Browser Wars Play Nice with Congratulatory Cupcakes

The rapid-fire schedule of browser releases these days shows what a competitive industry this has become.  Recent changes emphasize the security measures a browser provider must take in order to appeal to an increasingly discerning consumer base, especially in an era of rising malware attacks.  The browser will only become more central to our web interactions, even as the world goes mobile.  IE, Firefox and Chrome continue to vie for your attention with their latest updates and stunts.  Here’s the rundown:

Internet Explorer’s Mocking Gesture

In a recent security test, Microsoft’s Internet Explorer 9 (IE9) ranked highest at deflecting malware attacks.  Unlike Mozilla, Microsoft is not into releasing new versions of IE at a rapid pace, so when Mozilla launched Firefox 6 just weeks after the previous version, the IE team sent Mozilla a congratulatory cupcake with the message “Congratulations on shipping! Love, The IE Team!”

It’s a nice gesture if you think about it, rival teams acknowledging one another’s work.  It used to be like that when the IE Team would ship cakes for every Firefox version update.  But with Firefox’s rapid-release schedule and the versions containing fewer new features, the cupcake now signifies how small a feat the Firefox team has actually accomplished.  You’d think that the Firefox team would be insulted, but the Director of Firefox Engineering for Mozilla actually posted the photo of the cupcake on Flickr.  Maybe he’s just a good sport.

Firefox’s Rapid-Release Leaves Users In the Stone Age

As for Firefox, aside from happily accepting the congratulatory cupcake from the IE Team, their own bug-fixing team is thinking of removing the version numbers from its updates, in an effort to make Firefox more user friendly.  Well, that idea quickly backfired, drawing a huge wave of comments from protestors.  But apparently many Firefox users pay little attention to the version numbers at all.  Over a third of Firefox users do not have the current version of the web browser, some being several versions behind.  If Mozilla removes the version number from its web browser, the result could very well be even more users without updated versions.  Leaving the version number in place would at least remind them that they probably have an outdated browser.

Google Hires Bug Bounty Hunters

Google released an updated version of their web browser, Chrome, version 13.0.782.215.  The update fixed 11 security issues, which included a critical memory corruption flaw in its vertex handling.  In all, nine issues were deemed of high importance and one was labeled medium.

Google spent another $8,500 to pay off bug-bounty hunters.  Listed below are some of the bugs found, the bug-bounty hunters who found them, and the amounts they were paid.

  • [$1000] [Windows only] [72492] Medium CVE-2011-2822: URL parsing confusion on the command line. Credit to Vladimir Vorontsov, ONsec company.
  • [82552] High CVE-2011-2823: Use-after-free in line box handling. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by miaubiz.
  • [$1000] [88216] High CVE-2011-2824: Use-after-free with counter nodes. Credit to miaubiz.
  • [88670] High CVE-2011-2825: Use-after-free with custom fonts. Credit to wushi of team509 reported through ZDI (ZDI-CAN-1283), plus independent later discovery by miaubiz.
  • [$1000] [89402] High CVE-2011-2821: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
  • [$1000] [87453] High CVE-2011-2826: Cross-origin violation with empty origins. Credit to Sergey Glazunov.

It doesn’t really matter what browser you use, just remember to keep it updated.  Updates are there for a reason: to keep you secure.  So don’t just brush them off.