I had heard that the Firefox update would be coming out last week, then I heard the 12th and then I heard the 14th.  Looks like it is out on the ftp server now: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/, but they're not yet pointing to it on the FF site, http://www.mozilla.com/firefox/.  

I've been wanting to dig into browser security and vulnerabilities, so I'm looking forward to the official release of this, along with an update to the known (meaning fixed) vulnerabilities page.  Once this is updated, I'll look at a couple of things for Firefox and Internet Explorer:

  • CVE disclosure trends for 2005 and 2006
  • Vendor fixes over the same time frame
  • Breakdown by CVSS severity
  • (maybe) time-to-fix

I will go ahead and share the only stats I've compiled so far, which is the new publicly disclosed vulnerabilities (CVE) for 2006, so far:

Mozilla Firefox: 59

Internet Explorer: 35

No idea yet about severity breakdown, etc, but should have a full analysis within a couple of days.  Just based upon this, though, Window Snyder shouldn't have a hard time finding some place to start over at Mozilla ;-)

I've also been thinking about comparing IE7 security improvements with Firefox security improvements and see where each have pros and cons, in terms of architecture and features, but I think I'll do that separately.