If you’ve been closely following the world of software security, especially in relation to web browsers, you’ve probably heard about a recent URI handling problem found in Microsoft Internet Explorer and Mozilla Firefox which could allow a website to execute malicious code on your computer. There has been a lot of confusion about this issue, and even some major technology news sites have misunderstood the situation. I will attempt to clarify the issue here.

First, it was discovered that Internet Explorer had a flaw in the way it allowed other programs to be launched from web links. Programs like e-mail applications, instant messengers, and media players often reserve certain URI schemes like “mailto:”, “aim:”, and “mms:” for their use. When you click on a link with a reserved URI scheme, the web browser will launch the appropriate program using an internal command format like the following: outlook "mailto:someone@example.com".

The problem is when certain characters are used in the URI which cannot safely be plopped as-is into that command format. For example, if there is a quotation mark and a space in the URI, that might look something like: outlook "mailto:some" one@example.com". So one of Outlook’s command parameters is the first quoted section ("mailto:some") and the rest of the URI would be treated as a separate parameter, possibly triggering an unsafe program function which is only supposed to be available to the local user. By crafting the link URI a certain way, a website could send a program special instructions resulting in remote code execution — the most dangerous kind of security vulnerability.

The proper way a web browser should handle these situations is to use something called URI encoding. This is a process by which special characters like quotation marks and spaces are replaced with safe identifiers which represent those characters. A space would be converted into “%20”, and a quotation mark would be converted into “%22”. So the Outlook example above would become outlook "mailto:some%22%20one@example.com" which runs no risk of executing arbitrary parameters.

When this vulnerability was discovered in Internet Explorer, Firefox was the first program in which the researchers saw that these arbitrary parameters could cause harm. However, it was by no means a Firefox-specific issue. Internet Explorer’s incorrect URI delivery has also been shown to affect dozens of other Windows programs, including Trillian, Adobe Reader, Outlook, AOL Instant Messenger, Windows Media Player, and Skype. Depending on what levels of operation the programs allow from their parameters (which are generally assumed to be safely supplied and thus trusted by the program), some programs face a more serious impact from Internet Explorer’s vulnerability than others. Firefox and Trillian are two programs of which security research company Secunia decided to specifically make note. Firefox has had far more media attention than any other program affected by this issue, but it’s Internet Explorer which is allowing websites to essentially have user-level access to your programs.

Mozilla recently released a Firefox update which prevents it from being exploited by Internet Explorer in this way, but other programs are still at risk of being exploited as long as Internet Explorer has this vulnerability. Microsoft has stated that they do not plan to fix it, although they’ve been known to change their minds on these issues as media pressure escalates.

After Mozilla patched Firefox to guard against the Internet Explorer vulnerability, it was discovered that Firefox has a similar vulnerability to the one that Internet Explorer has: Firefox may mistakenly pass programs URI parameters without encoding the quotation marks properly. As of this moment, Mozilla has already developed a fix and will release a Firefox update shortly.

Many news articles have misrepresented this situation in a number of ways. Some have claimed that both of these problems were specifically Firefox vulnerabilities. Some have claimed that Mozilla released a fix that didn’t actually fix anything. Some have claimed that Mozilla initially blamed the first issue on Microsoft and then later retracted that accusation and admitted to being responsible for the entire issue. These claims are false, and were largely due to the writers misunderstanding the situation as it has developed.

The real situation is that Internet Explorer and Firefox both have a flaw which allows websites some user-level access to various programs on your computer. Firefox has been updated to protect itself from Internet Explorer’s flaw, and Firefox will soon be updated to fix its own flaw. Microsoft has stated that it will not fix the flaw in Internet Explorer, which means that browsing in Internet Explorer could result in your system being compromised.

A couple of weeks ago, Apple gave the web development world a nice surprise when it released a beta Windows version of its Safari 3 web browser.

Safari is currently the third most used browser on the Web with about 5% usage share, largely due to the fact that it is installed by default on all Apple computers. Safari, as well as its webpage display engine, WebKit, was previously only available on Mac OS X, which left Windows and Linux users with no way to reliably test website compatibility without buying a Mac.

The idea of Apple shipping a Windows version of Safari was met with a lot of excitement. High-ranking employees of Mozilla — the company that develops the second most popular browser, Firefox — were quick to praise Apple for this decision.

