August 22nd, 2006

Firefox developers need to accept Microsoft help

Posted by George Ou @ 5:19 pm

Categories: Security, Vista

Tags:

ZDNet UK reporter Colin Barker reports that Microsoft is reaching out to Firefox developers.  Even though this is a generous offer for four days of free lab space and free one-on-one help, the response from many Firefox advocates went along the lines of we don’t need no stinking help from M$.  At the end of Colin Barker’s story, he even asks the question: "Firefox already runs successfully on existing Windows, Linux and Macintosh operating systems. Testing by ZDNet UK Reviews found that it also runs well in Vista beta 2, so it’s not clear why Mozilla would need help from Microsoft".

The root cause of these attitudes is the misconception that Firefox is perfect to begin with and that it doesn’t need help, much less than Microsoft.  But nothing could be further from the truth since Firefox has been plagued with even more exploits than Microsoft Internet Explorer within the last year.  While Internet Explorer 6 and 7 beta have had recent zero-day exploits as well, Mozilla is not immune and has more than its share of vulnerabilities.  Some of these zero-day threats on Firefox have been so serious that even a simple ` character embedded in a URL could have obtained the shell on Linux while other proof-of-concept exploits attack the Mac as well as Windows.

The truth of the matter is that any web browser regardless of the creator is one of the biggest threats to the modern day Internet-connected desktop computer.   To deal with this threat, Microsoft created a protected mode for IE7 on Windows Vista which is often called IE7+ [Update: Ed Bott says this name has changed].  IE7 without the + designates IE7 running on Windows XP without the protected mode feature.  Protected mode allows the web browser to run inside of a sandbox.  While the use of non-admin users protect the operating system against exploits on the browser, it doesn’t protect the user’s files.  This means a hijacked browser will be able to steal, delete, or encrypt your personal data for ransom.  With Vista’s protected mode, an exploited browser will only be able to exploit that current browser session and sniff key strokes entered in to the browser but not outside of the browser where it can damage system files or precious user data.  While browser session key logging is still a big problem, it’s a lot better than system level infection, system level key logging, and compromised user data.  Furthermore, a browser infected in protected mode isn’t persistent and a restart of the application will flush the infection.

When I spoke with Microsoft before WinHEC, Microsoft told me that Vista’s protected mode is available to any other browser vendor and this is probably one of the key areas that Microsoft will help Mozilla with.  The offer from Microsoft’s open source labs is a generous one and Mozilla developers should accept the invitation with open arms (which they seem to be doing).  Microsoft could have simply allowed Mozilla to continue the status quo and run in the user space on Vista and claimed a distinct advantage for IE7+ over Firefox on Vista, but they chose to offer free help and free lab space to get Firefox up to par with Vista’s enhanced security features.  This would ultimately benefit all Windows Vista users regardless of the browser they chose and Microsoft’s effort to reach out should be applauded. [UPDATE 8/24/2006: Mozilla accepts offer]