People In Glass Houses....
…shouldn't throw stones. This expression, added to my literary repertoire as a child courtesy of liberal use by my dear mother, comes to mind as I hear of the latest security stumbles by Apple and the Firefox folks. Here's another term that this situation makes me think of; karma, the law of cause and effect. Both Apple and the open-source team that develops Firefox have in the past, and with no shortage of glee, ripped into Microsoft's many security stumbles. The cosmic reaction to their naive actions has, it seems, manifested.
At the moment, Apple's dealing with two separate issues. Buried within the release notes for the recently-released v4.8 update to iTunes is the admission that it resolves a buffer overflow vulnerability in prior revisions' MPEG-4 parser code that could allow the execution of arbitrary code. Unless Apple is more upfront with the issue, and in the absence of another compelling feature motivation to upgrade (sorry, I'm not into buying music videos, especially if I can't play them on an iPod), I wonder how many iTunes users will bother with the multi-MByte download and installation? Especially when recent-past upgrades have stealthily restricted consumers' usage rights?
Apple's second security snafu is, if anything, even more flabbergasting. After many years' worth of ActiveX Control bashing, Apple has apparently neglected to provide safeguards sufficient to preclude the unintended download and auto-installation of Dashboard widgets through the default Safari web browser. Apple will likely fix the hole, sooner or later, via a security patch or O/S upgrade. But until then, do you think some Tiger early adopters will end up with difficult-to-remove pornographic or other undesirable adware plastered all over their displays? Or worse yet, even more malicious widgets, perhaps obscuring their identities by replacing and mimicking benign applets, and bred for "erasing files, changing ownership and permissions, running AppleScripts and command-line utilities, and so forth"? Yeah, me too.
Firefox v1.0.3 has its own exploit woes. Paraphrasing the advisory released on May 7th, if a user clicks anywhere on a web page containing malicious JavaScript code, that code will automatically create and execute a malicious batch/exe file. Last spring I wrote an editorial that was critical of the lack of O/S upgrade capability in many Linux-powered systems. In response, I was vigorously email-assailed by open-source advocates, claiming that Linux was inherently superior because a) many sets of eyes led to better first-rev code and b) any issues that cropped up would be speedily dealt with.
Well, it's been almost a week since the Firefox exploit was first made public (it has reportedly been on the confidential developers' bug-tracking list much longer than this), and the clock is still ticking. Although I received an RSS feed from VersionTracker earlier today indicating that Firefox v1.0.4 was available, it doesn't appear on Mozilla's site (I just checked again prior to posting this blog entry), and Firefox's 'check for update' facility doesn't know about it either. Better first-rev code? Speedy resolution of issues? Glass houses and stones, indeed.