Firefox 3 Beta 2 Arrives As Mozilla and Microsoft Jostle for Security Crown - InformationWeek


If you visit a malicious site using Firefox 3, it will block the site and do it with a user interface that doesn't allow a click-through, say company executives.

Firefox 3 Beta 2 was released on Tuesday, featuring several new security features.

The new beta software includes improved protection from cross-site JSON data leaks, tighter restrictions on cookies, clearer Web site identification by clicking on the site favicon in the location bar, better malware protection, stricter SSL error pages, anti-virus integration in the download manager, and version checking for insecure plugins.

"If you visit a malicious site using Firefox 3, it will block the site and do it with a user interface that doesn't allow a click-through," said Window Snyder of Mozilla Corporation, whose business card reads "Chief Security Something-or-Other."

Snyder said that Firefox gets an updated list of malware sites from Google every 30 minutes, and that the final release may allow or include other blacklist providers.

Mozilla's commitment to security in Firefox goes beyond specific security features and affects the overall design of the software. Snyder described how convenience features, like the ability to restore multiple browser tabs to their state when the application was last closed, also served to enhance security by making patching less disruptive. "I really do believe that every feature is a security feature and should be evaluated as such," she said.

While Mozilla may be committed to security, some in the industry -- namely Microsoft -- suggest that Firefox is less secure than Internet Explorer.

Last month, Jeff Jones, Security Strategy Director in Microsoft's Trustworthy Computing group, issued a report that analyzed the vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox over three years. He found that Microsoft experienced fewer vulnerabilities than Firefox.

"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," said Jones.

The implication is that fewer vulnerabilities means better security, but that's not a correlation Snyder accepts. She prefers "days at risk" -- the number of days between the appearance of exploit code for a vulnerability and the publication of a patch -- as a way to assess security. By that measure Firefox shines, having been at risk for only nine days in 2006, according to numbers compiled by Brian Krebs of The Washington Post, who reported that Internet Explorer in 2006 was vulnerable for 284 days.

Mike Schroepfer, Mozilla's VP of engineering, in a blog post makes a similar point, claiming that bug counts are meaningless. He points to the absence of a public IE bug database and says this is "[a] vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer."

Snyder, who used to work at Microsoft as a senior security strategist, echoes that point, noting that while Microsoft works with penetration testers and outside security consultants, the company does not disclose the vulnerabilities found. "They talk about the security work that they do, but there's no way to check it," she said. "I have a hard time believing they found zero bugs."

In the end, however, such distinctions don't matter to everyone. Dave Marcus, security research and communications manager, McAfee Avert Labs, considers the debate to be splitting hairs. "I don't see the difference they're trying to make," he said.

What matters, Marcus said, is how quickly you can patch.
