Does bug-fix speed reflect browser value?

I know that it is often difficult for browser vendors to immediately fix every vulnerability identified.  However, I expect delays in fixing widespread and easily exploited flaws to be measured in days or weeks, not months.  But waiting months (and in one case we're still waiting) is exactly what happened with a vulnerability discovered in the way all browsers once handled CSS style sheets.

According to a paper on this vulnerability and related exploits:

"Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user’s existing authenticated session; existing XSS defenses are ineffective."

The paper, authored by a team of researchers from Carnegie Mellon University and Google, also demonstrates how to block the exploits "...with little or no impact on the vast majority of web sites."  It would seem browser vendors would jump on this.  But in some cases that did not happen.  According to Dennis Fisher, writing for Kaspersky Lab Security News Service,

"The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. Mozilla was the last to fix the issue, in July.

But Microsoft has not yet implemented a fix for the vulnerability, and Evans on Friday posted a message to the Full Disclosure mailing list pointing out this fact and linking to a benign demo site. Microsoft Security Response posted a message to Twitter later in the day acknowledging that the company was aware of the issue and was investigating it."

via Nasty Data-Stealing Bug Haunts Internet Explorer 8 | threatpost.
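The "simple defense mechanism" Fisher refers to is the client-side rule the paper ("Protecting Browsers from Cross-Origin CSS Attacks", CCS 2010) proposes: a stylesheet loaded from another origin is applied if it is served as text/css, and otherwise only if it begins with syntactically valid CSS, since a page that an attacker has merely injected text into starts with its own markup, not with a CSS rule. The Python below is an added illustration of that policy, not code from the page or from the paper's authors; the selector grammar is a deliberate simplification of my own, and the sample responses are constructed.

```python
import re

# Leading material CSS allows before the first rule: whitespace, comments, CDO/CDC.
LEADING = re.compile(r'(?:\s+|/\*.*?\*/|<!--|-->)+', re.S)
# An at-rule: @name ... ending in ';' or opening a block.
AT_RULE = re.compile(r'@[A-Za-z_-][\w-]*[^;{}]*[;{]')
# A qualified rule's prelude: everything up to the first '{' (validated separately).
QUALIFIED_PRELUDE = re.compile(r'([^{};]*?)\s*\{')

# Simplified selector grammar (assumption: a subset of CSS 2.1 selectors is enough
# to show the idea; real browsers use their full selector parser here).
IDENT = r'-?[A-Za-z_][\w-]*'
SIMPLE_PARTS = (r'(?:#[\w-]+'                 # #id
                r'|\.[\w-]+'                  # .class
                r'|\[[^\]]*\]'                # [attr=value]
                r'|::?[\w-]+(?:\([^)]*\))?)')  # :hover, ::before, :nth-child(2n)
COMPOUND = rf'(?:(?:{IDENT}|\*){SIMPLE_PARTS}*|{SIMPLE_PARTS}+)'
COMPLEX = rf'{COMPOUND}(?:\s*[>+~]\s*{COMPOUND}|\s+{COMPOUND})*'
SELECTOR_LIST = re.compile(rf'{COMPLEX}(?:\s*,\s*{COMPLEX})*')


def begins_with_well_formed_css(body: str) -> bool:
    """True if the document starts with a syntactically valid CSS construct."""
    m = LEADING.match(body)
    rest = body[m.end():] if m else body
    if AT_RULE.match(rest):
        return True
    m = QUALIFIED_PRELUDE.match(rest)
    if not m:
        return False
    selector = m.group(1).strip()
    # An empty selector (e.g. a JSON object) or a prelude containing markup is rejected.
    return bool(selector) and SELECTOR_LIST.fullmatch(selector) is not None


def should_apply_stylesheet(content_type: str, body: str, cross_origin: bool) -> bool:
    """Decide whether a fetched resource may be interpreted as a style sheet.

    Same-origin sheets keep the lax legacy behaviour; cross-origin sheets need
    either the correct Content-Type or a body that parses as CSS from the start.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == "text/css" or not cross_origin:
        return True
    return begins_with_well_formed_css(body)


# Constructed sample responses a browser might receive via @import / <link>.
SAMPLES = {
    "proper css":       ("text/css", "body { color: red }"),
    "mislabelled css":  ("text/plain",
                         "/* legacy server */\n.menu a:hover { text-decoration: underline }"),
    "html page":        ("text/html",
                         "<!DOCTYPE html>\n<html><head><style>body{color:red}</style></head>"
                         "<body>account: constructed-secret</body></html>"),
    "json api":         ("application/json", '{"session": "constructed-token"}'),
}


def evaluate_samples(cross_origin: bool = True) -> dict:
    """Apply the policy to every sample; returns {label: allowed}."""
    return {label: should_apply_stylesheet(ct, body, cross_origin)
            for label, (ct, body) in SAMPLES.items()}


if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{label:16s} -> {'applied' if allowed else 'rejected'}")
```

The compatibility trade-off the paper accepts is visible in the "mislabelled css" case: a genuine stylesheet served with a wrong Content-Type still works because it parses from its first byte, whereas an HTML page or a JSON response fails the prefix check. The check is a heuristic on the leading bytes only, which is why serving stylesheets with the correct Content-Type remains the server-side part of the fix.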

What interested me is how long it took for a Firefox fix.  And, yes, Microsoft is dragging its collective feet, even though it has made great overall progress in improving the security of its products.  The surprise for some might be that the two browser vendors that reacted quickest were Opera and Google.

Why would the two browsers with the smallest Internet footprint take appropriate steps while everyone else lagged far behind?  Maybe the answer is in the question... they are the smallest and are working for bigger market share.  Possibly, but it could also be that they "get it."

I started using Google's Chrome browser some time ago.  It is fast, it is flexible, and it is increasingly my browser of choice for research.  Google simply gets it.  This is also demonstrated by its offer to pay bounties for security weaknesses found in its open-source code (Google offers bounty for Chrome bug catchers).

Maybe it's time for businesses to start looking beyond the traditional browsers with bloated code and slow bug-fix reaction times.  If not now, the time is quickly coming...

Copyright © 2010 IDG Communications, Inc.