However, the excitement was soon muffled by a growing number of problems. From a user experience point of view, Safari for Windows was met with lots of very negative reviews. Popular technology blog Ars Technica stated, “Safari’s user interface simply doesn’t provide the usability or flexibility of competing products.” Many complaints stemmed from Apple’s attempt to emulate the Mac OS X look and feel on Windows, which left the browser feeling awkward and out-of-place.

Then came an avalanche of security vulnerabilities. The official Safari website claims, “Apple engineers designed Safari to be secure from day one.” However, on day one of the Safari 3 beta release, several major security vulnerabilities were already discovered. Security researcher Thor Larholm posted on his blog, “I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site.” This is the most serious kind of security vulnerability a web browser can have, and these vulnerabilities were then confirmed by Apple and later patched.

But that wasn’t the end of the security woes. A week later, Apple had to release yet another version to fix more security issues. And the next day, another security vulnerability was found that Apple has yet to fix.

It’s typical for a relatively high number of vulnerabilities to be discovered early after this kind of product release. For most people, web browsers in general are the single largest access points for malicious software trying to get into your computer. The Windows release of Safari was a pretty big-news event among people in the field, and Apple really played up its security benefits. So it was naturally an attractive target for security researchers looking to make some headlines. However, no other browser has been met with this number of security issues in such a short time frame, even when releases like Firefox 1.0 made more news than Safari has. Some security researchers believe this to be an indication that Safari is actually the most insecure of all major browsers on Windows, even counting the infamously insecure Internet Explorer.

Finally, Apple CEO Steve Jobs gave a presentation which was very unsettling to many of the early supporters of Apple’s decision to bring Safari to Windows. In the presentation, Jobs presented a pie chart showing the respective usage shares of today’s major browsers, with Internet Explorer at about 78%, Firefox at 15%, Safari at 5%, and other browsers at 2%. Next, he presented a graph which showed his vision for the future: Internet Explorer with the same usage share as before, but with Safari taking up the entire remainder of the pie, thus eliminating all other minority browsers. Mozilla COO John Lilly criticized Jobs on his blog, stating, “This world view that Steve gave a glimpse into betrays their thinking: it’s out-of-date, corporate-controlled, duopoly-oriented, not-the-web thinking. And it’s not good for the web.”

Safari has an interesting history. Its webpage display engine, WebKit, was derived from the open source KHTML engine, which was developed for the Konqueror browser on Linux and is used in some portable devices and other small applications. Although Apple has made WebKit open source and continues to forward their code changes to the KHTML group, it’s Apple’s general nature to be secretive about its development projects, hence the surprise about the Windows version. Safari’s mixture of open source code and proprietary-themed management is unique when looking at the other popular web browsers. Mozilla, the developers of the only other major open source web browser on Windows, has a very open and transparent nature about the way the company is run and the plans it has for future projects. In general, open source communities have always held freedom of choice in high regard, but Steve Jobs’ presentation seemed to have betrayed this line of thinking, idealizing a world with less choice.

The fact remains that this is the first time the WebKit engine was reliably available on a major non-Mac operating system, which means more convenience for web developers. Safari 3 also boasts much improved support for web technology than the Safari 2 series. But in terms of whether or not it’s the right browser for the average user, Safari isn’t looking too good so far.

Web applications have been all the buzz lately. Traditional desktop applications for e-mail, calendars, and basic word processing have begun losing favor to the online versions you can use in a web browser. Google has so far lead the pack in web application development, and they have recently released a tool which will help take web applications to the next level.

Web applications have several advantages over traditional desktop applications. The data is stored at a central remotely-accessible location, so you can access it from any computer. The application is run within a web browser, so it isn’t dependent on certain operating systems or versions. The “software” itself is typically hosted by the vendor, so security updates and other improvements can be seamlessly deployed by the vendor without any user action or user responsibility. Companies like Google have more safeguards in place to prevent data loss than most users do, in case of hardware failure, cracking attempts, etc. Web applications are usually built on top of the well-established HTML, CSS, and DOM standards which may allow for better accessibility and user control over the presentation.

But along with these benefits, there are also some shortcomings to web applications. The data isn’t in the user’s control, so it may be difficult to manually move data in or out of some web applications. Although desktop applications have equal or higher potential for violating your privacy than web applications, it’s possible for advanced users and tools to monitor and control what your desktop applications are sending across the Internet; with web applications, it’s out of your hands. Software updates are typically done at the vendor’s whim, so you often don’t have the opportunity to review or prevent certain updates. Also, web applications generally require an Internet connection in order to function; if you’re on the road and aren’t near a hotspot, you may be completely unable to access your data.

