With all the buzz around these days by the anti-Microsoft crowd about how insecure Microsoft's Internet Explorer is, it's quite ironic to see a security notice come out about a cookie problem existing in the anti-Microsoft crowds' browser of choice — Mozilla. What's even more ironic is that the security hole was reported to Netscape in the middle of November 2001. There wasn't a fix available until the release of Mozilla 0.9.7, approximately 1½ months after it was reported. And there's no mention of this fix in the release notes, though it was reported as fixed to Mark Slemko who discovered the exploit. A very similar security hole was reported to Microsoft within approximately one week's time and a patch was available within 4 days. There was plenty of noise about how Microsoft wasn't quick enough to address the issue. How come we don't hear the same amount of noise (or, more appropriately, more noise) about Netscape dropping the ball on this issue for so long?
There's a more in-depth news article available at TheRegister.com. If you'd rather skip the news story and get right to the technical details about how the exploit works, go read about the exploit discovered by Mark Slemko.