Building browsers is hard to do. There is a lot of attack surface in there for attackers to exploit. IE has certainly had its share. As Firefox’s popularity increases, it is getting its share too.
If you’ve got Firefox 1.5, it contains some serious security regressions. You may want to upgrade to 1.5.0.1.
I think the most interesting question is – how will Open Source projects like Firefox adapt to avoid security regressions like these? For as much as people gripe about Microsoft’s security (myself included), I have to admit that Microsoft is doing more than any company on the planet to prevent security problems. Here are some things that you get from Microsoft that Open Source will have a tough time beating:
1) All released software goes through a mandatory security review process. Does this slow down the process of shipping software? Yeah. We’re trying to fix that part. But this does catch real issues.
2) Every developer at Microsoft goes to security training. You can argue that this is a bit lame, but does every open-source developer do this? If nothing else, it brings security to the forefront of everyone’s mind.
3) When security flaws occur, software can be updated via Microsoft Update. IT managers can use SMS (Systems Management Server) or WSUS (Windows Server Update Services) to be notified of patches instantly, get details on the risk (the MSRC severity rating and bulletin), and apply them to their desktops within hours.
The third bullet sounds simple, but actually represents a massive undertaking. When will any open source project be able to track all their customers via a service, proactively send them updates, and allow IT managers to selectively roll them out across their fleet?
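To make the third bullet concrete, here is an added example (not code from the original post or from Microsoft) that asks the Windows Update Agent on a client which applicable updates are still missing, lists them by MSRC severity and bulletin ID, and fails if anything Critical or Important is outstanding. It uses only the public WUA COM interfaces (`Microsoft.Update.Session`, `IUpdateSearcher.Search`, `IUpdate.MsrcSeverity`, `IUpdate.KBArticleIDs`, `IUpdate.SecurityBulletinIDs`); the search criteria string, the severity ordering and the exit-code convention are my choices, not a prescribed Microsoft workflow, and the script assumes an elevated PowerShell session on a machine that can reach Microsoft Update or its WSUS server.

```powershell
# Added example: enumerate missing updates via the Windows Update Agent COM API.
# Assumptions: elevated session, PowerShell 3+ (for -in), client can reach
# Microsoft Update or its configured WSUS server. Not Microsoft's own tooling.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# WUA search criteria: applicable-but-not-installed, and not hidden by an admin.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

# MSRC severity ranking used to sort the output (my ordering, not an API value).
$order = @{ 'Critical' = 0; 'Important' = 1; 'Moderate' = 2; 'Low' = 3 }

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        # MsrcSeverity is an empty string for non-security updates.
        Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Bulletins  = ($u.SecurityBulletinIDs | ForEach-Object { $_ }) -join ','
        Downloaded = $u.IsDownloaded
        Title      = $u.Title
    }
}

$missing |
    Sort-Object { if ($order.ContainsKey($_.Severity)) { $order[$_.Severity] } else { 9 } } |
    Format-Table Severity, KB, Bulletins, Downloaded, Title -AutoSize

# Non-zero exit when Critical/Important security updates are missing, so the
# script can be run from a scheduled task or management agent as a compliance check.
$urgent = @($missing | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($urgent.Count -gt 0) {
    Write-Warning "$($urgent.Count) Critical/Important update(s) not installed"
    exit 1
}
exit 0
```

The point of the exit code is the fleet view the post describes: an IT manager does not need to read each bulletin on each desktop, the agent can report "this machine is missing N Critical updates" and the rollout decision is made centrally. Note that `Search` with `IsInstalled=0` only reports what the client's configured update source has approved for it; on a WSUS-managed client, updates the administrator has not yet approved will not appear.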
Hopefully we can solve this problem for both commercial and open-source software.