It hasn’t been a good week for Firefox and its fans. First, the Danish security company Secunia warned that it had uncovered a vulnerability in Firefox and other browsers that can allow the URL displayed in the address bar and the SSL certificate to be spoofed, which leaves those browsers vulnerable to phishing attacks. The flaw affects all browsers built using the open-source Gecko browser kernel.
And this time around, Internet Explorer is not vulnerable to the attack.
Making matters worse, a few days after that, a security researcher found a trio of security bugs that affect Firefox and Mozilla — but not Internet Explorer. Among other dangers, the bugs can allow someone to steal your cookies, and then use them to find out personal information about you and log into web sites with your login.
Perhaps most disturbing is that as of this writing, although fixes have been found, they have not yet been rolled up into a patch, or made available in a new Firefox version that can be downloaded and installed.
I’m a big Firefox fan, and I tell everyone I know to give up IE and use it. But this news doesn’t bode well for the browser. Its increasing popularity will mean that it will be subject to more frequent attacks. Worse, though, is that as of this writing, the fixes aren’t publicly available. People have rightly accused Microsoft of not posting security patches quickly enough. But up until now, Firefox developers have always been quick to react with security fixes.
Let’s hope that this is an anomaly, and patches are posted quickly. I’d hate to see Firefox get bedeviled by the same problems that afflict Internet Explorer.
What do you think about how Firefox handles security flaws?