Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Sorry Bill but you're full of shit
How many insecurities has Internet Explorer had since it was launched with XP? I lost count.
Well then look it up.
So, you don't actually know, then? How can you criticise them meaningfully if you don't know?
According to Secunia, MSIE 5.5 has had 55 so far with 10 remaining unpatched.
MSIE 6 has had 76 so far with 20 remaining unpatched, 98% are remote exploits.
SP2 was supposed to fix many things, but it was as difficult as a major OS upgrade, just ended up breaking many things, not fixing much and not really fixing what it claimed to fix. Granted, it's slightly more than purely a PR move, but not by much. However, it burned up valuable staff time that could have otherwise been used to evaluate competing products. The delay doesn't help MS' claim of prioritizing security much either.
It's common knowledge that MS products just aren't designed with security in mind, but if you want details, then look it up.
-
Re:"Streaming media in Real format is also availab
The typical download with my DSL is 187 KBytes/s, so it's actually 1.5Mbit/s, not 768 as I said before. If anything, that video should be halfway on my disk already after I click it. (Joking of course there.)
Real-rants aside, the video is a good one. Always interesting how Gates considers security the most important thing despite all the holes.
-
Re:Microsoft's Culpability
And that, to me, is the problem. Rather than fix the security holes, companies try to silence people who point them out.
I think that you have absolutely no idea what you are talking about and yet you keep talking about in paragraphs and paragraphs of boring blabber.
Go look here and notice that all vulnerability discoveries are not just published, but also credited. And they are not only credited, but proof-of-concept exploit code examples are often included (and credited).
And there are a lot more other sites/companies/projects who are in the business of discovering and publishing vulnerability warnings.
Where are those companies that "try to silence" them? Or that such practice is (or is becoming) an industry trend?
Please think (and do research) before you talk. -
What I hate...
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
Who is accountable for the security of windows?
Can I bill last months lost work-hours due to spyware-/worm recovery on windows to Microsoft or - better - personally to you, Nickie?
In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches.
Oh, let me rephrase that a little:
In Microsoft's world customers have learned that Microsoft has never taken responsibility for security problems. They know that it can take months for MS to release a patch for a critical issue and that often these patches will break other things (even open new security holes) completely unrelated to the initial problem. They also know that many major MS products like Internet Explorer are commonly banned from corporate network environments for exactly these reasons.
Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.
First, you obviously have no idea what you're talking about as your requirements for "mission-critical computing" have nothing to do with it.
Anyways, there is not one but many capable "development environments" for linux. I assume your definition of "development environment" would be a pretty IDE like eclipse. Most real developers I've met prefer to just work on the powerful unix shell using their editor and toolchain of choice, though.
As for single signon, again I cannot see how this relates to "mission critical computing". But you can have it on linux.
There's kerberos, NIS+ and probably other options that I don't know about.
Also there's samba to emulate the windows crap if you have to.
These are factors that are holding back Linux.
Look, Nickie, nothing's really holding back linux.
It's fools like you writing ridiculous articles like the one I'm responding to that prove how helpless and jealous Microsoft is watching the steady growth of linux. -
Firefox = Security. Or does it?
Where are the security updates? To date, not a single Firefox security flaw, as reported by Secunia, has been fully dealt with, and only one has even been partly resolved. Even the first security flaw, from August 2004, has not been addressed by the Firefox developers. In the mean time Apple has no remaining unpatched security flaws in Safari, after the latest security update, and has historically patched discovered flaws in a timely fashion. Firefox is in no way as horrendous as Internet Explorer, of course, but what is it about Firefox's open source development process that is preventing them from patching known flaws? Is the open source process really working, or is it hindering the development process? How long will it be before the known Firefox security flaws are fixed and how many more security flaws will be found in the mean time?
-
Yes, for more than just gamers.
If history is any guide, it's great for DoS and remote exploits too
-
Re:Firefox at 50+% in some places
FF isn't the only game in town, and I would argue not even the best. Matter of opinion of course, but you're not a moron if you don't use FF either.
Not using Firefox does not make you a moron. Still, the vulnerabilities in IE are legion, and constantly being expanded. Take this one for example.
Some vulnerabilities have been discovered in Internet Explorer, which allows a malicious web site to execute arbitrary commands or install code on your computer without any user interaction.
That exploit was discovered in October 2004, and XP SP2 users are still vulnerable with all updates (even on 12-1-2005, after Microsoft had theoretically closed this hole, but only partially succeeded)
Firefox has problems, certainly (what program doesn't?) but they are of a far less serious nature, and patched much, much quicker. Some IE holes have never been patched.
Me, I'd rather not take the risk. The primary purpose of a firewall is to cut down vectors of attack. Stopping using IE is a similar tactic, in my book.
-
Re:export $deity="Steve Jobs"
I'll bite:
http://secunia.com/product/96/
Granted, Apple is much faster (generally 1-3 weeks) at patching known bugs than Microsoft, but new issues are discovered every month and a couple weeks is plenty of time for a nasty worm to spread. -
Re:Truth?
The difference would obviously be what you do with the virus. Keep it on your own systems and play with it? That is absolutely acceptable. Release it to the general public *in source form* also should be acceptable. It's sharing of source code. Nothing wrong with that. If you disallow writing a program that could do something damaging or illegal, then we'd better lock up p2p programs as well (not like they aren't trying). I'm not advocating releasing the binary form in the wild. That is where the problems start. It's one thing to point out security holes in the way that Secunia and others do with proof of concepts, but it's another to release a virus in the wild that actually does illegal things. Make sense?
-
More secure? That's opinion.
"It's a great product, small, fast and more secure. You don't see anybody disputing that."
Actually, I dispute that. Most people that claim it's more secure say that it's because of the amount of vulnerabilities being found in Internet Explorer compared to Firefox. How many people are looking for unknown vulnerabilities in IE? How many are looking at Mozilla/Firefox? This is determined by the media. When there's a MS vulnerability, it's all over the news and the finder gets a ton of glory and hopeful job offers. I see MS patches making it into mainstream news such as the Associated Press. As Firefox gets a spotlight because of a good amount of security professionals (which happen to be coders with a personal agenda) recommending people switch, I've seen an increase in the amount of vulnerabilities reported. Don't believe me? Look at the stats and compare IE with Firefox. Yes, IE's numbers are higher, but think in proportion to how many skilled people are looking for vulnerabilities in each product. If you look at the different versions of Mozilla over the timeline they give, you can see that not many vulnerabilities were found early last year or before that compared to when Firefox really started to get attention. Imagine how many vulnerabilities would be found if they got the amount of media attention that IE vulns get. Until both products get the same amount of hacker attention, it's premature to say which is more secure.
As a security professional, I believe that as long as you keep your software patched up (computers, routers, switches, etc.), your only fear is a zero day. Hopefully you have other layers of security such as a border firewall, IPSec Transport mode with packet filtering at every host, multiple antivirus vendors software (with at least one of them configured to block password protected archives, known dangerous file types and dangerous content), ongoing training, locked down servers with all the fat trimmed, middle tier servers, etc. These things are not vendor specific. You can run Windows, Linux, OSX, BSD, Solaris and still be able to do these things. Assuming you have all that set up, one zero day most likely wouldn't be enough. If someone really wants in and you've done all these things, do you really think you're going to get "pwned" because you chose a specific vendor or software package? No. You're going to get pwned because someone will be social engineered or some aspect of physical security will be bypassed. It's a hell of a lot easier to get into a company by phishing than it is to hunt down a couple silver bullet zero days as you get through each layer of security. My point is that if someone wants to get in, they can do it. It only takes a few holes at most and enough patience to find them to get to a target. It's up to the admin to ensure that it's as difficult as possible to find them and to ensure that the damage is minimized. Auditing (logging), backups, intrusion detection, policies, procedures, security assessments, a good data structure with granular permissions, etc can help minimize impact.
My professional opinion is that it just doesn't matter what you use as long as it's well administered, but if you want to force me to pick one side and guess which code has less vulnerabilities, I'm going to pick MS. Security through obscurity isn't a magic elixir, but it's definitely another layer of protection. And with all the attention MS gets, they've had an opportunity to patch up a lot of their vulnerabilities. At this point, new vulns are probably easier to find on other vendors that aren't as popular.
-Lucas
-
Re:Different Holes
So 'we' say Opera, FF etc are all secure and IE isn't.
"Secure" is relative ;-)
So far, it seems like Opera and Firefox are more secure than IE, but neither have been without their quirks.
Neither of those support ActiveX objects like IE does, and neither are integrated in the OS. So a bunch of problems are fixed already on a software design level. But that's basically all we can say about it. All your mentioned browsers have had their shares of severe security exploits, some more than others.
Is there a way to evaluate this? It seems like simply something you have to wait and see.
Yes, you can use for example the software design as indications of where it could be in security. You can also look at their respective exploit histories on sites like e.g. Secunia: Opera 7, Firefox 1.x, IE 6.
There you can find exactly how severe their exploits are, how many there have been, how many are still unpatched, what kind of exploits are most common in the products, etc. I'm not sure how much research is done for IE in comparison to e.g. Firefox though. Since IE is by far the most used browser, it seems logical to think it has most reported bugs simply because most are checking for bugs in that browser. I could be wrong though :-) -
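The comment above describes reading a product's advisory history for count, severity, unpatched status and common vector. As an added example (not code from the original comment, from Secunia or from any browser project), here is the kind of tally a practitioner would run over such a listing. The advisory records, product names, identifiers, severities and dates below are constructed placeholders built to exercise the metrics; the severity labels follow Secunia's five-step scale, but nothing here is a real advisory.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One row of a Secunia-style product listing (fields are assumptions)."""
    product: str
    sa_id: str               # hypothetical advisory identifier
    severity: str            # "Not critical" ... "Extremely critical"
    remote: bool             # attack vector is "from remote"
    released: date           # advisory release date
    patched: Optional[date]  # None means "Solution Status: Unpatched"


# Ordering used to pick the worst open issue per product.
SEVERITY_RANK = {
    "Not critical": 1,
    "Less critical": 2,
    "Moderately critical": 3,
    "Highly critical": 4,
    "Extremely critical": 5,
}

# Constructed sample data: two fictional browsers with the same raw
# "unpatched" ratio but very different exposure.
SAMPLE = [
    Advisory("Browser A", "SA-A1", "Highly critical", True, date(2004, 10, 20), date(2005, 1, 11)),
    Advisory("Browser A", "SA-A2", "Moderately critical", True, date(2004, 12, 1), None),
    Advisory("Browser A", "SA-A3", "Less critical", True, date(2005, 2, 3), date(2005, 2, 10)),
    Advisory("Browser A", "SA-A4", "Not critical", False, date(2005, 1, 15), None),
    Advisory("Browser B", "SA-B1", "Less critical", True, date(2004, 12, 22), None),
    Advisory("Browser B", "SA-B2", "Moderately critical", True, date(2005, 1, 5), date(2005, 1, 19)),
]


def summarize(advisories, product):
    """Return the per-product numbers the comment says to look for."""
    rows = [a for a in advisories if a.product == product]
    if not rows:
        raise ValueError(f"no advisories for {product!r}")
    unpatched = [a for a in rows if a.patched is None]
    patched = [a for a in rows if a.patched is not None]

    by_severity = {}
    for a in rows:
        by_severity[a.severity] = by_severity.get(a.severity, 0) + 1

    # Days from advisory release to vendor fix, patched issues only.
    days_to_patch = [(a.patched - a.released).days for a in patched]

    # Highest-ranked severity among the still-open issues, if any.
    worst_open = max((a.severity for a in unpatched),
                     key=SEVERITY_RANK.get, default=None)

    return {
        "total": len(rows),
        "unpatched": len(unpatched),
        "unpatched_pct": round(100 * len(unpatched) / len(rows)),
        "remote_pct": round(100 * sum(a.remote for a in rows) / len(rows)),
        "by_severity": by_severity,
        "median_days_to_patch": median(days_to_patch) if days_to_patch else None,
        "worst_unpatched": worst_open,
    }


def report(advisories):
    """Print one line per product; the raw ratio alone hides the differences."""
    for product in sorted({a.product for a in advisories}):
        s = summarize(advisories, product)
        print(f"{product}: {s['total']} advisories, {s['unpatched']} unpatched "
              f"({s['unpatched_pct']}%), {s['remote_pct']}% remote, "
              f"median {s['median_days_to_patch']} days to patch, "
              f"worst open: {s['worst_unpatched']}, by severity: {s['by_severity']}")


if __name__ == "__main__":
    report(SAMPLE)
```

In the constructed data both products are 50% unpatched, which is the number the thread keeps arguing over; the severity split, remote share, worst open issue and time-to-fix are what actually separate them, so any comparison should be read at that level rather than from the headline count.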
Good, now they can start work on the one from 2003
Maybe now they'll find some time to fix the highly critical flaw in IE 5 & 6 that was reported on 8/14/2003 that allows a malicious web site to execute arbitrary code on the hapless victims machine. Timeliness is next to godliness!
-
Re:It's about remediation...
You're joking right? The information was given to Microsoft 10/21... I wouldn't call 2.5 months fast... Check that release date.
-
Three months is quick?
Yes nice and quick. Only took nearly three months!
Release Date: 2004-10-20
http://secunia.com/advisories/12889/ -
Re:So what you're telling me is that
The main difference is the Firefox vulnerabilities were released they had already been fixed. The IE vulnerabilities still f*ck up your computer.
Actually, one of the three hasn't yet been fixed, and may not be. Here's the bug, and here is the Secunia advisory.
But this is all beside the point, as you've once again tried to make this thread about a Mozilla vs Microsoft Browser Flame War. The _point_ is that these exploits are NOT new. If you pay attention to Slashdot (or any one of a number of security-related websites) and happen to run IE, you've already been notified about this problem, and if you're smart, you've already done something about this.
Again. This entire article was posted only because no one bothered to actually read the article and realize that it was a minor update to a known vulnerability. If the article was worded that way, I wouldn't be here ranting about it, but it's made out to be a new vulnerability. -
Help me!!
Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execution_vulnerability_test that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'
Computer specs: iBook g3 800mhz...
I hope that helps a little -
Re:No explanation about what the test does...
The Secunia test uses the ntshared.chm MS-HTML help file, via ActiveX, to call this script, which, in turn, starts a new IE which goes to this site.
The JMCardle test does something similar, but calls this script instead, which just runs
mkdir C:\\ie6vulnerability.jmcardle
in Command Prompt -
Re:No explanation about what the test does...
Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.
It opens an HTML Help document, then a command console that quickly closes (dunno what that did), then opens an IE page with this helpful document.
-
check if your vunerable
http://secunia.com/internet_explorer_command_execution_vulnerability_test/
is a test page containing a link; if you left click on it and a window opens you're vulnerable (it didn't do anything in Firefox) -
Test site
They've also posted a test site.
No, you click it first. -
Re:Another fair objective article....
That's the exact problem. I highly doubt that anyone at MS feels personally responsible for the IE mess. The embarrassment would hardly be bearable for a single person anyways...
You're making a very broad statement there. Just because a company is large it doesn't mean they don't take pride and responsibility in their code. I know a lot of people personally who work at MS, Google, Apple, Motorola etc who all take pride in what they do and work hard to do the best damn job they can. Just because it's not open source, doesn't mean it is bad, and I am guessing there are a lot of programmers working hard at fixing the bugs and security issues in both IE and Mozilla.
Gimme a break.
Compare this to this.
And be sure to look past the pretty pie charts for the actual vulnerability descriptions.
I checked both links...both programs have about 1/3 of their bugs left unpatched. Yes, IE has more bugs, that's no secret. There are more linux fanboy hackers out there trying to destroy MS, also a fact. I expect more bugs in a more widely used program with a known contingent of "enemies". The interesting thing to me is that both programs have 1/3 of the vulnerabilities unpatched. While you're at it, take a look at the Firefox one as well. Nice job Firefox 1.X, only on the market for a few months and already 4/5 security flaws are unfixed? Clearly this is not an appropriate measure.
And SP2, with its improved security
Ok, nevermind. Why am I even talking...
You're a linux fanboy, why am I even talking...
Seriously though, SP2 is a security improvement for the people previously running with no firewall. I don't think you can logically argue against that. Those of us behind a firewall already, also running antivirus are probably not in any better situation, I agree. -
Re:This article is BOGUS!
If you read TFA it says that Firefox versions 1.x are affected.
-
Re:Another fair objective article....
So the people who write the code for both places deserve no respect for the work they do?
That's the exact problem. I highly doubt that anyone at MS feels personally responsible for the IE mess. The embarrassment would hardly be bearable for a single person anyways...
Yeah, there are bugs in both programs, and yes both of them have serious bugs at times.
At times? Let me think, the number of critical IE bugs certainly goes in the mid 2-digit range (maybe they've even hit 3 digits already?).
How many remotely exploitable Mozilla bugs have there been? I don't remember a single one so if there were any it must have been few. Now compare the development models of the two. IE is backed up by a multi-billion dollar company that could very well afford proper Q/A... need I say more?
both IE and Firefox have been doing ok lately at getting patches for them
Gimme a break.
Compare this to this.
And be sure to look past the pretty pie charts for the actual vulnerability descriptions.
And SP2, with its improved security
Ok, nevermind. Why am I even talking... -
Re:Unacceptable
Dude, read. At least one of the advisories states that 1.0 is still vulnerable.
-
Re:It *is* already fixed!
Guys, wake up. According to the first advisory, Mozilla 1.7.5 and Firefox 1.0 are still vulnerable.
-
Re:Misleading Article
Go to http://secunia.com/advisories/13599 (linked in post) and it says: Solution Status: Unpatched
Why is everyone saying these are fixed? -
Re:A fix?
Go to http://secunia.com/advisories/13599 and it says: Solution Status: Unpatched
Why is everyone saying these are fixed? -
Re:Can it ever be fixed?
It would be awfully nice if the editors marked erroneous stories as erroneous, though, wouldn't it?
(For the lazy among you, Secunia can't ever repro these on a fully patched SP1 system, to say nothing of an SP2 system.) -
Re:easyphp
Great development environment. Installs apache, mysql, php all in one go. Great replacement for mssql and iis
Ha ha ha ha ha ha *breathe* ah ha ha ha ha ha ha! MySQL makes a "great replacement" for MS SQL Server? I'm sorry, but ha ha ha ha ha ha ha!
Seriously, though. PHP makes a decent ASP replacement, but it's not even in the same ballpark as ASP.NET. It'd be nice to have a proper DBI abstraction layer built into the core libraries without having to use something like PEAR, but it's a little too late for that now (most hosting providers don't run on the cutting edge, so even if PHP did that most users won't see it for years to come anyway).
Apache vs. IIS5 makes sense, but IIS6 is rock-solid and has not had a vulnerability in quite some time. Secunia lists three vulnerabilities for IIS6 in the past year and while one does remain unpatched, it's in an administration tool shipped with IIS6 and not the server itself. Apache had seven last year. However, replacing IIS with Apache isn't a difficult case to make since they're both full-featured web servers, so I can buy that one.
Replacing SQL Server with MySQL? If you have a reason to use SQL Server in the first place MySQL is not a valid replacement. If you don't have a reason to use SQL Server, you probably don't have a reason to use a RDBMS at all -- stick with XML, flat files, or some other lighter-weight storage mechanism. Also note that SQL Server does not come pre-loaded on any system I'm aware of, so you can't make the same argument as something like Word, where "it's already there, so why not use it?" You have to actively purchase SQL Server.
MySQL isn't even very useful for learning purposes, unless your goal is to learn bad database design skills. Using MySQL will teach you to work around MySQL's shortcomings, which is very bad indeed when you graduate to a full-featured product like SQL Server, Oracle, Postgres, DB2, etc. Too bad Postgres doesn't have a native Windows port (it will run under Cygwin).
-
Probably bogus
I really hate to rain on Timothy's parade, but not only is this story a dupe, it's looking more and more like a hoax. Secunia, no fan of Microsoft, has not even been able to repro any of these on a fully patched SP1 system, much less on an SP2 system. In addition, I tried to repro the last of these on an SP2 system, and could not do so.
-
Re:Outlook Security Question
Really? Prove it, find me an Outlook 2003 exploit that uses the IE rendering engine. Actually find me any Outlook 2003 exploit that I can use to take over a machine by having a user just view the email. I'll even help out a little.
-
Re:Yeah, right.
But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example).
I loved that line in particular, an IE fan who points out that FF has 4 vulnerabilities without mentioning that IE6 has 74 vulnerabilities for the same time period - many of which are more serious than spoofing bugs (which all of the FF bugs are), due to the tie ins with Windows???? -
Re:I agree ...
Just to state the obvious, I'll just give a rebuttal to some of these statements.
Installing Firefox requires downloading an unsigned binary from a random web server
It's a web server that mozilla.org directs you to. If you're downloading Firefox, you need to trust mozilla.org. Likewise, if you're downloading Internet Explorer, you need to trust microsoft.com.
Installing unsigned extensions is the default action in the Extensions dialog
There's also a two (three?) second timeout and this dialog only appears when either the site is whitelisted by default (only updates.mozilla.org is) or by the user, or if the user clicks the yellow bar at the top to specifically access this dialog.
There is no way to check the signature on downloaded program files
Boo hoo. Authenticode isn't that big of a deal when ActiveX isn't turned on in the first place, considering that that's where 95% of Authenticode is used.
There is no obvious way to turn off plug-ins once they are installed
This one is just uneducated. Tools -> Extensions. Wait... that's, um, more obvious than IE. Oh well, someone wasn't wearing their glasses.
There is an easy way to bypass the "This might be a virus" dialog ...
There is an easy way to do that on IE as well. It's called clicking Run. Seriously, you're going to quibble over IE having one more warning than Firefox? Go develop a decent browser first and call me when you do.
...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
This statement is built upon previous assumptions that are false (such as Firefox being downloaded from a "random website", see above). Firefox is demonstrably more secure than IE and has far fewer vulnerabilities than Internet Explorer.
To the Microsoft employee who created the original article: Rather than trying to convince people that something they know is inferior is not, why don't you try to make it... not inferior? Innovation speaks louder than marketing. Surely you can do better than a bunch of geeks spread across the globe, right?
-
An interesting fact...
The author of this blog entry linked to a Secunia page that listed 4 Firefox vulnerabilities, one of which was listed as 'Moderately Critical,' and the rest of which were listed as less than moderately critical. Curiously, the Secunia IE Page, which of course was not mentioned in the blog entry, lists 74 IE vulnerabilities, many of which are ranked "Highly Critical." Isn't it odd that the author didn't compare the two?
-
Trust IE more?
I'm a Student Ambassador to Microsoft, and promote VS.NET on campus. I think this guy is quite naive (even if from Microsoft) or being deceptive. A few pointers:
1) At least when you post, do a similar comparison between both browsers. I want IE so when I search Google for download internet explorer, then the first link is "www.microsoft.com/ie/" which REDIRECTS me to http://www.microsoft.com/windows/ie/default.htm which again REDIRECTS me to http://www.microsoft.com/windows/ie/default.mspx
Can someone tell me if that is the same Internet Explorer? After all, Microsoft is a big company. I just wanted the regular IE.
2) Watch what you quote - when you wisely point out that Secunia has found (gulp!) 3 security advisories, did you know that only one was moderately critical and the rest were minor? Then, I noticed the advisories for Internet Explorer 6 (the most secure IE browser) - only 53 advisories from 2003-2004 (same timeframe), of which 42% (or around 24) were either highly or extremely critical! Oops, let's not compare using that website.
3) Then, there's the whole issue with downloading extensions - when I click on a link to download my XPI (no clue what it is, as naive user), it waits a few seconds (no surprises) and then asks me to install now or cancel. Oh, and horror of horrors, the Install Now is default! That's what I wanted anyway...and this isn't ActiveX that installs/runs immediately or whenever, but explicitly states that it starts on restart of Mozilla. So, I can even uninstall before reloading Mozilla if I have second thoughts! Hmm, sounds secure to me.
4) I've seen too many web sites that have Verisign and a bunch of other BS images that give me no more trust than another site without them. So, I create a spoofed website with Verisign pictures and have no problem fooling users. But with a Firefox plugin, I'll know I'm on a spoofed website. Personally, word of mouth is the biggest way to increase trust, and that's why I recommend Firefox using word of mouth the most - I'll tie my name to Firefox because I use it and trust it. (Even carry it on my USB drive).
5) Why not fight for some real change and migrate AWAY from ActiveX controls and Microsoft-specific mangled HTML code (and even links) that I can't even run in Firefox? And build in some Firefox-like security rather than pretending the fire is under control!
-
still there?
From the article
"Today, the security of the Google Desktop system is resting on JavaScript's "same-origin" policy. If an attacker can somehow violate this policy, far more serious attacks than merely reading local search results will become possible..."
Doesn't the famous Window Injection Vulnerability, which affects most browsers, violate the "same-origin" policy of JavaScript?
-
Re:I've said it before, and I'll say it again
The creators of Java also say that the JVM has been proven, mathematically, to be secure.
What? Mathematically?! What greedy SUN salesman told you this outrageously stupid thing?
Then what about all these bugs (15 security advisories in the SUN JVM in 2 years):
http://secunia.com/product/784/