Some potentially nasty browser security vulnerabilities were found this weekend in Mozilla and in Safari. Both involve software update mechanisms. The Firefox one tricks the browser into thinking it’s installing from a trusted update site (the maintainers of updates.mozilla.org and addons.mozilla.org—the only trusted sites by default—have made some changes on their server to prevent the exploit from working). The Safari one takes advantage of the Macintosh tradition of automatically opening archives. This one just happens to unzip itself into the location where Dashboard stores its widgets.

IEBlog has weighed in with a balanced (i.e. non-fanboyish) comment on just who “us” vs. “them” should mean: responsible developers & security researchers vs. the malicious ones. It won’t happen—people are too hunkered down in their own trenches—and even with Mozilla, Opera and Apple collaborating on specs, I don’t expect to see much in the way of collaboration on security except in the actual open-source world. (Even then, I suspect there’s too much rivalry between Gecko and KHTML developers to do much collaboration.)

Just look at the different approaches to IDN spoofing. Opera limited IDN display to top-level domains known to check new registrations for homographs. Mozilla disabled IDN display entirely while they worked on a more permanent solution. Safari disabled IDN display for certain scripts, so if you visit sites with Japanese domain names but nothing in Cyrillic, you don’t need to worry about sites using a Cyrillic “a” to imitate a Latin “a”. (IE doesn’t support IDN in the first place, so it wasn’t vulnerable. Kind of like how Notepad shouldn’t be vulnerable to JavaScript-based attacks.) Of course, there is an advantage in this: each browser maker can see how well the others’ approaches work, and update theirs to use the best one.
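
To make the trade-offs concrete, here is an added example (not part of the original post, and not any browser's actual code) that models the three display policies described above and decides whether a hostname is shown in Unicode or in its ASCII "xn--" form. The function name `displayHost`, the policy names, and the sample TLD and script lists are all assumptions made up for illustration.

```javascript
// Three IDN display policies, modeled on the approaches described in the post.
// Both lists are constructed samples, not any browser's real configuration.

// Hypothetical allowlist of TLDs whose registries screen for homographs.
const TRUSTED_TLDS = new Set(["jp"]);

// Hypothetical blocklist of scripts containing Latin look-alikes.
const BLOCKED_SCRIPTS = [/\p{Script=Cyrillic}/u];

// ASCII (Punycode) form of a hostname, via the built-in WHATWG URL parser.
function toAscii(hostname) {
  return new URL("http://" + hostname).hostname;
}

function isNonAscii(s) {
  return /[^\x00-\x7f]/.test(s);
}

// Returns the string an address bar would display under the given policy.
function displayHost(hostname, policy) {
  const ascii = toAscii(hostname);
  if (!isNonAscii(hostname)) return ascii; // plain ASCII: nothing to decide
  switch (policy) {
    case "tld-allowlist": {
      // Unicode only where the registry is trusted to reject homographs.
      const tld = ascii.split(".").filter(Boolean).pop();
      return TRUSTED_TLDS.has(tld) ? hostname : ascii;
    }
    case "disable-all":
      // Never render Unicode; every IDN shows as xn--...
      return ascii;
    case "script-blocklist":
      // Unicode unless any character belongs to a blocked script.
      return BLOCKED_SCRIPTS.some((re) => re.test(hostname)) ? ascii : hostname;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Side-by-side view of what each policy would show for one hostname.
function comparePolicies(hostname) {
  const out = {};
  for (const p of ["tld-allowlist", "disable-all", "script-blocklist"]) {
    out[p] = displayHost(hostname, p);
  }
  return out;
}
```

Running `comparePolicies` on a Japanese name under an allowlisted TLD and on a name containing a Cyrillic "а" (U+0430) shows where the policies disagree: the allowlist defers entirely to the registry, while the script blocklist ignores the TLD.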

Anyway, I just realized it’s Microsoft Patch Tuesday. Time to check Technet and Windows Update.

Update 4pm: Mozilla is testing an update to Firefox that will fix the vulnerabilities found this weekend. That’s roughly two days since they were announced. I figure the final release will be later this week.

Now check out security firm Secunia’s pages on Known Firefox 1.x vulnerabilities and known IE 6.x vulnerabilities. Compare the number, severity and age of still-unpatched vulnerabilities. There are 2-year-old vulnerabilities in IE that have never been fixed!

This may help explain the “double standard” Photomatt and others see in the way many people react to security flaws found in the two browsers. If nothing else, Mozilla is perceived as having a faster reaction time and, overall, a better track record. So it’s a matter of “Eh, they’ll fix it in a few days,” vs. “My God, man, not another one!”
