Slashdot Mirror


Is The Firefox Honeymoon Over?

prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"

6 of 560 comments

  1. Re: Is the Firefox Honeymoon Over? by rtkluttz · · Score: 5, Informative

    Also.. the most important factor. The Firefox community fixes the problems.

    There are flaws in IE that have been known for better than 6-8 months and still there is no fix.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
  2. Re:Quality not Quantity by Stack_13 · · Score: 5, Informative
    Criticality of vulnerabilities is quite clearly determined in the Secunia reports.

    For Mozilla, there has been 0% of extremely critical vulnerabilities and 23% of highly critical in 2003-2005, whereas for IE 14% were extremely critical and 29% highly critical in the same time period.

    Furthermore, a total of 31% (out of 69 advisories, or 21 individual cases) of IE vulnerabilities may result in system access. In Mozilla, the corresponding numbers are 18% and 4 advisories.

  3. Re: Is the Firefox Honeymoon Over? by abscondment · · Score: 5, Informative

    You need only to look at secunia.com's summaries to see through the idiocy of this article:

    Microsoft Internet Explorer 6.x - Highly Critical
    Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    vs.

    Mozilla Firefox 1.x - Less Critical
    Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    Firefox: 0% Extremely Critical
    IE: 14% Extremely Critical

    Need we say more?

  4. Can you count to 10 ? by pjrc · · Score: 4, Informative
    From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer.

    Only ten?? Guess it depends on where Internet Explorer ends and where the "operating system" begins. Many of the worst bugs haven't "officially" been MSIE bugs, but the result is that a malicious web page can take control of your system or do other things you'd never imagine it ought to be able to.

    I did a quick search of the Microsoft bulletins and found 13. And these aren't even exactly the same ones Secunia lists (two of which they say Microsoft hasn't even fixed).

    And why from March? Look at what an ugly month February was for MSIE.

    MS05-038 - aug 17
    JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988
    Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989
    COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990

    MS05-037 - jul 12
    JView Profiler Vulnerability - CAN-2005-2087

    MS05-032 - jun 14
    Microsoft Agent Vulnerability - CAN-2005-1214

    MS05-028 - jun 14
    Web Client Vulnerability - CAN-2005-1207

    MS05-026 - jun 14
    HTML Help Vulnerability - CAN-2005-1208

    MS05-025 - jun 14
    PNG Image Rendering Memory Corruption Vulnerability - CAN-2005-1211
    XML Redirect Information Disclosure Vulnerability - CAN-2002-0648

    MS05-024 - may 10
    Web View Script Injection Vulnerability - CAN-2005-1191

    MS05-020 - april 12
    DHTML Object Memory Corruption Vulnerability - CAN-2005-0553
    URL Parsing Memory Corruption Vulnerability - CAN-2005-0554
    Content Advisor Memory Corruption Vulnerability - CAN-2005-0555

    MS05-015 - feb 8
    Hyperlink Object Library Vulnerability - CAN-2005-0057

    MS05-014 - feb 8
    Drag-and-Drop Vulnerability - CAN-2005-0053
    URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054
    DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055
    Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056

    MS05-013 - feb 8
    DHTML Editing Component ActiveX Control Cross Domain Vulnerability - CAN-2004-1319

    MS05-009 - feb 8
    (PNG buffer overflow, may not affect IE, remote code execution in MSN, WMP, etc)

    MS05-008 - feb 8
    Drag-and-Drop Vulnerability - CAN-2005-0053 (yes, exploitable via web page)

    MS05-006 - feb 8
    Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049

  5. Re:Firefox is harder to manage than IE by jayloden · · Score: 4, Informative

    You know, at least one person posts on every Slashdot article about Firefox that they won't use Firefox because it doesn't come in an MSI package.

    Well, as has been pointed out numerous times over the months, the first hit on Google for "Firefox MSI package" is:
    http://msi-repository.sourceforge.net/

    Where you can get Thunderbird and Firefox MSI packages of the current stable release.

  6. meh, get it right by smash · · Score: 4, Informative
    Look at the number, and severity of *exploits* not patches.

    That's a truer representation of security.

    Mozilla usually patch flaws fairly quickly - there's flaws in IE that have been known for *years* before they were patched, if at all.

    smash.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.