Internet Explorer 7 application protocol handlers

Jul 23, 2007 08:06 GMT  ·  By

Microsoft has started delivering security development lessons to Mozilla. With Internet Explorer 7, the Redmond company made security the backbone of the product, aiming to shed both the bad history and the poor reputation of IE6 in terms of user protection. The fact of the matter is that one of the aspects driving Firefox adoption, and fueling the Mozilla browser's erosion of Microsoft's market share, is security. Firefox is widely perceived as the superior product in terms of security, and Internet Explorer 6 offers no contest in this matter. But IE7 has changed the game for Microsoft. Furthermore, the latest browser from the Redmond company, installed by default in Windows Vista, has raised the stakes in terms of security. Now Microsoft is in a position to applaud IE7 as being more secure than Firefox 2.0.

The latest Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection vulnerability, which affects IE7 users via Firefox 2.0, is an example of a browser measuring contest between Microsoft and Mozilla. While the vulnerability does exist, placing IE7 users at risk through Firefox 2.0, Mozilla and the Redmond company have each blamed the other's product for the security flaw. Microsoft's position, however, has been clear from the get-go, pointing to Firefox as solely responsible for the vulnerability. And while claiming that IE7 is affected by a critical vulnerability, Mozilla did provide a fix for the flaw in Firefox.

Markellos Diorinos, IE Product Manager, addressed an indirect message to Mozilla, presenting the safe way to enrich the Web with application protocol handlers in IE7. "The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web. However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters. URL protocol handlers are one of the ways we enable rich experiences in browsing; however, as with any other program that accepts untrusted data from the web, URL protocol handling applications must be carefully designed based on the threat environment," Diorinos stated.
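Diorinos' point is that the browser (the caller) hands the whole custom URL to the registered application (the callee) and cannot know which parameters are dangerous for it, so the callee has to validate. The following is an added example of what that validation looks like on the callee side; it is not code from the article, from Microsoft or from Mozilla. It assumes a hypothetical scheme `myapp`, a hypothetical program `document-viewer.exe` and two actions (`open` with a numeric `id`, `search` with a short `q`). It bounds the URL length, allowlists the raw characters (so quotes, whitespace and control characters can never be mistaken for extra command-line switches by whatever is launched next), re-checks each value after percent-decoding, and builds the launch command as an argument list rather than a string.

```python
"""Added example: callee-side validation for a custom URL protocol handler.

Assumptions (not from the article): scheme 'myapp', program
'document-viewer.exe', actions 'open' (param 'id') and 'search' (param 'q').
"""
import re
from urllib.parse import parse_qs, urlsplit

SCHEME = "myapp"                      # assumed registered scheme
MAX_URL_LEN = 2048                    # assumed bound; handler-specific
HANDLER_EXE = "document-viewer.exe"   # hypothetical program to launch
ACTIONS = {"open": {"id"}, "search": {"q"}}   # action -> permitted query keys

# Raw-URL allowlist: no quotes, whitespace or control characters, so the
# URL cannot be reinterpreted as additional switches by a downstream parser.
_RAW_ALLOWED = re.compile(r"^[A-Za-z0-9._~/?&=%+,:@-]*$")
# Per-parameter rules applied to the *decoded* value (percent-encoding
# could otherwise smuggle characters past the raw allowlist).
_PARAM_RULES = {
    "id": re.compile(r"^[0-9]{1,12}$"),
    "q": re.compile(r"^[A-Za-z0-9 ._-]{1,100}$"),
}


class HandlerURLError(ValueError):
    """Raised when a URL handed to the handler fails validation."""


def validate_handler_url(url):
    """Validate a handler URL and return {'action': ..., 'params': {...}}."""
    if not isinstance(url, str):
        raise HandlerURLError("url must be a string")
    if len(url) > MAX_URL_LEN:                      # bounded length first
        raise HandlerURLError(f"url longer than {MAX_URL_LEN} characters")
    if not _RAW_ALLOWED.match(url):
        raise HandlerURLError("character outside the allowlist in raw url")
    parts = urlsplit(url)
    if parts.scheme.lower() != SCHEME:
        raise HandlerURLError(f"unexpected scheme {parts.scheme!r}")
    action = parts.netloc.lower()
    if action not in ACTIONS:                       # closed set of actions
        raise HandlerURLError(f"unknown action {action!r}")
    try:
        query = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise HandlerURLError("malformed query string") from exc
    if set(query) != ACTIONS[action]:               # exactly the expected keys
        raise HandlerURLError("query keys do not match the action's parameters")
    params = {}
    for key, values in query.items():
        if len(values) != 1:
            raise HandlerURLError(f"parameter {key!r} given more than once")
        if not _PARAM_RULES[key].match(values[0]):  # rule on decoded value
            raise HandlerURLError(f"parameter {key!r} failed its value rule")
        params[key] = values[0]
    return {"action": action, "params": params}


def build_argv(validated):
    """Build the launch command as a list: one element per argument.

    Pass this to subprocess.run(argv) as a list, never joined into a single
    shell string and never with shell=True, so each value reaches the
    program as exactly one argument regardless of its content.
    """
    argv = [HANDLER_EXE, validated["action"]]
    for key in sorted(validated["params"]):
        argv.append(f"--{key}={validated['params'][key]}")
    return argv


def handle(url):
    """Validate the incoming URL and return the argv to launch (or raise)."""
    return build_argv(validate_handler_url(url))


def is_accepted(url):
    """True if the handler would act on this URL, False if it rejects it."""
    try:
        handle(url)
    except HandlerURLError:
        return False
    return True


if __name__ == "__main__":
    print(handle("myapp://open/item?id=42"))
    print(is_accepted('myapp://open/item?id=42"'))   # rejected: quote in raw url
```

The order of checks matters: length and the raw allowlist run before any parsing, so an oversized or oddly encoded URL is dropped without ever reaching `urlsplit`, and the decoded values are then held to their own rule, which is what catches a percent-encoded quote that the raw allowlist let through.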