Linked by Thom Holwerda on Sat 9th Sep 2006 17:29 UTC, submitted by anonymous
Privacy, Security, Encryption
"Is Browser Security getting better? That is tough to say but Firefox is definitely not leading the way. Despite all the hype, despite all the Myths, Firefox 1.x has a worse security record so far in 2006 than Internet Explorer 6.x."
A Note
by donatj on Sat 9th Sep 2006 17:36 UTC
donatj
Member since:
2006-02-27

I'd like to just say that I've never had something install itself just by visiting a page in Firefox... happened a number of times when I was using IE.

Reply Score: 5

RE: A Note
by nberardi on Sat 9th Sep 2006 21:21 UTC in reply to "A Note"
nberardi Member since:
2005-07-10

This doesn't happen anymore in IE6 SP1. Which has been out since late 2005.

Reply Score: 2

RE[2]: A Note
by joelito_pr on Sun 10th Sep 2006 01:06 UTC in reply to "RE: A Note"
joelito_pr Member since:
2005-07-07

IE6 SP1?

You certainly are not speaking about THE IE6 SP1 that has been around for much longer than that.

You may have been speaking about the additional patches that were added to IE in Windows XP SP2.

And even with that, there are more unpatched exploits for that compared to Firefox.

Edited 2006-09-10 01:08

Reply Score: 1

RE[3]: A Note
by nberardi on Sun 10th Sep 2006 01:53 UTC in reply to "RE[2]: A Note"
nberardi Member since:
2005-07-10

Okay let me clarify IE 6 SP1 (post XP SP2).

>> And even with that, there are more unpatched exploits for that compared to Firefox.

Did you happen to read the article or are you just spouting the same old lines?

Honestly, I have to say I am posting this from Firefox right now. However you have to give credit where it is due and according to this article credit is due to Microsoft IE for not sucking as bad as Firefox when it comes to security.

Reply Score: 1

RE[4]: A Note
by joelito_pr on Sun 10th Sep 2006 03:25 UTC in reply to "RE[3]: A Note"
joelito_pr Member since:
2005-07-07

I read the article...

And visited Secunia myself to verify.

Reply Score: 1

RE[2]: A Note
by Bit_Rapist on Sun 10th Sep 2006 14:19 UTC in reply to "RE: A Note"
Bit_Rapist Member since:
2005-11-13

I would have thought the same thing but I experienced this last year with IE 6 SP1.

I was looking for information on spyware to help a friend and the dang page I found that supposedly contained information hijacked my browser upon simply viewing the page. Installed all sorts of crap.

I quit using IE that day for good.

Reply Score: 1

RE[2]: A Note
by Bit_Rapist on Sun 10th Sep 2006 14:26 UTC in reply to "RE: A Note"
Bit_Rapist Member since:
2005-11-13

*double post* - sorry guys

Edited 2006-09-10 14:26

Reply Score: 1

RE: A Note
by kaiwai on Sun 10th Sep 2006 04:17 UTC in reply to "A Note"
kaiwai Member since:
2005-07-06

Give me links to sites which 'automatically install things'; maybe if you're visiting hacking/cracking and underage porn sites, it's karma serving a good helping of punishment in the form of stuffing your PC up.

Reply Score: 1

RE[2]: A Note
by Kroc on Sun 10th Sep 2006 10:23 UTC in reply to "RE: A Note"
Kroc Member since:
2005-11-10

Myspace? (twice)

Reply Score: 1

RE[3]: A Note
by kaiwai on Sun 10th Sep 2006 16:49 UTC in reply to "RE[2]: A Note"
kaiwai Member since:
2005-07-06

And what was trying to get installed?

I'm running IE 6 SP2, and if an ActiveX control wishes to be installed, a bar at the top informs me that an ActiveX component wishes to be installed, and I actually have to manually tell it to install it, if I want the said thing to do so.

Case in point, I visited a site, it had Flash, I needed it installed, I was presented with the bar at the top, I clicked on the bar, I clicked on 'install component', the dialogue came up asking whether I wish to install Flash 9, I clicked on the install button, and voila, installed.

How is it Microsoft's problem if people choose to ignore TWO dialogue boxes?!

Reply Score: 2

RE[4]: A Note
by Kroc on Sun 10th Sep 2006 17:10 UTC in reply to "RE[3]: A Note"
Kroc Member since:
2005-11-10

You obviously didn't hear the news. MySpace had poison adverts for a short period that installed spyware with zero popups, buttons, confirmations, anything. Literally, just installed by viewing the page. IE 6 SP2 is still far from secure.

