A scathing report on browser security from Microsoft, which claimed in an "unbiased" analysis that Internet Explorer was vastly more secure than Mozilla's Firefox, ignited a recent war of words between the two browser makers.  However, Mozilla decided that it was wiser to back up its words with action, rather than just more talk.

The end result is that the company just released the second beta candidate of the third iteration of its increasingly popular Firefox browser, and this release ups the ante on security with many new features.

The new browser has tighter protection against cross-site restrictions on cookies, better malware protection, clearer website identification information in the status bar, stricter SSL error pages, version checking for insecure plugins, a built in antivirus program in the download utility, and improved protection against JSON data leaks.

The feature Mozilla is most proud of is its improved protection from malicious sites.  When a user visits a malicious site in Firefox 3, the browser plays sheriff and blocks the site.  Even better; it does it with an interface that does not allow click through.

Mozilla's "Chief Security Something-or-Other" (according to his business cards) Window Snyder says that even the utilitarian features in the Firefox browser double as security aids.  For example, she stated Firefox's ability to restore tabbing makes patching the browser and easier process, thus helping to safeguard it.  She stated, ”I really do believe that every feature is a security feature and should be evaluated as such."

While Microsoft touts that it has fewer vulnerabilities than its competitors, Mozilla measures its browser's security by a different gauge.  It judges its performance based on "days of vulnerability", the number of days between when a known exploit code for a vulnerability appears and the publication of the patch for that vulnerability.   By this measure Firefox was only vulnerable for 9 days in 2006, versus Internet Explorer, which was vulnerable 286 days of the year.

Mozilla also says that its public bug count is a mark of integrity and the lack of a public IE bug database is a way for Microsoft to hide their vulnerabilities.  Mike Schroepfer, Mozilla's VP of engineering said the lack was, "[a] vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer."

Dave Marcus, security research and communications manager at McAfee Avert Labs, threw out an independent opinion on the issue saying the debate over "days of vulnerability" versus vulnerability counts was pointless and that the only thing that mattered was how quickly patches were made.

Firefox is also working frantically to finish fixes for its identified non-security related bugs in time for the final release of Firefox 3.

Who will win the next generation browser war remains to be seen, but as Mozilla's Firefox 3 Beta 2 release indicates, both companies are going to stake their reputation on providing the most secure solution to the consumer.