Some potentially nasty browser security vulnerabilities were found this weekend in Mozilla and in Safari. Both involve software update mechanisms. The Firefox one tricks the browser into thinking it’s installing from a trusted update site (the maintainers of and—the only trusted sites by default—have made some changes on their server to prevent the exploit from working). The Safari one takes advantage of the Macintosh tradition of automatically opening archives. This one just happens to unzip itself into the location where Dashboard stores its widgets.

IEBlog has weighed in with a balanced (i.e. non-fanboyish) comment on just who “us” vs. “them” should mean: responsible developers & security researchers vs. the malicious ones. It won’t happen—people are too hunkered down in their own trenches—and even with Mozilla, Opera and Apple collaborating on specs, I don’t expect to see much in the way of collaboration on security except in the actual open-source world. (Even then, I suspect there’s too much rivalry between Gecko and KHTML developers to do much collaboration.)

Just look at the different approaches to IDN spoofing. Opera limited IDN display to top-level domains known to check new registrations for homographs. Mozilla disabled IDN display entirely while they worked on a more permanent solution. Safari disabled IDN display for certain scripts, so if you visit sites with Japanese domain names but nothing in Cyrillic, you don’t need to worry about sites using a Cyrillic “a” to imitate a Latin “a”. (IE doesn’t support IDN in the first place, so it wasn’t vulnerable. Kind of like how Notepad shouldn’t be vulnerable to JavaScript-based attacks.) Of course, there is an advantage in this: each browser maker can see how well the others’ approaches work, and update theirs to use the best one.
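To compare the three display policies side by side, here is an added sketch (not code from any of these browsers) that decides whether an address bar shows the Unicode name or its `xn--` form. The trusted-TLD set, the blocked-script set and the policy names are assumptions made for illustration.

```python
import unicodedata

# Assumed, illustrative policy data (not any browser's real lists).
TRUSTED_TLDS = {"jp"}           # registries assumed to screen for homographs
BLOCKED_SCRIPTS = {"CYRILLIC"}  # scripts this user never expects to see

def label_scripts(label):
    """Approximate the scripts in a label from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
            continue
        # e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC"
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def to_punycode(host):
    """ASCII (xn--) form of the host, using Python's built-in IDNA codec."""
    return host.encode("idna").decode("ascii")

def display_host(host, policy):
    """Return the string an address bar would show under the given policy."""
    labels = host.lower().split(".")
    if policy == "disable_all":          # no IDN display at all
        show_unicode = False
    elif policy == "tld_allowlist":      # only TLDs that vet registrations
        show_unicode = labels[-1] in TRUSTED_TLDS
    elif policy == "script_blocklist":   # hide names using blocked scripts
        used = set().union(*(label_scripts(l) for l in labels))
        show_unicode = not (used & BLOCKED_SCRIPTS)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return host if show_unicode else to_punycode(host)

if __name__ == "__main__":
    # Constructed samples: a Cyrillic "а" (U+0430) lookalike and a Japanese name.
    for host in ("\u0430pple.com", "日本語.jp", "example.com"):
        for policy in ("tld_allowlist", "disable_all", "script_blocklist"):
            print(f"{policy:17} {display_host(host, policy)}")
```

Under all three policies the lookalike is rendered in its ASCII form, while the Japanese name stays readable under the allowlist and script policies but not when IDN display is disabled outright.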

Anyway, I just realized it’s Microsoft Patch Tuesday. Time to check Technet and Windows Update.
