "sucker-punch" marketing. Maybe I'm more willing than he is to venture into tin-foil hat territory, but I have to wonder: Did TippingPoint really stab Mozilla in the back, or did somebody simply sell them a slightly-used knife?

In all fairness to TippingPoint, this is a question that could, depending on the answer, cast its activities in a somewhat different light. After all, if somebody really did turn over this information just before the Firefox 3 launch, could you blame TippingPoint for making the most of such a lucrative PR opportunity?

Well, maybe you could. Still, the timing of this announcement makes me far more curious about who supplied the information than about what TippingPoint did with it.

Consider the hundred-plus news stories on this subject that I turned up in a recent search of Google News. Many, if not most, of them carry headlines like "Oops: Firefox 3.0 critical vulnerability," or "There's a Hole in Firefox 3!"

Under other circumstances, this type of security bug (that is, one with no known exploits) rates as a second- or third-tier news item. This week, however, it qualified as a much bigger story, in many cases (and wrongly) with a far more dire tone. Far more important, however, is the fact that the news imposed a significant opportunity cost upon Mozilla, diverting both the company's and the public's attention at the worst possible time.

Certainly, there are people -- or, rather, organizations -- with motives to roll a live hand grenade into Mozilla's big party. And don't be so quick to assume (as many people will) that the list of usual suspects consists of just one name. As any good conspiracy theorist knows, every successful plot begins with a patsy.