With Monday's reports of the Mozilla Foundation's patches for significant new security holes that could let attackers install malicious code or steal personal data, Firefox partisans are finally acknowledging that the core selling pitch for their browser may be vulnerable.
"The versions of Firefox up to version 1.0.3 have had terrible security risks," wrote one participant in the volunteer Firefox promotion campaign, Spread Firefox. "I think these security risks have undermined the promise of Firefox as a more secure browser."
Firefox offers popular features like tabbed browsing that Microsoft's Internet Explorer browser doesn't have (third-party IE-based browsers do offer them), but it has taken IE down a few notches in market share primarily on the strength of perceptions that Firefox is safer than IE.
As Firefox approaches the 50 million download mark, some participants have begun contemplating celebrations of that milestone. But others have begun to fret that security concerns are weakening what many see as the browser's primary raison d'etre.
Those concerns have sprung a major leak in the Mozilla Foundation's message that Firefox is more secure, as foundation President Mitchell Baker asserted at PC Forum last month.
"The cynical may note that two Firefox security updates have been issued since Mitchell made her comments," Mozillazine wrote in a Monday posting.
The Mozillazine discussion is one of many that have sprung up on Slashdot and other forums after recent columns in InformationWeek and in the IT Observer questioned Mozilla's security superiority.
Eyeing the wave of bad press, Mozilla's marketing volunteers are staying on message with the security theme.
One campaign under consideration will associate the open-source browser with the security of a condom, showing a condom wrapped with the Firefox logo sticking out of the rear pocket of someone's jeans.
"Always use protection," the ad copy reads. "GetFirefox.com. Firefox is the free Web browser that offers greater privacy and prevents pop-ups, spyware and viruses."
The image was developed for a college poster campaign, but was scuttled because of concerns over offending people, according to the blog of Mozilla Foundation staffer Asa Dotzler, who manages Firefox and Thunderbird product releases. Mozilla said the plan to revive the image came from volunteers, not from the foundation itself.
Mozilla insisted, as it has in the past, that it enjoys fundamental security advantages over IE.
"Firefox is safer for a couple of reasons," said Chris Hofmann, director of engineering for the foundation. "With these security releases, the security development community that works on the Mozilla code is actually finding these things before exploits can be developed or discovered by hackers. None of these things that we've produced patches for in the last couple of releases have been things that have been discovered in the wild."
Another reason, Hofmann said, is that Firefox doesn't use ActiveX technology, which he blamed for the preponderance of Microsoft's browser security woes.
"This is the major architectural advantage that we have," he said. "With the ActiveX and the security zone model, Microsoft has taken browsers in a different direction, which provides a mechanism for the most serious exploits in Internet Explorer."
Mozilla has made its own stabs at ActiveX support. One project, which Hofmann deemed "experimental," is an extension that would provide support for specific ActiveX controls like the Windows Media Player. Controls would have to be on a "white list" of vetted applications.
An ActiveX alternative, known as "Plug-ins Future," is a joint effort between Mozilla, Opera Software, Apple Computer, and plug-in makers including Adobe Systems and Sun Microsystems.
One computer security expert called the security contest between Microsoft and Mozilla a toss-up, though he lauded Mozilla's responsiveness and Firefox's pop-up controls.
"The thing I like about the non-MSIE products is that I find they're more easily user-configurable to prevent things like pop-ups and pop-unders, which can be security risks," said Mike Finnie of Computer Forensics. "It seems that the Mozilla group is fairly immediately responsive to incidents of security lapses or bad code, and it seems to be making a genuine effort to fix them and get them released. But on a scale of one to 10, how many more points would they get than Microsoft? I don't know."
The Firefox team are right. ActiveX and security zones produce a security model that's inherently unfixable. Microsoft has been working on fixing it for over seven years, and they're still getting exploited by spyware and other malicious programs.