14 DAY TRIAL // When it comes down to the face-off between Microsoft and Mozilla on the browser market it's not all about the install base, market share percentages and audience converting, but also about security. And one aspect of the security race, of course not relevant onto itself for the entire protection level delivered by the two browsers, is the vulnerability count. In February, both Microsoft and Mozilla tended to their respective products, patching Critical holes in both Internet Explorer 7 and Firefox 2.0.
Mozilla was first having released the Firefox 2.0.0.12 security and stability update since February 7. Firefox 2.0.0.12 is designed to plug no less than 10 security vulnerabilities three of which Critical, flaws which permitted "web browsing history and forward navigation stealing, Privilege escalation, XSS, Remote Code Execution, and crashes with evidence of memory corruption," in the eventuality of successful exploits. A single security vulnerability was labeled with a severity rating of high, due to the fact that it permitted "directory traversal via chrome: URI," Mozilla explained. Firefox 2.0.0.12 can be grabbed here.
Microsoft has also had to hammer away at Internet Explorer 7 this month, with Microsoft Security Bulletin MS08-010 - Critical Cumulative Security Update for Internet Explorer (944533). But unlike Mozilla which only offers support for Firefox 2.0, the Redmond company had to deal with no less than four vulnerabilities across multiple versions of IE, and across multiple platforms.
"This update addresses 4 remote code execution vulnerabilities. This security update addresses these vulnerabilities by modifying the way Internet Explorer handles HTML and validates data, as well as by setting killbits for an ActiveX control," explained Terry McCoy, Program Manager Internet Explorer Security. "This update is rated 'Critical' for IE5.01, IE6 Service Pack 1 on Windows 2000, IE6 on Windows XP, IE7 on Windows XPSP2 and IE7 in Windows Vista, IE6 on Windows Server 2003, and IE7 on Windows Server 2003."
Microsoft has patched a total of three security holes considered Critical including vulnerabilities involving HTML Rendering Memory Corruption, Property Memory Corruption, Argument Handling Memory Corruption. The remaining Important flaw is related to ActiveX Object Memory Corruption.
"The IE Cumulative Security Update for February 2008 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven't already to ensure that you receive the latest updates for all Microsoft products," McCoy added.