If evidence were needed that the new browser war will be won or lost on the security message, along comes the Mozilla Foundation with public confirmation.
In an interview with eWEEK.com, Mozilla director of engineering Chris Hoffman said the Foundation plans to add another staffer to join Dan Veditz, a long-time Mozilla contributor and ex-Netscape employee who now serves as lead engineer for security.
"We're looking to create another position to oversee the entire infrastructure for development and doing releases. We're adding full-time help to help maintain the level of security we're striving for," Hoffman said.
Mozilla has also launched a recruitment drive to find user interface developers, particularly in the PSM (Personal Security Manager), which handles the performance of cryptographic operations for the Mozilla Suite (which includes the flagship Firefox browser).
Hoffman sidestepped a suggestion that the Foundation's renewed push around security was directly related to Microsoft's IE 7.0 refresh plans. "Our security story is bigger than Firefox. Look at it this way; we have 900 engineers who contributed code to Mozilla over the last year. They all have a deep passion for security and privacy," Hoffman said.
The incredible growth of Firefox over the last three months—25 million downloads in 99 days—has been largely fueled by security-related flaws in Internet Explorer, and although both sides refuse to be drawn into comparison discussions, it's no secret that Mozilla and Microsoft are keeping a wary eye on each other's moves.
At this year's RSA Security Conference, Microsoft executives publicly declined to discuss Firefox.
"When you run a business and you worry only about what your competitors are doing, that's not a long-term business proposition," said Gytis Barzdukas, director of product management in Microsoft's security business technology unit.
"Yes, Firefox has come out with technologies that customers are evaluating, [but] we can't worry too much about that," Barzdukas said in an interview with eWEEK.com.
Side-by-side comparisons of the two browsers show that both are prone to security flaws. According to statistics maintained by research firm Secunia, more than 40 percent of all IE flaw warnings between 2003 and 2005 carry a "highly critical" or "extremely critical" rating (see chart here).
Even more worrying, a whopping 32 percent of the 63 advisories over that period remain unpatched.
Mozilla, too, has dealt with its share of Firefox security hiccups. Late Thursday, the browser underwent a browser refresh to plug a series of "moderately critical" flaws. Secunia reports that 25 percent of known vulnerabilities in Firefox still remain without fixes (see graph here).
Next Page: Users will decide.
Mozilla's Hoffman said the renewed Microsoft activity around IE reflected a response to demands from Web surfers.
"Microsoft is finally responding to many years of users asking for higher level of security from them. [With Windows XP SP2] they got a lot closer to the security model of Firefox and the Mozilla code base. But, in a lot of cases, they're passing around the edges of a secure architecture. Hopefully, they'll change that with IE 7," Hoffman said.
He said Mozilla's volunteers take a "proactive approach to security" with an overall philosophy about the way content and the browsing capabilities are handled in the Firefox browser.
At the end of the day, Hoffman said users will make the ultimate decision. "It's up to users to make the choice. That's what we've seen in the last six months. Users will choose on security, functionality and modern innovation. Users are becoming smarter about the choices they make for browser software."
Mozilla's security message goes beyond just browser fixes. At its last staff meeting, lead volunteers were so concerned about a ByteVerifier bug in the Java Virtual Machine that they discussed posting a security warning on the Mozilla home page.
That exploit does not target a browser flaw but, because of the spyware infection risks to all Web users, the group planned to help raise the alarm about the availability of a critical update from Sun Microsystems Inc.
"That's a security problem that lies outside the boundaries of our code. However, we want to encourage users to upgrade to latest version of Java to protect themselves. The plan is to be proactive and push that warning up front," Hoffman explained.
Hoffman said the Foundation's efforts were also boosted by the Security Bug Bounty Program that offers cash rewards to researchers who discover critical flaws in its products.
The bounty program was launched last summer with funding from Internet entrepreneur Mark Shuttleworth, and Hoffman said the response from the volunteer community was a lesson for the industry.
Hoffman said, "A few researchers threw all their tools at the source code and were very impressed with the security of the code. We've paid out about five or six rewards but, for the most part, they found the architecture to be quite secure."
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Channel News and Analysis 
