> In fact, when was the last Apache-specific vulnerability...?

I don't know about the *last* one, but a recent bad one was that a lot
of the database mod_auth_* modules did not escape literals when building
SQL queries, so using an apostrophe in a username would break it (and
could make your database vulnerable to a greater or lesser degree
depending on which DBMS it was).

This was an absolutely appalling schoolboy error, at least as stupid as
any of the recent IIS holes. Most people make this mistake a couple of
times in their first CGI scripts and work it out after that; I'd
certainly not expect it in a module distributed with the world's most
popular web server.

However, because the modules were not activated by default, and actually
had to be in use to be exploitable, there was no big outbreak of worms
and defacements.

> There is something to that, although Microsoft's own
> approach to security is laughable

I certainly can't disagree with that, as you'll know if you've been
following bugtraq recently. (Precis: the Internet Explorer about:-URL
vulnerability I mentioned before is much worse than I realised and can
in fact be used to steal cookies from any website. There is no patch
currently available, but a registry hack or disabling JavaScript is okay
as a workaround.)

Though Mozilla has the advantage of not having all of Windows's object
model integrated, that doesn't mean there won't be any holes. For
example, 0.9.3 (and, I assume, Netscape 6/6.1) has a hole where a
submitted form can steal any file from the local filesystem. (How? Use
DOM setAttribute to mutate an <input type="hidden" value="C:\somefile">
to an <input type="file">.)

I've not found this bug in Bugzilla but it is fixed in 0.9.5. 0.9.4 and
Netscape 6.2 I don't know about. I advise users of earlier Mozillae to
upgrade immediately.