Why we need Gecko updates

Jim squibblyflabbetydoo at gmail.com
Wed Dec 9 08:57:09 UTC 2015


On Wed, Dec 9, 2015 at 2:44 AM, Ben Bucksch <ben.bucksch at beonex.com> wrote:

> Mihovil Stanić wrote on 09.12.2015 09:04:
>
>> If remote servers are disabled by default and JavaScript disabled in
>> email, how big a threat are those vulnerabilities?
>>
>
> No JavaScript stops 90% of the holes. But not all of them. Some are in
> lower level libraries.
>

Right. If you eliminate 90% of the holes, it's probably possible to handle
the remaining 10% on your own (through a combination of porting any
relevant security fixes from Gecko, plus handling any security bugs found
in Postbox itself). Of course, this means that you lose the benefit of
having Firefox play the role of a giant target for hackers that you can use
to stress-test all the code. However, I can't say for sure if that benefit
outweighs the regular introduction of new vulnerabilities due to Gecko
patches constantly landing; I'd have to guess that many of the new
vulnerabilities are in new code that simply hasn't had as much time to get
all the bugs removed.

- Jim