Firefox drops the ball on updates :(
http://www.securityfocus.com/news/11327
As someone who is currently using Firefox for my daily browsing tasks as my default Windows browser, I like to keep up on what's happening with it. I use it mainly because there's some functionality that I rely on (in particular, tabbed browsing, which although not perfect [open shortcuts in new tab turned on, active Firefox window has no decorations such as a site popup, and oops, you're screwed unless you know keyboard shortcuts to work with tabs], is quite nice) and because we have multiple customers starting to use it to avoid spyware. It also forces me to try to keep work I do cross-browser.
All of that said, the whole project is frankly starting to come apart, which worries me. Besides the tab bug I just mentioned, which has existed forever (and don't tell me I'm the only one who sees it; it's sloppy UI that this happens), there has been an increase in security holes as the browser gains in popularity. This matches what I tell students, and what my coworkers (and most students and customers) believe, which is that it had a free ride for a long time because no one cared about it.
This is all coming up now because there is right now a full system compromise exploit out there (cf. FrSIRT or Slashdot or Milw0rm) which is patched in 1.0.7, but here's the problem. Right now, as I type this, the Firefox built-in update mechanism isn't offering the update, even if you ask it to check for updates. In other words, the patch exists, for a serious exploit, but you can't tell unless you go to the Firefox site and find it. This is completely unacceptable. What's the point of automatically checking for updates if it can't find them? A lot of people think Microsoft security is awful, but you know what? Automatic Updates generally works, and Windows/Microsoft Update generally work, and that's been true for years. What's the excuse here? There is none.
Think I'm full of it? A very recent SecurityFocus article agrees that security is failing right now in the project. (The article also says that exploit counts are not the full picture, which is completely true. However, that doesn't change that right now, a serious, exploitable hole exists in Firefox, and you don't know unless you know where to look.)