31 vulnerabilities were reported for Internet Explorer (IE 5.x, 6.x, and 7), including those
publicly disclosed prior to vendor patch as well as those included in Microsoft Security
Bulletins.

Safari and Opera each had 32 and 30 vulnerabilities, whereas 115 vulnerabilities were registered for Firefox in 2008.

From a quick read it appears as though Firefox had almost 4 times as many security issues as IE or Safari! Like, OMG! However, that conclusion would be painfully incorrect. Mozilla discloses and releases bulletins for all security issues fixed in Firefox, regardless of how they were discovered. Unlike other vendors that only disclose issues reported by external independent parties, but not by internal developers, QA or security contractors.

So presenting those numbers as comparable is worse than useless, it is in fact very misleading. It’s like comparing traffic accident rates for two cities of equal size, but one only reports accidents that make the news while the other reports all traffic accidents. Directly comparing such numbers is meaningless.

Some vendors make the point that the number of internally found issues is small and not meaningful. That would unfortunately imply their internal testing and security processes are incapable of finding security issues, and rely entirely on the generosity of random strangers (security researchers). I would find that pretty scary.

Fortunately, having worked in-house and consulted to a number of large software vendors, I can assure you that is not true. In fact they generally have very capable security teams and QA processes, which are so good at finding security issues that they usually find far more internally than they ever disclose to the public.

The Secunia report is deeply disappointing on a number of levels. Frankly, it’s disappointing that security researchers aren’t taking the “research” part of their jobs as seriously as they once did. It’s also disappointing that Secunia would publish something like this as one really expects better from them. This sort of reporting only encourages companies to hide as many security issues and fixes as possible, which moves the state of security backwards. And this is perhaps the most disappointing thing of all.

Lucas Adamski
Director of Security Engineering

You will still get Mozilla security information here. Johnathan Nightingale, Lucas Adamski, Brandon Sterne and Mike Shaver will all be posting on the Mozilla security blog to keep users informed about security issues and announcements.  I leave you in their very capable hands and wish them the best of luck.

The Mozilla community is an incredible group of dedicated people who are really making a difference in how we experience the Internet.  The contribution you make to the world is tremendous.  I am honored to have been a small part of it for these last few years.

Thank you,
Window

Window Snyder
window@dec.net

If QuickTime is set as the default media player, Firefox will send the request directly to QuickTime.  Mozilla is currently investigating this issue to identify ways to protect Firefox users.

More information is available in the CERT report.

Being open about security issues means that users have the information they need to understand their risk, that the community can contribute to the security process, and that other software development projects can benefit from our experiences.  Unfortunately, sharing the details of security issues broadly before they are patched could expose users to risk. The balance we have come up with is to work with a group of people that represent the interests of the entire community who can give feedback, suggestions, and help to fix security issues.

The Mozilla Security Group is a team of people from the community, including employees, individual contributors, and other vendors who work on securing Mozilla projects. This group has been in place since 2002, is older than Mozilla Corporation, and as of today there are 93 people in the group. The team is self-organizing. New members are nominated by existing members through recognition of valuable contributions to security efforts. This system is democratic and is similar to the method used to assign rights to add code to Mozilla projects for new contributors.

This team enables us to leverage the knowledge of the community, be open about security issues, but also protect our users until we are able to ship a fix.

Petko D. Petkov identified an issue in Quicktime that allows an attacker to execute arbitrary code.

Impact

If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.

Petkov provided proof of concept code that may be easily converted into an exploit, so users should consider this a very serious issue.

Status

Mozilla is working with Apple to keep our users safe and we are also investigating ways to mitigate this more broadly in Firefox.

You can follow our work in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=395942

Credit

Petko D. Petkov discovered this issue and posted details here.

 http://www.sockpuppet.org/baysec/