A Tale Of Two BrowsersA Tale Of Two Browsers

Internet Explorer and Firefox are sitting on a bench, enjoying the warm summer sun. Suddenly, Firefox sneezes, reaches for its handkerchief, grabs its cell phone, and calls its doctor. "I think I'm coming down with something," it says. "Is there something I can do to get rid of this problem?" Then IE sneezes. What does it do?It reaches for its handkerchief, grabs its cell phone, and calls its doctor. "I just want to tell you," it says, "that wasn't my sneeze, my handkerchief is perfectly clean, and if I sneeze again I'm telling everyone it's Firefox's fault."

Sorry for the bad joke, but this is what immediately popped into my head when I read Sharon Gaudin's recent news item about a new security flaw that seems to be affecting both browsers. Apparently, a researcher named Thor Larholm has asserted in his blog that, "There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols." In other words, if you're using IE and visit a Web page that calls on a Firefox URL -- with, presumably, malicious code attached -- Firefox will be launched and will execute that code. The result? Two sick browsers.

Of course, this all depends on several factors, including the tendency of the user to go to malicious Web sites and whether your version of Firefox has the specific FirefoxURL handler. However, what I became most interested in was actually the reaction of the two browser vendors to the news: A Mozilla representative said they will be patching the problem in an upcoming release, while a Microsoft representative wrote that "this is not a vulnerability in a Microsoft product."

Strictly speaking, the Microsoft rep is right. The ultimate vulnerability is in Firefox. But this vulnerability only exists in the presence of both browsers. And would those of us who have both IE and Firefox on their systems (which includes everyone who installed Firefox but decided not to uninstall IE -- in other words, a lot of people) really care which browser is the one being ultimately targeted when our systems slow down to a crawl? And is a general policy of defensiveness really appropriate when you're dealing with a potential problem that will affect your user base?

Over the years, Microsoft acquired a reputation -- not unearned -- of acting as though it was the only viable source of software around; if its products had any interactions with other software products that didn't work, well, it was the user's fault for straying from the path. Over the last year or so, my impression was that Redmond had mellowed a bit, understood that our current technology is based on a culture of complex collaborations with other products, and had learned to Play Well With Others. I hope I wasn't being optimistic.

[UPDATE: Several people have pointed out that most people can't decide to uninstall IE, whether or not they want to -- there isn't a way to do that without some severe hacking. And they're quite right -- my error.]