Is The Firefox Honeymoon Over?
prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In the April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"
Also, the number of security flaws reported is meaningless. A security hole could be very serious, or completely inconsequential.
And by the way, the article is extremely short, and doesn't actually give much useful info beyond what was in the slashdot summary, so please think twice before clicking through to TFA and steering ad revenue to zdnet.
Find free books.
Actually, winamp is a bad example...
Type winamp exploit into google some time.
http://www.mashada.com/forums/index/show_topic/60
1) Small memory footprint
2) Excellent stability on Linux and FreeBSD
3) The way extensions work no matter which version you have. Upgrade a minor or major version, the extensions are still there, all working properly.
4) How themes work no matter which version you have.
5) How the Firefox start page doesn't default to any specific commercial search engines, but lets you choose.
6) How the popups are blocked on sites like SitePoint.com
I don't recall anyone ever saying Firefox was defect free. All I recall is people saying it's BETTER -- there's a difference between 'better' and 'defect-free'.
Show this to your friends and family that don't know what a real hacker is
Also.. the most important factor. The Firefox community fixes the problems.
There are flaws in IE that have been known for better than 6-8 months and still there is no fix.
Digital is, by definition, imperfect. Analog is the way to go.
I find it very interesting that 9 times out of 10, if I ask someone why they use Firefox, the response is "Tabbed Browsing" or "It's not Microsoft."
As a developer, I have found Firefox to be almost unusable in many instances:
1) They implemented CSS, but none of the old CSS. This means when you change a cursor to a "hand", it won't recognize it.
2) It also leaves you unable to create custom variables in HTML tags. This leaves out ease of use in dynamic information systems.
3) You cannot call a style of a document object directly, you must first call the object, then on a separate line, call that object's style you want. Just plain inefficient.
4) You cannot use span tags or div tags even remotely how you can in IE (and some cases even in Safari!).
5) They took out many Javascript functionalities because they simply couldn't implement them correctly. (.focus())!
In the end, it's frustrating that in Firefox you must deal with coding around what they left out, because it's more "secure", and as we now know, it's not even more secure! And thank you to Firefox for making me have to download a plug-in every time I want something to work like it should. It's just not what everyone seems to think it is. Is it just an excuse to name drop something new??
Ubuntu, the way linux should be.
Try Ubuntu FREE! --
For Mozilla, there have been 0% extremely critical vulnerabilities and 23% highly critical in 2003-2005, whereas for IE 14% were extremely critical and 29% highly critical in the same time period.
Furthermore, a total of 31% (out of 69 advisories, or 21 individual cases) of IE vulnerabilities may result in system access. In Mozilla, the corresponding numbers are 18% and 4 advisories.
Knowledgeable? Practice good security? I'd say the same about myself, and I've *NEVER* been hit by an IE exploit.
I'd say a fundamental part of good practice with IE is to use it with an HTML rewriter. I use "The Proxomitron".
There are a couple reasons for this. First, that patch was easy to make and test, and could be pushed out in, if my research is right, exactly 6 hours from the time it was on Full Disclosure to the time the patch was publicly available. The actual patch needed more than six hours to be made, tested, etc.
Also, several other security fixes are being put in to 1.0.7, which will be the patch for this.
There are 11 types of people in the world: those who can count in binary, and those who can't.
You need only to look at secunia.com's summaries to see through the idiocy of this article:
vs.
Firefox: 0% Extremely Critical
IE: 14% Extremely Critical
Need we say more?
Ummm, Firefox tells you when there is a new version out. It is the little green tree next to the spinning circle of dots when you load a page. If there is an urgent release, actually I don't know the criteria or the labelling, the tree is red to indicate there is a new version. It seems if there is a plug-in update, the tree is green. But like I said, I don't know the exact meaning nor have I looked it up, but it hasn't failed me yet. I wasn't really aware of this until I clicked on it and it asked me if I wanted to get the newest Firefox, and this was a minor 1.0.x version. However, I don't know when this was implemented. In addition, any reader of /. knows exactly when a new version is released because it is always announced. That is how I usually find out about releases.
Note that only one of those is a 'critical' flaw, and that one is an ActiveX buffer overflow that can be avoided by just not using ActiveX. The rest are spoofing or system information flaws.
This author picked a date range that favored IE on the surface, and then quoted some pretty useless numbers which were skewed toward IE for the casual observer. Better numbers would be how many vulnerabilities REMAIN OPEN and HOW LONG they took to close from report date to fix date...

I went to Secunia and pulled the following statistics.

In 2005:
-- Firefox had 18 advisories posted. 1 remains unfixed, 1 remains partially fixed, 16 are fixed.
-- IE 6.x had 11 advisories posted. 5 remain unfixed, 1 remains partially fixed, and 5 are fixed.

Looking from 2003-2005:
-- Firefox 1.x had 22 advisories posted (1 partial fix and 3 unfixed still)
-- IE 6.x had 69 advisories posted (10 partial fix and 19 unfixed still)

On criticality of any advisory ever issued:
-- Firefox has had 0% extremely, 23% highly and 36% moderate
-- IE has had 14% extremely, 29% highly and 20% moderate

If you want tons more stats and graphs, go to...
http://secunia.com/product/11/ (IE stats @ Secunia)
http://secunia.com/product/4227/ (Firefox stats @ Secunia)
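The post above argues that open-advisory counts and time-to-fix say more than raw totals. The following is an added example (not code from the thread or from Secunia) that computes exactly those measures over a constructed advisory table; the rows and the field names are made up for the demonstration, not Secunia's real figures.

```javascript
// Added example, not from the thread: rating an advisory record by the measures
// the comment above proposes (how many advisories remain open and how long fixes
// took) instead of by the raw count. The rows are constructed sample data, not
// Secunia's real figures; "partial" marks an advisory with only a partial fix.
const SAMPLE_ADVISORIES = [
  { product: "ff", crit: "Highly",    published: "2005-03-02", fixed: "2005-03-06", partial: false },
  { product: "ff", crit: "Moderate",  published: "2005-05-10", fixed: "2005-05-20", partial: false },
  { product: "ff", crit: "Less",      published: "2005-07-01", fixed: null,         partial: true },
  { product: "ff", crit: "Moderate",  published: "2005-08-15", fixed: null,         partial: false },
  { product: "ie", crit: "Extremely", published: "2005-02-08", fixed: "2005-02-08", partial: false },
  { product: "ie", crit: "Highly",    published: "2005-01-10", fixed: null,         partial: false },
  { product: "ie", crit: "Highly",    published: "2005-04-01", fixed: "2005-06-14", partial: false },
  { product: "ie", crit: "Moderate",  published: "2005-03-20", fixed: null,         partial: true },
  { product: "ie", crit: "Less",      published: "2005-06-01", fixed: null,         partial: false },
];

const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days from publication to fix; both strings are ISO dates, which
// Date.parse reads as UTC, so no time-zone drift creeps into the difference.
function daysBetween(from, to) {
  return Math.round((Date.parse(to) - Date.parse(from)) / DAY_MS);
}

function median(values) {
  if (values.length === 0) return null;
  const sorted = [...values].sort((a, b) => a - b);
  const mid = sorted.length >> 1;
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Summarise one product's record: fix-status counts, share still exposed
// (open or only partially fixed), median days to a fix, and criticality mix.
function summarise(advisories, product) {
  const rows = advisories.filter((r) => r.product === product);
  const fixed = rows.filter((r) => r.fixed !== null);
  const partial = rows.filter((r) => r.fixed === null && r.partial);
  const open = rows.filter((r) => r.fixed === null && !r.partial);
  const critPct = {};
  for (const r of rows) critPct[r.crit] = (critPct[r.crit] || 0) + 1;
  for (const k of Object.keys(critPct)) critPct[k] = Math.round((100 * critPct[k]) / rows.length);
  return {
    total: rows.length,
    fixed: fixed.length,
    partial: partial.length,
    open: open.length,
    pctExposed: Math.round((100 * (open.length + partial.length)) / rows.length),
    medianDaysToFix: median(fixed.map((r) => daysBetween(r.published, r.fixed))),
    critPct,
  };
}
```

With the constructed rows, `summarise(SAMPLE_ADVISORIES, "ie")` reports 60% still exposed and a 37-day median fix time against 50% and 7 days for "ff", even though the raw totals (5 vs 4) look almost the same.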
... George Ou, on numerous occasions, infuriates me with his editorials. I am not the Linux zealot that most Slashdot readers are (in fact I'm a .Net developer), but his articles and conclusions offend many educated readers.
He recently published a PGP vs. PKI article (I would link the article, but I am not giving him another web hit) where he was continually debunked by posters and PKI implementers because he stated that PKI was "too difficult". He couldn't grasp the concept that each job requires a different tool and one that fits the requirements best.
He constantly replies back on his blog through the Talkback feature ZDNet has (not that responding to user input is a bad thing) and does so with a level of arrogance that drips off the page. I refuse to even read his columns anymore and refuse to +1 his counters. Many users have already commented - there are too many reporters acting as technical experts disseminating information that is misleading.
Hagrin.com
use wininstall, make your own MSI of the update changes
don't attribute your failings to the browser. just because you may not know a good way of managing updates doesn't mean it doesn't exist.
-dk
Dream with the feathers of angels stuffed beneath your head.
Rolling out updates to Firefox is insanely easy. "Firefox Setup 1.0.6.exe -ms" is the command line you need for a completely silent install. I haven't needed to repackage Firefox for distribution via SMS. If I didn't have SMS, I'd just have to set up a network share for the installer and then use Scheduled Tasks to run the command line as admin. Or create a batch file to do a "runas" and put it in the login script. If you're including extensions in your standard Firefox rollout, then you are definitely looking at repackaging Firefox with the extensions each time there's an update. It's not impossible, but it is more difficult than it should be.
Only ten?? Guess it depends on where Internet Explorer ends and where the "operating system" begins. Many of the worst bugs haven't "officially" been MSIE bugs, but the result is that a malicious web page can take control of your system or do other things you'd never imagine it ought to be able to.
I did a quick search of the microsoft bulletins and found 13. And these aren't even exactly the same ones Secunia lists (two of which they say Microsoft hasn't even fixed).
And why from March? Look at what an ugly month February was for MSIE.
MS05-038 - aug 17
JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988
Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989
COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990
MS05-037 - jul 12
JView Profiler Vulnerability - CAN-2005-2087
MS05-032 - jun 14
Microsoft Agent Vulnerability - CAN-2005-1214
MS05-028 - jun 14
Web Client Vulnerability - CAN-2005-1207
MS05-026 - jun 14
HTML Help Vulnerability - CAN-2005-1208
MS05-025 - jun 14
PNG Image Rendering Memory Corruption Vulnerability - CAN-2005-1211
XML Redirect Information Disclosure Vulnerability - CAN-2002-0648
MS05-024 - may 10
Web View Script Injection Vulnerability - CAN-2005-1191
MS05-020 - april 12
DHTML Object Memory Corruption Vulnerability - CAN-2005-0553
URL Parsing Memory Corruption Vulnerability - CAN-2005-0554
Content Advisor Memory Corruption Vulnerability - CAN-2005-0555
MS05-015 - feb 8
Hyperlink Object Library Vulnerability - CAN-2005-0057
MS05-014 - feb 8
Drag-and-Drop Vulnerability - CAN-2005-0053
URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054
DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055
Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056
MS05-013 - feb 8
DHTML Editing Component ActiveX Control Cross Domain Vulnerability - CAN-2004-1319
MS05-009 - feb 8
(PNG buffer overflow, may not affect IE, remote code execution in MSN, WMP, etc)
MS05-008 - feb 8
Drag-and-Drop Vulnerability - CAN-2005-0053 (yes, exploitable via web page)
MS05-006 - feb 8
Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049
PJRC: Electronic Projects, 8051 Microcontroller Tools
You know, at least one person posts on every slashdot article about Firefox that they won't use Firefox because it doesn't come in an MSI package.
Well, as has been pointed out numerous times over the months, the first hit on Google for "Firefox MSI package" is:
http://msi-repository.sourceforge.net/
Where you can get thunderbird and firefox MSI packages of the current stable release.
http://secunia.com/product/4227/
This shows you all the vulnerabilities they mention. The article doesn't link the exploits unfortunately.
ActiveX is not a big part of the bugs or of a poor design. It is just a misfeature. Microsoft could overnight throw out ActiveX and be in the same position as Firefox when it comes to those controls, as such it is not a fundamental design flaw. On the other side of the coin: ActiveX is a bad idea in practice. It is not due to Microsoft bugs or flawed design, it is just a fundamentally flawed idea since application developers deploy stupid things and users do stupid things. Microsoft has made moves to improve the situation, demoting the ActiveX confirmation dialog to be a right-click option on the "popup"-bar in SP2 was a move in the right direction for instance.
You mean like Unix? What an innovation!
Microsoft has been behind in security design for over a decade. I was working in Unix, which is capable of doing the things you're calling revolutionary, when I was in junior high a full uhm.... Longer than I want to think about... ago. Everything is a file and files have - while not a perfect permissions system - at least something which is designed for multi-user and therefore easily modifiable to multi-permission. Call BS all you want, but M$ has a lot of spaghetti code in your computer....
Sure it is something. But it is not used well in desktop applications (applications can all write to your home directory with your session startup scripts and so, wreck your data or whatever else they please). One could run them as dummy users that can't write to your home directory, but that'd make for an extremely confusing and inconvenient application. One could with some care and a whole lot of dummy users and setuid scripts copying things about in intelligent ways create the same kind of security model that Microsoft are doing for IE7. Problem is that it isn't a very good design and more importantly, no one appears to be doing it.
Even if possible it does not help if no one does it, and even if it gets done it will not be as nice as Microsoft's framework that utilizes the much better security model provided by NT. Now, as I said, if it works out for Microsoft there will no doubt be some movement to get something going on Linux as well, but credit where credit is due. Microsoft is doing something interesting here.
That's a truer representation of security.
Mozilla usually patch flaws fairly quickly - there's flaws in IE that have been known for *years* before they were patched, if at all.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Best for the user right now is probably Opera - no one is willing to pay for a browser so there aren't really that many people willing to mess around with writing viruses and crap for it.
Opera is free as in beer btw. And it's exactly the same browser as if you pay for it. Unless you think about the tiny Google ad bar at the top.
You only need to pay if you want the banner removed and official support from the company.
Nicolas Mendoza
Prepare for MSIE 7
I installed Firefox myself. Until I read your post, -I- didn't know about said red arrow. Of course, I periodically update it anyway, so it's not a big deal, and since I don't see what you're talking about, I assume I'm up-to-date enough, but....
Anyway, I sort-of like the "There is an update available. Would you like to install it?" dialog on launch that a lot of apps do. Just so long as it isn't broken like the one in Adobe Acrobat Reader. Running 1.5.0 and it says "A new version 1.50 is available," which turns out to be the same version.... (That's probably not the right version number, but you get the idea.)
Check out my sci-fi/humor trilogy at PatriotsBooks.
Nowhere near the (28% + 3% + 13%) = 44% for MSIE6, of course, but 24% is still pretty high.
Comparing Criticality, FF has 23% "Highly Critical" whilst IE has 14% Extremely Critical + 29% Highly Critical = 43%. That really is bad for IE.
Of course, numbers prove very little, and there's lots of room for reinterpreting these figures (availability of FF source can make vulns easier to find and exploits easier to write; huge IE install base increases likelihood of discovery and increased incentive to exploit, etc).
Author, Shell Scripting : Expert Re
ActiveX is not a big part of the bugs or of a poor design. It is just a misfeature. Microsoft could overnight throw out ActiveX and be in the same position as Firefox when it comes to those controls, as such it is not a fundamental design flaw.
Actually, (for example) IE implements the XMLHTTPRequest (javascript) object as an ActiveX control. This is a favourite new toy for very spiffy interactive webpages (think AJAX). Examples of things that break if you turn ActiveX off: Gmail, google maps, google suggest.. etc.
This in turn causes users to not turn off ActiveX (the tin-foil-hat crowd would tell you this isn't a coincidence) because it would fundamentally break many really useful websites.
Reinard
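To make the point above concrete, here is an added example (not code from the thread) of the feature-detection pattern AJAX-era pages used to obtain an XMLHttpRequest object. On IE 6 the only route is the ActiveX control, so with ActiveX disabled the fallback fails and the page loses its dynamic features; the `globalObj` parameter and the three fake window objects are constructed stand-ins for testing outside a browser, while the two ProgID strings are the real ones.

```javascript
// Added example, not from the thread: why "turn ActiveX off" breaks AJAX sites
// on IE 6. Browsers with a native XMLHttpRequest never touch ActiveX; IE 6 has
// no native object and must instantiate an ActiveX control instead.
// globalObj stands in for the browser's window so this runs outside a browser.
const XHR_PROGIDS = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"]; // real MSXML ProgIDs

function createXhr(globalObj) {
  // Preferred path (Firefox, Opera, Safari, IE7+): no ActiveX involved.
  if (typeof globalObj.XMLHttpRequest === "function") {
    return { kind: "native", progId: null, xhr: new globalObj.XMLHttpRequest() };
  }
  // IE 6 path: needs ActiveX enabled for the current security zone.
  if (typeof globalObj.ActiveXObject === "function") {
    for (const progId of XHR_PROGIDS) {
      try {
        return { kind: "activex", progId, xhr: new globalObj.ActiveXObject(progId) };
      } catch (e) {
        // ProgID not registered, or ActiveX blocked by zone settings: try the next one.
      }
    }
  }
  // Neither route worked: the page's AJAX features are unavailable.
  return { kind: "none", progId: null, xhr: null };
}

// Constructed stand-ins for window (not real browser objects).
function FakeNativeXhr() {}
function makeActiveXObject(allowedProgIds) {
  // Mimics IE: construction throws when the control cannot be created.
  return function ActiveXObject(progId) {
    if (!allowedProgIds.includes(progId)) throw new Error("Automation server can't create object");
    this.progId = progId;
  };
}
const MODERN_WINDOW = { XMLHttpRequest: FakeNativeXhr };
const IE6_ACTIVEX_ON = { ActiveXObject: makeActiveXObject(XHR_PROGIDS) };
const IE6_ACTIVEX_OFF = { ActiveXObject: makeActiveXObject([]) };
```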
I do some Web development and, while I'm not the ultimate Web Guru, some people actually pay me to do it. I don't follow security as closely as I should, perhaps, but this is about browser choice. And security is not the only factor to consider.
I have not invested in a subscription to MSDN. So, most of my references are either from books with strange animals on the covers or from the W3C recommendations.
I use my references and create a Web site for a client. Then I proceed to testing with Firefox, Mozilla, Netscape, Opera, and IE. What I have found is that, in Firefox, Mozilla, and (most of the time) Netscape, it usually all works just as expected. In Opera, a few changes are required. In IE, however, it almost never works like it should.
To be completely fair, I have to say that none of the popular browsers seem to get the W3C recommendations right 100% of the time (but that might be me getting it wrong :)). Sometimes (rarely), I must admit, it even seems like IE's interpretation of the W3C recommendation makes more sense. However, after using all of the browsers I test with, and a few others, I have to say that I choose Firefox.
Yes, I'm looking at the Secunia statistics for both browsers. If you know a more complete list, show me it.
That said, when I view Firefox's "Criticality" breakdown, it says "(Based on 22 Advisories from 2003-2005)".
When I view the criticality breakdown for IE, it says "(Based on 69 advisories from 2003-2005)".
I can't believe the most critical vulnerability inherent in IE has not been mentioned yet. What I am referring to is the fact that IE is a shell to the operating system.
For the benefit of those who don't know what that means, opening up IE is effectively the equivalent of opening up a command prompt. Any command typed into IE will behave as if you typed it into a command prompt and will execute with whatever privileges you have. For most users, this will be Administrator. Another brilliant design choice.
Go ahead and type "c:\windows\system32\calc.exe" (or "c:\winnt\system32\calc.exe" depending on the name of your system directory) in IE and watch as Calc opens up. Try it with FF and you'll be prompted to save it--nothing more.
I don't know. You tell me. Which is the secure option and which is the security flaw so inexpressibly stupid it should be considered criminal negligence?
This isn't the sig you're looking for...