Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Users Surf Safer

Posted by ryuzaki0 on from the loose-browsers-sink-ships dept.

SenseOfHumor writes "According to two University of Washington Professors, Firefox users have a safer browsing experience than users of IE. These researchers sent their crawlers to 45,000 websites and studied the impact on Firefox and IE." From the article: "Levy and Gribble, along with graduate students Alexander Moshchuk and Tanya Bragin, set up IE in two configurations -- one where it behaved as if the user had given permission for all downloads, the other as if the user refused all download permission -- to track the number of successful spyware installations. During Levy's and Gribble's most recent crawl of October 2005, 1.6 percent of the domains infected the first IE configuration, the one mimicking a nave user blithely clicking 'Yes;' about a third as many domains (0.6 percent) did drive-by downloads by planting spyware even when the user rejected the installations."

12 of 240 comments (clear)

  1. Or 100% if its a new installation... by Anonymous Coward · · Score: 0, Informative

    Installing from an original Windows XP CD, I get infected before I can apply windows patches, without vising *ANY* websites! ARGH!

    1. Re:Or 100% if its a new installation... by Durinthal · · Score: 2, Informative

      It may be flamebait, but it's true. About a year ago I was helping set up a friend's computer with a clean install of XP, and a couple of minutes after first booting it was already infected, despite never opening a browser.

    2. Re:Or 100% if its a new installation... by drinkypoo · · Score: 4, Informative

      Heh heh. Here's how you avoid that: On XPSP1 installs, turn on the firewall before connecting. On XP without SP, you use the IP Filtering option, which has been there at least since NT4, and probably 3.51. Filter all incoming connections of all three filterable types (ICMP, TCP, UDP.)

      I know you were just making a funny but maybe this will help someone clueless... or, if you were serious, someone more clueless.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Or 100% if its a new installation... by Anonymous Coward · · Score: 1, Informative

      A better idea is to keep a hardware firewall handy.

      Or even better yet, keep a copy of SP2 slipstreamed into Windows XP. Saves alot of time with having to patch too.

    4. Re:Or 100% if its a new installation... by Aeiri · · Score: 2, Informative

      big deal...last year, you could install a fresh linux server install while connected to the internet, and within 5 minutes 2 scripts running out of the west coast would have your root password changed...we tested it first hand several times with red hat...intall it while connected to the ethernet through a router/firewall ot the internet...and boom...root password changed within 5 minutes. The sources of these scripts were california and alaska..and there are/were many more like it that we researched and found.....so by the logic on this board, linux is now crappy insecure bloatware constructed by an evil corporation.....

      I'm not quite sure what to say to that...

      I don't think you could have a telnet server running on a system with a blank root/admin password behind a router and get hacked in 5 minutes, that's Windows, Linux, FreeBSD, Solaris... ANYTHING.

      Even if your router is extremely old and unsupported, people probably won't have worms/malware/viruses/whatever searching for routers like that constantly, that's absurd. New-ish and Newer routers are usually supported by their company, so I'm not quite sure what you are talking about.

      I've had a fresh install of Windows XP installed on my network (behind a router), no SP1, no SP2, no patches, no firewall, nothing, and it has never been infected by viruses (I periodically run HouseCall and NAV, which has auto-protect disabled), spyware (at that time I also run spybot (no teatimer), adaware and a couple other spyware removal things on it), or any type of malware on it.

      It's been up for years, and it's never had any problems. Considering the proliferation of Windows attacks out there, the router seems to be more than enough to protect that PC. How in the world did Linux of all things (small marketshare, I'm not going to get into a security discussion) get rooted in 5 minutes?

      Mods, your Insightful rating for this post was way off. I call -1, Bullshit.

    5. Re:Or 100% if its a new installation... by pclminion · · Score: 4, Informative
      He might not be bullshitting (well, the part about being firewalled might be crap). Back in the late 90's I had a Red Hat machine get rooted before it was even done installing. I'd configured the network information with a public IP address, there was no firewall. Flaw in ftpd if I remember right. Since then I leave the network unplugged until the install is complete and I've got the network set up safely.

      I don't remember the particular release of Red Hat.

