If you use Mozilla, you need to read this

No sooner than I presented Mozilla, specifically Mozilla Firefox, as a safe alternative to Internet Explorer did an exploit for Mozilla show up. Argh!

At least the fix came out swiftly and installs painlessly. Visit the page, click another link, wait a minute or so, and then restart the browser. Badda bing, badda boom, you’re patched. No reboot necessary. I still stand by my recommendation of Mozilla, whether it’s the entire bloatware Mozilla suite or the lightweight Mozilla Firefox, over IE. Why? Lessons learned from Linux.

When a vulnerability is discovered in a Microsoft product, an unpredictable length of time passes before the vulnerability is patched. Sometimes it’s a matter of days, but sometimes the length of time is just plain ridiculous. Setting aside for a minute how frequently patches come out (a case can be made that Linux gets more patches than Windows, but just as strong a case can be made that it gets fewer), the time that passes between the moment a vulnerability is discovered and announced and the release of a patch is usually very short. Usually it’s a matter of hours.

The reason is simple. Lots and lots of eyeballs looking at the code. And in Open Source, having your name in the code is a badge of honor. It’s a big, big line on a resume to say you wrote a line of code in the Linux kernel.

Other open-source software gets patched just as quickly, though. Not every open-source programmer is comfortable maintaining an operating-system kernel, and no self-respecting programmer wants his or her system hacked through a vulnerability in a piece of software he or she was perfectly capable of fixing.

This particular vulnerability stems from a little-known capability in Mozilla. I’m sure there was a legitimate use for it at one time, but were Mozilla being designed and rewritten from scratch today, I can’t see how it would possibly be implemented because the potential for abuse is huge. The code’s gone now. It won’t be in Firefox 0.92 or the next revision of the Mozilla suite.

Will there be other instances of this? Sure. Probably fewer of them, since Mozilla was a total rewrite of Netscape and its engine is entirely different from the one in Netscape 4.x. The IE codebase goes back to the early 1990s, as it’s based on the old NCSA Mosaic code, which Microsoft licensed from Spyglass. (Go into IE and hit Help, About to see for yourself.) There’s much more potential for harmful dead wood in IE than in Mozilla, but the presence of some in either is inevitable.

But at the end of this year’s storm season, I expect Mozilla to come out a lot stronger because most of the dead wood will have been shaken out. I don’t expect the same from IE. The codebase is too old, the teams too disparate, and the motivations behind the changes that have been made too different from Mozilla’s.

I’m standing by my browser.


2 thoughts on “If you use Mozilla, you need to read this”

  • July 11, 2004 at 9:21 am

    You forgot to mention that this bug only affects you if you are running Windows. That’s right: if you run Firefox on Linux, Solaris or any other operating system except for Windows, then you are safe.

    • July 11, 2004 at 6:06 pm

      And it’s really a bug in Windows code to begin with, in a legacy "feature" nobody uses. It’s not, really, a Mozilla "exploit" at all.
