I just saw this post by Michal Zalewski on BugTraq. From the post:
It appears that the overall quality of code, and more importantly, theamount of QA, on various browsers touted as "secure", is not up to parwith MSIE; the type of a test I performed requires no human interactionand involves nearly no effort. Only MSIE appears to be able toconsistently handle [*] malformed input well, suggesting this is theonly program that underwent rudimentary security QA testing with asimilar fuzz utility.
I'm wondering when Michael's post will show up on slashdot.
Edit: Corrected Michal's name - Sorry about that.