Released May 11, Mozilla Firefox 1.0.4 provided fixes for two vulnerabilities rated as critical which had surfaced a few days earlier. When combined, the flaws could allow an attacker to take advantage of Firefox’s software update system and take over a user’s machine. There were no known actual exploits.
The flaws were the latest in a spate of vulnerabilities affecting Firefox, which has gained market share from Microsoft’s IE, partly because it is viewed as more secure.
According to French web analysis firm XiTi, Firefox’s share of EU browser usage was 14.08 per cent in May, with 24.36 usage share in Germany and over 30 per cent in Finland. Since November 2004, Firefox’s share of usage in the United States has more than doubled, but IE still dominates the US with 88.7 per cent usage.
Asked if he is concerned that the recent problems may affect Firefox’s adoption, Chris Hofman, director of engineering at Mozilla, said that the firm takes a proactive approach to security.
“We think we’ve done a good job trying to encourage research around potential vulnerabilities and getting them fixed before they become a problem,” he said.
Some experts said the vulnerabilities simply show that the browser – like all software – is not immune to flaws.
“Some of the recent Firefox vulnerabilities are similar to ones in [IE]. It is a web browser and web browsers face similar threats. They try to provide similar types of functionality,” said Art Manion, internet security analyst at US-CERT.
Joe Stewart, senior threat researcher at managed security firm LURHQ, said he does not usually worry about vulnerabilities discovered in Firefox because Mozilla fixes them so quickly.
“It doesn’t matter what browser you use, there always will be vulnerabilities, so you might as well pick one that has a relatively fast turnaround on patches,” he said.
Steve Fallin, director of WatchGuard’s rapid response team, agrees. Rather than trying to figure out which browser is more secure, firms should decide which best fits requirements, then secure it.