  2. Re:Post this in Public Somewhere by CyricZ · · Score: 2, Informative

    If we're dealing with solid software, written by those with a clue, a lack of security should have no relation to the market share.

    Look at Apache, for instance. It is used by an estimated 60% (if not more) of all web sites. But we rarely hear about serious security issues. Sure, bugs and exploits do crop up occasionally, but nowhere near at the rate of its competitors.

    Likewise, if Firefox is a well-written application, then it should be secure if it has one user, or if it has hundreds of millions of users. Unfortunately, the recent 1.5.x release of Firefox went poorly, and many these days are doubting its degree of security. A rushed development cycle, built upon a base that isn't exactly ideal, can lead to security issues.

    Let me reiterate: the security of a program is based on its development process and developers, not on the number of users it has.

    --
    Cyric Zndovzny at your service.
  3. They used unpatched browsers by I'm+Don+Giovanni · · Score: 3, Informative

    According to the article, "We can't say IE is any less safe," explained Levy, "because we choose to use an unpatched version [of each browser.] We were trying to understand the number of [spyware] threats, so if we used unpatched browsers then we would see more threats."

    So reporting this on CNN and the like wouldn't have the impact that you hope it would. In fact, this study might be useful in studying malware but is meaningless in comparing FF with IE regarding security (as they rightfully admit).

    --
    -- "I never gave these stories much credence." - HAL 9000
  4. Re:How about a four-way matchup... by Spy+Hunter · · Score: 5, Informative
    They used computers running Windows XP without Service Packs 1 or 2. They tested IE 6.0 (no details about any patch installs separate from the [lack of] service packs) against Firefox 1.0.6. This is all from their paper (warning pdf), which has numerous other details.

    Somebody should start a news site that takes all the top news stories, finds the original research or primary source, and links to that instead of the dumbed-down yet sensationalistic news wire blurbs and blog whores. I know I'd appreciate it.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  5. Re:Post this in Public Somewhere by TheRaven64 · · Score: 2, Informative
    I wonder if you are familiar with the phrase 'ex falso quodlibet.' If FireFox is a well-written application, then it should be secure. Over the last year or two, however, I have noticed a strong tendency amongst the developers to prefer adding features to fixing 'minor' bugs.

    Ever wondered why OpenBSD is so secure? In part, it's because they don't differentiate between bugs which they know how to exploit, and ones they don't. If they find a bug, they categorise it and scour the code base for instances of the same class of bug. Then they go back to adding features. Then, when someone else works out a way of exploiting that kind of bug, they find that OpenBSD is not vulnerable.

    If a program is well written, then exposing it to a larger audience will make it a larger target, but it will still be difficult to hit. If it is not, then more exposure makes it an easy, and more attractive target.

    --
    I am TheRaven on Soylent News
  6. Re:Does it count if Spyware... by drinkypoo · · Score: 2, Informative

    AdAware's obsolete if you don't pay for it anyway - they stopped updating the free version a long time ago. I would pay for spybot if I needed a corporate version, because it's free, but I would now NEVER EVER pay for AdAware and I try to encourage everyone else in the same direction, just because I'm a bitchy fucker and I don't think that security should cost money.

    I, too, have not been infected with anything since I stopped using IE and started using a firewall - which was quite some time ago. You do need the firewall though, because you never know when someone's going to find a hole in some service that should never have been open to the world at large anyway, like RPC...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:Who was the target? by argent · · Score: 2, Informative

    Of course IE is unsafe, because it is the primary target.

    IE is the primary target because it is unsafe.

    Even back when IE was the minority browser, in 1997, when MS introduced "Active Desktop" it opened up a MASSIVE flood of malware targeting the gaping hole they created. There was no similar attack on netscape or Mosaic.

    No, IE is the primary target because it is unsafe, and it (or more properly the HTML control) is unsafe because it is inherently unsafe to give one component that kind of responsibility over rights when it has no mechanism to unambiguusly determine whether a document can be trusted.

    The security zones model is unfixable without changing the API. ALL existing applications that use the HTML control will have to be modified to control the execution of active content if Microsoft is to have a hope in hell of solving the problem.

    This was true last century, it's true this century. That is is the most common browser makes things worse, but it's an unacceptably insecure one regardless.