Mozilla Updates Firefox To Fix Flaws - InformationWeek

The Mozilla Foundation releases a security update to both its standalone Firefox browser and its Mozilla suite, a move the organization says shows it can react faster than rivals.

The Mozilla Foundation on Thursday released a security update to both its standalone Firefox browser and its Mozilla suite to squash bugs revealed last weekend, a demonstration, said the organization's head of engineering, of the fast reaction advantage Firefox has over Microsoft and its Internet Explorer.

The new versions -- Firefox 1.0.4 and Mozilla 1.7.8 -- patch the browsers against two vulnerabilities made public less than a week ago. Both can be downloaded from the Mozilla Foundation's Web site. Another vulnerability was also addressed in the updates, and a Dynamic HTML (DHTML) problem introduced in Firefox 1.0.3 was resolved, said Mozilla.

The under-a-week response to the public vulnerability was helped in part by an early jump on the problem, said Chris Hofmann, director of engineering at Mozilla. His group was first notified of the vulnerability on May 2; it went public May 7.

"We're constantly engaged in security research, and always looking for things. This was one of those things. We'd been e-mailing back and forth [with the researchers] prior to it going public, but then another person was added to the mailing list, and he was the one who leaked the information.

"There are better and worse ways to disclose security vulnerability," admitted Hofmann. "I think the frustration on the part of security researchers comes from the fact that Microsoft is very slow to respond."

While some have seen Firefox's 2005 security updates -- this was the fourth so far -- as evidence that increased market share for the open-source browser translates into more attention by hackers, Hofmann doesn't buy that argument.

"I think the security of a browser is more closely tied to its architecture than to market share," said Hofmann. "Just look at Apache."

John Pescatore, a security analyst with Gartner, agreed. "It's nothing to do with market share, at least not yet," he said. "We think that the tipping point is around 30 percent. In other words, when Firefox has 30 percent of the browser market, then hackers will concentrate on it as much as they do Internet Explorer. If Firefox ever reaches 30 percent, it will see just as many attacks as against the 70 percent IE."

Pescatore also named Apache, a popular open-source Web server that holds about three times the share of Microsoft's own IIS (Internet Information Services) software, as a good example of how market share doesn't necessarily mean a more vulnerable platform.

"The question really is, 'which code was built stronger?' The first key point with Apache is that it was built stronger."

Mozilla's Hofmann also argued that while Firefox has experienced more vulnerabilities so far in 2005 than IE -- according to Danish security firm Secunia, the tally reads 12 for Firefox, 6 for IE -- the real metric shouldn't be raw numbers.

"A better measure," he said, "is how many exploits are in the wild and how open the window of opportunity is between the time a vulnerability is disclosed and when it's patched. There Firefox wins hands down. We're much more ahead of the game than Microsoft."

Pescatore preferred a slightly different measuring stick. "How much damage occurs once a problem happens, that's the only metric worth considering," he said.

Firefox, he said, has a definite advantage over Microsoft on that level, since it's not embedded within the Windows operating system. "Attacks against IE can cause more damage because of its connection with Windows, and fixing a vulnerability is that much harder [for Microsoft]."

The biggest problem Pescatore sees in Firefox's future isn't security per se, but convincing enterprises to double up their workload. "If they buy into Firefox, all of a sudden they're having to patch two browsers [because IE is within Windows]. They'll have to patch twice as much."

Firefox 1.0.4 and Mozilla 1.7.8 can be downloaded from the Mozilla site in Windows, Linux, and Mac OS X editions.
