Is The Firefox Honeymoon Over?
prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005, 10 vulnerabilities were published for Microsoft Internet Explorer and 40 for Mozilla Firefox. In the April-September timespan there were 6 exploits for MSIE and 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"
Also, the most important factor: the Firefox community fixes the problems.
There are flaws in IE that have been known for better than 6-8 months and still there is no fix.
Digital is, by definition, imperfect. Analog is the way to go.
For Mozilla, 0% of vulnerabilities were extremely critical and 23% highly critical in 2003-2005, whereas for IE 14% were extremely critical and 29% highly critical in the same time period.
Furthermore, a total of 31% (out of 69 advisories, or 21 individual cases) of IE vulnerabilities may result in system access. In Mozilla, the corresponding numbers are 18% and 4 advisories.
Knowledgeable? Practice good security? I'd say the same about myself, and I've *NEVER* been hit by an IE exploit.
I'd say a fundamental part of good practice with IE is to use it with an HTML rewriter. I use "The Proxomitron".
There are a couple reasons for this. First, that patch was easy to make and test, and could be pushed out in, if my research is right, exactly 6 hours from the time it was on Full Disclosure to the time the patch was publicly available. The actual patch needed more than six hours to be made, tested, etc.
Also, several other security fixes are being put in to 1.0.7, which will be the patch for this.
There are 11 types of people in the world: those who can count in binary, and those who can't.
You need only to look at secunia.com's summaries to see through the idiocy of this article:
Firefox: 0% Extremely Critical
vs.
IE: 14% Extremely Critical
Need we say more?
This author picked a date range that favored IE on the surface, and then quoted some pretty useless numbers which were skewed toward IE for the casual observer. Better numbers would be how many vulnerabilities REMAIN OPEN and HOW LONG they took to close from report date to fix date. I went to Secunia and pulled the following statistics.

In 2005:
-- Firefox had 18 advisories posted. 1 remains unfixed, 1 remains partially fixed, 16 are fixed.
-- IE 6.x had 11 advisories posted. 5 remain unfixed, 1 remains partially fixed, and 5 are fixed.

Looking from 2003-2005:
-- Firefox 1.x had 22 advisories posted (1 partial fix and 3 unfixed still)
-- IE 6.x had 69 advisories posted (10 partial fix and 19 unfixed still)

On criticality of any advisory ever issued:
-- Firefox has had 0% extremely, 23% highly and 36% moderate
-- IE has had 14% extremely, 29% highly and 20% moderate

If you want tons more stats and graphs, go to...
http://secunia.com/product/11/ (IE stats @ Secunia)
http://secunia.com/product/4227/ (Firefox stats @ Secunia)
Use WinINSTALL and make your own MSI of the update changes.
Don't attribute your failings to the browser. Just because you may not know a good way of managing updates doesn't mean it doesn't exist.
-dk
Dream with the feathers of angels stuffed beneath your head.
Only ten?? Guess it depends on where Internet Explorer ends and where the "operating system" begins. Many of the worst bugs haven't "officially" been MSIE bugs, but the result is that a malicious web page can take control of your system or do other things you'd never imagine it ought to be able to.
I did a quick search of the microsoft bulletins and found 13. And these aren't even exactly the same ones Secunia lists (two of which they say Microsoft hasn't even fixed).
And why from March? Look at what an ugly month February was for MSIE.
MS05-038 - aug 17
JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988
Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989
COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990
MS05-037 - jul 12
JView Profiler Vulnerability - CAN-2005-2087
MS05-032 - jun 14
Microsoft Agent Vulnerability - CAN-2005-1214
MS05-028 - jun 14
Web Client Vulnerability - CAN-2005-1207
MS05-026 - jun 14
HTML Help Vulnerability - CAN-2005-1208
MS05-025 - jun 14
PNG Image Rendering Memory Corruption Vulnerability - CAN-2005-1211
XML Redirect Information Disclosure Vulnerability - CAN-2002-0648
MS05-024 - may 10
Web View Script Injection Vulnerability - CAN-2005-1191
MS05-020 - april 12
DHTML Object Memory Corruption Vulnerability - CAN-2005-0553
URL Parsing Memory Corruption Vulnerability - CAN-2005-0554
Content Advisor Memory Corruption Vulnerability - CAN-2005-0555
MS05-015 - feb 8
Hyperlink Object Library Vulnerability - CAN-2005-0057
MS05-014 - feb 8
Drag-and-Drop Vulnerability - CAN-2005-0053
URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054
DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055
Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056
MS05-013 - feb 8
DHTML Editing Component ActiveX Control Cross Domain Vulnerability - CAN-2004-1319
MS05-009 - feb 8
(PNG buffer overflow, may not affect IE, remote code execution in MSN, WMP, etc)
MS05-008 - feb 8
Drag-and-Drop Vulnerability - CAN-2005-0053 (yes, exploitable via web page)
MS05-006 - feb 8
Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049
PJRC: Electronic Projects, 8051 Microcontroller Tools
You know, at least one person posts on every slashdot article about Firefox that they won't use Firefox because it doesn't come in an MSI package.
Well, as has been pointed out numerous times over the months, the first hit on Google for "Firefox MSI package" is:
http://msi-repository.sourceforge.net/
Where you can get thunderbird and firefox MSI packages of the current stable release.
That's a truer representation of security.
Mozilla usually patches flaws fairly quickly; there are flaws in IE that have been known for *years* before they were patched, if at all.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I can't believe the most critical vulnerability inherent in IE has not been mentioned yet. What I am referring to is the fact that IE is a shell to the operating system.
For the benefit of those who don't know what that means, opening up IE is effectively the equivalent of opening up a command prompt. Any command typed into IE will behave as if you typed it into a command prompt and will execute with whatever privileges you have. For most users, this will be Administrator. Another brilliant design choice.
Go ahead and type "c:\windows\system32\calc.exe" (or "c:\winnt\system32\calc.exe" depending on the name of your system directory) in IE and watch as Calc opens up. Try it with FF and you'll be prompted to save it--nothing more.
I don't know. You tell me. Which is the secure option and which is the security flaw so inexpressibly stupid it should be considered criminal negligence?
This isn't the sig you're looking for...
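As an added illustration (not code from this thread, and not how either browser is actually implemented), here is a small Python model of the two address-bar policies the post above contrasts: one that hands a typed local path to the shell, so a path ending in an executable gets launched, and one that only ever reads the file and offers an executable for saving. The classifier, the extension list and the sample inputs are all assumptions made for the example; note that a bare drive path like `c:\...` has to be recognised before URL parsing, because `c:` otherwise looks like a URL scheme.

```python
"""Model of two address-bar policies (added example; assumptions throughout).

classify()       - decides whether the typed text is a web URL or a local path,
                   accepting drive paths, UNC paths and file:// URLs.
shell_policy()   - the behaviour the post attributes to IE: local paths go to
                   the shell, so an executable path is launched.
browser_policy() - the behaviour the post attributes to Firefox: local paths
                   are only read; an executable is offered for saving.
"""
import os
import re
from urllib.parse import urlsplit

# Assumed set of extensions the shell would launch rather than display.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".js", ".msi", ".hta"}

_DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")   # c:\dir\file or c:/dir/file
_UNC_PATH = re.compile(r"^\\\\[^\\]+\\")       # \\server\share\file


def classify(typed):
    """Return ('local', windows_path) or ('url', text).

    Drive and UNC paths are checked first: urlsplit('c:\\x') would report
    scheme 'c', so URL parsing must not see them.
    """
    s = typed.strip()
    if _DRIVE_PATH.match(s) or _UNC_PATH.match(s):
        return ("local", s)
    parts = urlsplit(s)
    if parts.scheme == "file":
        if parts.netloc:  # file://server/share/x -> \\server\share\x
            path = "\\\\" + parts.netloc + parts.path
        else:             # file:///C:/x -> C:\x
            path = parts.path.lstrip("/")
        return ("local", path.replace("/", "\\"))
    return ("url", s)


def is_executable(path):
    return os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS


def shell_policy(typed):
    """Local paths are handed to the shell; executables get launched."""
    kind, value = classify(typed)
    if kind == "local":
        return ("execute", value) if is_executable(value) else ("open", value)
    return ("navigate", value)


def browser_policy(typed):
    """Local paths are only read; executables are offered for download."""
    kind, value = classify(typed)
    if kind == "local":
        return ("save", value) if is_executable(value) else ("render", value)
    return ("navigate", value)


if __name__ == "__main__":
    # Constructed sample inputs, including the calc.exe case from the post.
    for typed in (r"c:\windows\system32\calc.exe",
                  "file:///C:/Windows/system32/calc.exe",
                  r"\\fileserver\tools\setup.bat",
                  r"c:\docs\readme.htm",
                  "http://example.invalid/"):
        print(f"{typed!r:45} shell={shell_policy(typed)[0]:8} "
              f"browser={browser_policy(typed)[0]}")
```

The point of the split into `classify` and the two policies is that the dangerous decision is not the parsing but the dispatch: both policies agree on what was typed, and only the shell-style policy turns that into a process launch.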