Google has released an open source browser add-on called Google Gears which will help to address that last shortcoming. Google Gears sets up a local database and API on your own computer which web applications can choose to use for offline storage and functionality.

This is similar to a proposed feature of the upcoming HTML 5 standard, due in 2010, which the developers of the Mozilla Firefox web browser plan to implement natively by the end of 2007. Unfortunately, Google Gears does not use the model proposed in the HTML 5 drafts, so there is currently an issue of two competing standards. This is unusual, since Google usually works closely with Mozilla on contributions like Firefox 2’s fraud protection and Firefox 3’s upcoming malware protection. Whether or not Firefox or any other browser will end up supporting Google Gears’ API natively (without an add-on) is up in the air, and will probably depend on how widely Google Gears gets implemented in web applications, but Mozilla Technology Strategist Mike Shaver said that Mozilla wasn’t about to simply give up on the work already done on supporting the HTML 5 model. It will be possible for a browser to support both models at the same time if the browser developers choose to implement them.

For now, the Google Gears model is the only one of the two currently available to regular users, and it is available as an add-on for the Firefox and Internet Explorer web browsers on Windows, as well as Firefox on Linux and Mac. A Safari version is planned in the future. Google Gears is currently used by Google Reader’s offline mode, and more web applications are expected to adopt it in the future.

Secunia, a major software security tracking company, recently released a report which found that 28% of popular software installations miss important security updates. This means that the users of that software have neglected to apply the critical security updates provided by the vendors. The data was gathered through Secunia’s free “Software Inspector” tool, which is currently only available for Windows users. The statistics covered 4.9 million popular software installations, 1.4 million of which were missing vendor-supplied fixes for security vulnerabilities capable of compromising the system.

The report specifically broke down some figures for the three major web browsers for Windows:

Comparing browsers and looking at Firefox, Opera and Internet Explorer, we found out that Firefox 2 is the least vulnerable, as only 5.19% of all Firefox 2 installations miss security updates, whereas 11.96% of all Opera 9.x installations miss security updates, and the numbers for IE6 and IE7 are 9.61% and 5.4% respectively. These numbers are not that alarming and show that users are fairly concerned about applying relevant updates for their browsers – which naturally is one of the most exposed applications.

However, the figures for popular media players like Quicktime and WinAmp were more concerning. 26.96% of all WinAmp users and 33.14% of all Quicktime users missed important security updates. A malicious mp3 or other media file could easily take advantage of a security vulnerability in your media player and achieve the same level of impact that critical browser vulnerabilities allow. Similar problems were also found in other non-core applications.

The study did not appear to take into consideration vulnerabilities which the vendors had not yet supplied a fix for. It was merely focused at whether or not the users applied the available updates.

The study didn’t find any significant difference between home and corporate environments in regard to diligence of updating.

If you use an application on a regular or semi-regular basis, you should dedicate some time every month to check if you’re using the latest version with all available updates. Most applications have an “About” window, usually from the “Help” menu, which tells you which version you’re running. You can check the official website of the application for the most recent version.

Google recently conducted a large-scale study which showed that about 1 in 10 websites attempted to install malicious software like viruses, spyware, adware, or other malware without the user’s knowledge or consent. About 1 in 4 websites had links or other content leading to malicious software.

While it has always been known that many websites contain malicious content, this study makes it clear just how severe the problem is. Most of these websites make use of known security vulnerabilities in your web browser. If you don’t regularly keep your system up-to-date with your operating system’s update mechanism (if you don’t know what this is, then your system probably isn’t up-to-date), or if there are known vulnerabilities in your browser which the browser vendor hasn’t yet supplied updates for, any of these websites could silently install software which tracks your habits, steals your passwords, or bogs down your system while it uses your computer to send people spam.

What can be done about it? Well, Google has begun alerting users before they follow a search result which Google knows contains malicious content. Google has also developed a fraud detection tool as a new feature of the Firefox web browser. New versions of Internet Explorer and Opera also have similar fraud detection tools.

However, these features can only offer a limited amount of protection. Using a more secure web browser is an important step to keeping yourself safer. Internet Explorer, which is the default web browser on most computers, has the worst security track record by a large margin. Firefox and Opera, which are available free-for-life on all major operating systems, have almost no history of exploited “drive-by-malware” vulnerabilities. On average, they have also fixed their publicly known security issues several times faster than Internet Explorer. Take a look at some security charts and figures.

