Hi FwF,
Well of course Mozilla is not spreading malware. That in itself is a silly wrong way to put it. How can a browser spread malware? Simply because malcreants make it spread malware or greedy folk seeks ways to add adware, scumware etc. to it.
Yes and any browser because so many people code for it and review it, and build onto it, and patch bugs for it. These developers are busy with a very complex tool that basically works in a way that was never intended to go out on the World Wide Web from the onset in the University theater where all noses went one direction anyways.
So now it has underlying built-in vulnerabilities, and some of these can be abused in all sorts of ingenuous ways (compression to load faster, can also be used against the user in the hands of those that want to obfuscate hidden content to abuse, redired, to inject malicious code etc). The bulk of these exploits have to do with script in some form (Javascript and in other script), illegal characters in SecFilterEngine.Js, abuse of nsIWebProgress.removeProgressListener, XPCSafeJSObjectWrapper, securesyndication,user.JS and all sorts of external packed code to be run inside a browser to do its evil deeds.
But then there is a better browser, that is Firefox with NoScript installed, I have added some specific filters for things that ought not take place, sometimes the pages look like they are shown on a mobile, but that is the pre-filtering phase. User agent abuse is a next security thing, not only inside the browser but also redirected and external, and the right policy and trust is also imported, I have an advanced plug-in to evaluate site certification, and that can be an important tool, that is why some forms of cybercrime malware now comes with certificates and even EULA's. It is a dangerous world, but Firefox with NoScript and ABP is still one of the more secure browsers I have experienced, and I dug deep folks,
polonus
*as is Flock 1.1. with NoScript and ABP
