When I saw all the headlines this week about a new Symantec report contradicting the popular perception that Firefox is the secure alternative to Microsoft Internet Explorer, the timing couldn't have been better. Just three days earlier, I wrote this blog post about Firefox surpassing Microsoft Internet Explorer in monthly vulnerabilities, and a flood of angry comments followed in the talkback; Slashdot had another 500-plus comments. It was almost as if I had violated one of the ten commandments, "thou shalt not speak ill of any Open Source application," even though I never drew any conclusion about which browser was less secure. Predictably, the debate spilled into Windows bashing, and some of the comments blamed the Firefox problems on Windows. But even as the debate raged on, a new, extremely critical vulnerability in Firefox came to light, and this time it affected only UNIX and Linux systems.
This new Firefox vulnerability is extremely dangerous because it is so easy to exploit and allows arbitrary code execution with zero user interaction. All that is needed to exploit it is a simple URL crafted so that, when Firefox on a UNIX or Linux system handles it, an arbitrary shell command is executed with the privileges of the user running the browser. The details of the exploit have been publicly released, so if you run Firefox it would be wise to upgrade to the latest release immediately.
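The class of bug described above, a URL that reaches a shell without being treated as a single opaque argument, is easy to see in a few lines of sh. The following is an added example, not the Firefox wrapper script and not code from the original post: the post does not describe the real bug's internals, so this models only the general pattern. `fake_browser`, `launch_unsafe`, `launch_safe`, `url_has_shell_metachars` and the crafted URL are all this example's own assumptions.

```shell
#!/bin/sh
# Illustrative launcher, NOT the Firefox wrapper script. fake_browser stands
# in for the browser binary and merely echoes the single URL argument it got.
fake_browser() {
    printf '%s\n' "$1"
}

# Vulnerable pattern: the launcher builds a command line as a string and
# re-parses it with eval. Any ';', '|', '$(...)' or backtick inside the URL
# becomes shell syntax and runs with the user's privileges, no click needed.
launch_unsafe() {
    eval "fake_browser $1"
}

# Hardened pattern: the URL is passed as one argv element. The shell never
# re-parses its contents, so metacharacters are just bytes in a string.
launch_safe() {
    fake_browser "$1"
}

# Defensive pre-check for a wrapper you cannot fix yourself: reject URLs that
# carry characters a POSIX shell treats specially. The character list is this
# example's assumption, not an official list; a well-formed URL never needs an
# unencoded one of these.
url_has_shell_metachars() {
    printf '%s' "$1" | grep -q '[`$;|&()<>"\ '"'"']'
}

# Demo with a constructed URL that smuggles an extra command after ';'.
crafted_url='http://example.com/;echo INJECTED'
echo "unsafe launcher output:"
launch_unsafe "$crafted_url"      # prints the URL, then INJECTED
echo "safe launcher output:"
launch_safe "$crafted_url"        # prints the whole string; nothing executes
```

The fix is not to filter harder but to stop re-parsing: once the URL travels as a single argv element there is no shell in the path for the metacharacters to reach. The metachar check is only a stopgap for the case where you have to keep a wrapper you do not control.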
The year 2004 revived the browser wars with the entry of Mozilla Firefox. While it can be debated until the end of time which browser is more secure, 2005 has shown us that Firefox is not the panacea it was made out to be. Microsoft and Mozilla are at least doing what they can to fix the bugs, and the browser we use doesn't matter as much as some make it out to be. The best thing we can do is make sure we're not running Windows as an Administrator, no matter which browser we use. This may be a little hard before Windows Vista UAP arrives, because some applications break when run from a limited (non-administrator) user account, but even then there are alternatives like DropMyRights that let you launch individual applications with a reduced-privilege token even while you're logged on as an Administrator. Keep in mind that running without administrative rights only limits the damage a successful exploit can do; it is no substitute for staying up to date with security patches.