If you really want to keep yourself safe from malicious software, you could also consider switching to a different operating system. Mac OS X and Linux both have a file permissions model which prevents unauthorized software from harming your system. Furthermore, viruses and other malware designed to work on Windows generally won’t work on other operating systems because they are tailored specifically for Windows.

At the very least, always make sure that you enable and install your system updates, and always upgrade your web browser when a new version is released. A 2004 study showed that 80% of home computers were infected with some kind of malicious software even though 85% of home computers had antivirus software installed. This is a real risk to every computer user, and you should take the proper steps to mitigate it.

If you’ve been using Mozilla Firefox as your web browser for a while, you should make sure that you are using the latest version. By mid-May, Mozilla will have officially ended support for Firefox 1.5, which was released in late 2005, and they are encouraging everyone to upgrade to version 2.0.

Until now, Mozilla has been distributing security updates and stability improvements to both Firefox 2.0 and Firefox 1.5 users through its automatic update mechanism. But once support for Firefox 1.5 is dropped, that version will no longer receive fixes for newly discovered issues.

Because Firefox 1.5 does not yet automatically upgrade to 2.0, many people are unaware that they aren’t using the latest version. To find out which version of Firefox you’re using, click on the “Help” menu at the top of your Firefox window and select “About Mozilla Firefox”.

Mozilla plans to offer all Firefox 1.5 users automatic upgrades to 2.0 sometime in mid-May. But in the meantime, you can safely upgrade Firefox on your own by going to the Firefox website, clicking on the “Download Firefox - Free” button, and running through the simple installation process. All of your settings, bookmarks, etc. should remain intact.

Some of the new Firefox 2.0 features include automatic inline spell checking in webpage forms, website fraud protection, search term suggestions in Firefox’s search box, ability to re-open accidentally closed tabs, and more. See the Firefox 2.0 release notes for more information.

The upcoming Firefox 3.0 is planned for release by the end of 2007 and is expected to be the most significant Firefox upgrade to date. For the curious types, there is a publicly available list of planned improvements.

Net Applications, a web metrics company, has released a newsletter featuring its March 2007 web browser usage statistics. These attempt to measure what percentages of the Web’s users are using which web browsers.

The February and March usage percentages are as follows:

1. Internet Explorer: 79.09% → 78.57%
2. Firefox: 14.18% → 15.10%
3. Safari: 4.85% → 4.51%
4. Opera: 0.79% → 0.80%
5. Netscape: 0.74% → 0.70%
6. Mozilla Suite/SeaMonkey: 0.18% → 0.18%
7. Other: 0.15% → 0.12%

When reading web browser usage statistics, there are some important things to keep in mind:

• There is no way to know for sure what percentage of the population is actively using which browser. Web metrics companies like Net Applications generally gather data only from sites that use their web analytics products, and they hope that those sites are representative of the Web as a whole. The analytics software applies some amount of guesswork and approximation to determine which webpage hits are from a single unique user, usually by looking at their IP addresses or site navigation patterns. If an Internet user doesn’t visit a site that uses Net Applications software, that user won’t be represented in the statistics. If someone has a frequently-changing IP address, such as with AOL, that user may be counted more than once or may be confused with other users. It isn’t an exact science.

• Many automated agents, such as spam bots, will attempt to tell the website that it’s a legitimate browser. Most often, these agents will pretend to be Internet Explorer (currently the most widely-used browser) in order to minimize risk of being turned away from a website. Because they are often undetectable by the web analytics software, these agents will be counted as the browser they’re pretending to be. By some accounts, spam bots make up a significant chunk of the Web’s traffic.

• There tends to be a lot of month-to-month variation in web browser usage statistics, most prominently around holidays when web browsing patterns are known to change. Internet Explorer usage is known to be lower on weekends and holidays when users tend to be more in control of their own browsing preferences. For this reason, it is usually best to look at long-term changes in browser usage, such as year-by-year averages, rather than month-to-month changes.

• Many people use, for example, Firefox on most sites and Internet Explorer on the few sites that require it. Such a person will often be counted equally for both Firefox and Internet Explorer usage, even though he or she primarily uses Firefox.

Despite the limitations in the level of accuracy these statistics can provide, there are some clear overall trends presented by Net Applications’ data and that of other web metrics companies:

• Internet Explorer usage continues to fall slightly, despite the long-awaited release of version 7 which includes tabbed browsing — one of Firefox’s most popular features — as well as some security improvements. The general perception is still that Internet Explorer 7 is less secure than Firefox, as Secunia’s security reports have suggested.

