It appears that the big communal witch hunt over the URL protocol-handling bug has resulted in both Microsoft and Mozilla admitting some level of culpability. Originally, each vendor pointed the finger at the other one. Mozilla officials said it was Microsoft’s fault because Internet Explorer was sending Firefox bad data; and Microsoft said nope, it’s Firefox’s fault for not validating input. Fun. But after Microsoft officials agreed that there was an issue with IE, Mozilla has come to the same conclusion, saying that Firefox also has a problem. Mozilla’s security team, headed by Window Snyder, is investigating the issue now, Snyder said in a blog post:
We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 220.127.116.11. We believe that defense in depth is the best way to protect people, so we’re investigating it now.
We are working to make sure that we are giving you as much information about pressing security issues as possible. We make real-time updates as we find out new information because we are committed to an open and transparent security process.
David LeBlanc, a security guru at Microsoft, also got in on the act Tuesday with a post about security dependencies and why the whole IE v. Firefox discussion misses the larger point:
One of the bits of background information needed to conduct a threat model is the external dependencies – in here, we list what we depend on, and what we expect them to do. An extremely critical part of a threat model is to ensure that the item we’re depending on actually agreed to do what we expected. When we’re looking for problems here, trying to find mismatches between what someone expects in their external dependencies and what the external dependency actually guarantees is often a productive source of things to go tidy up.
Thus if we’re following along with how Frank [Swiderski, co-author of a book on threat modeling with Snyder] and Window say to do threat modeling, and were going to threat model some generic URL handler, we might have an external dependency on the browser that’s invoking us. The problem is that it could be any browser. We might notice that some browsers might present the user with scary warnings, and so on, but what we should build on is what’s guaranteed. If IE or Firefox have some behavior, that’s interesting to note, but you could be hosted by DavidsDodgyBrowser that doesn’t check anything. Or worse yet, you could be hosted by TomsVulnFinder browser that’s just really rude and gives you obnoxious inputs. It’s pretty clear that a URL handler would be making mistakes if it assumed anything about how well formed its inputs were, given that there’s no telling what sort of browser it might be interacting with.
It’s nice to see this finally getting to the point where customers will have some protection from this problem, instead of a bunch of rhetoric. But the question is why it took so long. Instead of spending time writing dueling blog posts and crowing about the problem being in the other guy’s browser, both Mozilla and Microsoft would have served their customers better by putting some serious time into researching the problem and seeing whether there was anything they could do to prevent it. In the end, users don’t really care whether one browser is passing bad data or the other is failing to validate that input; all they want is a safe browsing experience.