The new beta software includes improved protection from cross-site JSON data leaks, tighter restrictions on cookies, clearer Web site identification by clicking on the site favicon in the location bar, better malware protection, stricter SSL error pages, anti-virus integration in the download manager, and version checking for insecure plugins.
"If you visit a malicious site using Firefox 3, it will block the site and do it with a user interface that doesn't allow a click-through," said Window Snyder of Mozilla Corporation, whose business card reads "Chief Security Something-or-Other."
Snyder said that Firefox gets an updated list of malware sites from Google every 30 minutes, and that the final release may allow or include other blacklist providers.
Mozilla's commitment to security in Firefox goes beyond specific security features and affects the overall design of the software. Snyder described how convenience features, like the ability to restore multiple browser tabs to their state when the application was last closed, also serve to enhance security by making patching less disruptive. "I really do believe that every feature is a security feature and should be evaluated as such," she said.
While Mozilla may be committed to security, some in the industry -- namely Microsoft -- suggest that Firefox is less secure than Internet Explorer.
Last month, Jeff Jones, Security Strategy Director in Microsoft's Trustworthy Computing group, issued a report that analyzed the vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox over three years. He found that Microsoft's browser had experienced fewer vulnerabilities than Firefox.
"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," said Jones.
The implication is that fewer vulnerabilities means better security, but that's not a correlation Snyder accepts. She prefers "days at risk" -- the number of days between the appearance of exploit code for a vulnerability and the publication of a patch -- as a way to assess security. By that measure Firefox shines, having been at risk for only nine days in 2006, according to numbers compiled by Brian Krebs of The Washington Post, who reported that Internet Explorer in 2006 was vulnerable for 284 days.
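The "days at risk" figure is easy to state but has one subtlety in practice: when two unpatched bugs are exploitable on the same day, that day should count once, not twice. The following is an added example, not from the article and not Krebs's published methodology; it computes a per-year exposure count from a list of constructed vulnerability windows (exploit code seen, patch shipped), merging overlapping windows, and contrasts it with a naive per-bug sum that double-counts overlap. All names and dates below are made up for illustration.

```python
"""Days-at-risk calculator (added example; vulnerability data is constructed,
not real Firefox or Internet Explorer history)."""
from datetime import date
from typing import List, NamedTuple, Optional, Tuple


class Vuln(NamedTuple):
    name: str                  # hypothetical label, not a real advisory id
    exploit_public: date       # day exploit code first appeared
    patch_shipped: Optional[date]  # None = still unpatched


Window = Tuple[date, date]  # half-open: [exploit_public, patch_shipped)

# Constructed sample timeline for one browser, used by the functions below.
SAMPLE: List[Vuln] = [
    Vuln("bug-A", date(2006, 2, 1), date(2006, 2, 10)),    # 9 days
    Vuln("bug-B", date(2006, 2, 8), date(2006, 2, 15)),    # overlaps bug-A
    Vuln("bug-C", date(2006, 12, 28), None),               # unpatched at year end
    Vuln("bug-D", date(2005, 12, 30), date(2006, 1, 3)),   # straddles the year boundary
    Vuln("bug-E", date(2006, 6, 5), date(2006, 6, 1)),     # patched before exploit: 0 days
]


def windows(vulns: List[Vuln]) -> List[Window]:
    """Turn each record into a [start, end) window; an unpatched bug is open-ended."""
    out = []
    for v in vulns:
        end = v.patch_shipped if v.patch_shipped is not None else date.max
        if end > v.exploit_public:   # a fix that predates the exploit adds no risk days
            out.append((v.exploit_public, end))
    return out


def merge_windows(wins: List[Window]) -> List[Window]:
    """Merge overlapping or touching windows so each calendar day is counted once."""
    merged: List[Window] = []
    for start, end in sorted(wins):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _clipped_days(win: Window, year: int) -> int:
    """Number of days of `win` that fall inside calendar `year`."""
    start = max(win[0], date(year, 1, 1))
    end = min(win[1], date(year + 1, 1, 1))   # exclusive upper bound
    return (end - start).days if end > start else 0


def days_at_risk(vulns: List[Vuln], year: int) -> int:
    """Distinct days in `year` with at least one exploitable, unpatched bug."""
    return sum(_clipped_days(w, year) for w in merge_windows(windows(vulns)))


def naive_days_sum(vulns: List[Vuln], year: int) -> int:
    """Per-bug sum without merging; over-counts days shared by several bugs."""
    return sum(_clipped_days(w, year) for w in windows(vulns))


if __name__ == "__main__":
    print("merged days at risk, 2006:", days_at_risk(SAMPLE, 2006))
    print("naive per-bug sum, 2006:  ", naive_days_sum(SAMPLE, 2006))
```

Two choices worth noting: windows are half-open, so a bug whose exploit appears on the same day the patch ships contributes zero days, and a still-unpatched bug is clipped at the end of the year being measured rather than extending the count indefinitely. Whether Krebs applied the same conventions is not stated in the article; the point of the example is that the metric depends on them, and the figures in the text are only comparable if both browsers were measured the same way.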
Mike Schroepfer, Mozilla's VP of engineering, in a blog post makes a similar point, claiming that bug counts are meaningless. He points to the absence of a public IE bug database and says this is "[a] vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer."
Snyder, who used to work at Microsoft as a senior security strategist, echoes that point, noting that while Microsoft works with penetration testers and outside security consultants, the company does not disclose the vulnerabilities found. "They talk about the security work that they do, but there's no way to check it," she said. "I have a hard time believing they found zero bugs."
In the end, however, such distinctions don't matter to everyone. Dave Marcus, security research and communications manager at McAfee Avert Labs, considers the debate to be splitting hairs. "I don't see the difference they're trying to make," he said.
What matters, Marcus said, is how quickly you can patch.