• Firefox continues to rise in popularity, and most web analytics companies place it somewhere between 10% and 20% usage. Net Applications’ data shows that it has risen by about 5 percentage points over the last year, and most of those users were from people switching away from Internet Explorer.

• Safari remains in third place and its usage seems to be fairly proportional to the overall Mac OS X usage. Safari is the default browser on Mac OS X and is only available on that operating system, so its relative popularity on the Mac doesn’t seem to be changing significantly.

• Opera remains in low usage on the desktop, although it has a very high usage share in the mobile device market. Opera is also the browser used on the Nintendo Wii game console.

• Usage of Firefox and Opera is dramatically higher on websites that attract technology-inclined users. Internet Explorer usage is likewise dramatically lower on those websites. Sites that target web developers and other technology enthusiasts commonly report Firefox usage around 50% and Internet Explorer usage closer to 25%.

Beyond purely tracking web browser usage, Net Applications also conducted an opt-in survey asking for the user’s preferred choice of browser. The survey is only available from the Net Applications website, so it is biased in favor of technical users. Here are the results of the question “Which is the best browser?”:

1. Firefox: 60.73%
2. Safari: 16.26%
3. Internet Explorer: 11.25%
4. Opera: 10.99%
5. Netscape: 0.76%

Net Applications then divided the “best browser” percentages by the overall usage percentages on the Web (not necessarily the usage percentages of the voters) to determine some very rough user satisfaction scores (higher scores = more satisfied):

1. Opera: 13.75
2. Firefox: 4.02
3. Safari: 3.61
4. Netscape: 1.09
5. Internet Explorer: 0.14

Because the denominating figures weren’t necessarily equal to those of the actual voters, these satisfaction scores should be taken with a grain of salt. Rather, I’m inclined to believe that the above scores are more influenced by the level of awareness of browser choice than satisfaction itself.

For more browser usage information, see the Usage Share of Web Browsers article on Wikipedia.

Web browsing has become so commonplace these days that many people aren’t even aware of what a web browser is. A web browser is the program you load to start looking at web pages. I’m not talking about things like Google or Yahoo — those are search engines, which are loaded by the web browser. The Back, Forward, Refresh, Stop, and Home buttons are part of the web browser. Your Favorites or Bookmarks are part of the web browser. Every webpage you visit, including search engines, is accessed and displayed to you through your web browser.

Most people use the web browser that comes by default with Windows: Internet Explorer. Internet Explorer is the little blue “e” that you probably click on to get to the Web. Currently the most widely-used version is the one that has been around for over half a decade: Internet Explorer 6. It’s distinguishable by the little green circles for the Back and Forward buttons, the little pieces of paper for the Stop and Refresh buttons, and the house with an orange roof for the Home button.

Microsoft recently released a new version of Internet Explorer called Internet Explorer 7 with some differences. Internet Explorer 7 has a gold ring around the “e” icon; the “File”, “Edit”, “View”, and the other menus aren’t there anymore; the Back and Forward buttons are blue or silver circles; the Refresh and Stop buttons have been moved to the right side of the address bar; the Home icon is a little blue house; and some other things have been moved around. Some newer features in Internet Explorer 7 are a search bar to the right of the address bar, and tabs to manage open webpages.

The tab bar is a very helpful feature which was first pioneered in other web browser brands. Instead of having lots of windows open for all of the different webpages you’re viewing at a time, you can manage all of the webpages in a single window with tabs to switch between them. If you want to cause a link to open in a new tab instead of the current one, you can middle-click (or mouse wheel click) on the link and watch where it opens. To open a new blank tab in Internet Explorer 7, click the smaller blank tab on the right.

Internet Explorer is not the only free web browser around, and in fact it is inferior to most others in a lot of ways. The two most popular alternatives on Windows are Firefox and Opera.

Firefox has received a lot of press in the last couple of years, and more than 1 in 10 people have already switched to it. It’s quick and easy to try out Firefox and see if you like it, and you can always just go back to Internet Explorer if you don’t. To get Firefox, go to the Firefox website and click the big “Download Firefox” button. When the download window comes up, click “Open” or “Run”. When it finishes downloading, the setup window will come up. No technical skills are needed to get through this; just accept the default options and click through to the end. Firefox will automatically remember all of your important Internet Explorer settings, favorites, saved passwords, etc., and you’re now ready to use it.

