Firefox Flaw Needs Fixing Fast


Firefox released 3.0.8 to fix a vulnerability in its browser software. Guido Landi, a security researcher, published his attack on several security sites last week and put Mozilla developers into a frenzy. The vulnerability affects Firefox on all platforms, including Mac OS, Windows and Linux.


The vulnerability, officially known as Bug 485217 (Mozilla), is triggered through linked iframes by an XML file carrying an XSLT transform, which reliably crashes the browser. In addition, 3.0.8 fixes the exploit that was found at the Pwn2Own contest held at CanSecWest last week.


Firefox is no stranger to vulnerabilities. According to a report from Secunia, a leading vulnerability intelligence provider, there were 115 vulnerabilities found in Firefox last year. This was more than IE, Safari and Opera put together. However, when you look at the number of vulnerabilities in browser plug-ins, ActiveX had 366, Java 54, Quicktime 30, Flash 19, and Firefox 1. What is more important is the amount of time that it took Mozilla and Microsoft to fix their vulnerabilities. On average, it took Microsoft 110 days to fix the vulnerabilities for its two most serious flaws. Mozilla took an average of 43 days to address its three flaws, according to Secunia. One IE vulnerability remained open for 294 days, while Firefox's longest vulnerability remained open for 86 days.


Mozilla developers described the release as a "high-priority firedrill update." I believe that Mozilla was able to respond so quickly to the vulnerabilities because it treated both bugs as zero-day exploits with critical status. IE, on the other hand, has been integrated into Windows. This causes additional work and takes longer to patch because any changes could potentially harm the operating system. We have seen improvements since Microsoft has decoupled IE from the Windows operating system with IE 7.


Look, vulnerabilities are going to be found in software; that's just the reality of it. I have many clients that use both IE and Firefox, and what I am interested in is how long it takes to fix them. I think the reason that so many users are leaving IE is the number of bugs and the amount of time it takes Microsoft to fix them; users are just tired of it. In addition, since Firefox is open source, it has the advantage that everyone can look at the code for vulnerabilities. This allows bugs to be identified faster and, of course, because Mozilla is not run like a monolithic machine, Mozilla can react much more quickly to fix them.