Firefox certainly has benefited from the ongoing security flaws in IE. With every security alert and well-publicized vulnerability, IE has lost ground. As it is tightly coupled to the Windows OS, security holes in one can lead to an exposure in the other.
"Firefox has a better security record than Internet Explorer, but that's not the same as being completely secure and bug-free," says Haff. "It's a question of degree."
Indeed, Collins points out that the very popularity of the open source browser could itself represent a security problem because of uncontrolled usage. It's quite common to find IE organizations where many of the IT guys have downloaded Firefox.
"This could be a back door for bypassing some types of security, particularly if desktop controls are in place," says Collins. "If it's firewall-based, there will be less of a problem."
He also indicates that there have been plenty of vulnerabilities reported with Firefox, notably with tabbed browsing and with code-related vulnerabilities that can be exploited through scripting attacks. While the open source community may claim to be quick to release patches, he says, this does not help IT managers trying to keep control of their environments.
This past Sunday, security company Secunia labeled cross-site scripting and remote system access flaws in Firefox 1.0.3 as "extremely critical," warning that the browser is vulnerable to existing exploit code.
Then, of course, there is the threat posed by hundreds of relatively uncontrolled Firefox add-on extensions, which are generally written by individuals or teams. While individual add-ons might be tested, there is no organized process to ensure they are tested together. It is here that bugs and vulnerabilities can creep in.
"There's nothing to stop a plug-in being a host for some kind of spyware, or offering a conduit for it, and this might be difficult to spot as it would operate as part of the browser," says Collins. "Also, once the black hats perceive that Firefox is gaining a good foothold in the enterprise, expect to see some fairly nasty, well-titled worms/Trojans being written as add-ons."
Now that Firefox has made a real impression on the marketplace, there is no doubt that Microsoft has taken notice. It has already announced plans for an early release of a standalone IE7, a move initially forced upon the company by the DoJ and its European equivalent.
By pushing for a separation of OS and browser, these bodies inadvertently may have created what they intended to break up -- a browser monopoly. Microsoft has been constrained by how much IE is embedded into the OS. Its recent loss of market share has exposed this weakness. Had the OS and browser remained tightly coupled, the company would have been far more sluggish in its response to upstart browsers. With this link broken, that constraint goes away. Therefore, any clever upgrades made by Firefox will probably be quickly replicated in IE.
"Microsoft will be able to carry out more upgrades on a standalone IE than they have been able to do on an embedded IE, and so be more responsive to threats such as Firefox," says Collins. "The cruel irony is that this could completely backfire on the lawyers by allowing Microsoft to kill the competition faster than in the past."