You’ll notice that it doesn’t look dramatically different. You have your basic Back/Forward buttons in the form of green arrows, a blue Refresh button, a red Stop button, and a brown Home button. To the right are your address bar and a search bar to perform quick searches on Google or whatever your favorite search engine is. Firefox also supports tabs. Just middle-click (or mouse wheel click) on a link to open in a new tab, or you can open a blank tab by going to the File menu and clicking “New Tab”.

But there are lots of subtle differences that you may grow to appreciate. When you’re filling out large text fields on a website, Firefox will automatically highlight misspelled words. It blocks popups better than Internet Explorer does. If you press Ctrl+F, a discrete “Find” bar will appear at the bottom of the window and will highlight the matches on the page as you type. If the browser ever crashes (as all browsers will from time to time), it’ll allow you to automatically restore everything to the way it was — same webpages open, same form field entries you were working on, and so on — so it doesn’t break your workflow.

If you ever want more tools and gadgets in your Firefox browser, check out the thousands of extensions available. Get AdBlock Plus to block annoying banner ads on websites. Get Forecastfox to always show you the current weather forecast. Get Foxytunes to control your music player from inside the browser. It seems there’s an extension for almost any feature you can imagine.

Firefox also has a lot of improvements under the hood. Internet Explorer has a uniquely bad security record, with a seemingly endless stream of serious system-compromising vulnerabilities exploited in the wild and many older vulnerabilities that Microsoft never bothered to fix. Firefox has maintained a record of much fewer exploited vulnerabilities, and faster and more consistent fixes. Firefox has also been much faster than Internet Explorer at adopting future web technologies that will improve user experience and reduce the cost of website development.

Firefox has been recommended by many big-name sites including Google, Ask.com, and Craigslist.

People who want a quick browser with lots of neat tools right out of the box can look to Opera. Opera comes with a built-in e-mail program, IRC chatting, and peer-to-peer filesharing tool. You can have it read pages to you aloud and you can browse using your voice and a microphone. Despite all of these features, Opera is very fast even on older computers. It also has a much better security record than Internet Explorer and better support for future technologies. Because of all of these features and a somewhat nontraditional interface, some people find Opera to have a bit of a higher learning curve than Firefox.

It may be interesting to note that the Nintendo Wii browser is derived from Opera, and a scaled-down version of Opera is also popular on phones and other mobile devices.

Something to be aware of when considering a different browser is webpage compatibility:

Webpages are complex documents and each browser has its own engine for loading them and displaying them to you. There are well-established standards in place, but all browsers have bugs here and there. After 2001, Microsoft took a five-year break in Internet Explorer development, and so it has had less development time than other browsers to fix its bugs. What this means is that Internet Explorer has a lot more inconsistencies with webpage display standards than other browsers.

Because Internet Explorer is the most used browser, there are some websites that were written with only Internet Explorer in mind. Some of these websites only work as expected because of Internet Explorer bugs. That means that other less buggy browsers and newer versions of Internet Explorer may have problems with those websites. This happened to a few big websites when Internet Explorer 7 was first released.

That said, the vast majority of websites have no problem in Firefox and Opera, and since Firefox now has such a large and growing user base, this is becoming less and less of an issue as time goes on.

Whether you recognize it or not, web browsing has become a significant aspect of our daily lives, and everyone should take some time to get familiar with their web browser and understand what their choices are.

The Firefox web browser has just added APNG support to its development versions, meaning it will appear in a future release. APNG is an animated version of the popular PNG image format, solving one of PNG’s main shortcomings to the GIF format. APNG was designed to replace MNG, a different animated PNG format that never took off because its design was seen to be unnecessarily complex. The APNG specification hasn’t yet been finalized, but is expected to be once the PNG group approves a minor change.

Firefox is currently the only major web browser to support APNG. However, applications that support regular PNG have no problem loading the first frame of an APNG file, so there’s little risk in using it today with that in mind.

PNG is a World Wide Web Consortium open standard and has good support in all major browsers except Internet Explorer, which has a few noteworthy bugs: Internet Explorer 6 and below don’t support partial transparency; and Internet Explorer 7 and below don’t correctly support gamma correction, meaning that many PNG images will appear somewhat darker or lighter than they should. Nevertheless, PNG has largely replaced GIF on the Web due to its better compression, fuller color depth, and additional features.

Here are some relevant links:

• APNG Specification
• Firefox APNG development tracking
• PNG Specification