Mozilla Updates Firefox To Fix Flaws
The new versions -- Firefox 1.0.4 and Mozilla 1.7.8 -- patch the browsers against two vulnerabilities made public less than a week ago. Both can be downloaded from the Mozilla Foundation's Web site. Another vulnerability was also addressed in the updates, and a Dynamic HTML (DHTML) problem introduced in Firefox 1.0.3 was resolved, said Mozilla.
The under-a-week response to the public vulnerability was helped in part by an early jump on the problem, said Chris Hofmann, director of engineering at Mozilla. His group was first notified of the vulnerability on May 2; it went public May 7.
"We're constantly engaged in security research, and always looking for things. This was one of those things. We'd been e-mailing back and forth [with the researchers] prior to it going public, but then another person was added to the mailing list, and he was the one who leaked the information.
"There are better and worse ways to disclose security vulnerabilities," admitted Hofmann. "I think the frustration on the part of security researchers comes from the fact that Microsoft is very slow to respond."
While some have seen Firefox's 2005 security updates -- this was the fourth so far -- as evidence that increased market share for the open-source browser translates into more attention by hackers, Hofmann doesn't buy that argument.
"I think the security of a browser is more closely tied to its architecture than to market share," said Hofmann. "Just look at Apache."
John Pescatore, a security analyst with Gartner, agreed. "It's nothing to do with market share, at least not yet," he said. "We think that the tipping point is around 30 percent. In other words, when Firefox has 30 percent of the browser market, then hackers will concentrate on it as much as they do Internet Explorer. If Firefox ever reaches 30 percent, it will see just as many attacks as are made against the 70 percent IE."
Pescatore also named Apache, a popular open-source Web server that holds about three times the market share of Microsoft's own IIS (Internet Information Services) software, as a good example of how market share doesn't necessarily mean a more vulnerable platform.
"The question really is, 'which code was built stronger?' The first key point with Apache is that it was built stronger."
Mozilla's Hofmann also argued that while Firefox has experienced more vulnerabilities so far in 2005 than IE -- according to Danish security firm Secunia, the tally reads 12 for Firefox, 6 for IE -- the real metric shouldn't be raw numbers.
"A better measure," he said, "is how many exploits are in the wild and how open the window of opportunity is between the time a vulnerability is disclosed and when it's patched. There Firefox wins hands down. We're much more ahead of the game than Microsoft."
Pescatore preferred a slightly different measuring stick. "How much damage occurs once a problem happens, that's the only metric worth considering," he said.
Firefox, he said, has a definite advantage over Microsoft on that level, since it's not embedded within the Windows operating system. "Attacks against IE can cause more damage because of its connection with Windows, and fixing a vulnerability is that much harder [for Microsoft]."
The biggest problem Pescatore sees in Firefox's future isn't security per se, but convincing enterprises to double up their workload. "If they buy into Firefox, all of a sudden they're having to patch two browsers [because IE is within Windows]. They'll have to patch twice as much."
Firefox 1.0.4 and Mozilla 1.7.8 can be downloaded from the Mozilla site in Windows, Linux, and Mac OS X editions.