Slashdot Mirror


Is The Firefox Honeymoon Over?

prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"

17 of 560 comments

  1. It seems to me... by WVDominick · · Score: 2, Interesting

    It seems to me that MS simply won't patch certain things in IE. They haven't from the very beginning. Firefox is pretty new and will always have more security issues early on. Seems simple to me.

  2. No Software is Perfect by Anonymous Coward · · Score: 1, Interesting

    No software is perfect. The people who were touting Firefox as a defect-free product were lying. Typically, such liars have a day job as salesman or director of the marketing department.

    The prime reason that we should support Firefox is that it is a well (but not perfectly) designed product and that it provides competition for Internet Explorer. One of the best innovations behind Firefox is the search-engine drop box, in which I can instantly do a search on any topic of interest. I set MSN Search as my default search engine on Firefox.

  3. Re:Apples to Apples by Anonymous Coward · · Score: 2, Interesting

    Now, I can't say this for certain, but is it possible that he's lumping in the vulnerabilities/exploits for popular 3rd party extensions (like the recent pretty big one with GreaseMonkey) with vulnerabilities/exploits for the core browser?

    Also, many of the common extensions (Adblock & Noscript, for instance) block potential Firefox vulnerabilities.

    I have run into the situation where I go to a "FF exploit proof of concept" page and the exploit doesn't work because Adblock blocks it.

  4. Re:Security isn't the only reason by daniil · · Score: 2, Interesting

    Oddly enough, I use Opera for exactly the same reason. I used to be in the Firefox camp as well, but decided to try out Opera when they were handing out free registration keys. Long story short, I tried it, loved it, switched -- and never looked back.

    --
    Man is a slave because freedom is difficult, whereas slavery is easy.
  5. Losing my mod points to say this but... by aug24 · · Score: 3, Interesting

    When FF is ten years old, like IE, he'll have a point. Right now, a 2-year-old piece of software is getting a similar number of exploits to an application that should be mature and stable and secure... but isn't.

    J.

    --
    You're only jealous cos the little penguins are talking to me.
  6. Usability. by Puls4r · · Score: 4, Interesting

    For me, it's not the number of vulnerabilities and never was. I, like most other people, used IE because it was preinstalled. I was lazy and figured "a browser's a browser". Only once I started using other browsers did I realize:

    1. There is no reason a browser should lock your operating system.
    2. There is no reason a browser should mysteriously slow down your computer.
    3. There is no reason a browser should purposefully make it difficult to change some settings.

    It's like the Messenger service that Microsoft seems DETERMINED to re-enable on my computer every time I update / patch. I know what settings I want, and the browser that lets me use those settings with a minimum of issues is the one I'll use. This isn't loyalty. It's a user-friendly program that doesn't pretend to believe it knows what I want better than I do.

  7. Re: Is the Firefox Honeymoon Over? by thc69 · · Score: 5, Interesting

    It's great that as a sysadmin/programmer using Firefox, you've had fewer problems than with IE.

    More importantly, when I switch my users to Firefox, they cease to have problems. More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.

    --
    Procrastination -- because good things come to those who wait.
  8. and how many have been fixed? by eelke_klein · · Score: 2, Interesting

    I think these reports give the answer.

    Firefox

    Internet Explorer

    To conclude, Firefox has three unpatched advisories, of which the most severe is less critical. IE has nineteen unpatched advisories, of which the most severe is highly critical. Notice that actually IE had more advisories, both patched and unpatched.

  9. Yeah? And how many of those are still unpatched? by raddan · · Score: 2, Interesting

    According to Secunia (the same source of this author's data, BTW), there are still 19 of 85 reported vulnerabilities unpatched for IE 6.x. Contrast that to the 3 of 22 unpatched vulnerabilities in Firefox. This is a much more important figure to me. The Mozilla crew gets their fixes out faster, and this is why FF is deployed company-wide for us.

    The most important thing this author should have asked is: what is the severity of these vulnerabilities? Something like a DoS is a PITA, but compared to a vulnerability that opens a machine to remote system access-- come on! Let's compare: IE Firefox

    IE integrated into the base OS gives a lot of those buffer overflows much more destructive potential than some regular old program. I'm not ruling FF out as a potential threat, but so far, it has shown itself to be far less dangerous than IE.

  10. Pffft.. by naelurec · · Score: 3, Interesting

    Should there be any surprise?

    IE6 has been out for 4 years and built on code that has been used for many years before that. With no significant features being added to IE6 and two major service packs, it would seem that the software should be (at this time) very secure. It's still not.

    Firefox has been out for less than a year. Given the age, it would stand to reason that it would have more bugs that need to be fixed. With time, it would be anticipated these will reduce.

    Firefox has more features and higher degree of compatibility with standards -- I'd expect these would introduce bugs as well that need to be fixed.

    Firefox does not have access to the resources Microsoft has (some of the best developers, huge amount of capital, sophisticated testing facilities and networks, etc..) and as a result, it would be expected there are more bugs, etc..

    Firefox is available for a wider range of platforms. Given this variance, it would be anticipated more bugs would occur as a result.

    The source to Firefox is freely available. As a result, it is very possible for a wider amount of people to look at the code and find bugs MUCH easier than with IE. As a result, more bugs should be reported.

    I could go on and on and on.. but needless to say, the fact there are more security/bug reports shouldn't be that big of a surprise. The biggest question is if the fundamental architecture of the software keeps security issues minor and if the development team is capable of keeping their software secure in a quick and efficient manner.

    I think it is pretty clear from looking at the links provided in the article that this indeed is the case. The vulnerabilities are far less critical, there are fewer outstanding issues, etc..

    I'm curious how the picture will change a year or two down the road.. IE has been pretty consistent with security issues -- I really expect Firefox security issues to decline.

  11. Number of fixes not the same as error count by SuperKendall · · Score: 2, Interesting

    So what makes these people think that because IE has fewer fixes going in, they have fewer problems to start with?

    Remember that Firefox has far more people looking at the code base for errors - so fixes generated are for problems people have seen in code that can cause an issue, even if in practice they might never be used for an exploit.

    Meanwhile in IE you have fewer people just looking over the code for errors, so patches that come out are likely because someone, somewhere, is actually USING that hole right this second!!

    Then look at the numbers for patches and see if using IE doesn't just creep you out in all sorts of ways.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  12. links? by binarybum · · Score: 2, Interesting

    Since Ou is too much of a prude to post the links to the exploits, can anyone here post them so we can get a better understanding of what the real differences are behind the different exploits?

  13. Re: Is the Firefox Honeymoon Over? by dmaxwell · · Score: 5, Interesting

    I'll give you not one but 19.

    http://secunia.com/product/11/

    Watch what you ask for, you just might get it.

  14. Re: Is the Firefox Honeymoon Over? by maxpup979 · · Score: 3, Interesting

    Just one?

    How bout this one?

    A vulnerability has been identified in a Microsoft ActiveX plugin called MCIWNDX.OCX, which possibly allows malicious HTML documents to execute arbitrary code on a vulnerable system.

    The problem is that a property called "Filename" isn't properly verified allowing malicious websites or HTML emails to cause a buffer overflow by supplying an overly long string. This could potentially be exploited to execute arbitrary code on the system.

    unpatched since: 2003-08-14

    Granted, that's only a little more than 2 years...
    hey...not important.

    But there are oodles more at:
    http://secunia.com/product/11/#advisories

    --
    God may be on your side, but Lady Luck is MY bitch
  15. Re: Is the Firefox Honeymoon Over? by _Stryker · · Score: 2, Interesting

    I have to disagree with you on this. I know a lot of people that have installed Firefox with the help or suggestion from me. When I come back to them months later and see the red arrow in the top right hand corner, I ask them "why haven't you installed your security updates". They always respond with "oh, I didn't know what that was up there so never clicked on it".

    So I would say that many FF users are probably still on older versions based on my experience.

  16. Re: Is the Firefox Honeymoon Over? by Skjellifetti · · Score: 2, Interesting

    But the submitter is right. Though code security is important, the number of users is also a huge factor.

    The coding standards and testing procedures of the project/programmers matter also. I just switched from Netscape 7 to Moz 1.7.11 and found an annoying (non-security related) bug in Moz. Looked it up in Moz's bugzilla and found it had been a problem in 1.4, patches submitted, and it was marked "fixed." And yet, 3 versions later I've found exactly the same bug. Whatever testing procedures Mozilla & Firefox are using look pretty weak, and if they don't take regression testing more seriously, I predict that they will be hit again and again by the same bugs, some of which will be security issues.

    The big advantage of Firefox is that it is not integrated with the OS in the same way that IE is. That alone is a big factor in reducing the number and severity of security bugs.

  17. Difference in "Vulnerabilities" by bahwi · · Score: 3, Interesting

    You can't simply look at the numbers, imagine 2 vulnerabilities:

    Browser A has a vulnerability, it opens access to a virus or spyware to enter your computer and get all your information while selling your children into slavery.

    Browser B has a vulnerability that hides the true url you're looking at, but makes it look funky as hell.

    Browser A gets an update 6 months down the road that fixes this problem.

    Browser B is fixed by an immediate change to the configuration, and an updated version is issued disabling that featureset. Then, shortly after, another new version is available, with that featureset back on.

    These are hypothetical, IE doesn't really sell your children into slavery. =) And I doubt my FF history is correct. But what's worse? A problem where your car explodes when driving down the "wrong street" or your seatbelt being a little sticky? Both count as 1 problem, and thus looking at numbers becomes flawed.

    Firefox finds the problems and tries to fix them asap, with 1.5 it has automatic updates and binary patching, hell yeah. IE has delayed some problems until IE7, period. FF is actively finding and fixing probs, IE fixes major ones and pushes others to the back of the line.

    And that UI guy was right, security doesn't interest non-programmers really. It's something to consider, especially in business/corporate environments, but "by the numbers" is really just asking to get yourself screwed.
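The comparison comments 9 and 17 argue for (open advisories, severity of what stays open, and time-to-patch, rather than a raw count) as an added example that is not part of the thread; the advisory records are constructed sample data, not Secunia's real figures, and the severity labels are assumed to follow Secunia's five-step scale.

```python
# Added example, not from the original thread. Summarises a per-product
# advisory list by the metrics the comments above care about instead of by
# raw count. The records below are constructed sample data, not real
# Secunia data for IE or Firefox.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed severity scale (Secunia's five levels), ordered for comparison.
SEVERITY_RANK = {"not critical": 1, "less critical": 2, "moderately critical": 3,
                 "highly critical": 4, "extremely critical": 5}

@dataclass(frozen=True)
class Advisory:
    product: str
    severity: str            # one of the SEVERITY_RANK keys
    published: date
    patched: Optional[date]  # None means still unpatched

# Constructed sample data: a few advisories per product.
SAMPLE = [
    Advisory("IE", "highly critical", date(2003, 8, 14), None),
    Advisory("IE", "less critical", date(2005, 4, 2), None),
    Advisory("IE", "moderately critical", date(2005, 5, 10), date(2005, 8, 9)),
    Advisory("IE", "highly critical", date(2005, 6, 1), date(2005, 8, 9)),
    Advisory("Firefox", "less critical", date(2005, 9, 1), None),
    Advisory("Firefox", "highly critical", date(2005, 5, 8), date(2005, 5, 12)),
    Advisory("Firefox", "moderately critical", date(2005, 7, 13), date(2005, 7, 20)),
    Advisory("Firefox", "highly critical", date(2005, 9, 9), date(2005, 9, 22)),
]

def summarize(advisories, product):
    """Total, open count, worst open severity and median days-to-patch for one product."""
    mine = [a for a in advisories if a.product == product]
    open_ = [a for a in mine if a.patched is None]
    fixed = [a for a in mine if a.patched is not None]
    # Worst severity among advisories still open; None if nothing is open.
    worst_open = max((a.severity for a in open_), key=SEVERITY_RANK.get, default=None)
    days = [(a.patched - a.published).days for a in fixed]
    return {
        "total": len(mine),
        "unpatched": len(open_),
        "worst_unpatched": worst_open,
        "median_days_to_patch": median(days) if days else None,
    }

if __name__ == "__main__":
    for product in ("IE", "Firefox"):
        print(product, summarize(SAMPLE, product))
```

With this sample both products have the same total, but only the open count, the worst open severity and the patch latency separate them, which is the point the comments make.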