Mozilla Battens the Hatches Against IE 7.0 - Page 2


Mozilla's Hoffman said the renewed Microsoft activity around IE reflected a response to demands from Web surfers.

"Microsoft is finally responding to many years of users asking for higher level of security from them. [With Windows XP SP2] they got a lot closer to the security model of Firefox and the Mozilla code base. But, in a lot of cases, they're passing around the edges of a secure architecture. Hopefully, they'll change that with IE 7," Hoffman said.

He said Mozilla's volunteers take a "proactive approach to security" with an overall philosophy about the way content and the browsing capabilities are handled in the Firefox browser.

At the end of the day, Hoffman said users will make the ultimate decision. "It's up to users to make the choice. That's what we've seen in the last six months. Users will choose on security, functionality and modern innovation. Users are becoming smarter about the choices they make for browser software."

Mozilla's security message goes beyond just browser fixes. At its last staff meeting, lead volunteers were so concerned about a ByteVerifier bug in the Java Virtual Machine that they discussed posting a security warning on the Mozilla home page.

That exploit does not target a browser flaw but, because of the spyware infection risks to all Web users, the group planned to help raise the alarm about the availability of a critical update from Sun Microsystems Inc.

"That's a security problem that lies outside the boundaries of our code. However, we want to encourage users to upgrade to latest version of Java to protect themselves. The plan is to be proactive and push that warning up front," Hoffman explained.

Hoffman said the Foundation's efforts were also boosted by the Security Bug Bounty Program that offers cash rewards to researchers who discover critical flaws in its products.

The bounty program was launched last summer with funding from Internet entrepreneur Mark Shuttleworth, and Hoffman said the response from the volunteer community was a lesson for the industry.

Hoffman said, "A few researchers threw all their tools at the source code and were very impressed with the security of the code. We've paid out about five or six rewards but, for the most part, they found the architecture to be quite secure."

