Something for you also
IE and Safari are not any exceptions
Published on July 25, 2007 By Mithun Pal In Personal Computing

Mozilla acknowledged the vulnerability in Firefox

In a public mea culpa, Mozilla Corp.'s chief security officer acknowledged today that Firefox includes the same flaw that the company called a "critical vulnerability" in Internet Explorer during a two-week ruckus over responsibility for a Windows zero-day bug.

"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point," said Window Snyder of Mozilla. "While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.

"We thought this was just a problem with IE," Snyder continued. "It turns out, it is a problem with Firefox as well."

Snyder admitted that the flaw should have been spotted. "We should have caught this scenario when we fixed the related problem in 2.0.0.5," she said.

She did not specify when a patch would be issued, but one is in the works, according to an entry in Bugzilla.

But the story does not end here. I have one more piece of news for Firefox and Safari users. According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw.

The Mozilla team fixed a similar flaw last November, one which did not require JavaScript. The heise Security Web site contains a demo/proof of concept that you can use to determine whether you are vulnerable.

The original flaw was referred to as reverse cross-site scripting and was reportedly widely used on Myspace.com.

Apple's Safari is vulnerable in the same way. Current workarounds include disabling JavaScript in Firefox or avoiding the use of Firefox password management on sites where users are allowed to post JavaScript pages.

So, Firefox is not safe at all. IE was never safe in the past, and to date it can't be proved to be a safe browser. Safari has the same vulnerability as Firefox. So, what's the conclusion? Opera is the right choice - isn't it? Although Opera is recommended by hackers, it is safe if used with scripts and plug-ins disabled. So, in this situation, can't we conclude that Opera + Linux = ultimate security? What's your opinion?

Sources: Computerworld Singapore and Linux.com



Comments
on Jul 28, 2007
This reads like an ad for Linux. Too bad Linux has had more vulnerabilities during the past year than Vista.
on Aug 01, 2007
Nice one. . .
on Aug 01, 2007
Awesome!!!!!!!!!!!!!!
on Aug 01, 2007
Very nice. I love Firefox.