July 16, 2009, 7:57 AM — So far this week we’ve heard about two security updates from Microsoft for critical vulnerabilities in Internet Explorer, and the revelation of one critical bug that’s haunting Firefox 3.5. And the week’s not over yet.
These bugs are bad – rated critical – but the contrast between the way Microsoft deals with browser vulnerabilities vs. how Mozilla handled the issue is interesting.
Microsoft did something rather unusual in pre-announcing last week that security updates for the IE vulnerabilities would be available this week. But Mozilla did something even more unusual; it took some responsibility for not having gotten to the nasty Firefox 3.5 bug that, if exploited, could give an attacker control over an unsuspecting user’s PC.
Calling the bug “self-inflicted,” one Firefox contributor explained that the bug most likely came to light because the hacker who posted the exploit code on Monday had searched through Mozilla’s bug-tracking database.
As it happens, Mozilla developers had found the flaw themselves last Thursday and were working on a fix when the exploit code was posted. One Mozilla contributor even said that the group should have hidden the bug earlier.
Taking responsibility in this manner is refreshing, but unfortunately the severity of the bug combined with bad timing may have an adverse affect on the image of the just-released Firefox 3.5.
“It’s unfortunate this (Firefox bug) came to light when there are two Microsoft Internet Explorer exploits also making news - as a result Mozilla seems to be getting more flak than usual about it,” said Beth Jones of Sophos in her Wednesday blog post.
Do you tweet? Follow me on Twitter here.
