[glhaynes]

The first time there is an exploit in system-provided video decoder (any decoder, not just H.264), you can be sure, who will get blamed for that - the browser, of course.

Is this really the case? Aren't there security flaws in platform code all the time that affect browsers along with other apps on the platform? Are those blamed on a specific browser? If both Firefox and Safari use Mac OS X's built-in h.264 and there's a hole in it, is there going to be significant widespread outrage against Firefox?

[vetinari]

Yes, few years ago, there was 'Haha, so Firefox is not so secure after all' bug in Windows 'shell:' protocol handler:

http://www.eweek.com/c/a/Security/Mozilla-Flaw-Lets-Links-Ru...

[recoiledsnake]

Err, I fail to see any bug in the in the Windows 'shell:' protocol handler. But other parts of the article indicate that the bug was in Firefox and was fixed in there.

>Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle. In this case, the location passed to the shell is a program name that the shell executes.

>Internet Explorer is reported as being less vulnerable. When the user clicks on the link, it opens an "open/save" dialog box in which the user is allowed either to run the program, save it to disk or cancel. Mozilla and Firefox simply run the program without any further user action.