One of the most commonly used slams against MS Internet Explorer, and the flip side extolling Firefox, is its security flaws.
However, a hacker duo, Mischa Spiegelmock and Andrew Wbeelsoi, presented a session at this year’s ToorCon in which they highlighted the complete mess that is the impossible-to-patch JavaScript implementation in Firefox.
Window Snyder, Mozilla’s head of security, has indicated that Mozilla believes that the one exploit the duo presented is real.
Spiegelmock and Wbeelsoi declined to discuss how they identified the exploit, but it has occasioned a return to arguments over the security of open source software. Opponents have long argued that open source software is inherently unsafe because Bad People™ can pore over the source code looking for exploits. Opponents liken it to publishing the blueprints to a fortress. Open source advocates have argued the opposite, namely that publishing source code ultimately results in more security. The more eyes that pore over the source code, it is argued, the more likely it is that vulnerabilities will be discovered and fixed.
The truth is likely somewhere in between. Publishing source code certainly does raise the possibility of an exploit being found via that same source code. It’s what happens after the flaws are found that seems to stir so much debate. Human nature being fickle, there’s little basis for predicting one outcome over another, especially in an environment where exploits can be sold to the highest bidder for nefarious means.
You can read the full article over at Ars Technica, but in the meantime I’m more than happy to keep using IE7.
UPDATE: Turns out this whole thing was nothing more than an attention-getting hoax.



