Firefox Flaw Needs Fixing Fast

Ralph DeFrangesco

Mozilla released Firefox 3.0.8 to fix a vulnerability in its browser software. Guido Landi, a security researcher, published his attack on several security sites last week and put Mozilla developers into a frenzy. The vulnerability affects Firefox on all platforms, including Mac OS, Windows and Linux.


The vulnerability, officially known as Bug 485217 (Mozilla), lies in the code that handles linked iframes and an XML file with an XSLT transform, and it causes the browser to crash. In addition, 3.0.8 fixes the exploit that was found at the Pwn2Own contest held at CanSecWest last week.


Firefox is no stranger to vulnerabilities. According to a report from Secunia, a leading vulnerability intelligence provider, there were 115 vulnerabilities found in Firefox last year. This was more than IE, Safari and Opera put together. However, when you look at the number of vulnerabilities in browser plug-ins, ActiveX had 366, Java 54, Quicktime 30, Flash 19, and Firefox 1. What is more important is the amount of time that it took Mozilla and Microsoft to fix their vulnerabilities. On average, it took Microsoft 110 days to fix the vulnerabilities for its two most serious flaws. Mozilla took an average of 43 days to address its three flaws, according to Secunia. One IE vulnerability remained open for 294 days, while Firefox's longest vulnerability remained open for 86 days.


Mozilla developers described the release as a "high-priority firedrill update." I believe that Mozilla was able to respond so quickly to the vulnerabilities because it treated both bugs as zero-day exploits with critical status. IE, on the other hand, has been integrated into Windows. This causes additional work and takes longer to patch because any changes could potentially harm the operating system. We have seen improvements since Microsoft has decoupled IE from the Windows operating system with IE 7.


Look, vulnerabilities are going to be found in software; that's just the reality of it. I have many clients that use both IE and Firefox, and what I am interested in is how long it takes to fix them. I think the reason that so many users are leaving IE is the number of bugs and the amount of time it takes Microsoft to fix them; users are just tired of it. In addition, since Firefox is open source, it has the advantage that everyone can look at the code for vulnerabilities. This allows bugs to be identified faster and, of course, because Mozilla is not run like a monolithic machine, Mozilla can react much more quickly to fix them.

Mar 31, 2009 11:11 AM Hank says:

Would this be because this is all that Mozilla does...produces Firefox?

Apr 1, 2009 11:11 AM Lovs2look says: in response to Hank

Oh, and Thunderbird...oh, and Bugzilla, and Camino, and Fennec, and Lightning, and Sunbird, and the list goes on.

What? You couldn't have Googled before posting your ridiculous comment? Naaaa of course not.

