Mozilla’s new “Firefox 3 Beta 2 “was released recently. The new beta software includes various interesting features like improved protection from cross-site JSON data leaks, tighter restrictions on cookies, clearer Web site identification by clicking on the site favicon in the location bar, better malware protection, stricter SSL error pages, anti-virus integration in the download manager, and version checking for insecure plugins.
“If you visit a malicious site using Firefox 3, it will block the site and do it with a user interface that doesn’t allow a click-through,” said Window Snyder of Mozilla Corporation.
Firefox gets an updated list of malware sites from Google every 30 minutes, and that the final release may allow or include other blacklist providers.
Mozilla’s commitment to security in Firefox includes a vision beyond specific security features and affects the overall design of the software. Convenience features, like the ability to restore multiple browser tabs to their state when the application was last closed also served to enhance security by making patching less disruptive.
“I really do believe that every feature is a security feature and should be evaluated as such,” says Window Snyder of Mozilla Corporation.
Jeff Jones, Security Strategy Director in Microsoft’s Trustworthy Computing group issued a report last month concluding that the vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox were compared over three years. He found that Microsoft experienced less vulnerability than Firefox.
“While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox”, said Jones.
It implies that fewer vulnerabilities means better security. Window Synder however opts a different correlation. She prefers “days at risk” instead. It is actually the number of days between the appearance of exploit code for vulnerability and the publication of a patch as way to assess security. This correlation equation goes in favor of Firefox, having been at risk for only nine days in 2006, according to numbers compiled by ‘Brian Krebs’ of “The Washington Post”, who reported that Internet Explorer in 2006 was vulnerable for 284 days.
Mike Schroepfer, Mozilla’s Vice President of Engineering, in a blog post impress upon a cognizant concept having a similar point. “Bug counts are meaningless”, says Mike Schroefer.
He points to the absence of a public IE bug database and says this is “a vivid reminder that there is no way for anyone outside of Microsoft to confirm how much vulnerability ever existed in Internet Explorer”.
Microsoft works with penetration testers and outsider security consultants, the company does not disclose the vulnerabilities found. “They talk about the security work that they do, but there’s no way to check it,” Synder said.