Software // Enterprise Applications
02:28 PM
Connect Directly

Mozilla Issues Firefox Security Update

The update addresses 10 security advisories, three of which Mozilla classifies as critical.

Mozilla on Friday released Firefox, an updated version of the upstart browser that has won over roughly one out of every five Internet users worldwide.

The update addresses 10 security advisories, three of which Mozilla classifies as critical.

One of the critical advisories has to do with the way that images are handled on Web pages with designMode frames, an HTML property that allows Web documents to be edited. The vulnerability could potentially be exploited to steal a user's browsing history, crash Firefox, or execute arbitrary code. The second critical advisory has to do with memory corruption crashes in the browser engine used by Firefox and other Mozilla products like Thunderbird. The third outlines a flaw that could allow JavaScript privilege escalation and the ability to execute arbitrary remote code.

In its 2007 security report, Secunia analyzed a limited set of vulnerabilities that were disclosed publicly, before vendor notification, and found that Mozilla on average patched Firefox flaws more quickly than Microsoft patched holes in Internet Explorer.

Secunia's report also notes that Internet Explorer had fewer vulnerabilities than Firefox in 2007 (43 compared to 64). In December, Jeff Jones, security strategy director in Microsoft's Trustworthy Computing group, presented similar statistics to support his claim that Internet Explorer was more secure than Firefox.

Mike Schroepfer, Mozilla's VP of engineering, in a blog post dismissed the idea that vulnerability counts matter. Citing the absence of a public IE bug database, he said, "There is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer."

One area where Firefox appears to best Internet Explorer is in the number of vulnerabilities reported in browser add-ons. There were six vulnerabilities reported in Firefox extensions and 339 vulnerabilities in ActiveX controls in 2007, according to Secunia. It should be noted, however, that browser add-ons are generally developed by third-party programmers, who are ultimately responsible for writing safe code.

Microsoft has been working to help developers write safer ActiveX controls, though in light of the large number of vulnerabilities cited by Secunia, its efforts leave something to be desired.

"If an independent software vendor discovers that they have shipped a vulnerable control, they can work with Microsoft to issue an update that disables that control," a Microsoft official said in an e-mail on Thursday. "Up until this time, has not been contacted directly by any company regarding the recent public reports of vulnerabilities in ActiveX controls."

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.