Mozilla Battens the Hatches Against IE 7.0

 
 
By Ryan Naraine  |  Posted 2005-02-25
 
 
 

Mozilla Battens the Hatches Against IE 7.0


If evidence were needed that the new browser war will be won or lost on the security message, along comes the Mozilla Foundation with public confirmation.

Unfazed by Microsoft Corp.s plan to roll out a security-centric Internet Explorer refresh later this year, the open-source Foundation says it will hire more staff to work full time on security issues and beef up its public relations efforts to beat the secure browsing drum.

In an interview with eWEEK.com, Mozilla director of engineering Chris Hoffman said the Foundation plans to add another staffer to join Dan Veditz, a long-time Mozilla contributor and ex-Netscape employee who now serves as lead engineer for security.

"Were looking to create another position to oversee the entire infrastructure for development and doing releases. Were adding full-time help to help maintain the level of security were striving for," Hoffman said.

Mozilla has also launched a recruitment drive to find user interface developers, particularly in the PSM (Personal Security Manager), which handles the performance of cryptographic operations for the Mozilla Suite (which includes the flagship Firefox browser).

Click here to read more about Yahoo Toolbar support for Firefox.

Hoffman sidestepped a suggestion that the Foundations renewed push around security was directly related to Microsofts IE 7.0 refresh plans. "Our security story is bigger than Firefox. Look at it this way; we have 900 engineers who contributed code to Mozilla over the last year. They all have a deep passion for security and privacy," Hoffman said.

The incredible growth of Firefox over the last three months—25 million downloads in 99 days—has been largely fueled by security-related flaws in Internet Explorer, and although both sides refuse to be drawn into comparison discussions, its no secret that Mozilla and Microsoft are keeping a wary eye on each others moves.

At this years RSA Security Conference, Microsoft executives publicly declined to discuss Firefox.

"When you run a business and you worry only about what your competitors are doing, thats not a long-term business proposition," said Gytis Barzdukas, director of product management in Microsofts security business technology unit.

"Yes, Firefox has come out with technologies that customers are evaluating, [but] we cant worry too much about that," Barzdukas said in an interview with eWEEK.com.

Side-by-side comparisons of the two browsers show that both are prone to security flaws. According to statistics maintained by research firm Secunia, more than 40 percent of all IE flaw warnings between 2003 and 2005 carry a "highly critical" or "extremely critical" rating (see chart here).

Even more worrying, a whopping 32 percent of the 63 advisories over that period remain unpatched.

Mozilla, too, has dealt with its share of Firefox security hiccups. Late Thursday, the browser underwent a browser refresh to plug a series of "moderately critical" flaws. Secunia reports that 25 percent of known vulnerabilities in Firefox still remain without fixes (see graph here).

Next Page: Users will decide.

Users Will Decide


Mozillas Hoffman said the renewed Microsoft activity around IE reflected a response to demands from Web surfers.

"Microsoft is finally responding to many years of users asking for higher level of security from them. [With Windows XP SP2] they got a lot closer to the security model of Firefox and the Mozilla code base. But, in a lot of cases, theyre passing around the edges of a secure architecture. Hopefully, theyll change that with IE 7," Hoffman said.

He said Mozillas volunteers take a "proactive approach to security" with an overall philosophy about the way content and the browsing capabilities are handled in the Firefox browser.

At the end of the day, Hoffman said users will make the ultimate decision. "Its up to users to make the choice. Thats what weve seen in the last six months. Users will choose on security, functionality and modern innovation. Users are becoming smarter about the choices they make for browser software."

Mozillas security message goes beyond just browser fixes. At its last staff meeting, lead volunteers were so concerned about a ByteVerifier bug in the Java Virtual Machine that they discussed posting a security warning on the Mozilla home page.

That exploit does not target a browser flaw but, because of the spyware infection risks to all Web users, the group planned to help raise the alarm about the availability of a critical update from Sun Microsystems Inc.

"Thats a security problem that lies outside the boundaries of our code. However, we want to encourage users to upgrade to latest version of Java to protect themselves. The plan is to be proactive and push that warning up front," Hoffman explained.

Hoffman said the Foundations efforts were also boosted by the Security Bug Bounty Program that offers cash rewards to researchers who discover critical flaws in its products.

The bounty program was launched last summer with funding from Internet entrepreneur Mark Shuttleworth, and Hoffman said the response from the volunteer community was a lesson for the industry.

Hoffman said, "A few researchers threw all their tools at the source code and were very impressed with the security of the code. Weve paid out about five or six rewards but, for the most part, they found the architecture to be quite secure."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Rocket Fuel