Is The Firefox Honeymoon Over?
prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"
There is one significant difference. I'm a knowledgeable user. I program and sys-admin. I practice good security. Regardless of the number of exploits out there, I've never been hit by a FF exploit. I have been hit by IE exploits.
But the submitter is right. Though code security is important, the number of users is also a huge factor.
Cue someone to mention Apache.
Yes, Apache is everywhere, exploit-free. So are lots and lots of other binaries. It's only when you compare Apache to IIS 4/5 that it's really such a perfect example. Compare it to WinAMP, or Bash, or Finder, and it's no more, no less secure.
Well, this is a good example of bad journalism. I don't want to get into a flame war about which browser is more secure (although I have an obvious bias). What I'm trying to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media.
1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the Firefox community is much more active at searching for bugs in the much newer Firefox code.
2) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The Firefox team appears to address the bigger problem, not just stop the current bleeding.
3) How critical are these vulnerabilities? The article makes no mention of any ranking. He lumps everything into the same category. MANY of the IE bugs over the last 5 years have been SUPER critical, allowing remote access with little or no user intervention and no settings workaround. Are the Firefox bugs the same?
4) Different organizations handle the vulnerabilities: MS and the Mozilla Foundation. MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.
Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.
IAAITG (I am an IT guy)
Spell check? Why bother. That is what grammer/spelling Nazi freaks who waiste band width posting "spell right" are for.
As well, how many of these vulnerabilities/exploits were "critical" and how severely did they expose your computer to running unauthorized code vs. the MS ones? How much effort did it take to repair them? The last vulnerability I recall patching required making a minor change to my Firefox config by hand rather than patching or upgrading.
Because IE is so tied in not only to the OS, but to various Visual Studio API's, were Microsoft's vulnerabilities more far-reaching?
I'm no MS apologist, but I'm also not a Linux or OSS zealot. I like to use what works best for my needs and habits, which ends up being a mix of Closed Source and Open Source products. I don't want to be biased on one side or another, but I'd like to be sure that comparisons like this are apples to apples.
- Greg
It's still more secure than IE.
This is Slashdot! You're not allowed to talk about Mozilla like that!!!
I use it because it's a better browser. It has more (and better) features than the competition. THAT is why I use it and recommend it to those who ask, not because of its security track record.
Anyway, maybe it's time to switch to Opera or Lynx now. Or maybe tkWWW... Does anybody know of any other browser out there that may be usable on a variety of OSes?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Another in a series of stories that seem to be written to raise the ire of /.'ers. You're smarter than this, fellow reader. Do not give in to the temptation to flame on. We all know better.
Sad that the writer didn't.
A clever person solves a problem, A wise person avoids it. -Einstein
don't mean anything unless you do a side by side comparison of the security holes. What is the severity of each bug? Clearly, there is more activity and work in finding and actually fixing bugs in FF than there ever could be in IE, which could in and of itself account for the higher numbers.
Yes, there are a lot of problems with Firefox; it's being developed, so there are going to be vulnerabilities and security problems, but at least it's constantly being developed. When everyone moves over to Vista and uses the new version of IE for Vista it's going to be the same old crap all over again, and I'm sure that IE will once again have more problems than Firefox.
What Ou does not consider are the number of vulnerabilities fixed.
All software has bugs; let's just get over it and move on with life.
Here's the difference.
If the Firefox web browser sucks, the average Joe can uninstall that web browser from a Windows box....
if IE sucks...
guns kill people like spoons make Rosie O'Donnell fat.
Remember the age of the code though: how long has IE been around as compared to Firefox? I would expect that about 6 years of sniffing through Firefox will result in fewer exploits than the amount that's still found in IE.
Is still more fun than coming up with relevant comments.
Facts do not cease to exist because they are ignored.
1. How many Critical IE vs Firefox
2. How fast were patches/new versions deployed
3. How many days was the browser open to the exploit
And Finally
4. Total number of days browser was exploitable - IE vs Firefox
I bet you will find issues in IE that are not even patched yet. Turnaround for most Firefox issues, however? In most cases a solution within hours, a patch within days.
Apple just always seems to come up with the right solution. Firefox suffers from the "sophomore slump" phenomenon. Apple hung back and watched the mistakes being made. They learned the lessons and leapfrogged the competition. Apple may not be the pioneer, but they are the king of innovation.
but I think the marriage will last. I, for one, have more faith in the open source community to fix whatever issues hackers exploit. I also trust that Firefox will just strive to be the best browser possible, as opposed to uber-integration-domination-bloatation, and I've been told trust is the most important thing in a good marriage.
the minute I tried out Opera, I was hooked. A couple of my friends spent months trying to convince me to try it out, and I never really did. Opera is absolutely beautiful, very clean, functional, and customizable. I love it. I dropped Firefox like a....well, a something, once I'd tried out Opera. But, to stay on topic :D don't take this story at face value. Like an earlier poster said, it's Quality, not Quantity. There might be a few tiny little security holes in Firefox and maybe just 2 gaping security holes in IE. Which one would you rather use?
Plus there's the obligatory "download our new patch to fix the patch that was designed to fix the patch for the security hole" deal that's involved with IE.
"Potpourri doesn't taste as good as it smells." - Dark_Link2135
I think that this is an important point about Microsoft's security issues that I know I never considered before. When you have any software that is so widely used, it is going to have more security breaches than an equal but less mainstream piece of software. Looks like the problems that Microsoft has had over the years have more to do with being too widely used than actual poor design (or more likely they are on par with each other). And with the kind of money Microsoft has at its disposal, they are finally cutting down on those security issues.
I wonder if this will be a problem for open source software in general if it starts to become more mainstream. Maybe it will be found that without a large amount of money to be put into security that there will be massive security holes in the future for OS software.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
It's like you're comparing apples and ......... PC's!
Actually, I've used IE, Safari, Firefox, and Opera for quite some time, and the only browser I've ever had issues with is IE.
Just my $2x10^-2
I refuse to engage in a duel of wits with the unarmed.
Also, the number of security flaws reported is meaningless. A security hole could be very serious, or completely inconsequential.
And by the way, the article is extremely short, and doesn't actually give much useful info beyond what was in the slashdot summary, so please think twice before clicking through to TFA and steering ad revenue to zdnet.
I read through some of Ou's other blogs, and I have to say he seems to be a MS troll.
It seems to me that MS simply won't patch certain things in IE. They haven't from the very beginning. Firefox is pretty new and will always have more security issues early on. Seems simple to me.
Yes, the honeymoon is over, and now the more enjoyable adventure of building a life together begins.
"I'm not impatient. I just hate waiting." - My Dad
The number of vulnerabilities and exploits make some difference, but what about the average time it takes to fix the vulnerabilities? If one takes an average of 2 weeks and the other 2 days, I'd rather have the latter.
I'm a big Firefox fan and don't use other browsers (IE at work doesn't count cuz I'm quitting in 1 week), so I am wondering what the stats are for browsers like Opera, Mozilla, Netscape, Dillo, Konqueror, Epiphany, and Galeon. Does anyone have this information? Honestly though, there aren't many developers out there that make perfectly secure software... IMHO it's the open-source community's response to the problem that keeps me sticking with it.
"I reject your reality and substitute my own!"
The prime reason that we should support Firefox is that it is a well (but not perfectly) designed product and that it provides competition for Internet Explorer. One of the best innovations behind FireFox is the search-engine drop box, in which I can instantly do a search on any topic of interest. I set MSN Search as my default search engine on Firefox.
ActiveX
Actually, winamp is a bad example...
Type winamp exploit into google some time.
http://www.mashada.com/forums/index/show_topic/60
Could someone please contrast the bugs in MSIE and Firefox on something other than numbers alone (lies, damn lies, statistics)? For example: number critical (remote access), number that will crash the application, number that are theoretical (no known exploit or very difficult to exploit), number that are in 3rd party extensions (i.e., not in the core product). These are FAR more useful figures than 40 bugs for FF and 10 for MSIE. Let's have some facts here (of course, I digress, this is Slashdot and facts often are secondary criteria).
and while I'm concerned with security, it's not a huge concern. If you are going to start saying that IE and Firefox are equal when it comes to vulnerability, then I'm still going to stick with Firefox just from the usability alone.
Plus (which I'm sure everyone will have mentioned by the time this gets posted):
time for Mozilla to fix a bug: a few days?
time for MS to fix a bug: god knows...
So to call it an 'IT nightmare' is a bit over the top.
This is always an argument used against open source, but its a poor one.
With general software development practices, as well as because of other things, both open and closed source software will have security issues.
But the probability of finding them in open source software is much greater because you have access to the source. It does not mean that open source software has more bugs.
With the benefit of having the source code, it's more likely that a bug will be found and fixed before an exploit is developed. With closed source, it's more likely the knowledge of the issue will become public with the release of an exploit.
In America we are imprisoned by our fear of them.
I'm not excusing Firefox for having security vulnerabilities, but you have to look at the fact that Firefox is relatively young and is rapidly growing. IE has had time to work out a lot of the bugs over the years since IE6 went live. How many years has IE6 been around with little or no modifications? There's less chance of introducing a bug because of this, but the browser is nearly featureless compared to Firefox because of it. Which would you rather have?
Secondly, Firefox's exploit-to-patch time is minuscule compared to Microsoft's. The last exploit that came out had a "fix" within days, although that fix didn't actually correct the error, but turned off the functionality that was broken. Then again, this is compared to Microsoft, which says "don't click on links you don't trust" when a vulnerability comes out, until it comes out with its patch a month or more later. Pick your poison.
"Men lie."
"Yeah, about sleeping with other women, but never about bioluminescent plankton."
-Dan Brown
Firefox was never a panacea. Using Firefox never guaranteed anyone immunity against the various pitfalls that come with using Windows. And, so far as I know, Firefox was never entirely free of vulnerabilities.
That said, Firefox will always retain a competitive advantage over IE. Fixes and workarounds are released with astonishing speed, especially when compared with IE--this is because Firefox is Open Source, but more importantly because it is free. The developers have nothing to lose by releasing a patch, by admitting to having written something less than perfect. There is no corporate reputation at stake; therefore, using Firefox will always be inherently safer than using IE. That safety gap will only widen with time.
They should have separated vulnerabilities into classes, then also taken into account the average time between discovery and fix and the ease of patching. Anyone know of such a study?
1) Small memory footprint
2) Excellent stability on Linux and FreeBSD
3) The way extensions work no matter which version you have. Upgrade a minor or major version, the extensions are still there, all working properly.
4) How themes work no matter which version you have.
5) How the Firefox start page doesn't default to any specific commercial search engines, but lets you choose.
6) How the popups are blocked on sites like SitePoint.com
1. Define the threat level.
2. How long before notification that it was acknowledged.
3. How long until the fix.
4. For the fixes, did it work?
MS has the bad habit of not letting us know of a hole until they have the patch ready. This is a real pain, as the ones who can use the hole can, without me knowing! Also, Firefox is a new product; it has an excuse. MS is a mature product; why are there serious holes still in this product?
Panic now, beat the rush!
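Both checklists in this thread (how many critical, how fast the patch came, how many days the browser was exploitable, whether the fix actually worked) can be computed instead of argued about. The script below is an added example, not code from any poster or from Ou's article; the two browsers "alpha" and "beta", their advisory records, the placeholder identifiers and the four-step severity scale are all constructed, chosen so that the browser with the lower raw count scores worse on every metric the posters asked for.

```python
# Added example (not from the thread or the article): score browser advisories
# by the metrics the posters ask for, instead of by raw vulnerability count.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Severity scale is an assumption; advisory databases use their own wording.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass
class Advisory:
    product: str
    ident: str                   # placeholder id, constructed for the example
    severity: str
    disclosed: date              # date the hole became publicly known
    patched: Optional[date]      # None: no fix has shipped yet
    fix_effective: bool = True   # False: a fix shipped but did not close the hole


def is_open(adv: Advisory) -> bool:
    """A hole stays open if no fix shipped or the fix did not work."""
    return adv.patched is None or not adv.fix_effective


def exposure_days(adv: Advisory, as_of: date) -> int:
    """Days users were exposed: disclosure to effective fix, else to as_of."""
    end = as_of if is_open(adv) else adv.patched
    return max((end - adv.disclosed).days, 0)


def summarize(advisories: List[Advisory], product: str, as_of: date) -> Dict:
    """Compute the metrics the thread asks for, for one product."""
    mine = [a for a in advisories if a.product == product]
    fixed = [a for a in mine if not is_open(a)]
    still_open = [a for a in mine if is_open(a)]
    worst = max(still_open, key=lambda a: SEVERITY_RANK[a.severity], default=None)
    days_to_fix = [(a.patched - a.disclosed).days for a in fixed]
    return {
        "total": len(mine),
        "critical": sum(1 for a in mine if a.severity == "critical"),
        "open": len(still_open),
        "worst_open_severity": worst.severity if worst else None,
        "mean_days_to_patch": mean(days_to_fix) if days_to_fix else None,
        "total_exposure_days": sum(exposure_days(a, as_of) for a in mine),
        "ineffective_fixes": sum(1 for a in mine if a.patched and not a.fix_effective),
    }


# Constructed sample data: two hypothetical browsers, "alpha" and "beta".
# Raw count says beta (4) looks worse than alpha (2); the metrics say otherwise.
AS_OF = date(2005, 9, 30)
SAMPLE_ADVISORIES = [
    Advisory("alpha", "ALPHA-001", "critical", date(2005, 4, 1), None),
    Advisory("alpha", "ALPHA-002", "moderate", date(2005, 6, 10), date(2005, 7, 12)),
    Advisory("beta", "BETA-001", "high", date(2005, 5, 2), date(2005, 5, 4)),
    Advisory("beta", "BETA-002", "moderate", date(2005, 6, 15), date(2005, 6, 16)),
    Advisory("beta", "BETA-003", "low", date(2005, 7, 20), date(2005, 7, 23)),
    # A fix shipped the next day but did not actually close the hole.
    Advisory("beta", "BETA-004", "high", date(2005, 9, 9), date(2005, 9, 10), False),
]


def compare(advisories: List[Advisory], as_of: date) -> Dict[str, Dict]:
    """Per-product metrics for every product in the list."""
    return {p: summarize(advisories, p, as_of)
            for p in sorted({a.product for a in advisories})}


if __name__ == "__main__":
    for product, metrics in compare(SAMPLE_ADVISORIES, AS_OF).items():
        print(product, metrics)
```

With the constructed data, "alpha" has one unpatched critical hole open for 182 days and 214 total exposure days, while "beta" with twice as many advisories has 27 exposure days and a mean fix time of 2 days.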
Or is it just that, with source fully available for people to examine (and a community of die-hards willing to spend a Saturday evening actually looking at same), flaws can be more easily found?
I don't know if that really would make much of a difference, but then again, we can't really know for sure since the IE source code isn't available to make it a fair test.
Anyone out there who does seek out flaws care to shed some insight on how you go about doing it? I imagine some is like with old school video game hacking - you notice strange behavior and experiment - but I'd also imagine some is looking at source and saying "Hm, this seems off..." and then trying something without actually noticing "off" behavior.
Since I can't tell them apart, I treat all ACs as the same person.
What I'm trying to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media.
AMEN! Your pickles example is a good reminder of the confusion many Americans have over causality vs. correlation.
Damned Lies and Statistics by Joel Best is an excellent primer in the dangers of poorly used and cited statistics. It's a must read:
http://www.amazon.com/exec/obidos/tg/detail/-/052
So, who here REALLY wants linux on all desktops, again? Not that it WILL happen, but don't wish for it!
This script-graphic was very hard to get.
J.
You're only jealous cos the little penguins are talking to me.
Is exploit A, which has bugs a, b, c, d, e, f, g, h, and i,
the same (quantitatively) as exploit B, which is due to bugs y and z?
Just because IE lists 6 exploits doesn't mean they are due to 6 bugs.
For me, it's not the number of vulnerabilities and never was. I, like most other people, used IE because it was preinstalled. I was lazy and figured "a browser's a browser". Only once I started using other browsers did I realize:
1. There is no reason a browser should lock your operating system.
2. There is no reason a browser should mysteriously slow down your computer.
3. There is no reason a browser should purposefully make it difficult to change some settings.
It's like the Messenger service that Microsoft seems DETERMINED to re-enable on my computer every time I update / patch. I know what settings I want, and the browser that lets me use those settings with a minimum of issues is the one I'll use. This isn't loyalty. It's a user-friendly program that doesn't pretend to believe it knows what I want better than I do.
There are many differences between the two and what I think makes Firefox sound more desirable is mainly the fact that Mozilla will release patches much faster for Firefox than MS for IE and that it is also a much more stable program.
$fortune
Tomorrow has been canceled due to lack of interest.
I would consider this a good sign for Firefox; all the attempted exploits, in my mind, point to the fact that Firefox is grabbing mindshare as well as marketshare. You know you're close to the top when someone tries to knock you off..
I was crazy back when being crazy really meant something. (Charles Manson)
It's great that as a sysadmin/programmer using Firefox, you've had fewer problems than with IE.
More importantly, when I switch my users to Firefox, they cease to have problems. More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.
Procrastination -- because good things come to those who wait.
And conversely, how many exploits are there for Microsoft Personal Web Server?
The Difference isn't the number of users, it's the number of people actively looking for exploits. I could write a crappy piece of code with 100% market share, but if no one is trying to break it, it'll probably be pretty darn "secure"
-Adam
Honestly, whatever Firefox had was hardly a honeymoon. The number of people using Firefox is insignificant when compared to those using IE. And it will always be.
Clearly, Google is the next Microsoft.
1, 3, 2, 3, 3, 3, 4, 3, 5, 3...?
No, it still makes me hard an I still enjoy having sex with it.
Evil people don't think they're evil. - George Lucas, Making of Ep III
Thanks, Steve. It's nice to see you're still paying attention to things over here.
I'm not tense. I'm just terribly, terribly, alert.
So what this article says is that the open source development model finds and fixes bugs much quicker than a single company could ever hope to. Cool. I'd much rather have security holes discovered and fixed quickly. Also, I wonder how many of these holes in FF only affected Windows users?
There is a new crashing bug in Deer Park Firefox, but not in Firefox 1.0.x. There is no patch either! Disabling IDN or using the latest nightlies doesn't stop it from crashing. It's being reported by Tom Ferris again and he has a test page here.
Does it count as a bug/exploit if it's fixed before anyone discovers it?
Microsoft has a habit of reactivity, "Oh shit, someone released an exploit, let's fix it".
I'd like to say Mozilla has a habit of proactivity: "Oh shit, there's this bug, let's fix it before someone exploits it".
Also, if you RTFA, you see things like "Note that this is not a count of the number of advisories because advisories can contain multiple vulnerabilities. This is a count of the actual number of vulnerabilities." The article is short on substantial evidence or proof (the author refuses to provide links). Furthermore, he doesn't even attempt to qualify what he claims.
Take it with a grain of salt.
This is the most useless article I have read.
I have read it and still don't know what to make of it. He doesn't really define a vulnerability first of all.
If anything this tells me firefox is being actively developed and improved and is easily upgradeable.
I think Microsoft is just putting security updates out and not improvements. So it makes me wonder what he defines a vulnerability.
IE exploits fsck with your entire system; you know, it's a built-in component. FF problems are more limited and deal more with Windows alone. I've had no problems with FF on OS X nor Linux. FF and IE exploits are apples and oranges.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Firefox vulnerabilities are fixed within a day, two at most. Just about every time I see a Firefox vulnerability it is published before a fix is available. Also, I've never seen an instance of someone actually exploiting a Firefox vulnerability for evil.
IE on the other hand doesn't publish vulnerabilities until they are fixed. So 10 means they fixed only 10, how many are there? Also, IE exploits are actually exploited all the time. Usually it happens after the patch is released and the exploit published. Firefox upgrades itself now with very little user interaction whenever there is a fix. IE only updates on Black Tuesday, if you're lucky.
that some of the Firefox issues were not because of coding bugs on the mozilla side of things, but because of how Microsoft's OS handled things. Essentially, Firefox was protecting itself against the evils of the OS that it is forced to run upon. Even if all 11 security issues were purely because of Mozilla code, how are we to truly know that there were only 6 for IE? Those are just the ones that Microsoft fessed up to and actually fixed - there's likely plenty more that they're working on - just waiting slowly to release the updates to make themselves look better than the better equipped competition.
Open Source will always be a better idea than the Microsoft solution!!! Besides, I'm almost sure Microsoft is developing Firefox exploits just to make Firefox look bad. And I could probably argue that the combination of the 11 exploits that Firefox had were less dangerous than the 6 that IE had. So THERE!
Please tell me you're going to legitimize that by blogging it... I bet you could make the front page of Slashdot!
This is exactly true. I administer over 2,000 machines (mixed platform environment). We started installing Firefox as part of our standard package over a year ago. There has never been one report of a problem with security involving Mozilla Firefox. There have, in the same time period, been numerous security problems originating in the Microsoft Internet Explorer web browser. It doesn't matter how many exploits get published if they aren't being exploited or their exploit does not result in any significant harm. As posters below have noted, this article is a result of bad journalism.
As I recall, IE does not have anything even remotely similar to bugzilla (as FF has).
So, if I find a bug in FF, I'll report it in bugzilla. If I find a bug in IE, where do I report? send an e-mail to wishes@microsoft.com?
I'm sure there are some people that know that better than me -- enlighten me. How does one submit a bug found in IE?
We need more exploits for IE
Anybody who wants to inspect the source code for security holes can do so.
Precisely. But why do you assume that once the bug is found, it will be fixed? If the bug is found by a malicious pair of eyes, an exploit will be written instead.
Open source helps both the attackers and defenders, and therefore does not have an inherent advantage in security, in my opinion. Now, the formerly closed code that has leaked is indeed more vulnerable after the leak.
I would like to see a comparison of the seriousness of the vulnerabilities: how many of those IE exploits gave remote users full control over the victim's computer, vs. those of Firefox? Given that IE is so deeply tied into the OS, security problems with it tend to be much worse. For Firefox, the vulnerabilities tend to be trivial, such as browser crashes.
Firefox less secure than IE? Man that's the last thing I expected to see posted on SlashDot.
The next thing you'll hear them saying Google is evil. oops, wait a sec..
http://slashdot.org/article.pl?sid=05/08/24/15262
-Adam
As long as there's still ActiveX support in IE it _will_ be the less secure browser. ActiveX is, and will always be, the most critical hole in IE.
It's insane to execute binary code from the internet with just a few clicks.
When Microsoft turns off ActiveX by default, we can start comparing browsers.
The main question is: Does M$ want IE (and Windoze in general) to be secure?
I believe not. An important activity at most corporations is spying on employees. Some of the flaws are used for that particular purpose.
Moreover, the Firefox community is calling a "bug" a vulnerability that M$ would completely ignore. Why would they care that you get a lot more leakage through 5 one-meter holes than through 40 one-millimeter ones?
How many bugs/vuln's are there in IE that microsoft either doesn't want us to know about, are too serious for them to consider releasing info on before they have a fix, or just don't care about? Most FF bugs are revealed relatively quickly, and a patch is made, but M$ can keep them a secret to keep their numbers down to promote studies like this one.
"In a world without walls and fences, who needs Windows and Gates?"
I am Paul from Greyhats Security. I found and submitted several of those Firefox vulnerabilities, a total of 5 that I received bug bounties for.
I have to back up the article writer on this issue. The fact is, Firefox was a lot easier to exploit than Internet Explorer, and believe me, I have experience in both browsers. Also, I have been testing Internet Explorer 7, and I must say that it is very secure. I haven't found a single vulnerability in it yet.
More important than how many bugs appeared in a span of time is how many of those bugs were solved?
Or no, facade is fading. But the rear is still ok.
I think these reports give the answer.
Firefox
Internet Explorer
To conclude, Firefox has three unpatched advisories, of which the most severe is "less critical". IE has nineteen unpatched advisories, of which the most severe is "highly critical". Notice that IE actually had more advisories, both patched and unpatched.
While Firefox may have more vulnerabilities, these are publicly acknowledged bugs. How many bugs does IE have that Microsoft hasn't disclosed? Keep that in mind!
What I find most fascinating is that no one seems willing to recognize that the more users you have, the greater the interest in hacking becomes. If you have a paltry penetration for your technology, hackers ignore you.
Now, is Firefox more secure? In theory it should be. Are the exploits in Firefox less problematic? Well, until hackers care to exploit it, who the heck really knows? I remember when Firefox pop-up blocking worked. Now, there are known methods to circumvent the technology...go figure...the folks who care have found new methods because Firefox was eating their lunch.
Now, I heard someone say that Apache is a model...what about all those worms that have been attacking, and defeating, Apache for the last 3 years (slapper, scalper, etc.)? Apache's only grace is that the developers move FAST when a new exploit is found. However, most attacks are not day zero attacks, which means that the vast majority of attacks are based on known, patched or patchable flaws.
So, it is incumbent on any admin to keep their systems up-to-date AND recognize that patch management is one of the key hallmarks of a secure system.
What does this mean for Firefox? Same patch management must be implemented for Firefox as should be in place for Exploder. Moreover, perimeter firewalls and intrusion detection systems must be in place and up-to-date themselves. And even with this diligence, per the CSI FBI Computer Crime & Security Survey 2005, 95% of Enterprises experienced system penetration and 55% were attacked by worms or viri.
Guess what? Software development methodology is not a panacea anymore than anything else.
Diligence, not arrogance, will protect your computing assets.
"... but you can love completely without complete understanding." - Norman Maclean, "A River Runs Through It"
The most important thing this author should have asked is: what is the severity of these vulnerabilities? Something like a DoS is a PITA, but compared to a vulnerability that opens a machine to remote system access-- come on! Let's compare: IE Firefox
IE integrated into the base OS gives a lot of those buffer overflows much more destructive potential than some regular old program. I'm not ruling FF out as a potential threat, but so far, it has shown itself to be far less dangerous than IE.
Only difference as far as I know: I haven't been hit with any FF vulnerabilities from places I visit, but have been with IE on Windows. And hi, there is no IE on Linux.. so there.
I prefer Fx to IE any day. And not just because of security.
For example, I was designing a web page that required that I refresh an image every 15 seconds. So, rather than reload the whole page, I just used javascript to refresh the img's .src property. Guess what? In Fx, of course it works perfectly. In IE, it worked sporadically. I went to microsoft's solution base, found the issue, and guess what I was told? Stop using so many images! Now, I am not a sysadmin, and am not in the know with all of the security issues. But my example does show MS's attitude toward fixing things. I know that images are not (usually) as important as security, but often we show how we'll react to large things by how we react to small things.
So, I guess this really supports the people who will (and probably already have) posted threads about how Mozilla fixes stuff faster and better than MS. I am sure that will continue to be the case. Mozilla has not yet shown me the "ignore it and it'll go away" attitude.
blah blah blah
Also.. the most important factor. The Firefox community fixes the problems.
There are flaws in IE that have been known for better than 6-8 months and still there is no fix.
Digital is, by definition, imperfect. Analog is the way to go.
Run! He has a chair! God help us if he starts doing his dance!
It'll be like playing Donkey Kong...
I don't really believe in this, but arguing like that is arguing against Firefox.
My personal opinion on these things is: People care way too much about browser religion. Let people use IE, not that much wrong with it. Both IE and Firefox are huge complex applications processing huge amounts of diverse untrusted data. Sure it'd be great if they were secure, but it is just not happening that way yet.
There might be some hope on the horizon with low-rights IE7. It might be that it really does manage to remove the impact of the bugs, which is really the best case scenario as things stand. If so we will no doubt see similar approaches integrated in Linux desktops and see Firefox refactored to use the same approach.
I find it very interesting that 9 times out of 10, if I ask someone why they use Firefox, the response is "Tabbed Browsing" or "It's not Microsoft."
As a developer, I have found Firefox to be almost unusable in many instances:
1) They implemented CSS, but none of the old CSS. This means when you change a cursor to a "hand", it won't recognize it.
2) It also leaves you unable to create custom variables in HTML tags. This leaves out ease of use in dynamic information systems.
3) You cannot call a style of a document object directly, you must first call the object, then on a separate line, call that object's style you want. Just plain inefficient.
4) You cannot use span tags or div tags even remotely how you can in IE (and some cases even in Safari!).
5) They took out many Javascript functionalities because they simply couldn't implement them correctly. (.focus())!
In the end, it's frustrating that in Firefox you must deal with coding around what they left out, because it's more "secure", and as we now know, it's not even more secure! And thank you to Firefox for making me have to download a plug-in every time I want something to work like it should. It's just not what everyone seems to think it is. Is it just an excuse to name drop something new??
Ubuntu, the way linux should be.
Try Ubuntu FREE! --
Firefox for Linux is INFINITELY worse than IE for Linux, because there has never been a security-related bug found in IE for Linux.
That's "Mr. Soulless Automaton" to you, Bub.
Aside from the fact that you're plainly wrong -- my Firefox does things right on OS X that my Safari isn't even close to -- I think you need to look up the word Innovation.
I'd paste it below, but the Lameness filter hates it. Instead, I'll just point out that there isn't a single definition which does not use the word "new".
Tell me, what's new about Safari? Oh, right, it's Konqueror for the Mac. I guess that makes the OS X version of Firefox just as innovative, right?
Don't thank God, thank a doctor!
Time to change to a less popular browser again, for security reasons, guys. lol
doubtfully,
exploits aren't just from original code. Every time someone tries to add something new to Firefox, there is the real possibility of an exploit.
Just because an app has been around doesn't mean they could have fixed all the errors. Maybe in that original bit of code that still exists, it is error free. It will still take a lot of time to find the exploits that are caused by new insecure code and those problems will always be around.
to line my mac trashcan
At least the Firefox developers are making a real effort to keep their program up to date. The program itself is designed better than IE, which is why I like it.
When the honeymoon is over, it usually means that you don't get anymore sex. However, I'm still getting plenty of one-handed sex with Firefox and www.nudenuns.com!
If someone says he and his monkey have nothing to hide, they almost certainly do.
Remember ~15 years ago, when the net was a hellofa lot smaller, and netscape just came out. As time moved on, Netscape got bigger and around 3, it was more sublime. Websites weren't so annoying beyond the ugly backgrounds and animated gifs. But people learned quickly not to do that too much. Smart people found the web and things were good.
Now, everyone and their mom has IE. But you notice, the smart people have firefox and go to websites that aren't IE specific? Has the number of smart people who use a better browser decreased? Are the people from yore using IE now? Does microsoft /really/ have an advantage?
Hrm.
FireFox version 1.0 is less than a year old, IIRC.
IE 6 is how old, 4, 5 years? And they're still releasing patches??
Kiteboarding Gear Mention slashdot and get 10% off!
I mean, From March 2005 to September 2005 ?! Good god, I thought ignorance could no longer make me mad, but yes, it can. Educate us please, 1) how many versions of IE were released in this timespan, 2) how many vulnerabilities were disclosed about IE6 since it was released, 3) how many vulnerabilities had IE when it had the same [release] age as Firefox has now, 4) how does the patch release speed of Firefox and IE compare, 5) how does the feature set of Firefox and IE compare, 6) how does the size, stability, platform support, plugin support of Firefox and IE compare, 7) how many vulnerabilities of IE's and how many of Firefox's were/could in fact be exploited by worms and trojans in this period.
I could go on with this, but for me, even these questions are more important, by a magnitude, than how many exploits were discovered.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
I'll tell you what's a security nightmare - dealing with all the trojans, viruses, and spybots that IE lets in.
George Ou tends to constantly rag on Open Source projects and always slants his articles in a pro-Microsoft way. I tend to take everything he says with a pillar of salt.
I have yet to see him say anything POSITIVE about open source in an article so I find him constantly suspect.
This is my sig. There are many like it but this one is mine.
I really want to give Firefox to all my users, but there's no good way of managing the updates for my users. Until the Firefox comes packaged as an MSI so that I can force an upgrade via Group Policy, I won't install it on my users machines. And when they do make an MSI for it, how am I to keep people up-to-date with extensions? The Grease Monkey extension had a vulnerability awhile back, and I don't see a way for Firefox to allow me to force an upgrade to everyone for extensions. IE works well because I can release patches for it via WSUS. And since SP2 for XP, we've had less calls about spy/adware installs.
Knowledgeable? Practice good security? I'd say the same about myself, and I've *NEVER* been hit by an IE exploit.
I'd say a fundamental part of good practice with IE is to use it with an HTML rewriter. I use "The Proxomitron".
Proof that Apple is kicking Open Source AND Microsoft's ass.
Read and weep, Linux fanboy! The people have voted with the investment dollars. Apple is winning the war on two fronts !!!
Firefox ... is the popular Internet browser becoming a security nightmare for IT administrators
Not a statement of fact but by asking it as a question you give the meme credibility. Get those ad servers warmed up.
As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading.
Really, need some straw?
[statistics of vulnerabilities provided without context] ... It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.
Oh, I see you are already building your straw man. What was your point again... FF is no better than IE so don't bother trying to use it? Nice. Not sure which is worse, the zdnet Microsoft shill or this poseur inciting a flame war to embiggen ad server revenues. Bravo, your internship at FoxNews is waiting.
Speak truth to power.
It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.
What can I say? I pity the administrator that need "proof" to realize this.
Straight to the "Security 101" class you go, as you should have before getting a job.
Or if not having one, thank god for that.
As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading.
Here's the hard facts according to Secunia...
IE 6: 19 of 85 unpatched issues, the most severe classed Highly Critical.
Firefox 1.x: 3 of 22 unpatched issues, the most severe classed Less Critical.
Opera 8.x: 0 of 7 unpatched issues.
I don't know about you, but as long as a product is auto-updating (which the Firefox 1.5 beta and onwards indeed is, like IE 6, and unlike Opera 8), what does it matter how many exploits are found? Isn't it how many issues you're affected by that matters?
Yes, this was a problem with Firefox before 1.5 as you can't excuse having to manually upgrade your browser while monitoring security sites (at least not from the audience Firefox is targeting), and that's why I recommend people to upgrade to 1.5 ASAP. The minor instabilities still present from being in beta aren't as bad as missing out on security fixes.
Beware: In C++, your friends can see your privates!
So the meaning of the holes is not the same: while on IE, it shows that the software is full of holes with some discovered by bad hackers, on firefox it shows that the community of developers tends to be more active. In opensource, when a software becomes popular, it attracts more hackers and also more developers.
exploits are just successful code reviews in the opensource world
Damn, I can't argue with that. I guess I'm switching back to IE, where can I find the source for 2.6.12 i386
This is such a ridiculous use of statistics. These were all pulled from the Secunia website. Using the same stats from the website you'll see that:
Secunia Stats for IE: http://secunia.com/product/11/?period=2005#statistics
Secunia Stats for Firefox: http://secunia.com/product/4227/?period=2005#statistics
While IE has less advisories, they also have a higher unpatched percentage as well as a higher severity of exploits percentage.
What is even more funny is that a co-worker of mine always uses the number of advisories to indicate how much better IE is over Firefox, but never mentions that most of the advisories remain unpatched as well as more critical from the same website.
Apples to Oranges indeed.
Skin cancer is the most common kind of cancer, because our skin is our main "interface" with a world of carcinogens. It's also among the most treatable kinds of cancer, posing a much lesser threat to our essential health than its rate of onset. We can learn from our own biological infosystems how to survive in a world where attacks and damage are part of the ecosystem. A compromised browser shouldn't equal a strike to the heart of our computer systems. We should be able to spread on and wash off the info equivalent of sunscreen, and grow a new layer once our outer perimeters show the stinging-red signs of breakdown in a hostile environment.
--
make install -not war
I think the underlying issue here is who, generally, uses which browser.
People who use IE tend to use it because it does its job and they don't know/care about security, or it's just too much trouble to bother if they do know.
People who use firefox, on the other hand, tend in general to be tech savvy or close to someone who is. They tend to practice safe browsing better than the average, and run antivirus software (or linux).
I guess what i'm saying is, that even if security holes per user is the same between ie and firefox, which it's not, the firefox userbase would have a much better idea of what to do if they are attacked.
Full disclosure: I am a firefox zealot.
-schwal "Hanging is too good for punners, they should be drawn and quoted"
His last 5 entries are ALL about Microsoft versus the world, in which MS always wins. Even going to previous months, it has always something to do with MS doing something great. If this guy isn't paid by MS he really should be.
Okay, we're used to things being slanted... and let's admit it-- we are used to them being slanted in our direction. (When I say "our" I speak of the typical slashdot demographic who uses Linux on at least one machine at home/office, certainly uses firefox and openoffice and is generally anti-microsoft.) I wonder if there can ever be an unbiased progress report on the current state of security and userbase.
Whether I have the appropriate stats or not, Firefox is better and safer than MSIE. Pick your reasons, for better or worse, Firefox is used by fewer people and is still not quite on the radar for those who hack for profit. MSIE users are "default" users... so whatever the defaults are, that's what they use... whatever the defaults of the security settings are, that's what they use. And if you want to get that wallpaper and it says you need to use MSIE and install this .EXE in order to get it, THAT's what they do. (Yesterday, I had this exact experience... thank god I was there to oversee the process so I could kill the spyware before the infestation started.)
Let's look at this like a disease control situation. There might be "11" exploitable flaws in FireFox and just 1 in MSIE (just an example). Using Firefox, I'm immunized against a huge variety of diseases that are targeting only one organism -- MSIE in this case. SO WHAT if I am vulnerable to 11 other diseases? The diseases aren't in circulation and the one that targets MSIE is running rampant.
If they want to tell the truth, let them break it down in terms that make everything EQUAL such as "likelihood of being exploited." It's fair to measure in those terms since that's what we're really interested in guarding against while using any browser. But we already know the slant that a likelihood measurement would take us to...
Not all vulnerabilities are created equal. As you assert, there doesn't seem to be (m)any people actually getting their system compromised from Firefox issues. Contrast that with IE, where we have seen numerous exploits in the wild which install malware, simply from the user visiting a web site. In large part, I believe this is due to IE's integration with the base operating system.
Let's go through your objections point by point
If this is so it just leads to the question: Why should people use Firefox now then? Let's wait until 2010 when it will actually be better and stick to IE which is better now.
Except then Firefox will not get developed to as high a level as IE has and will never reach that point. Note that this observer has the same problem as most observers who say, "It's better!" And that problem is that the numbers aren't exactly fairly proportioned. An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed. That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.
I don't really believe in this, but arguing like that is arguing against Firefox.
It is arguing against the further development of Firefox, too. No users, no development.
My personal opinion on these things is: People care way too much about browser religion. Let people use IE, not that much wrong with it.
There's piles of things wrong with IE, they're just not user-visible all the time and that is a main portion of the problem's gestalt.
Both IE and Firefox are huge complex applications processing huge amounts of diverse untrusted data. Sure it'd be great if they were secure, but it is just not happening that way yet.
You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.
There might be some hope on the horizon with low-rights IE7. It might be that it really does manage to remove the impact of the bugs, which is really the best case scenario as things stand.
You can do this in linux. Natively. Just make yourself a different user with no rights to do certain things. Try that in Windows and see if it works for you. As to the, "Microsoft will solve everything in the end" mentality, well, I can't really argue with that.
If so we will no doubt see similar approaches integrated in Linux desktops and see Firefox refactored to use the same approach.
You're looking at it the wrong way. Microsoft is behind and has been so for a very long time. The stuff you want is part of the problem with their occasional 'buy instead of implement' business model.
My little site.
"Fundamental" as in "never heard of by anyone else"?
Information wants to be anthropomorphized!
If all exploits do equal damage or exploit equally, then the numbers probably could be compared. If you are exploiting Firefox, you are exploiting an application. If you are exploiting IE, you are exploiting an OS. Hmmm, I wonder which exploits you would rather have over another (and I know we would prefer no exploits, but that is only in shangri la). It doesn't seem to me like exploits bear equal weight for each respective browser.
Just my $0.02.
Check out my sci-fi/humor trilogy at PatriotsBooks.
So if you're a Firefox user -- rejoice! You're no longer a renegade!
Fuckin' "blogosphere" losers trying to be cool by pretending to know more than jack shit and promote some new browser just because everybody else was doing it. Nobody with the slightest bit of common sense bought into that firefox-is-god^H^H^Hpanacaeum bullshit. It's another browser and it's not bad. So? What an abstruse idea to promote its security when obviously practically nobody was even looking for security problems. All those fucktards achieved was make exploits for gecko-based browsers plausible in the wild.
All hail common sense. And yeah, fuck the firefox-hipsters.
Should there be any surprise?
IE6 has been out for 4 years and built on code that has been used for many years before that. With no significant features being added to IE6 and two major service packs it would seem that the software should be (at this time) very secure. It's still not.
Firefox has been out for less than a year. Given the age, it would stand to reason that it would have more bugs that need to be fixed. With time, it would be anticipated these will reduce.
Firefox has more features and higher degree of compatibility with standards -- I'd expect these would introduce bugs as well that need to be fixed.
Firefox does not have access to the resources Microsoft has (some of the best developers, huge amount of capital, sophisticated testing facilities and networks, etc..) and as a result, it would be expected there are more bugs, etc..
Firefox is available for a wider range of platforms. Given this variance, it would be anticipated more bugs would occur as a result.
The source to Firefox is freely available. As a result, it is very possible for a wider amount of people to look at the code and find bugs MUCH easier than with IE. As a result, more bugs should be reported.
I could go on and on and on.. but needless to say, the fact there are more security/bug reports shouldn't be that big of a surprise. The biggest question is if the fundamental architecture of the software keeps security issues minor and if the development team is capable of keeping their software secure in a quick and efficient manner.
I think it is pretty clear from looking at the links provided in the article that this indeed is the case. The vulnerabilities are far less critical, there are fewer outstanding issues, etc..
I'm curious how the picture will change a year or two down the road.. IE has been pretty consistent with security issues -- I really expect Firefox security issues to decline.
So they found more exploits to FF. FF is also newer. Does this mention the hundreds of IE exploits in the back catalog? Does this mention some of the fatal flaws that MS has not repaired since IE 5? I know because I have had to hack fixes for web apps in IE... never had to do it for Firefox. Read through MSDN and count all the bugs, then read through Bugzilla.
Any new product will have more flaws found per month than an existing product. This is common sense. The difference with FF is the turnaround of the fixes. You could imply as much from the article. 40 down to 11. Notice how IE6 has the same amount still found (10 and 6 are a lot closer than 40 and 11), and it is a product that has been on the market how long (4 years)?
There is no news here, just FUD and a normal software lifecycle. This is perfectly normal.
So what makes these people think that because IE has fewer fixes going in, they have fewer problems to start with?
Remember that Firefox has far more people looking at the code base for errors - so fixes generated are for problems people have seen in code that can cause an issue, even if in practice they might never be used for an exploit.
Meanwhile in IE you have fewer people just looking over the code for errors, so patches that come out are likely because someone, somewhere, is actually USING that hole right this second!!
Then look at the numbers for patches and see if using IE doesn't just creep you out in all sorts of ways.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You need only to look at secunia.com's summaries to see through the idiocy of this article:
Firefox: 0% Extremely Critical
vs.
IE: 14% Extremely Critical
Need we say more?
Firefox vulnerabilities are commonly that a website address might be spoofed.
Internet Explorer is a complete system compromise.
Not apples-apples.
Are you saying that knowledgeable users necessarily get hit, even on IE? I develop on Windows (and on Linux too, though my architectural understanding of Win32 exceeds Linux (which is pretty much limited to POSIX)) and you know what? I've never had a problem with an IE exploit in my life. Like someone else said a few stories ago, a user who knows what he's doing can make even Win98 safe.
Yes, IE pre-XPSP2 UI+security model of Yes by default and ActiveX definitely required vigilance; but today it's a function of user skill on both Firefox and IE to *not* be infected.
Someone here mentioned their users don't have problems with Firefox. Well, disabling ActiveX certainly helps. But if Firefox users visit RandomScreenSaver.tld and download with abandon (as many IE users do), compromising Firefox will be a piece of cake. And there is the gaping hole in Firefox's armor -- even many of its biggest boosters think nothing of installing unsigned extensions.
Btw, I'm not sure anyone who developed on Apache through the late 90s would call it 'exploit free' in the sense (say) vsftpd is exploit free. Apache's strength is cross-platform ubiquity and a rich plugin environment, not perf or security. I doubt any Apache dev would claim Apache to be unexploitable even today.
Go somewhere random
There are flaws in IE that have been known for better than 6-8 months and still there is no fix.
Ok, sure... I'll bite. I don't buy it. Name ONE risky security flaw that has been known for 6 months without being patched by Microsoft.
Oh please, not again. "Firefox has more security bugs! firefox is teh evil! omgomgomg"
I'd expect this kind of comment from a /. comment, but from a STORY SUBMISSION?
In any case I already know the answer: "more bugs, but some less critical, and all patched in less time".
Or am I wrong?
Honeymoon is over because the FF people fixed more security bugs than IE6? I don't follow.
sic transit gloria mundi
Better Links:
http://secunia.com/product/11/
http://secunia.com/product/4227/
Also note that a high number of the IE vulns are "multiple" ones grouped together.
1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.
It's funny, people always scream "ZOMG L@@K @ TEH NUMBER OF VULNERABILITIES FOR MSIE" :-) Firefox is great enough to have a simple auto-patching system, whereby you don't have to wait for an entirely new version to come out and install it over the new ones, thus not having any compatibility issues with plug-ins or the like. Doesn't happen with Firefox. Nope.
Or perhaps you're being a hypocrite. Strange, I've never once seen this defense come up for MSIE on Slashdot. You seem to think that the number of known vulnerabilities doesn't matter, but then you go on to address the criticality of the known vulnerabilities as if that matters later on. Make up your mind, don't contradict yourself and don't be a hypocrite.
3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design).
Is that your SCIENTIFIC opinion based on a study of FACTS or just anti-MS FUD on your part? Don't bother answering that, the answer is obvious. For someone who blasts a legitimate finding for being 'bad science', you sure are fond of using bad science when it suits you. You simply ASSUME--with absolutely no factual grounding (unless you count hearsay) that it's a result of poor browser design.
The firefox team appears to address the bigger problem, not just stop the current bleeding.
Again, what are you basing this on? Your "scientific opinion"? The multiple dialog spoof and frame injection vulnerabilities? The multiple, related cross-site scripting vulnerabilities? The partial fixes? THe workarounds?
I'm sorry, but firefox isn't fixing the source, its design is flawed too. Have you even LOOKED at the design of Firefox? After all, you're the expert, surely you've seen the strides they've taken in security design. OH wait, no, just like with all browsers, security was an afterthought in design.
2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category.
Interesting that at first known vulnerabilities don't matter, now they do when it comes to criticality. Way to be inconsistent.
As it turns out, there are the same number of highly to extremely critical fixes according to JUST secunia statistics. Secunia only released advisories for a little under half of the Firefox vulnerabilities. Those stats are going to go up and have Firefox beat the pants off MSIE in terms of more serious vulnerabilities.
Here are the statistics:
http://secunia.com/product/4227/?period=2005#statistics
http://secunia.com/product/11/?period=2005#statistics
MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.
6% workarounds, 6% partial fixes as per the above statistics. Yeah, they're awesome
IAAITG (I am an IT guy)
But not a scientist, nor a rational thinker, apparently.
Ignoring the risk of some bad mod points, frankly I consider ZDNet rather similar to Fox News. I quit reading them a couple of years ago.
Since Ou is too much of a prude to post the links to the exploits, can anyone here post them so we can get a better understanding of what the real differences are behind the different exploits?
Or, perhaps, he was saying "Many Americans" because he is an American, the article was written by an American for a largely American audience, you are at a website dominated by Americans, and he simply didn't give enough of a crap to include the rest of the world when he generalized "many of us" into "many Americans".
Take your knee-jerk victimization trolling elsewhere.
I'm sorry the rest of you had to read that. I put self-victimizers above people who confuse your and you're on my pet peeve list.
Never confuse volume with power.
... Until google writes their own browser. :D
So you see no problem with an application that should be mature and stable and secure and a 2-year-old piece of code that's getting a similar number of exploits. Oh, and check on the severity of the bugs while you're at it.
I am SOOO tired of seeing these stories about how firefox has this many bugs vs IE has this many blah blah blah....
They totally miss the point.
First off, anybody who switched to firefox because they thought it (or any other browser) was "safer" than any IE is totally deluding themselves. The fact is the web is just a dangerous place to be, and no browser no matter how "bug-free" or "tested" can ever really protect you. If you are an idiot and go to phishing sites or places that give you spyware or whatever, you deserve what you get.
the reason to use firefox is because it is a BETTER browser. It's hard for me to overstate just how awesome tabbed browsing is, but that feature by itself convinced me. That, and it's 100% free.
what else do you really need?
so the bottom line is, all browsers are unsafe, pick the one that you can use most effectively.
For me, that's firefox.
sometimes, i wonder if i'm the only conservative on teh intarweb. ah well, back to mah hogs and warmongerin'....
If this is so it just leads to the question: Why should people use Firefox now then? Let's wait until 2010 when it will actually be better and stick to IE which is better now.
It's already better than IE now. Both security and user experience are far superior to IE. It's true that there have been several vulnerabilities found in FF recently, but none have been exploited in the wild. IE exploits are plentiful.
Out of curiosity, what makes you claim that IE is better than FF?
*sigh* back to work...
my family does not have to deal with the constant spyware attacks. They really do not care what administrators think. For all they know, I "fixed" IE until I tell them it's not IE. That's all that matters at this point.
Coderz 4 Life
"the facade that Firefox is the cure to the Internet Explorer security blues [...]"
It's not a product specific issue. Diversity is the cure to monoculture security blues. The more mainstream a product becomes, the more malicious users will target it. And if it's the only game in town it might as well have a big bullseye pinned on it.
In all matters of opinion, our adversaries are insane. -Oscar Wilde
I'll give you not one but 19.
http://secunia.com/product/11/
Watch what you ask for, you just might get it.
Clearly he's a spammer or sells bots to spammers!
I will rebut these so called claims of fact
1) Small memory footprint-not after you are required to go hunt down and install those features that make a browser somewhat useful. Even default minimum install it's a ram and cpu hog. It is more bloated than the moz suite browser component (just the browser which you CAN install all by itself), opera or konqueror
2) Excellent stability on Linux and FreeBSD--crashes like a big dog on my linux machine, usually every other day or so, it gets extremely unstable if you have JS turned on or more than a dozen tabs. Moz doesn't crash on me, opera doesn't crash, konq doesn't crash-EVER
3) The way extensions work no matter which version you have. Upgrade a minor or major version, the extensions are still there, all working properly.-just plain untrue, read some forums
4) How themes work no matter which version you have.-themes are way down the list of usability features, ie, who gives a crap what the paint job on your yugo is if the engine is the sux
5) How the Firefox start page doesn't default to any specific commercial search engines, but lets you choose.-why is this important? Oh ya, it isn't, any tard can find any search engine, and having that separate window where what you pasted doesn't go away when you add a new tab is retarded, makes you waste an extra mouse step for no good reason to just search. Using the regular title bar for searching was WAY better, too bad they had to fool with it and make it *worse*
6) How the popups are blocked on sites like SitePoint.com-no, it *doesn't* block all popups, some JS and flash popups get through, unless you install extra extensions, and they make it more unstable and don't work quite as advertised At best they add 50% more blocking, but don't get all of them
Firefox is first and foremost windows software, and as such it will continue to suck, maybe suck marginally less than IE, but no way is it superior to the other three mentioned browsers, out of the 5 it is number 4 (next to the bottom which is IE) in terms of usability, features, resource management and stability. It's just currently popular, like way back when yahoo was popular with the kids, now it's google and FF. It's a fad right now, that's all, and it's not even that good of quality. Pretty poor when the best you can say is that it's better than IE. That's like Mississippi claiming their school system is better than Uganda's. Well, ya, but nothing to brag about.
In fact, I am smelling a big fat stinking rat with the whole MOFO scene, damn if it doesn't look like a certain large company is hiding well in the background someplace (just like with the SCO debacle) sucking down free dev work from the well meaning but naive "community", so they can slide nifty features into their "product" later on, without making it look like that is what they are doing. Helps with that "anti trust" action as well to have some controlled opposition.
I still have hopes that the project will mature. I enjoy the browser immensely. But, yes, I think the truth about browsers is becoming clear to the Mozilla folks: it's constant work! Right now, they need to keep up with the quick updates and focus on better memory management and code quality.
BenCurry.net
I am always interested in comparison pieces, but I've read enough biased Microsoft articles already to know this. Microsoft doesn't disclose all of their defects and vulnerabilities, or even acknowledge that they have found issues, so I would say that is a poor choice of a benchmark. Using this same flawed logic, I could even argue that Firefox has more bugs because more attention has been given to it and more bugs have been found and resolved as a result, therefore making it more secure. I can't hold the same confidence in Microsoft's security because of not only their policy of excessive secrecy (copyrighting bug reports??), but also their long-standing history of critical security issues they have neglected to address such as the security zone issues, which are not actually issues in internet explorer, but from what I understand are issues in Trident, on which IE digs its hooks into. I can give you reasons to use Microsoft IE. NTLM pass thru authentication is one of them, and I've got other technical reasons. Want a non-technical reason? Fear of being audited by Microsoft for using alternative software and having a lot of unlicensed software in use is one of them. I can't, however, tell you that IE is a more secure browser because every ounce of common sense I have tells me otherwise. Like my brother would say, that's just buhtarded.
Except then Firefox will not get developed to as high a level as IE has and will never reach that point. Note that this observer has the same problem as most observers who say, "It's better!" And that problem is that the numbers aren't exactly fairly proportioned. An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed. That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.
Right, I don't really buy this study either. I was just stating that if one says that Firefox is worse now one can't argue that people should switch. Also, sure, if people switch over in masses the development effort will go faster, but this was not really about what was best for Firefox, but what is best for the user now.
There's piles of things wrong with IE, they're just not user-visible all the time and that is a main portion of the problem's gestalt.
This is one that shows up over and over, that IE's basic design is flawed. Which is, as far as I can tell, unfounded. All the external interfaces and architecture seem clean and nice enough, and since I (and I would guess, you) have no way to look at the source I can't say that we have any reason to believe that the IE source is in a bad state.
You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.
This does not say anything meaningful, it is true that if one keeps removing things sooner or later one will have removed all bugs. The point is to have a working browser with as good security as possible.
You can do this in linux. Natively. Just make yourself a different user with no rights to do certain things. Try that in Windows and see if it works for you. As to the, "Microsoft will solve everything in the end" mentality, well, I can't really argue with that.
This one I am actually a bit tired of, but I'll go over what has impressed me with what Microsoft is doing for Vista and IE7:
This is not a process-level permission thing (which would wreck the way the application works, you need to be able to save files, change settings and so on for it to be a sane desktop application). Rather Microsoft is finally getting around to leveraging and extending the rather advanced and fine-grained NT security model for something. The basic idea is that most of the application runs with very restricted permissions and can launch subcomponents like a download or settings panel that have a higher level of permission. This is set on a very fine-grained level. There is no need to have separate components, nor is it all-or-nothing, a component can have access to specific system calls according with specific parameters, they may change only some given parts of the registry and so on.
Now this is not new as such. It is however leveraging well-known and well-implemented security technology to make a desktop application simultaneously relatively locked down but still as usable as it would be running at full permissions in all parts. It is not limited to IE7 either but there are supposed to be new tools and libraries to make it easy to take advantage of for new applications. As I said, Linux will have this real quick if it works out nicely. There are better security models for Linux already implemented and running in specialized distributions, they would no doubt be brought into mainline if they appear useful.
You're looking at it the wrong way. Microsoft is behind and has been so for a very long time. The stuff you want is part of the problem with their occasional 'buy instead of implement' business model.
This I call bullshit, we don't know the actual state of the IE code but I can't say that I see any reason why it should be bad. What Microsoft did do
I agree this article is bogus. Measuring security by counting the number of vulnerabilities is like saying two cars are similar because they both have wheels. Because of M$soft coding integration with their OS their security vulnerabilities affect many more features than the browser. /D
Vulnerabilities are a product of mistakes on the part of the people who write the code. The number of bugs in a piece of code is a function of the experience, skill, and coding/QC practices of the programmer(s) who wrote that code.
There is no relationship between popularity and vulnerabilities in software. Period.
There may be a relationship between popularity and exploits in code (hackers targeting the biggest slice in the pie.) But this wasn't about exploits, it was about vulnerabilities.
More appropriately, there may be a relationship between the popularity of a codebase and the likelihood that any inherent vulnerabilities will be discovered. Whether this is good or bad for the users of the software depends entirely on whether any discovered vulnerabilities are fixed, or allowed to fester so that they can be exploited.
I'm a sys admin for a small network, since I got rid of IE in march 2004, nothing special has happened. Before, with IE everywhere, it was a nightmare for me to keep safe from hackers.
I think that there must be out there paid MS people who make a living bashing Firefox.
Just one?
How bout this one?
A vulnerability has been identified in a Microsoft ActiveX plugin called MCIWNDX.OCX, which possibly allows malicious HTML documents to execute arbitrary code on a vulnerable system.
The problem is that a property called "Filename" isn't properly verified allowing malicious websites or HTML emails to cause a buffer overflow by supplying an overly long string. This could potentially be exploited to execute arbitrary code on the system.
unpatched since: 2003-08-14
Granted, that's only a little more than 2 years...
hey...not important.
But there are oodles more at:
http://secunia.com/product/11/#advisories
God may be on your side, but Lady Luck is MY bitch
Note that only one of those is a 'critical' flaw, and that one is an ActiveX buffer overflow that can be avoided by just not using ActiveX. The rest are spoofing or system information flaws.
as people like me keep setting Opera to report itself as Firefox pushes up the numbers.
-- Tigger warning: This post may contain tiggers! --
Winamp is a bad example - it has suffered from lots of security holes in the past. Just look through the changelog for Winamp 5, and you'll find several.
quidquid latine dictum sit altum videtur.
Do not care much for the browser wars, all I care about is that the browser I use works, and does not expose me to unnecessary risks. I use FF 80% of the time and IE the other 20%. Mostly because of sites that are IE centric.
See, but there is where I would heartily disagree with you. This all of course depends on what you do with your browser, because for me, Internet Explorer is by far the worse browser. I'm talking about Web Technology support, or rather Internet Explorer's lack thereof. This is a much ranted-about topic, so I'll spare you the rant, but IE lacks full support for several key technologies (Including HTML, CSS, SGML, and XML) and of course lacks support for new up and coming technologies (Newer XML, SVG, XForms, XFrames).
Yes, I strongly encourage all IE users to switch. Because other browser makers (Mozilla, Opera, Safari, Konqueror, etc) are improving and adding technologies to their products, while IE stays still. IE 7 won't be a very big jump, either. So my main frustration with Internet Explorer, as a Web Developer, is that the browser is holding back advancement on the web.
Firefox's continual development and implementation of web technologies, along with its incredible extensibility, is why I use Firefox. The added security is rather nice as well, but I expect any majorly used app, especially a browser which bears the brunt of networking, to be the focus of many attempts to be cracked.
And that, my liege, is how we know the Earth to be bannana-shaped.
It's simple, Firefox is open source, so it's much MUCH easier to find and fix holes in the software. Guess what, after a while, most of the holes in Firefox will be fixed, and there will be much less problems with it, than with IE.
This author picked a date range that favored IE on the surface, and then quoted some pretty useless numbers which were skewed toward IE for the casual observer. Better numbers would be how many vulnerabilities REMAIN OPEN and HOW LONG they took to close from report date to fix date... I went to Secunia and pulled the following statistics.
In 2005
-- Firefox had 18 advisories posted. 1 remains unfixed, 1 remains partially fixed, 16 are fixed.
-- IE 6.x had 11 advisories posted. 5 remain unfixed, 1 remains partially fixed, and 5 are fixed.
Looking from 2003-2005
-- Firefox 1.x had 22 advisories posted (1 partial fix and 3 unfixed still)
-- IE 6.x had 69 advisories posted (10 partial fix and 19 unfixed still)
On Criticality of any advisory ever issued
-- Firefox has had 0% extremely, 23% highly and 36% moderate
-- IE has had 14% extremely, 29% highly and 20% moderate
If you want tons more stats and graphs, go to...
http://secunia.com/product/11/ (IE stats @ Secunia)
http://secunia.com/product/4227/ (Firefox stats @ Secunia)
... George Ou, on numerous occasions, infuriates me with his editorials. I am not the Linux zealot that most Slashdot readers are (in fact I'm a .Net developer), but his articles and conclusions offend many educated readers.
He recently published a PGP vs. PKI article (I would link the article, but I am not giving him another web hit) where he was continually debunked by posters and PKI implementers because he stated that PKI was "too difficult". He couldn't grasp the concept that each job requires a different tool and one that fits the requirements best.
He constantly replies back on his blog through the Talkback feature ZDNet has (not that responding to user input is a bad thing) and does so with a level of arrogance that drips off the page. I refuse to even read his columns anymore and refuse to +1 his counters. Many users have already commented - there are too many reporters acting as technical experts disseminating information that is misleading.
Hagrin.com
All too many posters are turning this /. posting into an open source v. m$ thing and thus evangelistically defending Firefox and condemning the original post and the article it refers to. How about considering Firefox in comparison to other open source browsers such as KDE Konqueror or the Mozilla browser. KDE Konqueror seems to be the best of the bunch.
Also many of the replies to the original post have the earmark of the firefox and Mozilla crowd, which is to vehemently attack anyone or any magazine that criticizes Firefox or Mozilla. There are lots of problems with Firefox. And killing the messenger that points out the problems is not going to get the Firefox problems fixed.
Firefox is just another Mozilla browser. It has the same problems that Mozilla has and more. "When the Mozilla project started, it immediately became the number one poster child for Open Source software development. Now its luster is tarnished to the point where closed source advocates point to Mozilla as an example of how Open Source cannot compete one-on-one with proprietary software, in this case with Microsoft's Internet Explorer. Is this true? Or was Mozilla's development process, not the fact that it was Open Source, to blame for its problems?" (Learning from Mozilla's mistakes)
How about (right-click-on-shortcut) 'Run As' or 'Run as different credentials' (shortcut properties | advanced).
Wouldn't those work nicely?
-M
when you see the word 'Linux', drink!
Has the DRM impressed you?
A great sarchasm divides these two posts by users with 5-digit uids.
Information: "I want to be anthropomorphized"
I think you're missing a fundamental point here, at least in my experience. I use Firefox everywhere I can, even at work (run through .cmd script), but sometimes I'm forced to use IE. It's so hard to use IE after using Firefox, I feel like I'm being forced back to the stone age of browsing productivity.
One issue is the Tabs, but there's more than this. The Extensions system is very very nice, especially the Mouse Gestures extension. How many times has someone here used IE after a while of using Firefox and you find yourself right-clicking dragging-up on URLs to open them in tabs and it takes you a few seconds to figure out that this is not Firefox anymore?
I mean I use Betas of Firefox and sometimes not everything works until the Final releases. Yes there's even the usual security patches which is expected, but as long as my Mouse Gestures works then I'm fine. Productivity has increased with Firefox, why would you ever want go back to IE? Even if IE7 has tabs, what about Mouse Gestures and the customization possibilities?
"As you swim the river of life, do the breast stroke. It helps to clear the turds from your path." - George Carlin
You also have to look at how quickly the exploits discovered in Firefox are fixed, as opposed to how long it takes to get the IE exploits fixed.
By the time I read about a FF exploit, I can often download the fixed version. MS sometimes takes months to issue fixes.
It's not about religion, it's about numbers. Thousands of programmers hacking on FF are going to fix things faster than whatever number MS has on the project. Don't forget, that MS actually abandoned development of IE, until Firefox started cutting out slices of market share.
What we really need are several good, secure, standards compliant browsers to choose from, including IE, FireFox, Opera, and others. Competition is a good thing.
-All that is gold does not glitter - Tolkien
www.ra
Is this for real?
What college are you talking about?
What is the origin of such a policy?
*sigh* back to work...
FF has problems, so does any software of any significant size. There's no need to be so defensive!
or even doing a mouse-over on the links... I'm going guess that this is from what... another zdnet blog?
Well, am I correct?
Come on slashdot. Stop getting "news" about Linux/OSS from fucking zdnet.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Remember the age of the code though, how long has IE been around as compared to firefox. I would expect that about 6 years of sniffing through firefox will result in fewer exploits than the amount that's still found in IE
Which to me read as "Firefox may have many exploits now, but in six years it'll be way better than IE". I would consider Firefox the better browser, I just argued about that guys post.
Interestingly I really don't know if I'd pick IE or Firefox first security-wise. A year ago it would have been a no-brainer: Firefox; however Microsoft's security push really has stepped things up a fair bit. We get to know most problems because the update shows up, SP2 really straightened a lot of things out. They also seem to have some nice plans for IE7. Overall Microsoft security has improved greatly.
Still: Firefox has at least as good security and has more compelling features.
... owned by Microsoft and friends.
Meh.
Firefox is definitely losing some momentum. Its growth rate seems to have stagnated, and it is starting to show some of the problems that have plagued other browsers. Namely, firefox is quite unstable with the latest official release (it takes up a lot of memory and slows down if you have multiple tabs open with somewhat sizeable (1MB) images. I think there is something wrong with the way it allocates and frees memory.) There is also some increase in vulnerabilities.
I think the real test will be to see what happens when the new version of Internet Explorer comes out in a few months. Is that going to steal back some of the lost market share or will firefox out-innovate it?
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
ActiveX?
Read my blog.
Moderators need to lay off the acid. Insightful? You added nothing to the discussion. Here, I'll try to explain it so that even you and the tripping moderators will be able to understand: Say you're having a discussion with a group of people about the upsides and downsides of the GPL, and some old man butts in out of the blue and says "I don't care, I use computers and they just work", wouldn't your reaction be ah, whatever dude, now go away? Or would you say wow, now that was insightful?
I have to disagree with you on this. I know a lot of people that have installed Firefox with the help or suggestion from me. When I come back to them months later and see the red arrow in the top right hand corner, I ask them "why haven't you installed your security updates". They always respond with "oh, I didn't know what that was up there so never clicked on it".
So I would say that many FF users are probably still on older versions based on my experience.
But the submitter is right. Though code security is important, the number of users is also a huge factor.
The coding standards and testing procedures of the project/programmers matters also. I just switched from Netscape 7 to Moz 1.7.11 and found an annoying (non-security related) bug in Moz. Looked it up in Moz's bugzilla and found it had been a problem in 1.4, patches submitted, and it was marked "fixed." And yet, 3 versions later I've found exactly the same bug. Whatever testing procedures Mozilla & Firefox are using look pretty weak and if they don't take regression testing more seriously, I predict that they will be hit again and again by the same bugs, some of which will be security issues.
The big advantage of Firefox is that it is not integrated with the OS in the same way that IE is. That alone is a big factor in reducing the number and severity of security bugs.
FreeSpeech.org
"It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits"
No, it goes to show that firefox is a poorly written, buggy mess of crap. The code is terrible, and the developers do not care. Firefox has always had tons of security problems, popularity just makes people exploit them.
Popular software can be secure if it's written properly by people who care about security. Don't try to pretend all software must suck just because mozilla does.
Most of you have noticed by now that we have a severe statistics misuse problem in this article. IIRC, it's been a few years since IE went to version 6.0. At least 3 sub-versions of firefox have been released in the time frame covered by the article's stats. Last time I checked, the number of vulnerabilities found every month goes down after the first few months after release because there are fewer of them left to find. It looks to me like exploits per version would be a much better way to measure these things than any time-based bias they can come up with. Every new upgrade that adds functionality is going to come with a few exploits. Perhaps we should be using exploits/feature? Either way, security cannot be measured over time. That just doesn't make sense.
Check out this site. http://www.detroitarchive.com/ He proclaims to be a web designer and a budding programmer, but he fails to see the faults that lie within IE from a web/design/programming standpoint. If he doesn't understand and spreads this FUD then others will believe what he says since he says himself that he's a tech/web/designer guy. Perhaps the immediate goal is to not make users aware of Firefox, but users like this web admin.
Yes, Apache is everywhere, exploit-free. So are lots and lots of other binaries. It's only when you compare Apache to IIS 4/5 that it's really such a perfect example.
No it's not. Compare Apache to IIS 6/5. That's a more equal comparison. IIS 6 has a stellar security record and it's been available for 2 years now. IIS 5 has also gotten a lot of the bugs worked out.
I'm a knowledgeable user as well and I've never (knock on wood) been hit by an IE flaw. In the end, it's not about the user, it's about the software. If Firefox is to be the alternative, then it better be better than what's currently out there.
Don't compare legacy IIS to Apache, let's compare apples to apples. IIS6 to Apache 2.x.
The Secunia database currently contains 0 Secunia advisories marked as "Unpatched", which affects Microsoft Internet Information Services (IIS) 6.
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database.
Currently, 0 out of 2 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Now for Apache 2.X
Apache 2.0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database.
Currently, 2 out of 27 Secunia advisories, is marked as "Unpatched" in the Secunia database.
IIS6 advisories = 2
Apache 2.x advisories = 27
And I predict IIS7 will do just as well...
IIS6 Wins!
I don't really believe in this, but arguing like that is arguing against Firefox.
Unbelievable! Surely nobody can argue against FF... Somebody delete that post immediately!
What I find most fascinating is that no one seems willing to recognize that the more users you have, the greater the interest in hacking becomes.
You do realize that this exact point is made in reference to every single Slashdot article discussing IE/Firefox, Windows/Linux, Windows/OSX, Windows/Unix, Windows/OS2, (...), right?
EVERYONE with a brain recognizes this. However, it's not by far the determining factor in computer security. Apache proves it. Oracle proves it. The utter lack of any major worm attacking a non-Microsoft product since Morris proves it.
Believe it or not, there have been, and still are, many areas where Microsoft is not the dominant player, and since the Internet got big to boot. The reason most people *ignore* user base is that it's pretty much irrelevant once you get over a handful of users.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
But the parent poster only asked for one... and he didn't even specify it had to be critical.
SFAIK a lot of IE's vulnerabilities came from scripting and plugin issues, the problem with Firefox is that its scripting doesn't have any form of security so a bug in a plugin/extension becomes a bug in Firefox.
I don't even want to think about how they came to design a scripting interface without any security... all they had to do was look at Java as an example of fairly good sandboxed security and copy the model.
thank God the internet isn't a human right.
The college of total bullshit, and the origin is out of his ass.
This poo is cold.
This might of course to some part be because I consider the W3C to push through way too many way too complex standards at a way too high rate. How did we arrive at SVG really? A 750 page specification to manage to make vector drawings?
To some part I thought sanity would increase as Javascript became a deeply integrated web-standard, making a vector image format as simply a javascript instance with some nice drawing primitives (basically adopting the postscript model) would have been so much simpler that it isn't even funny. I guess it would have missed the big XML paradigm, but who is actually going to transform an SVG image with XSLT or whatever while serving pages?
But but, getting off-topic; you are in principle right, but it is not an end-user consideration.
You patch it just like any other software... And with firefox I just make an MSI and it rolls out to all my workstations.. easy as cake!
The numbers shown actually indicate that firefox has superior security development work done.
Both browsers have exploits of course, the Mozilla team is actually finding and eliminating more of theirs.
Giving the number of bugs found is one of the favorite sources of fud for proprietary vendor supporters wanting to claim to be as secure as open source. Open source development models find and eliminate a far greater number of vulnerabilities and ADMIT to all of them. That hardly makes them less secure.
At work, I use IE for internal network browsing as our applications demand it. External I use FireFox and Opera to avoid the pop ups and reduce my security risks.
Sure. I do prefer Firefox myself for similar reasons. The security sell has been the "big thing" for the casual user though.
Has someone restated Godwin's law with DRM instead of nazis? If not I would like to call it "Jiushao's law" please.
Has there actually been a malware installing vulnerability that had something to do with "integration"?
Until we find a way to write perfect code, it would be smart to mitigate risk by providing binaries with stack smashing protection on by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=2721
They've already had at least one old security issue revived by regressions. How the hell they manage to make a piece of code unsafe after it's been patched specifically for that, I don't know... Perhaps they just bandaided it without comment and someone ripped it off in the process of "improving" it...
I'm sorry, but that example does not count. The parent asked for an example of a flaw that has been unpatched for 6-8 months. This flaw has been unpatched for over 24 months. This is clearly outside the query specifications.
We do commend you for your efforts in identifying flaws in the software.
This analogy is flawed. In this case your Old Man did not claim he "doesn't care" because "computers just work". He said that users of his who are delivered an F/OSS solution consistently prefer that solution over a non F/OSS solution. Granted some sense of scale and credibility would be interesting here, but it is important to remember the vast majority of users will choose the solution that most conveniently meets their needs, regardless of ideology.
While not insightful, the PP was informative (underrated at the very least).
Dammit, why did you post anonymously???
More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.
exactly. and really, at the end of the day it's not just the number of exploits, is it? maybe firefox has 44 exploits, all of which are easily implemented by a supreme deity who speaks assembler like a native speaker, and which, once done, make the browser a little slower or the graphics render funny.
whereas there may be only 6 exploits for IE, but my dog can (and does) routinely use them, and every single one of them roots the box the browser's running on.
this is clearly exaggerated a bit, but the simple *number* of exploits isn't too relevant
While I mostly agree with your post, I have something to add. The stats that are really useful should show the relation between the usage of a browser and negative consequences.
You know, conditional probabilities.
Like this: P (owned | $browser) = P ("you use $browser" && "you get owned") / P ("you use $browser")
Seriously, how many times did you or your friends get burned with Firefox exploits? Most of them seem to be either proofs-of-concept or DoSes.
WYSIWIG, but what you see might not be what you need
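Several posts above propose measurements that raw vulnerability counts do not capture: how many advisories remain open and how long they took to close (the Secunia comparison), advisories normalised per version, and the conditional probability P(owned | $browser). The following Python is added here as an illustration; it is not code from any poster, from Secunia or from the browser projects. The browser names "alpha" and "beta", the advisory dates and the incident records are all constructed sample data, and the functions and constants are hypothetical names chosen for this example.

```python
"""Vulnerability metrics beyond raw counts: open fraction, time-to-fix,
per-version rate, severity mix and P(owned | browser) over constructed data."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str
    version: str
    severity: str          # "extremely", "highly", "moderate" or "less" critical
    reported: date
    fixed: Optional[date]  # None means the advisory is still unpatched


# Constructed sample advisories (hypothetical browsers "alpha" and "beta"); not Secunia data.
ADVISORIES: List[Advisory] = [
    Advisory("alpha", "1.0", "highly",    date(2005, 3, 1),  date(2005, 3, 10)),
    Advisory("alpha", "1.0", "moderate",  date(2005, 4, 5),  date(2005, 4, 12)),
    Advisory("alpha", "1.1", "less",      date(2005, 6, 1),  None),
    Advisory("alpha", "1.1", "highly",    date(2005, 7, 15), date(2005, 7, 20)),
    Advisory("alpha", "1.2", "moderate",  date(2005, 9, 1),  date(2005, 9, 4)),
    Advisory("beta",  "6.0", "extremely", date(2005, 2, 8),  date(2005, 2, 8)),
    Advisory("beta",  "6.0", "highly",    date(2005, 4, 12), date(2005, 6, 14)),
    Advisory("beta",  "6.0", "moderate",  date(2003, 8, 14), None),
    Advisory("beta",  "6.0", "less",      date(2005, 5, 10), None),
]

# Constructed "today" used when measuring how long open advisories have been exposed.
AS_OF = date(2005, 10, 1)


def for_product(advisories: List[Advisory], product: str) -> List[Advisory]:
    return [a for a in advisories if a.product == product]


def unpatched_count(advisories: List[Advisory], product: str) -> Tuple[int, int]:
    """(unpatched, total): the 'how many REMAIN OPEN' figure for one product."""
    mine = for_product(advisories, product)
    return sum(1 for a in mine if a.fixed is None), len(mine)


def median_days_to_fix(advisories: List[Advisory], product: str) -> Optional[float]:
    """Median report-to-fix latency in days, over advisories that were actually fixed."""
    days = [(a.fixed - a.reported).days
            for a in for_product(advisories, product) if a.fixed is not None]
    return median(days) if days else None


def oldest_unpatched_age(advisories: List[Advisory], product: str, today: date) -> int:
    """Days the longest-open unpatched advisory has been exposed (0 if none is open)."""
    ages = [(today - a.reported).days
            for a in for_product(advisories, product) if a.fixed is None]
    return max(ages, default=0)


def advisories_per_version(advisories: List[Advisory], product: str) -> Dict[str, int]:
    """Counts per released version, the normalisation one post argues for."""
    counts: Dict[str, int] = {}
    for a in for_product(advisories, product):
        counts[a.version] = counts.get(a.version, 0) + 1
    return counts


def severity_profile(advisories: List[Advisory], product: str) -> Dict[str, float]:
    """Fraction of a product's advisories at each severity, like the Secunia percentages."""
    mine = for_product(advisories, product)
    tally: Dict[str, int] = {}
    for a in mine:
        tally[a.severity] = tally.get(a.severity, 0) + 1
    return {sev: n / len(mine) for sev, n in tally.items()}


# Constructed incident records: (browser in use, whether the machine was compromised).
INCIDENTS: List[Tuple[str, bool]] = (
    [("alpha", False)] * 9 + [("alpha", True)] + [("beta", False)] * 3 + [("beta", True)] * 2
)


def p_owned_given_browser(records: List[Tuple[str, bool]], browser: str) -> float:
    """P(owned | browser) = P(browser and owned) / P(browser), as written in the post."""
    total = len(records)
    joint = sum(1 for b, owned in records if b == browser and owned) / total
    marginal = sum(1 for b, _ in records if b == browser) / total
    return joint / marginal if marginal else 0.0


if __name__ == "__main__":
    for product in ("alpha", "beta"):
        print(product, unpatched_count(ADVISORIES, product),
              median_days_to_fix(ADVISORIES, product),
              oldest_unpatched_age(ADVISORIES, product, AS_OF),
              advisories_per_version(ADVISORIES, product),
              p_owned_given_browser(INCIDENTS, product))
```

On the constructed data "alpha" has more advisories in total than "beta" (5 versus 4), which is the only number the article's method would report, yet it has fewer left open, a shorter median time-to-fix, a far shorter maximum exposure window and a lower compromise rate among its users. That is exactly the kind of inversion the posts above warn about when a single count stands in for security.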
Your analogy is crap. Yes, it's exactly right that guns kill people. And spoons do make R'O'D fat. However the good uses of spoons clearly outweigh the bad uses, while guns only have bad uses.
(founded 95,000,000 yrs ago, very space opera)
Only ten?? Guess it depends on where Internet Explorer ends and where the "operating system" begins. Many of the worst bugs haven't "officially" been MSIE bugs, but the result is that a malicious web page can take control of your system or do other things you'd never imagine it ought to be able to.
I did a quick search of the microsoft bulletins and found 13. And these aren't even exactly the same ones Secunia lists (two of which they say Microsoft hasn't even fixed).
And why from March? Look at what an ugly month February was for MSIE.
MS05-038 (Aug 17)
  JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988
  Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989
  COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990
MS05-037 (Jul 12)
  JView Profiler Vulnerability - CAN-2005-2087
MS05-032 (Jun 14)
  Microsoft Agent Vulnerability - CAN-2005-1214
MS05-028 (Jun 14)
  Web Client Vulnerability - CAN-2005-1207
MS05-026 (Jun 14)
  HTML Help Vulnerability - CAN-2005-1208
MS05-025 (Jun 14)
  PNG Image Rendering Memory Corruption Vulnerability - CAN-2005-1211
  XML Redirect Information Disclosure Vulnerability - CAN-2002-0648
MS05-024 (May 10)
  Web View Script Injection Vulnerability - CAN-2005-1191
MS05-020 (Apr 12)
  DHTML Object Memory Corruption Vulnerability - CAN-2005-0553
  URL Parsing Memory Corruption Vulnerability - CAN-2005-0554
  Content Advisor Memory Corruption Vulnerability - CAN-2005-0555
MS05-015 (Feb 8)
  Hyperlink Object Library Vulnerability - CAN-2005-0057
MS05-014 (Feb 8)
  Drag-and-Drop Vulnerability - CAN-2005-0053
  URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054
  DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055
  Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056
MS05-013 (Feb 8)
  DHTML Editing Component ActiveX Control Cross Domain Vulnerability - CAN-2004-1319
MS05-009 (Feb 8)
  (PNG buffer overflow, may not affect IE, remote code execution in MSN, WMP, etc.)
MS05-008 (Feb 8)
  Drag-and-Drop Vulnerability - CAN-2005-0053 (yes, exploitable via web page)
MS05-006 (Feb 8)
  Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049
They need to automate the updates without user input, à la AVG antivirus.
http://secunia.com/product/4227/
"Less critical". There are 18 though.
I don't need to rely on the argument that Firefox is more secure or has more features than Microsoft Internet Explorer. I prefer the argument that cannot be trumped by getting lost in a horse race of technical features; George Ou's arguments aren't his alone and I'm sure that similar arguments will be made as time goes on.
Instead, I choose to acknowledge that Firefox lets me keep my software freedom and Microsoft Internet Explorer does not. Software freedom means that I can inspect, fix, and share the program (or improved versions of the program) instead of relying on a proprietor to do that for me. This matters for non-programmers despite their inability to directly leverage the freedom to modify the program, because they distribute copies of the program, and they can get programmers to do the work that they cannot do themselves. Collectively, this means we all benefit from an improved browser and treating each other in an ethically justifiable way. Proprietary software, by comparison, keeps users helpless and divided. The Mozilla Foundation should have been using these past years to educate users about the power and social importance of treating users right by valuing freedom for its own sake as well as leveraging the practical benefits of freedom.
You can't simply look at the numbers. Imagine 2 vulnerabilities:
Browser A has a vulnerability that opens access for a virus or spyware to enter your computer and get all your information while selling your children into slavery.
Browser B has a vulnerability that hides the true URL you're looking at, but makes it look funky as hell.
Browser A gets an update 6 months down the road that fixes this problem.
Browser B is fixed by an immediate change to the configuration, and an updated version is issued disabling that featureset. Then, shortly after, another new version is available, with that featureset back on.
These are hypothetical; IE doesn't really sell your children into slavery. =) And I doubt my FF history is correct. But what's worse? A problem where your car explodes when driving down the "wrong street" or your seatbelt being a little sticky? Both count as 1 problem, and thus looking at numbers becomes flawed.
Firefox finds the problems and tries to fix them asap, with 1.5 it has automatic updates and binary patching, hell yeah. IE has delayed some problems until IE7, period. FF is actively finding and fixing probs, IE fixes major ones and pushes others to the back of the line.
And that UI guy was right, security doesn't interest non-programmers really. It's something to consider, especially in business/corporate environments, but "by the numbers" is really just asking to get yourself screwed.
The other day I was going through some old boxes and found an article from a 1996 tech magazine titled "Internet Explorer 3 Debuts with Holes". It was meant to be an article about the new IE 3, but pretty much all they could do/say was elaborate on four or five critical security flaws in the brand new IE 3, and explain to users how to try to protect themselves against the exploits.
In hindsight this was clearly a major harbinger of things to come, but for some bizarre reason the entire industry just looked the other way and adopted IE on a massive scale, perhaps blindly trusting that MS would fix the problems real soon.
It's shocking that we've been putting up with this security hell from Microsoft now for almost TEN YEARS and yet STILL the industry keeps on with IE, and it's STILL nowhere near secure. Exactly how long does this have to continue before people wake up, realise it's not getting better, and ditch this rubbish? Twenty years? Forty years? 100 years?
But no, industry will stick with IE indefinitely, because our memories are incredibly short and all it takes is a few feel-good press releases from Microsoft and everyone's crowing about how wonderful the security of Vista/IE7 are going to be. Again we're blindly trusting that they'll fix things "real soon now". But with the release of Vista slated for 2006, that'll make it ten years of non-stop awful security. Praising MS for starting to deal with security only now is a bit like praising a thief for starting to steal from you less, or praising an abusive husband for starting to beat his wife less. This is just not the sort of software company that is good for the industry/economy etc.
Wake me up when Firefox has also had ten years to sort out their security problems and we'll compare then; I know which one my money's on.
It's quite hypocritical, that people criticise Firefox so heavily for having a few security flaws so far, but well, the hundreds of security flaws in IE, with more being discovered still every month, that's just normal. Don't people see the irony in their behaviour when they say "ha look FF also has flaws, I'm going to keep using IE"?
As for IE7, I haven't seen any features promised that Firefox doesn't already have. And I think Firefox is still more standards-compliant, which is a pretty big deal to me. Also, Microsoft's general attitude toward their web services has been contrary to the spirit of common standards with multiple implementations, and has almost always been some kind of maneuver to force a lock-in. They thought they had that with IE 4.0, which explains why they didn't really take the browser any further until maybe now.
This presents a kind of moral argument for using Firefox over IE. It sounds ridiculous on the surface, and it would be in any kind of sane universe. But we have Microsoft.
Uhmm... wait... that was wrong
Right, I don't really buy this study either. I was just stating that if one says that Firefox is worse now one can't argue that people should switch. Also, sure, if people switch over in masses the development effort will go faster, but this was not really about what was best for Firefox, but what is best for the user now.
Best for the user right now is probably Opera - no one is willing to pay for a browser so there aren't really that many people willing to mess around with writing viruses and crap for it. As to whether Firefox or IE is better, well... Hard to say. I'd have to sift through exactly what the holes found in Firefox were, but last time I read up in any detail on the security holes found in an Open Source project, I was pleasantly surprised to find that they were all holes in tertiary stuff... Linux server software (and this is not necessarily true of Firefox, I'm really going way out on a limb here, and it will take backup from someone who keeps completely on top of this to really help me out... hint hint...) has bugs and problems and security patches, yes, but they're for a minor exploit that crashes or allows someone in through highly obscure software. Microsoft, since it's all one big piece, ends up handing you the keys to the castle. Therefore, one Microsoft bug can be seen as an unequivocal disaster and twenty Linux bugs can be seen as a biteme.
This is one that shows up over and over, that IE's basic design is flawed. Which is, as far as I can tell, unfounded. All the external interfaces and architecture seems clean and nice enough, and since I (and I would guess; you) have no way to look at the source I can't say that we have any reason to believe that the IE source is in a bad state.
This is where I do have proof. All those security patches for IE? Yeah, design flaw. It's not an arms race to fight off the hackers at the gate because you wrote effective, stable software. It's an arms race to fight off the hackers at the gate because you wanted to lock Netscape and friends out of the browser industry by making ActiveX mildly attractive and highly proprietary / dangerous to work in due to its features which were promised but under-tested. Or badly designed. Take your pick.
This is not a process-level permission thing (which would wreck the way the application works; you need to be able to save files, change settings and so on for it to be a sane desktop application). Rather, Microsoft is finally getting around to leveraging and extending the rather advanced and fine-grained NT security model for something. The basic idea is that most of the application runs with very restricted permissions and can launch subcomponents like a download or settings panel that have a higher level of permission. This is set on a very fine-grained level. There is no need to have separate components, nor is it all-or-nothing: a component can have access to specific system calls according to specific parameters, they may change only some given parts of the registry and so on.
You mean like Unix? What an innovation!
This I call bullshit,
Microsoft has been behind in security design for over a decade. I was working in Unix, which is capable of doing the things you're calling revolutionary, when I was in junior high a full uhm.... Longer than I want to think about... ago. Everything is a file and files have - while not a perfect permissions system - at least something which is designed for multi-user and therefore easily modifiable to multi-permission. Call BS all you want, but M$ has a lot of spaghetti code in your computer....
I'm trying not to be biased here, but I obviously am very much so.
Man, that's truly funny. I'm configuring that on my grandparents' and clueless friends' machines. Perhaps we can start you a trend!
;)
rofl
thanks for the laugh.
If you mean through IE integration with Windows, Nimda is definitely one. You could get it through a network share, uploaded into IIS, or downloaded through IE. It took us almost two weeks at one company to clean it up (would have been about five days, but upper management got involved). We eventually traced it back to a user in one of our Asian offices visiting the webpage of a newspaper in the Philippines. Within twelve hours, several hundred systems had been infected, primarily through shares but some through internal websites. Ugly mess.
What is it with people continuing to compare number of exploit fixes per month and whatnot to determine how secure something is? Surely we know by now that it's not a good idea. Didn't we just have an article a few days ago explaining the top 10 worst security practices? Anyway, this could mean that using firefox will net you lots of spyware or make it easier for someone to hack you. Or it could mean that the people working on firefox are better at finding and patching security holes (either because firefox has more of them or because it's coded better). In one article, we complain about bosses always being persuaded by hype, and in the next we overreact to the same hype. What hype-ocrisy.
... when someone was proven wrong, they were often shot.
None of this nancy "big man behind keyboard" syndrome with one-way arguments (sorry discussions) of one persons opinion where no one could directly argue their point and they would look like heros because of it (god bless read-only).
Ahh the days of non-rebuttals, and six shooters on your belt.
A great sarchasm divides these two posts by users with 5-digit uids.
What's a 5 digit uid have to do with anything? Is a low digit uid becoming fashionable? If so, I want in!
Can I get an eye poke?
The risk is what matters. Firefox still has a much better reputation than IE in that there have been no worldwide meltdowns due to Firefox, but there have been several due to IE. Arguably this is because the security advisories related to Firefox have been:
Comparing the total count of advisories is naive. You have to assess the threat, the impact and the likelihood. The total number of advisories says nothing substantial about any of those 3 assessments. It's like comparing two cakes by counting the number of ingredients but not bothering to taste them.
Firefox sucks. Why? Bugs threatening the internet infrastructure lie there unfixed for a year. Most sites look ugly in it. Many important sites don't work properly with it. It takes an hour to launch it. I don't have to continue, you get the idea.
Firefox has source code available. IE doesn't. Therefore more exploits will be found in Firefox and fixed because you can find them from the source and not just reverse-engineering.
IE has just as many flaws (or more), they are just not being identified. Just because they are not public does not mean there is not anyone out there who knows how to exploit them. One of the main drivers in Open Source is that anyone can find and fix flaws.
Is OpenBSD less secure because their continual code audit turns up security defects? Most people would argue that this makes it _more_ secure. Likewise any well-written open platform.
Duh.
This means there are other application aside from those of Microsoft that have exploits!?
Nooo!
Let's say we have two products, both with a dozen (12) security holes. In six months, one releases patches for 6 of the 12 problems and the other releases patches for 11 of the 12 problems. Which is the more secure product, the one with 6 problems still left unaddressed or the one with 1 problem still left unaddressed?
Where are you getting the number 6 for exploits of IE? What is the true number of exploits available for each browser? How many of those 6 IE exploits include the ones that Microsoft has not announced and has left wide open. For all the upcoming advisories from eEye Digital Security, not a single one is currently for Firefox. So, I don't care which one had to be patched more in the past. I do care about which one should have been patched over 100 days ago and wasn't!
ActiveX is not a big part of the bugs or of a poor design. It is just a misfeature. Microsoft could overnight throw out ActiveX and be in the same position as Firefox when it comes to those controls; as such it is not a fundamental design flaw. On the other side of the coin: ActiveX is a bad idea in practice. It is not due to Microsoft bugs or flawed design, it is just a fundamentally flawed idea since application developers deploy stupid things and users do stupid things. Microsoft has made moves to improve the situation; demoting the ActiveX confirmation dialog to be a right-click option on the "popup" bar in SP2 was a move in the right direction, for instance.
You mean like Unix? What an innovation!
Microsoft has been behind in security design for over a decade. I was working in Unix, which is capable of doing the things you're calling revolutionary, when I was in junior high a full uhm.... Longer than I want to think about... ago. Everything is a file and files have - while not a perfect permissions system - at least something which is designed for multi-user and therefore easily modifiable to multi-permission. Call BS all you want, but M$ has a lot of spaghetti code in your computer....
Sure it is something. But it is not used well in desktop applications (applications can all write to your home directory with your session startup scripts and so wreck your data or whatever else they please). One could run them as dummy users that can't write to your home directory, but that'd make for an extremely confusing and inconvenient application. One could with some care and a whole lot of dummy users and setuid scripts copying things about in intelligent ways create the same kind of security model that Microsoft are doing for IE7. Problem is that it isn't a very good design and, more importantly, no one appears to be doing it.
Even if possible it does not help if no one does it, and even if it gets done it will not be as nice as Microsoft's framework that utilizes the much better security model provided by NT. Now, as I said, if it works out for Microsoft there will no doubt be some movement to get something going on Linux as well, but credit where credit is due. Microsoft is doing something interesting here.
How many of these 11 exploits are only /exploitable/ on Windows?
That's a truer representation of security.
Mozilla usually patch flaws fairly quickly - there are flaws in IE that have been known for *years* before they were patched, if at all.
Best for the user right now is probably Opera - no one is willing to pay for a browser so there aren't really that many people willing to mess around with writing viruses and crap for it.
Opera is free as in beer, btw. And it's exactly the same browser as if you pay for it, unless you count the tiny Google ad bar at the top.
You only need to pay if you want the banner gone and get official support from the company.
Nicolas Mendoza
Prepare for MSIE 7
I think 5-digit uids are way cool.
René Seindal
I agree. I have IE disabled and several other "features" of Windows as well as a finely tuned firewall which controls traffic in, out, and between the machines of my network. The end result of this is that although we have virus protection which is up to date etc., I get maybe one or two alerts a day that anything is even trying to come in for 20+ users, and that is usually a blocked email. Firefox bugs seem to be the sort that can only be exploited in a supremely limited scenario, whereas IE bugs tend to trash your system if they get hit. Little difference? I think so. What I wonder is why no one publishes Opera bugs. Are they that good or just not enough market share?
If FF/IE was 50/50, would we have the same confidence?
Just a thought,
Sure it is something. But it is not used well in desktop applications (applications can all write to your home directory with your session startup scripts and so wreck your data or whatever else they please). One could run them as dummy users that can't write to your home directory, but that'd make for an extremely confusing and inconvenient application. One could with some care and a whole lot of dummy users and setuid scripts copying things about in intelligent ways create the same kind of security model that Microsoft are doing for IE7. Problem is that it isn't a very good design and, more importantly, no one appears to be doing it.
Even if possible it does not help if no one does it, and even if it gets done it will not be as nice as Microsoft's framework that utilizes the much better security model provided by NT. Now, as I said, if it works out for Microsoft there will no doubt be some movement to get something going on Linux as well, but credit where credit is due. Microsoft is doing something interesting here.
Implementation is something I'm worried about, but on the whole you're probably both right and working in an area beyond my level of expertise with the newer MSFT software. That's not to say I believe / like your opinion wholly - I don't WANT the revolution in security to come from someone involved in encrypting my computer's data.... But I can definitely see your point.
I'm not downloading IE7 unless people start writing stuff that only works on IE7. I hope THAT doesn't happen quite desperately, but I am also probably doomed to grumbling about it. M$'s grand new plans of interaction capabilities developed right out of the box are going to be really really useful for certain kinds of applications and I wish it were as easy to do with Apache, MySQL, PHP and Javascript.... *sigh*
LitePC
Am I the winner?!
I have a 0 digit id number, I win!
I suggest you visit the bugs/holes database to see how old some of those potential security exploits are. Some are measured in years.
I like Firefox...look at my sig...but I don't give them that much credit.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
Mozilla has marked flaws as "Confidential" for them to sit unfixed for over a year.
I installed Firefox myself. Until I read your post, -I- didn't know about said red arrow. Of course, I periodically update it anyway, so it's not a big deal, and since I don't see what you're talking about, I assume I'm up-to-date enough, but....
Anyway, I sort-of like the "There is an update available. Would you like to install it?" dialog on launch that a lot of apps do. Just so long as it isn't broken like the one in Adobe Acrobat Reader. Running 1.5.0 and it says "A new version 1.50 is available," which turns out to be the same version.... (That's probably not the right version number, but you get the idea.)
My experience has been the same - my mom works for a small public library, and they had no end of problems on their public internet terminal. Once I had them start logging in as a restricted user, (Win2k) and removed all traces of IE from that desktop, they have had 0 problems with browser hijacking, search plugins, and spyware.
And not to be an ass, but isn't FF's code open? Of COURSE you will find more bugs, because more people can look at it. # of bugs found for IE has no real correlation to # bugs that EXIST for IE.
If bringing up security concerns over a product "raises the ire of /.'ers," perhaps those Slashdotters should consider removing their blinders and looking at things objectively. Thank goodness they had your warning to disregard it because it challenges their worldview!
Then again, I've never understood the obsession over Firefox. It has security flaws too, and its browsing features are taken from the much faster and smaller Opera.
This is one that shows up over and over, that IE's basic design is flawed. Which is, as far as I can tell, unfounded. All the external interfaces and architecture seems clean and nice enough, and since I (and I would guess; you) have no way to look at the source I can't say that we have any reason to believe that the IE source is in a bad state.
Sorry, but if you have any brain at all, or mind you if you do any web design or development, it is more than obvious the problems that exist in the design, implementation, architecture, and source of this application.
IE is a pile of shit that relies on external plugins to perform even basic functions like loading a JPG or loading a PNG with real opacity. Even better still is the fact that it indexes every site you visit, every file you access, and stores them in separate locations, making even the smallest security exploit a big deal. IE is by no means even close to a browser that adheres to a standard of web-based languages, nor is it even close to a standard in internet development. Even sanity-checked code does not function the same in IE as it does in many, many other browsers.
This one I am actually a bit tired of, but I'll go over what has impressed me with what Microsoft is doing for Vista and IE7:
This is not a process-level permission thing (which would wreck the way the application works; you need to be able to save files, change settings and so on for it to be a sane desktop application). Rather, Microsoft is finally getting around to leveraging and extending the rather advanced and fine-grained NT security model for something. The basic idea is that most of the application runs with very restricted permissions and can launch subcomponents like a download or settings panel that have a higher level of permission. This is set on a very fine-grained level. There is no need to have separate components, nor is it all-or-nothing: a component can have access to specific system calls according to specific parameters, they may change only some given parts of the registry and so on.
Now this is not new as such. It is however leveraging well-known and well-implemented security technology to make a desktop application simultaneously relatively locked down but still as usable as it would be running at full permissions in all parts. It is not limited to IE7 either, but there are supposed to be new tools and libraries to make it easy to take advantage of for new applications. As I said, Linux will have this real quick if it works out nicely. There are better security models for Linux already implemented and running in specialized distributions; they would no doubt be brought into mainline if they appear useful.
This is fundamentally flawed, period. You claim to see and understand but you have a plank stuck in your eye. You simply don't. The fact is that every OEM release on desktops makes the primary user an administrator, plain and simple. Any security exploit that is even small can open up a window of opportunity to destroy the entire working file system as well as expose every piece of information on your system. There is nothing fine-grained about this, and unless you are in a commercial environment with a real administrator you will never see a day when the average home user is not a fully privileged administrator, sorry, it just won't happen.
There is a fundamental difference between the way most Linux systems and Windows systems handle user management. In the here and now most Linux systems disable passwords entirely on local-only root accounts, which means you have to be authenticated via a local protected core application. The normal user is one that contains only the right to use protected core applications and read his/her own data in their folder. This is not at all like Windows, where you have instant administrative rights. If an exploit is found on a Windows system with IE it affects the system security in its entire state; this is not at all the case with most common Linux installations and configurations t
Something that is not true though is that I have a deep enough understanding of the actual workings of IE7. What I "know" I have picked together from the IE team blog and some MSDN papers. There is a very real risk that they might end up implementing something significantly worse than this. Even if they end up botching it I do however believe that functionality to allow properly working desktop applications to run different parts of their functionality in differently restricted ways will show up in Linux and friends sooner or later. It is just too good an idea to leave behind.
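The comments above describe a privilege-separated browser: a rendering worker that runs with almost no rights and a broker that performs file and registry operations on its behalf, granting only what a fine-grained policy allows. The following is an added example, not code from the thread, from Mozilla or from Microsoft: a toy broker policy check in Python. The profile and download paths, the registry key names and the policy itself are assumptions chosen for illustration; the point it demonstrates is that the broker must canonicalize paths before the prefix check, or a traversal request walks straight out of the allowed directory.

```python
# Added example (not the thread's, Mozilla's or Microsoft's code): a toy
# broker/worker policy. The sandboxed worker may only reach disk and registry
# through broker_check(); every path, key name and rule below is an assumption.
import posixpath

PROFILE = "/home/user/.mozilla/profile"      # assumed profile location
DOWNLOADS = "/home/user/Downloads"           # assumed download location

# Allow list: operation -> roots the worker may touch. Writes are limited to
# the download directory; a settings change would go through a separately
# elevated component, so the worker gets no registry writes at all.
POLICY = {
    "read": (PROFILE, DOWNLOADS),
    "write": (DOWNLOADS,),
    "registry_read": ("HKCU\\Software\\ExampleBrowser\\",),
    "registry_write": (),
}


def canonical(path):
    """Collapse '.' and '..' so a prefix check cannot be walked out of."""
    return posixpath.normpath(path)


def under_root(path, root):
    """True if `path` is `root` itself or lies below it ('Downloads2' must not match)."""
    path, root = canonical(path), canonical(root)
    return path == root or path.startswith(root + "/")


def broker_check(op, target, policy=POLICY):
    """Would the broker carry out `op` on `target` for the worker?"""
    roots = policy.get(op, ())          # unknown operations get an empty allow list
    if op.startswith("registry_"):
        # Registry keys are case-insensitive and have no '..' traversal.
        return any(target.upper().startswith(r.upper()) for r in roots)
    return any(under_root(target, r) for r in roots)


def worker_session(requests, policy=POLICY):
    """Run a batch of worker requests through the broker; return (granted, denied)."""
    granted, denied = [], []
    for op, target in requests:
        (granted if broker_check(op, target, policy) else denied).append((op, target))
    return granted, denied


if __name__ == "__main__":
    # Constructed request batch: what a hostile page might make the worker try.
    batch = [
        ("write", DOWNLOADS + "/setup.exe"),
        ("write", DOWNLOADS + "/../.mozilla/profile/prefs.js"),   # traversal attempt
        ("read", PROFILE + "/cookies.txt"),
        ("write", PROFILE + "/prefs.js"),
        ("registry_read", "HKCU\\Software\\ExampleBrowser\\Homepage"),
        ("registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"),
    ]
    ok, no = worker_session(batch)
    print("granted:", ok)
    print("denied:", no)
```

The policy check is only half of the design. It is worth nothing unless the worker genuinely cannot reach the file system or registry except through the broker, which is what the restricted-token and integrity-level machinery on NT (or a separate uid plus a syscall filter elsewhere) has to provide; the allow list decides what the broker does, the OS decides that the worker has no other route.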
Reminds me of the guy who worked in the pickle factory and just couldn't resist the urge to stick his dick in the pickle slicer.
So one day, he did it.
Turns out, he got fired. So did the pickle slicer.
That, Sir, seems to exude the height of arrogance and self-importance while invoking Godwin's Law at the same time.
Very clever ploy at humour. You were joking, right?
Microsoft has the attitude of them against the world. They will conquer spam, hackers, or any flaws in the system. Founded in a belief that because they created Windows and hold the code, it is their right to take on any malicious code themselves. The problem is that with such a god-complex stance they end up challenging every hacker to show them how they are so wrong. The introduction of SP2 was the solution? One flimsy firewall was all that was needed to keep the 'bad men' at bay? Mozilla Firefox developers' attitude is that security is important and that it is a real pain in the ass for almost everyone involved. Firefox is an alternative to IE not as a solution to the problem, but because they offer tools to deal with the problem. Switching to Firefox and doing nothing is not a solution to anything. Firefox offers meaningful tools to address security problems, but users still have to implement them. If one user is a paranoid freak that wants no porn, no spam, no interaction with the web, he can structure Firefox to be so prohibitive through the many extensions that he can feel all safe in spite of not getting a very interactive web experience. Much harder to do in IE6. If another user is willing to trade web experience for security, Firefox allows for that too. After beta testing Deer Park Alpha it is apparent that the Mozilla team is really stepping up the security options as well as making it easy to use them. Offering strong security options as a choice allows users to get what they want out of their browser. Ultimately, the answer to internet security is the same as the answer to any large social problem. Until society makes the rewards for negative behavior worthless, the negative behavior will continue. If your house is full of goodies... it matters not how many locks you have. The solution is to make hacking worthless or at least less of a challenge.
Relax, aren't you lucky that it is only my Opinion?
I count upon them to botch it, unfortunately. If you look at the articles currently coming up about the company itself, it reminds me more of a place where good insurance or accounting practices are followed than a place where everyone does an incredible job and loves doing it. It seems management will be the absolute best place to work, if not the only decent one, and that's not very good for code quality; especially when you have such a high-test set of people working for you. It is monstrously hard to produce good code in a large corporation, and it seems to get harder over time no matter what you do.
No! You mentioned it! Now you've cancelled its effect!
Also of course since I hate the Slashdot attitude that Microsoft are stupid and OSS developers can walk on water. But but, I'll leave that for another day.
IE 6.x is much more mature than Firefox, being basically IE 5.x with some extras. What is really needed here is a graph which shows monthly exploits found or patches released for IE 5/6 over its lifetime, superimposed on the same graph for Firefox over its lifetime. That would probably give a better idea of relative vulnerability than this current survey.
No one ever says M$ is stupid around here. The general view is that they are extremely crafty and cunning. They just write frustrating code to work with sometimes, and Slashdot can grow into one giant brain fart of rage.
OK, 24 months? My record was in the JavaScript: reported in 1995, patched in 2004. A known buffer overflow for 9 years.
Question: wonder how many more are hiding in IE.
6-8 months? There are a lot.
Go to secunia.com and compare Firefox and IE. Makes interesting reading.
IE outstanding faults:
  2003-03-13
  2003-08-14
  2003-11-07
  2004-02-09
  2004-02-27
  2004-04-01
  2004-08-16
  2004-09-18
  2004-10-09
  2004-11-10
  2004-11-17
  2004-11-26
  2004-12-08
  2004-12-09
  2005-01-18
  2005-02-17
  2005-02-21
  2005-05-31
  2005-06-21
Firefox outstanding faults:
  2004-08-30
  2004-09-18
  2005-03-01
I really don't think Firefox has that much of a problem yet. When you read Firefox's outstanding faults, I don't think you would be worried too much. But IE is downright scary. 3 are yellow status on IE. All three of Firefox's are still in the green.
Come on Microsoft, catch up on your outstanding.
Rather than simply counting vulnerabilities, take a look at the reports for Firefox and Internet Explorer 6. Firefox 1.x shows 22 holes, 3 unpatched and rated 'less critical.' IE6 has 85 holes, 1/4 unpatched, and a 'highly critical' buffer overflow in ActiveX that's been open since 2003. Now, tell me, which one is more secure?
[Insert usual mantra of anyone being able to fix F/OSS but only MS being able to fix MSIE here] [Append snide remark about companies trying to hide rather than fix vulnerabilities here] [Insert random Zeeky Boogy Doog here]
I am a computer assistant at a very busy computer lab. In fact the most used lab at my university (a private university of over 40,000 students). Whenever blackboard or webapps act funny I direct people to firefox, and problems disappear. There may be security problems, but they get fixed, machines get re-imaged, and firewalls protect. But having a usable, working browser is priceless.
Damn. I really wish I had modpoints for you here. Yeah, maybe you're getting too hard on Firefox, but it's way, way more insightful than the parent, IMHO. (Combine the two and they're informative, that's why I think it's bad the GP was modded on the skies, but the parent wasn't.)
I'd say a fundamental part of good practice with IE is to use it with an HTML rewriter. I use "The Proxomitron".
hehe, that's a good one. I agree, a good practice for surfing with IE is to not let it read its own HTML.
You are a bit incorrect with the ActiveX comment. IE is not a browser exactly, it's an ActiveX container that loads other controls (like MSHTML or Acrobat Reader) that can also be ActiveX containers... in other words IE is ActiveX. They can't fix it because it's how IE works. That is the design flaw.
MidnightBSD: The BSD for Everyone
ActiveX is not a big part of the bugs or of a poor design. It is just a misfeature. Microsoft could overnight throw out ActiveX and be in the same position as Firefox when it comes to those controls, as such it is not a fundamental design flaw.
Actually, (for example) IE implements the XMLHttpRequest (JavaScript) object as an ActiveX control. This is a favourite new toy for very spiffy interactive webpages (think AJAX). Examples of things that break if you turn ActiveX off: Gmail, Google Maps, Google Suggest, etc.
This in turn causes users to not turn off ActiveX (the tin-foil-hat crowd would tell you this isn't a coincidence) because it would fundamentally break many really useful websites.
Reinard
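The ActiveX dependency described in the post above, as an added example that is not code from any poster in this thread: the way a page of that era obtained an XMLHttpRequest object, trying the native constructor first and falling back to the ActiveX control on IE 5/6. The `scope` parameter stands in for the browser's `window` so the function can be exercised outside a browser, and the three browser configurations at the bottom are constructed fakes, not real browsers.

```javascript
// Added example, not from the original thread. Shows why a site's "AJAX" code
// on IE 5/6 only works with ActiveX enabled: the XMLHttpRequest object itself
// is an ActiveX control, so disabling ActiveX breaks the whole page.
// `scope` stands in for the browser's `window` object.

// ProgIDs IE exposed for the XMLHTTP control; pages typically tried the
// newer MSXML 2 name first and fell back to the original one.
const MSXML_PROGIDS = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"];

function createXhr(scope) {
  // Standards path: Mozilla/Firefox, Opera, Safari (and later IE7+) expose a
  // native constructor that needs no ActiveX at all.
  if (typeof scope.XMLHttpRequest === "function") {
    return { kind: "native", progId: null, xhr: new scope.XMLHttpRequest() };
  }
  // IE 5/6 path: instantiate the ActiveX control. When ActiveX is disabled in
  // the security zone, every ProgID throws and the page is left with nothing.
  if (typeof scope.ActiveXObject === "function") {
    for (const progId of MSXML_PROGIDS) {
      try {
        return { kind: "activex", progId, xhr: new scope.ActiveXObject(progId) };
      } catch (e) {
        // control missing or blocked by the zone policy; try the next ProgID
      }
    }
  }
  return { kind: "none", progId: null, xhr: null };
}

// Summarise the result so the dependency is visible to whoever reads a log.
function describeXhrSupport(scope) {
  const r = createXhr(scope);
  switch (r.kind) {
    case "native":
      return "XMLHttpRequest available without ActiveX";
    case "activex":
      return "XMLHttpRequest provided by ActiveX control " + r.progId;
    default:
      return "no XMLHttpRequest: script-driven pages such as Gmail or Google Maps will not work";
  }
}

// --- Constructed stand-ins for three browser configurations (not real browsers) ---
function FakeNativeXhr() {
  this.readyState = 0;
}

// IE with ActiveX enabled: a known ProgID instantiates, anything else fails.
const ieActiveXEnabled = {
  ActiveXObject: function (progId) {
    if (!MSXML_PROGIDS.includes(progId)) {
      throw new Error("Automation server can't create object");
    }
    this.progId = progId;
  },
};

// IE with ActiveX disabled in the zone: every instantiation fails.
const ieActiveXDisabled = {
  ActiveXObject: function () {
    throw new Error("Automation server can't create object");
  },
};

// Firefox-style browser: native constructor, no ActiveXObject at all.
const mozillaLike = { XMLHttpRequest: FakeNativeXhr };

if (typeof require !== "undefined" && require.main === module) {
  const scopes = { mozillaLike, ieActiveXEnabled, ieActiveXDisabled };
  for (const name of Object.keys(scopes)) {
    console.log(name + ": " + describeXhrSupport(scopes[name]));
  }
}
```

The point for an administrator is in the third configuration: disabling ActiveX in the Internet zone is a sound mitigation for the IE issues discussed in this thread, but on IE 5/6 it also removes XMLHttpRequest, which is why users were pushed into leaving it on.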
There is one significant difference. I'm a knowledgeable user. I program and sys-admin. I practice good security. Regardless of the number of exploits out there, I've never been hit by a FF exploit. I have been hit by IE exploits.
... Microsoft has made similar claims about Apache for years, but I'm pretty sure most users would choose Apache over IIS for security.
Yes, you see, it's the unpublished exploits that you have to watch out for
As far as I can see, this whole article is an MS troll - every recent article in his blog praises MS software against OSS alternatives, with often outrageously stupid claims - e.g. that Word documents are an "open format" because everyone uses Word!
So in other words, you've installed a little known, third party tool, to shield your browser from those dastardly Internets. This is not "good practice" - it should not, under any circumstances, be necessary to transparently doctor a program's input stream in order to keep said program happy. Not when said program is as frequently and widely used - indeed relied upon - as a web browser. If such a feature is genuinely useful in achieving robust security, then it can damn well be a feature of the core program, not something the user has to go above and beyond to utilise. IE is not made inherently more secure by using such tools; instead, you have simply introduced more developers into the arms race, who may or may not be more agile than MS when it comes to catching new exploits.
Congratulations - you've fitted your browser with a pair of rose-tinted glasses while it slept.
Firefox doesn't have to be perfect. It doesn't even have to be better than IE.
It just has to be competition for IE.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Seriously, doesn't this happen every couple months -- some idiot notices that active Open Source projects get more bug reports than Commercial projects, and suddenly the world's on fire and the OSS model is unsound and the software is useless?
I'm not going to reiterate the truth of the matter, because if you don't know it by now, you are probably one of the few who don't WANT to know.
It's been a long time.
I can agree that I was unclear: ActiveX as a web technology can be thrown out (that is, the over-the-web installable signed controls), and that is the problematic kind. Using ActiveX as a client-side plugin and component architecture does not matter any more than using, say, CORBA.
Note that only one of those is a 'critical' flaw, and that one is an ActiveX buffer overflow that can be avoided by just not using ActiveX. The rest are spoofing or system information flaws.
Actually, at least one other involves the possible exploitation of malicious code, although it requires active user input to do so.
But let's look at that one big famous doozie, the ActiveX exploit. That was reported in August 2003 - that's over two years ago!! It requires no user intervention if ActiveX is enabled, can do just about anything it wants to and it affects any MS ActiveX enabled product that can read HTML. The only solution is to turn off ActiveX, or to get it to prompt the user before it installs anything (which is no guarantee of safety). This is far, far worse than any exploit Firefox has ever had!
But even if it wasn't so potentially disastrous, don't you think MS would have been interested in fixing something that involves their pride-and-joy, ActiveX?? How could anyone ever look at such incompetence and claim that IE is more secure?!
I was a bit unclear: they can disable ActiveX as a web distributed component technology. That is also the only problematic kind; the local pre-distributed or plugin-installed ActiveX controls have no security problems as such (they of course have complete control, but that is of course expected for plugin programs and features of the browser as such). ActiveX the component technology is not really problematic for code that you trust anyway; having signed ActiveX controls downloaded from the net be arbitrarily trusted was the stupid idea.
Unless I misremember, there are also straightforward ways to disable controls from the net but allow local plugins and core components to run just fine. Which is really all one can ask for.
Firefox is a huge and complex piece of code. And in such a beast, it's difficult to avoid bugs.
But check facts, i.e. what really happens to Firefox and to IE users.
In real life, IE users quickly get tons of spyware. Auto-installing spyware for Firefox could be made, but it doesn't really exist, except as proofs of concept. It doesn't mean that the Firefox code is safe, but since IE remains the primary target, Firefox users don't suffer as much as IE users from vulnerabilities.
Let's look at this over the lifetime of the product, not just the last 6 months. If Firefox has only been out for a year or two (for example's sake), 46 potential "exploits" in that time doesn't even come close to the amount of vulnerabilities over the lifespan of Internet Explorer, which is indeed much, MUCH longer.
In George Ou's own words:
It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.
With that being said, the data is flawed and one-sided. IE has been around for a decade or more, so it is a FAR more refined program. This is due to the fact that they've had to deal with those exploits and vulnerabilities for much longer than the people over at Mozilla.
As usual the count of security flaws is meaningless.
As long as Firefox doesn't run Active X, whatever flaws it may have are so unlikely to be exploited as to be meaningless - even with eighty million users at last count.
IE on the other hand has been and will continue to be a security hole - not to mention a pathetic piece of dog shit as a browser...
Take your Microsoft shill FUD-shitting face out of my face...
Not even worth my time to read the article.
The only complaint I have about Firefox is it still screws up every other day or so at something, due to memory leaks or whatever. I can't wait for 1.5 which will hopefully eliminate these bugs.
I probably should go ahead and download the 1.5 beta, but I tend to avoid betas unless I read somewhere that the beta is already adequately solid.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
What does it matter how many vulnerabilities each of the programs has? You should remember that MSIE is closed source and Mozilla is open, so there are not just accidental bugs, but bugs that can be found by reading the code (unlike MSIE). The point, for me at least, is that Mozilla has another model of production, which is to address security concerns as fast as possible. And if they found that number of vulnerabilities in that period on Mozilla, being an open-source program, I would congratulate Mozilla. For me, Mozilla will be, for that reason, my first choice for a browser.
Putting aside for a moment all the various arguments people will make in this thread (statistical arguments, Firefox-IE is better designed, bugs are less/more serious or take shorter/longer to fix, blah blah)...
For the sake of argument, let's just say from a security standpoint that FF and IE come out dead even. I'd still prefer Firefox by a wide margin, because it's open source. That's not a zealot's position, but a practical matter related to security. (And I'm not arguing that open source is inherently more secure because "more eyes look at it," whether or not that may be true.)
Simply put, I trust open source. Ever since taking the leap to Linux and OSS, I have largely stopped worrying about the software I use being spyware, locking me into formats, managing to break my other applications, etc. The OSS community's focus on users' needs (and not on profit) has made me trust software again.
How does this make me more secure? It means I now feel free to apply updates and software patches with wild abandon. If there's a new version of Firefox with patches, when I update my Kubuntu system it's installed within days.
In my pre-OSS days, I would hold off installing new versions or updates because I had so often been burned by unexpected collateral damage...
Now, I no longer worry about that. I patch like mad, and I've no doubt it makes my system (and by extension, yours) more secure.
= 9J =
ooooh less than 1 in 20 use firefox - it's taking over!
I don't use mouse gestures, but I do find myself middle clicking on links to try to open them in new tabs every time I have to use IE.
I do some Web development and, while I'm not the ultimate Web Guru, some people actually pay me to do it. I don't follow security as closely as I should, perhaps, but this is about browser choice. And security is not the only factor to consider.
I have not invested in a subscription to MSDN. So, most of my references are either from books with strange animals on the covers or from the W3C recommendations.
I use my references and create a Web site for a client. Then I proceed to testing with Firefox, Mozilla, Netscape, Opera, and IE. What I have found is that, in Firefox, Mozilla, and (most of the time) Netscape, it usually all works just as expected. In Opera, a few changes are required. In IE, however, it almost never works like it should.
To be completely fair, I have to say that none of the popular browsers seem to get the W3C recommendations right 100% of the time (but that might be me getting it wrong :)). Sometimes (rarely), I must admit, it even seems like IE's interpretation of the W3C recommendation makes more sense. However, after using all of the browsers I test with, and a few others, I have to say that I choose Firefox.
The point must be how valid the code is in 2005.
Author, Shell Scripting : Expert Re
He'd use the spoon, of course. Have you been paying attention at all?
</sarc>
I am talking completely out of my butt .. but as I remember most of the exploits affected only Windows versions of mozilla.
:) I loved Netscape and do not remember what the OS/2 default browser was called, but as soon as it was not IE I loved it ..
:(
Besides: I run Mozilla on my UNIX(tm)-like systems
and if I am really cautious I am running them with a user that does not have access to my personal files.
Now I wonder how many do not run Mozilla as Administrator, and how to run it under the same GUI as the user you are primarily using.
Also how many of these exploits exploited system-wide libraries that were OS specific?
And how many other browsers do you have as a choice for Linux?
I swear I would run Explorer (on Linux with the above mentioned different user) so I can get rid of the Windows and VMs I am running just to be able to test sites I develop in IE if it
1. existed
2. believed that nonsense that IE is more secure than Mozilla
Ohh can we also mention that mozilla is patched on the spot... while most IE exploits are "low risk" according to MS?
I love mozilla
HEY how many exploits are there for lynx/links?
how many popups do you have in those ? What was the last time it crashed on you?
also how many websites can you access with them without a problem
I'll sell you mine.
It's the deal of a lifetime, at a dollar per point match.
That's only $55,734! (Act now and I'll discount it 10% for eagerness)
Just think, you can skirt around slashdot with your sexy new low uid. (relatively speaking of course)
I just wish I had uid 99999... boy will he make a killing.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
ActiveX a design flaw? What drugs are you on? Not everyone uses HTML as an interface to the masses - DHTML has proven itself to be a compelling application front end. I've been developing exclusively with IE & HTML & Binary Behaviours (a form of activex) with AJAX style architecture for more than six years because it's just so easy to turn out great looking apps. If you stopped to actually look within windows you'll see that MS does this in many places - HTML inside dll's for many common interfaces. Why? Because it's a hell of a lot easier and more flexible designing an interface in HTML than the alternatives, hence the XAML direction. Given that the IE DOM is written in COM (something that Mozilla tipped their hat to with XPCom after the terrible architecture in netscape) does it not make sense to use activeX controls within IE? (ActiveX controls are COM components). From an architectural point of view, this is a given. Please explain why MIME types on file extensions are a bad idea? And that comment about web services lock-in is just rubbish - if you're going to make throwaway comments like that, at least back them up with some evidence.
Only real problem I have with Firefox is their lack of a network/silent install (can DL a free MSI compiled version, thanks drakenpern). Since our company started pre-installing Firefox on ALL new PCs sold, our reports of spyware from new customers have dropped dramatically (1/5 of what it was) which, given the recent increase in destructive (read: rootkit) spyware releases, is particularly good.
...
It's not the number of holes, but the time between detection and fixing! (Okay, two sentences: And if the holes got detected by someone caring for its security or someone caring for its insecurity.)
People will never get it I guess...
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I'm not sure why people keep going back and forth on this issue. It's not hard to run either Firefox or IE as a restricted user. But that does nothing to alleviate the pain caused by malware. If a program ran as this "restricted" user and deleted everything it could, then what would you say? Oh, but it didn't delete sol.exe so I'm safe!
Both IE and Firefox are balking at the one change that could eliminate all of these security issues. Simply don't allow a web page to run code unless the code is signed by a trusted authority. If you don't like/trust the current list of trusted authorities then make a new damn list! Or else remove the ability to execute ActiveX/Java entirely.
That BS was added in under the assumption that code signing would help prevent malware. Somewhere along the line people decided they didn't like the hassle of code signing but left the ability to execute code there.
Firefox gives you a pop-up when a page tries to run invalidly signed Java code. Yes - run this unsigned code with full system access, or No - don't run this code at all. Where's the option for running code like the spec says it should run (with no system access)? IE has the same problem with ActiveX. These browser security models need to grow some balls and quit catering to stupid/lazy web designers.
Oh and buffer overflows are another big problem in these poorly written apps. Two words, "guard bytes". Do your own due diligence.
maybe the optimizer removed the extraneous step.
i don't think you can say "if it did not happen by now, it is safe...".
i can't remember where but it's somewhere in there: http://www.ranum.com/security/computer_security/editorials/dumb/index.html
Any sufficiently advanced intelligence is indistinguishable from stupidity.
She still the sexiest browser out there.
All IE has is a lot of makeup and the pock marks of too many STD infections... The only thing Gates is offering is more makeup to cover more blemishes.
Running with Linux for over 20 years!
Exactly! (Where are my mod points?)
Firefox is immensely better than IE. My computer was riddled with spyware until I started using Firefox. But even better than that, Firefox has extensions -- IE doesn't. IE will never be able to keep up with the functionality of Firefox.
Ok, but it never should have had anything to do with any kind of public network, in that case. The flaw might not be the invention itself, but that it was enabled in the *web browser*.
Name ONE risky security flaw that has been known for 6 months without being patched by Microsoft.
The ability to boot MS Windows?
Fabio Aquotte
You can do the same thing in Windows as well, just create a user 'nobody' (with as few permissions as needed) and then instead of running firefox.exe use
You'll have to type in nobody's password though (if he has one) and you (obviously) won't be able to access the same profile that you use in your regular account, but you can just copy the stuff over and you should be fine.
OMG, are you serious?!?!
Someone else already responded in a quite correct and logical way, so I've gotta flame you. It has to be done.
I work at a large company where all kinds of total TUBERS hide nonexistent web development skills behind the fact that IE is the standard. These same people get quite ruffled when introduced to real standards, aka web standards. You sound too much like one of them. I am sorry, but that sounded like the moron at my cell phone company that rhymes with Texnel who told me that Firefox doesn't work right and that's why I have to use IE to pay my bill online. I mean, get a CLUE!
To be fair, Fx does NOT perfectly adhere to standards. But 99% of the time, I can code to standard and only have to fix my code to compensate for IE's inadequacies.
Please please please, if you are a web developer and like IE, that means that you 1) work for Microsoft or 2) don't know the correct way to code web pages. But there's hope! You can learn! Just learn the right way and not the IE way.
blah blah blah
IE exploits are patched because they are abused, regularly. FF exploits are patched before that happens. Secondarily, a more accurate comparison of security holes can be found by comparing IE when it was a couple of years old to Firefox now.
Excuse my ignorance, but WTF does 'free as in beer' mean, and how does that differ from 'free as in speech'? I've never seen those used anywhere but here, and all my friends (90+% of them being programmers, technicians, and administrators, some even visiting /. regularly) haven't the slightest clue what that means.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
Beer is not free
javascript, css, even html can be thought of as a language
They ARE languages, what the heck else would you call them? Hypertext Markup LANGUAGE. Ring a bell? Is English not your native language?
this ignores insane things like activeXpoit
Your use of said colorful language totally speaks for how unbiased and experienced you are.
That is nuts. It is also probably the biggest reason why MS has so many security problems in general.
You're right. It's nuts. That's why MS doesn't do it. The kernel isn't tied to MSIE. You said you weren't trying to spread FUD and yet here you are spreading something with ZERO FACTUAL EVIDENCE based entirely on what a bunch of anti-MS zealots have told you.
Can you even produce evidence of a SINGLE MSIE exploit being a result of being tied into the kernel?
Seriously. If you can't produce a single case, then it is CERTIFIABLE F-U-D.
Every piece of software they write is tied to everything in the OS in 10K ways.
Based on your scientific analysis, right? Oh wait, that's right, you're not a scientist, you're not a programmer, you know nothing of systems level programming and you don't know the slightest bit of how the Windows kernel actually functions.
What is this statement based on? Seriously. let me guess, you got some errors with THIRD PARTY VIDEO DRIVERS and blamed it on MS. I'm curious as to your source of information. Is it your massive '100+' (oh yeah, that's a LOT...not really) workstations.
The difference is, when you crash my browser using spiffy example exploit, or even get it to run code, all you can do is execute in my user land environment or kill that app.
REVISIONIST HISTORY! Let's not forget about exploits like teardrop and the like which froze the Linux kernel before it was patched. The person didn't even need to be running any specific internet software.
Nevermind local exploits that can be run once you get local access as well that can kill the kernel too. Woot woot, FUD AND REVISIONIST HISTORY! Do I need to run down a list of DoS exploits against the Linux kernel?
There is almost no risk to the computer as a whole or even of affecting stability.
Now ignoring the fact that this is wrong, this isn't exactly a grave threat to Windows either. The past Windows freezing/crashing exploits (such as teardrop) have long since been fixed. Let me guess, you're one of those anti-MS zealots who uses Windows 95 as an example even though practically everyone is using the NT based Windows kernels now.
Oh yeah, oh wise administrator, you DO know what teardrop is don't you? I mean, after all, you're the SHIZNITE and you'd totally PWN ME in a graduate level class, so you MUST know the history of Linux exploits.
Why do you feel the need to continue to post? You're beginning to sound like Ballmer. Are you gonna throw a chair at someone who uses the Google search feature built into FF next?
/. with your monumental ignorance so you can feel better about yourself for being stupid. That whole 'stupidity loves company' thing.
Shut the hell up already. You've been proven wrong, IE sucks, and you've posted a dozen times in this thread saying the same idiotic banter over and over.
Do you really feel that the people are here to talk with you?
Does it make you feel special to respond to EVERYONE WHO HAS AN OPINION in this topic? Like you know something they don't?
Get over your love for M$ and stop trying to convince everyone that you're right, or they're wrong.
It's a matter of personal preference. People use Firefox for all its added features, not just its security. (themes, extensions and developer tools) Oh, and its adherence to web standards happens to be a GOOD THING.
You must be a M$ cheerleader or something, as you clearly have NO IDEA WHAT A WEB STANDARD IS GOOD FOR ANYWAY!
I consider the W3C to push through way too many way too complex standards at a way too high rate
You're so brilliant!!! "It's too hard, so it must be bad!"
Do you feel this is insightful?
You're just a lUser who won't stop trying to infect the userbase of
Just because you can't figure out why IE is insecure and just plain terrible for the web, doesn't mean that IT ISNT!
Get over yourself.
That's silly reasoning. The only reason it's so 'secure' is because you're relying on security through obscurity. I could make my own custom made browser with thousands of obvious buffer overflows in it and because it's so obscure, it would be rarely exploited. Does that mean it's "secure"? Not really.
The only reason the Firefox machines have so few reports is because Firefox's marketshare is still too small, very few websites have bothered to exploit its vulnerabilities.
The articles has CLEARLY DEMONSTRATED there are WORKING exploits. The only issue is that they're just not in wide use. So your so-called security comes through minimal use. That's good journalism. Your comment is bad FUD.
This very bad article goes to the trouble of breaking down the number of vulnerabilities for Firefox, but somehow fails to do the same for IE. ... I wonder why?
Hmm
Total vulns in IE for 2005 = 18 ; 5 still unpatched, plus 14 still unpatched from previous years. Hmmm.
total vulns in FF for 2005 = 47 ; 3 unpatched, none from last year
Not to mention the fact that the severity level of vulns is far greater and more damaging in IE than FF. Of course that damage is subjective, any vuln could possibly be a financial disaster should certain data be captured. So not only is this writer biased, but he can't count either. Also some vulns in FF only affect MS or Linux, while others affect both (i.e. js holes). I saw no mention of Mac OS in any notice. So the numbers are lower for FF for either MS or Linux.
Still I like the raw numbers (FF) 6% unpatched vs. (IE) 28% unpatched. Or 3 vs. 19.
In all fairness the number for MS is really 32 since there are still open items from previous years, leaving us with 47 vs. 32. Not so different now is it? Well, except for that whole 3 vs. 19 thing. I may be a zealot, but at least I try to be an honest zealot.
I read that and at first I was struck oddly by the numbers, but a half-second later I knew the truth. IE came out a long long long time ago. There hasn't been a new version in YEARS. Firefox is an infant compared to IE. Also, OSS and FSF software lend themselves to being secured; the code is visible to anyone anywhere. With IE, only the select demigods (and I use that term loosely) get to view the code. As another user said, the ActiveX promises were either undertested or badly designed. I second that...for both. It was and still is just a browser to edge out competition. It is tied to the platform and is volatile. Arbitrary statistics don't really give any information about either of the two browsers. In fact, since "no hackers would work on hacking firefox" since IE still is such the kingpin, how were so many security holes found and sealed? Refer to my OSS/FSF statement.
Commercial software (really the copyrighted stuff and crap EULAs) is a plague on software that served a purpose until the advent and wide use of the internet. Programmers will still be able to make money, and a good amount of it at that. But software firms will have some different business models. We can already see it beginning. The beginning is with the old empire, the RIAA, MPAA and others. Too much power for an obsolete organization. Now Microsoft is reported to be internally fighting due to their fat fuck CEO. Apple and Google are at unprecedented profit levels (although GOOG is very dubious). Linux is gaining more popularity. Vista is subject of scorn and the brunt of jokes. M$ is not the monopoly it used to be. They never really came up with anything innovative (Xerox had GUIs before either Apple or Microsoft did), and they only had marketing staff. Gates understood the tech aspect, but he's not a terribly creative man. Definitely visionary, definitely intelligent, but not the greatest innovator or creative person. He doesn't see products that revolutionize. Apple does. They may not have the vision (although in recent years since baApple, they've got much more of a "vision"), but they can sure as hell invent or borrow another idea and make it dead sexy. Case in point: iPod. Though Creative did actually come out with a device first, Apple made the iPod so sleek that it was an instant hit. OS X is probably the greatest Unix shell out there. These are exciting years for big business and software.
btw my little security word is "reefer"...wonder what dictionary generated that random word...
The number of vulnerabilities and exploits isn't an accurate portrayal of the security of a product. What was the impact of the vulnerability, was it a buffer overflow or potential information disclosure? Any comparison that doesn't take the severity of the vulnerability into account is worthless.
Yes, my only tool is a hammer. And you're starting to look like a nail.
Yes, why are you ignoring all the highly critical vulnerabilities in Firefox? Talk about spreading FUD. Firefox has had its fair share of highly critical vulnerabilities and you're ignoring that simply because it doesn't suit you.
An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed.
There have been Firefox exploits that give you access to the local file system, including at least one that let you install arbitrary extensions.
That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.
It's not a security study, it's an op-ed piece. It's just pointing out that Firefox is not magically immune to exploits and it doesn't have some super security design like some people seem to think it does. It's just your average piece of software, holes and all, that's the whole point.
You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.
Uh, how so? There's nothing in the design of Firefox that makes it more magically immune than IE.
This reeks of technical hackery -- someone abusing facts to push some opinion that grossly distorts the truth. Why aren't these guys working for the government? (Or are they...?)
The point is that Firefox has had 0 extremely critical vulnerabilities. Yes, 23% (read: 5 total) of its 22 vulnerabilities were "highly critical"
Compare that to 14% (10 total) of IE's 69 being rated "Extremely Critical" and 29% (20 total) being "Highly Critical".
What's the analysis? A 2 year old project has 5 vulnerabilities at the second most extreme rating level. In the same period of time, a much, much older application has twice as many vulnerabilities, but of a more extreme nature, and four times as many of the same nature. FUD? Fuck no. If anything, looking at the "Highly Critical" numbers makes IE look even worse.
Are you being funny my most intimate friend? You, sirs, can have all the bears to yourself. I used to be a lacto-ovo-fruitarian and I eat nothing furry with cold, staring eyes. But that was before my VW bus broke down in the Kenyan desert. Then HER friend got pregnant and the world as we know it came to an abrupt stop. It's all kind of blurry, carriage-returny after that. If you ask me. And most importantly, THERE IS NO fscking SPOON
(founded 95,000,000 yrs ago, very space opera)
Firefox had 40 vulnerabilities, not just 22. You're limiting yourself only to the Secunia statistics, which don't include all of the vulnerabilities in that time period.
Where are you getting 69 from? There were only 10 vulnerabilities TOTAL for IE in the time period. Only 9% were 'extremely critical' in 2005 (and that's longer than the time period specified in the article). You're making up numbers now, I call that spreading FUD.
Furthermore, the "highly critical" vulnerabilities include ones that allow you to install arbitrary extensions without the user's permission and access any files on their hard drive.
Not everyone uses HTML as an interface to the masses - DHTML has proven itself to be a compelling application front end.
DHTML is scripted manipulation of the HTML DOM. It needs no custom ActiveX controls. AJAX as I know it is just DHTML + XMLHttpRequest.
I've been developing exclusively with IE & HTML & Binary Behaviours (a form of activex) with AJAX style architecture for more than six years because it's just so easy to turn out great looking apps.
Where were these apps deployed? On the Internet or on intranets? Unlike Java applets, ActiveX controls do not run in a sandbox by default, and they have full access to everything the user can read and write. Given that most users on Windows XP Home Edition still run as a user with administrative privileges, this can be and has been exploited as a major security hole for, say, adding spyware to a machine.
Given that the IE DOM is written in COM (something that Mozilla tipped their hat to with XPCOM after the terrible architecture in Netscape) does it not make sense to use ActiveX controls within IE? (ActiveX controls are COM components).
But does Mozilla Firefox allow random web pages to run arbitrary XPCOM controls with the user's full access rights?
Please explain why MIME types on file extensions are a bad idea?
Problem is that in certain circumstances, the Internet Explorer suite will ignore the Content-type provided by the server in favor of guessing a Content-type based on the last few characters of the URL. Not only does this behavior violate the RFCs that govern the Web and Internet e-mail, but authors of malicious programs for Windows have managed to exploit this misbehavior.
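The failure the post above describes, a server-declared Content-Type that a client may override by looking at the end of the URL or at the body's leading bytes, is easiest to see by computing each of those signals independently and flagging any response where they disagree. The block below is an added example, not code from the article or from any browser; the extension table, the magic-byte table and the sample responses are constructed for illustration:

```python
"""Content-type consistency check (constructed example).

Three signals a client component might use to decide what a response is:
  1. the Content-Type header the server declared,
  2. the extension at the end of the URL path,
  3. the leading bytes ("magic") of the body.
A response where these disagree is the one a type-sniffing client can be
made to interpret as something the server never declared, so a defender
wants to find such responses on their own servers before a browser does.
"""
import os
from urllib.parse import urlparse

# Constructed lookup tables, deliberately small.
EXTENSION_TYPES = {
    ".html": "text/html", ".htm": "text/html", ".txt": "text/plain",
    ".gif": "image/gif", ".png": "image/png", ".pdf": "application/pdf",
    ".exe": "application/x-msdownload",
}
MAGIC_TYPES = [
    (b"MZ", "application/x-msdownload"),   # PE executable header
    (b"GIF8", "image/gif"),
    (b"\x89PNG", "image/png"),
    (b"%PDF", "application/pdf"),
]


def type_from_header(headers):
    """Declared media type, without parameters such as charset; None if absent."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower() or None
    return None


def type_from_extension(url):
    """Type a client would guess from the URL path's extension (query ignored)."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return EXTENSION_TYPES.get(ext)


def type_from_magic(body):
    """Type a client would guess from the first bytes of the body."""
    for prefix, mime in MAGIC_TYPES:
        if body.startswith(prefix):
            return mime
    head = body.lstrip()[:64].lower()
    if head.startswith((b"<html", b"<!doctype html")) or b"<script" in head:
        return "text/html"
    return None


def check_response(url, headers, body):
    """Return a verdict plus the three signals; 'conflict' means they disagree."""
    signals = {
        "header": type_from_header(headers),
        "extension": type_from_extension(url),
        "magic": type_from_magic(body),
    }
    distinct = {v for v in signals.values() if v is not None}
    verdict = "conflict" if len(distinct) > 1 else "consistent"
    return {"url": url, "verdict": verdict, "signals": signals}


# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("https://example.test/page.html", {"Content-Type": "text/html; charset=utf-8"},
     b"<!DOCTYPE html><html><body>hello</body></html>"),
    ("https://example.test/notes.txt", {"Content-Type": "text/plain"},
     b"<html><script>alert(1)</script></html>"),          # text/plain by header and extension, HTML by magic
    ("https://example.test/picture.gif", {"Content-Type": "image/gif"},
     b"MZ\x90\x00\x03\x00\x00\x00"),                     # image by name, executable by magic
    ("https://example.test/download?file=a.exe", {},
     b"MZ\x90\x00"),                                    # no header, no usable extension: only magic
]


def run_samples():
    """Verdict for each constructed sample, in order."""
    return [check_response(*sample)["verdict"] for sample in SAMPLES]


if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_response(*sample)
        print(result["verdict"].upper(), result["url"], result["signals"])
```

Run against real responses, the header dict comes from the HTTP client and the body is the first few hundred bytes of the payload; any `conflict` is a response to fix on the server side (correct the declared type, or rename the resource) rather than something to rely on the client resolving.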
I've been telling people for a long time now that Firefox flaws will be exploited as soon as there's enough market share to bother messing with it. There's going to be flaws with any product, anytime you have software with thousands or millions of lines of code, bugs and security flaws are going to be there. I just wish people would get over the browser wars crap anyway. Just use whatever browser you like and make sure all the security updates are applied in a timely fashion. I prefer Opera out of all the browsers anyway. Everybody keeps talking about how Microsoft is losing market share with their browser, well I hate to say it but they don't charge for the browser anyway. There's no revenue coming from IE, it just happens to be integrated with the operating system, so who cares if they lose 10 percent or more of market penetration of the browser wars. Individuals and companies alike are going to primarily use IE anyway. Until Windows Update functions without IE it will still be in use. And now that tabbed browsing has finally been incorporated with IE7 and additional security enhancements I think there won't be a whole lot of reason to go with other browsers other than personal preference.
but WTF does 'free as in beer' mean, and how does that differ from 'free as in speech'?
Or look it up in Wiktionary: "free beer" refers to definition 2, while "free speech" covers most of the other definitions.
all my friends (90+% of them being programmers, technicians, and administrators, some even visiting /. regularly) haven't the slightest clue what that means.
Any of them speak Spanish or French? In Spanish, free as in "free speech" is libre, while free as in "free beer" is gratis. The words in French are similar (libre and gratuit).
I call bullshit. The MYTH about more people looking at the code is exactly that, A myth, 99.9% of people never look at code and those that do more than 99% are not qualified to find security problems
So let's say only .01% of FireFox users are looking at code.
How large is the installed base? For simplicity, I'll go with published figures for downloads - I figure repeat downloads are roughly offset by bulk installs from one download.
Hell, I'll cut it in half.
So SpreadFirefox.com reports there have been 89,000,000 downloads.
Cut that in half and you have 44,500,000.
Now take .01% of that figure. That's 445,000 - the number of people YOU estimated look at code. Now let's find the security experts - in fact I think your estimate that only 99% of people are really unqualified to examine security issues is too optimistic (having done extensive corporate application security work myself), I'll say 99.9% of programmers are probably not qualified to really look for security issues in code.
The final number is now down to a mere 4,450 crack security programmers.
So of course that number seems awfully large. Let's cut that again, say to even just 400 people - an absurdly large cut.
How many people do YOU think Microsoft has looking at IE code? I can tell you right now that 400 would be an awful lot for one project even for a company the size of Microsoft. Now how many of THOSE people do you really think are qualified to look at security? Would it even be 50%? Is that large an increase even possible over the general populace - or does it even matter since you still fall hundreds short of the number I produced above.
My original theory is borne out by the observation that even though FireFox has more patches issued month to month, it literally has a few orders of magnitude fewer exploits. You may claim that IE is more prevalent and thus more likely to be attacked - but this is a false argument that ignores just what a juicy target 89 million browsers would be. Simply put, if it were anywhere near as easy to attack FireFox as it is IE, there would be more exploits for FireFox than we are seeing. More patches are simply a sign of better QA.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Since this is pretty deep, I'll wager a shot, rather than risking letting your post disappear unanswered.
Free beer at parties is free for you to drink, but someone, somewhere had to pay money for that beer. Party goers are usually encouraged to bring a few six packs to add to the pool - especially at many college parties, where some drinkers are too young to buy beer*.
So, extending the analogy, this is usually applied to nagware, uncrippled shareware, etc. In the case of Opera, it's "free", but you get advertisements (which many, including me, find irritating enough to spoil the deal) and you won't get "official" tech support (if you're having troubles with software, especially web browsers, you probably need a computer nanny, not tech support).
Free speech, on the other hand, costs nobody anything (except those on the opposite side). If you want to donate to the ACLU, it's splendid, but nobody's going to go door-to-door to check who's donated.
This applies to many Linux distros, programs such as ICQ, and works of the public domain.
I'm reasonably sure this is reasonably accurate, and I'm sure I'll be corrected if I'm wrong.
*-of course, for those of you browsing from the *.gov and *.edu domains, all of these drinkers turn 21 the night of the party, and have the consent of a parent or legal guardian.
Firefox dramatically slows the de-hibernation procedure in my laptop if I happened to access the CNN page sometime before hibernating.
Does it happen with foxnews.com? Does it happen with other sites that use SWF or Java?
If you want to work a little bit more to get a more elegant solution you can use Software Restriction Policies in Windows to configure IE to run always as a basic user regardless of your user's privileges.
You can even create policies that allow for running the whole desktop as basic user except for the apps you specially mark, though this option requires launching apps from task manager or some other app launcher.
Once the policy is created you are able to define which apps run as admin (or at the actual user's level) and which ones run as basic user, without having to enter any command or use any special procedure to run the app every time.
Regarding those comments in the line of "unix has been doing this for years", so did Windows. The problem is not with Windows architecture, it's with the assumptions app developers made when developing apps (including some of Microsoft's developers) that make them break when not running as an admin.
What you experience certainly is not normal.
Make sure you have installed the latest official release and create a new profile. It is known that keeping profiles from older versions of Firefox can cause instabilities. This also makes sure that no fragments from outdated extensions cause problems etc.
PS: The bookmarks of your old profile are stored in an HTML document. Once you've found it, you can load the page to migrate them.
How on earth can anyone expect millions of companies and individuals to re-invest substantial sums of money and/or time in order to be compliant with Firefox, aka "Web Standards"? Grandstanding about w3 bullshit and equivocating Firefox with Web Standards is a waste of time when discussing Web sites that already exist and will probably not ever be changed, or when discussing corporate Web apps that force IE on the users.
I would LOVE to see Firefox take more market share. But face the facts: it does not yet provide enough compatibility with MSIE to be a true contender. Popular opinion indicates that real web standards are dictated by the market leader - not the venerable w3. Consider how MS conformed to real (non)standards introduced by then market leader Netscape (NN3), and went on to take the market with a BETTER PRODUCT (IE4/5/6).
Your appeal to ridicule is pointless. Your way is not necessarily the right way.
Perhaps it works for you, but I would rather stick to free market mentality and let Firefox live or die by that mentality. Perhaps some developers like IE because they get paid to write code that targets IE. Your accusation indicates that these developers all work for MS or are incompetent coders. This is sometimes referred to as a False Dilemma.
Unfortunately, the moron at the cell phone company was correct. If Firefox worked properly, you wouldn't have to use IE to pay your bill online.
Not stupid, just pure evil. And nobody really blames them for that - you can't expect the spawn of Satan to be good, now, can you?
What do you do when a user needs to access a page that is IE-centric, and does not render correctly for them? Honestly curious here. I have a couple users that occasionally access government web sites that generate incorrect URLs in their CGI when used with Firefox. I've had to block off all sites from IE, and allow them to use IE for only these specific domains. So far, that's all I've been able to do until some of these webmasters make their stuff more generic.
hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
What about Mozilla Seamonkey? Is the browser code the same as Firefox? IIRC it was different enough to create incompatibilities for the extensions ... what about security situation?
"I'm never quite so stupid as when I'm being smart" (Linus van Pelt)
Firstly, nothing is "written in COM". COM is a technology that can be used from just about any language, and is very similar in both design and function to CORBA. Interestingly, COM is yet another apparent example of Microsoft's NIH syndrome: CORBA was invented around the same time according to the available history, probably just after CORBA. Odd how that pattern recurs, no?
Mozilla may have tipped their hat to Microsoft's name, but Microsoft isn't the originator of the technology.
Secondly, the fact that IE uses COM is not a security issue at all. COM is perfectly safe when handled properly. The fact that IE can be coerced into automatically downloading an unknown COM component from J. Random Website and executing it -- THAT is the security problem that everyone talks about.
--S (if I'm wrong about the history of (D)COM and CORBA, somebody do please point it out with references - I'd like to know.)
-- sigs cause cancer.
Don't get me wrong, I use and love Firefox, but have no idea how/where to update it correctly (short of the inopportune jigsaw piece that pops up out of the lower right corner). Firefox would do wonders if they simply included a simple menu item for update checking. Every time I read another /. headline "New Firefox vulnerability" I would be comforted if I could easily check that my version is up to date.
And, yes, I know that clicking the circle throbber will bring me to Firefox Central.
http://www.eeye.com/html/research/upcoming/20050329.html
> Yes, Apache is everywhere, exploit-free
Are you taking the piss! Exploit free! And you claim to be a knowledgeable user. LOL.
Apache 2.0.x has more than 27 security exploits (http://secunia.com/product/73/) which is extremely high when compared to IIS 6 (which has 2! http://secunia.com/product/1438/)
Actually MS's batting average is 2-4 months if you take all the vulns, most of which don't hit databases, but there's plenty of stuff in the 6-8 month bracket; and they have known - fixable - vulnerabilities classed by them simply as design faults which will not be fixed, ever, and are several years old.
Here's a juicy one, but of course, as per policy, you don't get the details, because then everyone would know, and we'd see spyware and stuff using it... that said, that might be the only surefire way to kick them into patching stuff they are being lazy with.
http://www.eeye.com/html/research/upcoming/20050329.html
NONE of the ones in the eEye upcoming list are scheduled for patches anytime soon, far as I know, and far as eEye knows (that said, eEye haven't heard much, if anything; MS are, contrary to what they say, extremely uncommunicative with some security researchers, and oddly cooperative and communicative with others, and we don't know why; possibly they only go for the easy fixes, but one of my open ones is an easy fix, and it's so overdue I am beginning to consider if a public disclosure, whistleblower style, might be the right thing to do even if it really annoys MS).
Oh yeah, and Microsoft just skipped a Patch Tuesday, refusing to release a patch out-of-cycle for an extremely critical hole in IE because they couldn't fix it properly and keep ActiveX working on the first try (and no, it's not that eEye one either).
Record, as far as I know, is 44 months from discovery and private disclosure, to patch. They're SHOCKINGLY bad, they typically won't even acknowledge a vuln unless you actually provide a fully working exploit (just demonstrating there is a buffer overflow will not do it, they want to see a working exploit with remote code execution first).
And if you want them to name you rather than get pissy at you, deny you any credit and shitcan your submissions in future, you'd better not disclose anything to anyone. And will they tell you if they're doing anything? Course not. You might, maybe, get a note from a human that the vulnerability exists. And the patch appears out of nowhere, what, 3, 4 months later?
Why don't you ask Skylined, or Liu Die Yu, or Georgi Guninski? Seriously -- MSRC are crap (though it's gotta be said, I hear Oracle are worse, known for sitting on working patches).
Mozilla aren't always great, it's gotta be said, but their response times are much better, and they're generally much sounder. Opera are great.
I think the big problem is that although security is a focus now, it's a PR focus; the problem they are trying to solve is the perception of bad security in Windows, because of course, if no-one knows what a swiss cheese it is, it might as well not be for most of the cases (and the other cases, well, they're not the type of people to report vulnerabilities after discovering them, but they're also not the type of people to give their exploits out until they're extremely old or independently rediscovered). They don't really want to make Windows more secure, they want to make it appear more secure, and while part of that involves fixing bugs, a large part of their bug management process seems to involve denying their existence, smokescreening, backpedalling, and plain not saying anything.
- A slightly annoyed security researcher, who (for obvious reasons) wishes to remain anonymous
The problem with IE's file-type handling is in the interaction between components that sniff a type one way, and components that sniff a type a similar, but actually quite different way. It's patchy enough they can make different decisions about what something is, and these parts of the code are in bad need of a complete refactor (but they daren't because any significant change would most assuredly break things).
... well... it would be OK, except there's a long publicly-known design fault in Windows that means you can essentially declare any two threads which both have windows (even hidden window handles) open on the same desktop, to have equivalent security credentials. Some of the more obvious ways have been fixed, but Shatter-like attacks still work (and this is why, for example, Services shouldn't be allowed to interact with the desktop). So it's perfectly possible to bounce from IE's credentials to the current user's credentials, say, using the recent RunAs vulnerability. Which is, yes, still unpatched. There are numerous ways to bounce to SYSTEM too, but MS don't regard local root exploits as being critical, but as being lesser impact which "...[don't] always require a fix being issued..." (mainly due to the design fault, and also in practice largely because the vast majority of Windows users run with Administrator rights anyway, and they're not even touching *that* mess until Vista).
For example - not wanting to give away the merest hint of expansion on an unpatched vulnerability of which Microsoft were aware, but haven't resolved - but let's just say for the sake of argument, ahem - if there was an inconsistency between, say, the magics, content type and extension sniffing MSHTML's rendering does along with SHDOCVW that causes it to take an unusual path in the code, that calls another object in that more commonly deals with actions from Explorer, which always sees it with the extension, which wouldn't be a problem, unless that's a CLSID, and if you were to put that in an iframe you could potentially run arbitrary unsafe ActiveX objects that already exist on the system in security zones that shouldn't allow that at all. Even if the kill bit's set.
A few minutes of ADODB.Stream later, or if you were adventurous, another, less travelled way that isn't as likely to set antiviruses' existing alarm bells ringing, and you have remote code execution as the current user, no matter what the security zones settings or hardenings.
Yes, this does sound very similar to a previous, patched vulnerability. I think MS have a policy of only making the smallest possible changes to most security bugfixes, deliberately trying not to fix the underlying behaviour because of the possibility of unwittingly introducing regressions in behaviour that people rely on. (Not that that's always stopped them before, and I don't always agree with their judgments on that kind of thing; for example, a hard-coded rate-limiter on outbound half-open TCP connections in XPSP2 *doesn't* slow modern worms down, because they have runtime patches to TCPIP.SYS now; change the right two bytes, 'cause they have SYSTEM access anyway, and it's pretty much a done deal, but it does seriously affect the performance of applications where sudden bursts of simultaneous connection requests are normal; segmented downloaders, and particularly swarmed ones, most of which have had to work around the change, or patch it out, hence the existence of said patches in the first place... the removal of raw sockets was another similarly bad call made in SP2.)
Unfortunately that tends to leave MS, metaphorically speaking, floating in a colander, trying to plug the holes with corks. They had a serious drive with IE XPSP2, but it's really in a state that requires more than one shakedown to approach acceptable levels. They're having another drive with IE7, but it's not as thorough.
For example, running IE as restricted users is
owns FF yet again ;)
Hail Opera! :D
Made it to that list too, mainly due to their security focus. http://www.pcworld.com/reviews/article/0,aid,120498,00.asp
Granted, Moz is #1 on that list, but it has one big bonus over Opera, that is it's FREE.
However I find this mostly true:
Firefox: The best all-around alternative to IE. Great for power users who want to add functionality to the browser, and appropriate for newbies just getting started.
Internet Explorer: Best for corporate users in controlled environments and those who spend most of their time on Microsoft-branded or IE-specific Web sites.
Netscape: Best for AOL subscribers (with AOL Instant Messenger integration) and those who are willing to put up with some rough edges to use other goodies, including an HTML editor and e-mail program.
Opera: Best for power users who keep many pages open at once and perform frequent downloads. There's an e-mail program included, but banner ads on the free version of the browser are annoying.
IE still has many more unpatched exploits than Firefox. That sounds like a real danger to me.
Yes, I'm looking at the Secunia statistics for both browsers. If you know a more complete list, show me it.
That said, when I view Firefox's "Criticality" breakdown, it says "(Based on 22 Advisories from 2003-2005)".
When I view the criticality breakdown for IE, it says "(Based on 69 advisories from 2003-2005)".
I can't believe the most critical vulnerability inherent in IE has not been mentioned yet. What I am referring to is the fact that IE is a shell to the operating system.
For the benefit of those who don't know what that means, opening up IE is effectively the equivalent of opening up a command prompt. Any command typed into IE will behave as if you typed it into a command prompt and will execute with whatever privileges you have. For most users, this will be Administrator. Another brilliant design choice.
Go ahead and type "c:\windows\system32\calc.exe" (or "c:\winnt\system32\calc.exe" depending on the name of your system directory) in IE and watch as Calc opens up. Try it with FF and you'll be prompted to save it--nothing more.
I don't know. You tell me. Which is the secure option and which is the security flaw so inexpressibly stupid it should be considered criminal negligence?
This isn't the sig you're looking for...
Even if Firefox does have some bugs, I've had it crash a lot less than IE. I've also been infected and had malicious code run thanks to IE, many times. It's never happened with Firefox.
I am a Windows 98 user, however, and Microsoft has long since forgotten about me. I'm not the only one still using this OS, there are plenty of others, and all using the same bug filled IE. So, since no security patch will ever come our way, I use Firefox.
Furthermore, Firefox is not a mature application relative to IE. Yet it works better, and most people who use it never look back. Firefox only recently reached version 1, and updates are still released fairly regularly. (And a lot more often than IE patches!) On top of that, Firefox has better features, and works in more places (Windows, Mac, *nix). Therefore the article's author's point of comparing vulnerabilities in Firefox and IE is moot, since Firefox and IE cannot be compared on this level alone.
While the vulnerabilities pile up for IE, this latest one for Firefox has not only been acknowledged, but there is a workaround to avoid it.
Theory: you
Practice: I have *NEVER* suffered an IE exploit.
In any case, I understand that html-rewriting is already a commonly-used Firefox extension anyway. (not part of the core program!) (I think it's happier as a general proxy, rather than firefox-specific.)
Free beer is free is in "costs 0 ${CURRENCY}s", while free speech is free as in "liberty, freedom and equality".
My new blog
when was the last Windows virus you heard of that erases files? they're few and far between. as the trends of the past five years of malware will attest, the costs of insecure software are in damage to local and global networks, and in the compromise of sensitive information.
"it'll still wipe out your home directory!" is no critique of a security regime. if a user has no ability to recover from data deleted by a software process, then i am left absolutely baffled wondering why they are storing that data on a failure-prone -- no... failure-inevitable -- hard disk drive.
limiting the impact of security breaches simply to the contents of /home/username is a dramatic improvement over the wild-west "everyone's an admin!" approach.
Hello, I'm still accusing you of spreading FUD and not reading TFA, because that's NOT the time period covered by the article. You're talking about a two year time period, 2003-2005. This is about a period from March 2005-September 2005, ACCORDING TO THE ARTICLE IF YOU HAD ACTUALLY READ IT. You are using 2003-2005, not the correct time period.
Don't accuse other people of making up numbers when the source is obviously mentioned
I read the article, you OBVIOUSLY DIDN'T. They clearly stated they were referring to a specific recent time period. They clearly stated that there were 40 in Firefox and 10 in IE. If you had read the article, you'd see that doesn't jibe with your numbers in the slightest.
Second, my numbers are about advisories - the root problem of the vulnerability
No, that doesn't properly explain the discrepancy in statistics. If we were to take your word as true, then there would actually be lower numbers for IE, because, according to you, there are fewer advisories than there are vulnerabilities.
HOWEVER, the numbers SHOT UP, and you completely ignored that, despite it being totally illogical and not supporting your point. The fact is, both in terms of advisories AND vulnerabilities, IE has more for the time period described in the article, read the damn article already.
I forget where it's posted, but that Firefox number is unique and I don't think counting as many copies as you think it does. I don't think it rolls back with each version but it did reset at some point. But still, my main point was that there are masses of people using it, and thus a much smaller but still relatively massive number of people looking over the source - like experts from IBM, Sun, and other companies that have a stake in it working well. Honestly, despite the figure I gave before I would be terribly surprised if more than three people total were responsible for security of IE. That's just how large companies work.
The holes may technically be as bad (though other reports say not), but if there are no actual exploits - are they REALLY as bad? A minor hole left open for a year is far worse than a major one left open for a week. Security is all about Risk Management and small risks over time are far worse than short-term ones because they have a much greater chance of being exploited.
Lastly, all I have to say is look at the front page of Slashdot today. I just can't offer more compelling evidence for the reality of the situation regardless of how the statistics around it are argued. Also it brings to light another factor - the magnitude of Firefox security exploits can NEVER be as great as IE, since Firefox is simply not baked into the OS at as low a level and thus cannot ever possibly do the same degree of damage that is possible from an IE exploit.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
> 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox.'
the numbers present a negative impact, but how fast are problems fixed? i remember 2 versions of firefox within a couple weeks of each other in response to problems found.
...but anyone with a genuine clue knows that comparative popularity aside, Microsoft do have a truly abysmal philosophy with regards to programming.
I have to wonder when these amoral trolls in the trade press (who somehow think the continuation of their employment is tied into Microsoft remaining a monopoly) are going to give up. Don't they realise that they could still make a living writing stories about Linux?
If I was an editor and had staff pumping out crap like this, it wouldn't matter which side of the fence I was on, opinion wise...they'd get fired.
Maybe it genuinely is true that autism is a prerequisite for considering moral integrity important...because I sure don't know too many muggles (the neurologically typical) who care much about it.
I'll sell you mine.
. . .
Just think, you can skirt around slashdot with your sexy new low uid. (relatively speaking of course)
Uhm my uid is lower than yours.
Can I get an eye poke?
Dog House Forum
My UID is even lower than yours. Hell, I even remember Slashdot before it had enough comments per day to require moderators (other than CmdrTaco), let alone MetaModeration. I rule.
4 DIGITS ARE WAY BETTER THAN 5!
Sorry to reply so late, I just wanted to be more specific about web services lock-in. My original post was long enough, and I didn't want to go any further off topic.
AFAIK ActiveX controls are built for the Win32 platform. So you must be on a PC running Windows to use ActiveX content, even if another browser besides IE could handle it. The lock-in here is blatantly obvious. Once your company starts using ActiveX + IE as an application frontend, they can no longer migrate to any other platform without huge redevelopment costs.
> My UID is even lower than yours. Hell, I even remember Slashdot before it had enough comments per day to require moderators (other than CmdrTaco), let alone MetaModeration. I rule.
;->
Eh, so do I. I used to post as anonymous coward back then, was always too lazy to reg.
> 4 DIGITS ARE WAY BETTER THAN 5!
Eh, there are ten times more of us than there are of you
I didn't know about said extension, and I for one have never used it, nor know anyone personally who does. Nor can a (very brief, admittedly) stint with Google or mozdev turn up such a thing. I'm not saying it doesn't exist - but if it does, it's not perhaps as commonly used as you think.
I've also suffered from very few (possibly none) IE exploits on my machine, but the "family" PC - a WinXP box - used to be forever getting hit with spyware, adware, things transparently replacing the home page/search function, and so on and so forth. (Yes, I switched it over to Firefox the best part of a year ago now, but the problems with spy/adware aren't completely gone - largely due to my mum's free game habit and my sister's Kazaa addiction.)
You and I know what we're doing with our computers. To the people using the box downstairs in the kitchen, it's just a tool, they don't want to have to think about such things.
In-house applications accessed from corporate intranet portals on secure LANs/WANs.
[...] overly-tight system integration (inflating minor security flaws into complete system compromise), [...]
Typically this occurs not because of IE's "system integration" (which is really no more "tight" than, say, khtml in KDE or WebCore in OS X) but because the user is running as an Administrator.
[...] and the way it handled MIME types based on file extensions (part of the former design flaw, really)
Yeah, that was pretty stupid. Not really a design flaw though - more of a policy mistake.
How are you remotely managing those Firefox installs for that many machines without GPOs?
Oh, I read the article. I'll grant you one thing: Firefox has more advisories listed on Secunia in the given time period.
So I beg your pardon for citing the overall numbers. I'd ask you to take a look, anyway:
Firefox experienced more advisories in March than IE. That's great. Overall, IE has still shown many more. Even if that trend continues to change, the Mozilla team has a much better response time - just take a look at some of the release dates for unpatched IE advisories (2003-03-13, 2003-08-14, 2003-11-07, 2004-02-09, 2004-04-01, etc. etc. etc.). That second date is Highly Critical, and has gone unpatched for two years. This is why we raise such an outcry against the article - for a few months, Firefox is finding more bugs, yes. They also happen to fix the problems that come their way (the oldest and most critical unpatched being a one-year-old Less Critical) far faster and more reliably.
Mac users are "operating under a false sense of security", according to Symantec, and Firefox users will have to recognize that the open-source browser is currently a greater security risk than Internet Explorer.
Story
If it's anecdotal, it must be true!
Opera is now as free as it can get!
NO banners, no registration or license fees... just Free!
Check their site out!
Alright, it shouldn't take much to explain why FF (even with its weird CSS rendering and slight website incompatibility) is better. I used to roll my eyes at everyone telling me to "USE FIREFOX!" until I learned the hard way about why I should've done it a long time ago.
I was browsing through an internet site a few months ago when a stupid popup came on screen. Shaking my head, I clicked out... and that's when all hell broke loose. That same popup came back about 1000 times, an MS-DOS prompt came up installing some nasty shit into my computer, my wallpaper was changed to a fake 'blue screen of death', it installed porn dialers, fake anti-virus/spyware programs and the whole nine yards.
This was all thanks to a little exploit in IE that was allowing some bastard's virus to control my whole computer. Not to mention it would redirect any site I typed in to a search engine... and I literally had to fight the browser to get to another site. Finally, after some fighting and a system restore/cleaning I was able to fix the problem.
Moral of this story? Not only did I learn to despise IE, but since I have moved to FF (at least 5 months now) I have never had this problem once. Furthermore, although some popups make it through FF's blocker, none have launched deadly code onto my computer.
Case in point: IE sucks.
I just had an epiphany tonight and realized that I probably got these two totally twisted around. I darted back here to check and make sure, and shoor 'nuff, I got taken back to school. Thx.
Mozilla needs to somehow snag a deal with someone like Dell or HP to be preinstalled on their new computers.
That is probably the best way for Firefox to snag any significant market share.
Being that Mozilla.org is nonprofit, I can't see that happening and that's too bad.
Netscape did it for a while, a few years back. They even still have the default home page on new HP desktops (in Internet Explorer, interestingly enough).
But then, Time Warner can afford such deals.
Scott
©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved