From the ‘many eyes don’t necessarily mean better security‘ files:
Open Source thrives on the idea that contributions help development grow, and that many eyes looking at open code can provide better security than proprietary closed models.
Unfortunately, on the security side that is not always the case. Mozilla’s security chief, Window Snyder, has publicly admitted that Mozilla was inadvertently allowing a virus-infected Vietnamese language pack for Firefox to be distributed. Snyder noted that the infected code could result in users seeing unwanted ads and could be used as a launching point for other malicious actions.
Mozilla does not know precisely how many users may be at risk, though it does know that the language pack has been downloaded 16,667 times since November 2007.
So how did this happen? Doesn’t Mozilla do some kind of security scanning before they distribute code? Snyder explains:
Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.
IMHO, while it’s NOT GOOD that this happened in the first place, it is good that Mozilla is being relatively open about this now and is taking the appropriate steps to make sure it doesn’t happen again.
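To make the point concrete, here is an added illustration in Python of the pattern Snyder describes: scan at upload time, then rescan everything already hosted whenever the signature set is updated, and stop serving anything the newer signatures flag. This is not Mozilla’s code and not from the original post; the scanner is a toy byte-pattern matcher, and the payload bytes, pack names and detection name are all constructed.

```python
"""Toy add-on registry: upload-time scan plus after-the-fact rescan of stored artifacts.

Constructed example, not Mozilla's code. The scanner is a byte-pattern match
against a versioned signature set, artifacts are in-memory byte strings, and the
payload, pack names and detection name are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for malicious code bundled into a language pack.
BAD_PAYLOAD = b"<script src='http://ads.example/inject.js'>"
CLEAN_STRINGS = b"vi-VN locale: Tap tin; Chinh sua; Xem"

# Versioned signature sets. Version 1 predates the malware; version 2 detects it.
SIGNATURES: Dict[int, Dict[str, bytes]] = {
    1: {},
    2: {"Constructed.AdInjector": b"ads.example/inject.js"},
}


def scan(content: bytes, sig_version: int) -> Optional[str]:
    """Return the detection name of the first matching signature, or None if clean."""
    for name, pattern in SIGNATURES[sig_version].items():
        if pattern in content:
            return name
    return None


@dataclass
class Artifact:
    name: str
    content: bytes
    scanned_with: int          # signature version used for the most recent scan
    verdict: Optional[str]     # detection name, or None when clean


class Registry:
    """Hosts uploaded add-ons and only serves the ones whose latest verdict is clean."""

    def __init__(self) -> None:
        self.artifacts: Dict[str, Artifact] = {}

    def upload(self, name: str, content: bytes, sig_version: int) -> bool:
        """Upload-time scan: reject if detected now, otherwise store the artifact
        together with the signature version it was checked against."""
        if scan(content, sig_version) is not None:
            return False
        self.artifacts[name] = Artifact(name, content, sig_version, None)
        return True

    def rescan_all(self, current_version: int) -> List[str]:
        """After-the-fact scan of everything hosted, using the newest signatures.
        Returns the names of artifacts that were clean before and are flagged now."""
        newly_flagged: List[str] = []
        for art in self.artifacts.values():
            previous = art.verdict
            art.verdict = scan(art.content, current_version)
            art.scanned_with = current_version
            if previous is None and art.verdict is not None:
                newly_flagged.append(art.name)
        return sorted(newly_flagged)

    def downloadable(self) -> List[str]:
        """Artifacts currently served to users (latest verdict clean)."""
        return sorted(n for n, a in self.artifacts.items() if a.verdict is None)


def demo() -> Dict[str, List[str]]:
    """Both packs pass the upload-time scan; a later rescan pulls the infected one."""
    reg = Registry()
    reg.upload("vi-VN.xpi", CLEAN_STRINGS + BAD_PAYLOAD, sig_version=1)
    reg.upload("fr-FR.xpi", CLEAN_STRINGS.replace(b"vi-VN", b"fr-FR"), sig_version=1)
    served_at_upload = reg.downloadable()        # both packs: signatures could not see it yet
    flagged = reg.rescan_all(current_version=2)  # rescan everything with newer signatures
    served_after = reg.downloadable()            # the infected pack is no longer served
    return {"before": served_at_upload, "flagged": flagged, "after": served_after}


if __name__ == "__main__":
    for stage, names in demo().items():
        print(f"{stage}: {names}")
```

The design choice worth noting is that each artifact records the signature version it was last checked against, so an operator can tell at a glance which hosted files have never been re-examined since the last signature update, rather than trusting a verdict that was only ever true on the day of upload.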