Reply Score: 1

RE[5]: A Note
by kaiwai on Mon 11th Sep 2006 04:53 UTC in reply to "RE[4]: A Note"
kaiwai Member since:
2005-07-06

As quoted in the article: http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_serve...

Internet Explorer users who visited a Web page containing this ad and whose IE was not equipped with the WMF patch would not get that warning. Rather, their machines would silently download a Trojan horse program that installs junk software in the PurityScan/ClickSpring family of adware. This stuff bombards the user with pop-up ads and tracks their Web usage. Only a little more than half of the anti-virus programs used at anti-virus testing service AV-Test.org flagged the various programs that the Trojan tried to download as malicious or suspicious.

Interesting, this patch was released for Internet Explorer 6 SP2 on February 14 2006, and the article is dated July 19, 2006, so assuming that the date is close enough to the event, one had over 6 months to install the update, and be protected against the vulnerability.

If a user refuses to install updates, then the issue isn't with Microsoft, but the user and their ignorance, and arrogance of not addressing that ignorance.

Reply Score: 1

RE[2]: A Note
by ma_d on Sun 10th Sep 2006 19:33 UTC in reply to "RE: A Note"
ma_d Member since:
2005-06-29

I believe there have been a couple of banner-ad providers who got caught doing it.

There are little homepages, which are all worthless but you don't always know until you click.

Links in e-mail attachments: I know, it's crazy to think viewing a webpage should be a safe activity (that was sarcasm).

Friends playing games on you.

Why would a cracking site do it? Do you honestly think they don't deny listing in their robots.txt? They don't want any joe finding their howtos....

Reply Score: 1

RE
by Kroc on Sat 9th Sep 2006 17:38 UTC
Kroc
Member since:
2005-11-10

Not by my first hand experience, and that of the several hundred computers I've installed it on.

Severity, not quantity, and if they're being exploited or not. Also some flaws are in Windows itself because of the IE integration. The Firefox Mac / Linux users are not affected by those.

Reply Score: 5

RE
by kwanbis on Sun 10th Sep 2006 00:16 UTC in reply to "RE"
kwanbis Member since:
2005-07-06

The problem is that they have to compare all the fixes since IE 6.x and FF 1.x (or FF 1.5x) appeared. If you stop developing an application, and you have only 5 years of bug patching, it's obvious that at the 6th year, it's probably going to be bug free. Also, it is important to consider what the severity of the bugs is.

Edited 2006-09-10 00:31

Reply Score: 1

RE
by eMagius on Sun 10th Sep 2006 02:25 UTC in reply to "RE"
eMagius Member since:
2005-07-06

it's obvious that at the 6th year, it's probably going to be bug free

Bug-free is bug-free, no matter how it got to be that way. Firefox has been around in various incarnations dating back to 1997 (Mozilla/Gecko; back to 1994 if you count Netscape). There has been plenty of time to fix bugs.

Reply Score: 0

RE
by NxStY on Sun 10th Sep 2006 06:39 UTC in reply to "RE"
NxStY Member since:
2005-11-12

Firefox has, unlike IE6, been actively developed the last years. And IE6 certainly isn't bug free.

Reply Score: 1

It's all about a user...
by misha on Sat 9th Sep 2006 17:40 UTC
misha
Member since:
2006-01-07

If a user has enough brains, he will keep his browser secure. Thankfully it's not so hard: both Windows and FF have auto-update features.

The question is how fast Mozilla or MS issue patches, how much time an attacker has to exploit a vuln... Mozilla is better, if we're talking about speed of patching (imho).

Reply Score: 5

That is a blog entry!
by arctic on Sat 9th Sep 2006 17:44 UTC
arctic
Member since:
2006-04-19

Blog! Blog! Blog! That is not journalism, sorry (an offense to any serious journalist). It simply doesn't deserve a linkage to here. Especially as the guy did not look under the hood, examining how "critical" the bugs really were and under which OS. He failed to take a deeper look at a "problematic topic", thus creating a great flame-bait blog-entry that reads like a teenage "my-browser-is-better-than-yours" shoutout.

Reply Score: 5

RE: That is a blog entry!
by Thom_Holwerda on Sat 9th Sep 2006 17:46 UTC in reply to "That is a blog entry!"
Thom_Holwerda Member since:
2005-06-29

I explain it differently. He just listed what he found (the facts). Nothing more. Judging by number of security advisories from Secunia... He is simply right. Not that it really matters (I don't use IE because of the Spyware problem), but still.

Reply Score: 1

RE[2]: That is a blog entry!
by arctic on Sat 9th Sep 2006 17:59 UTC in reply to "RE: That is a blog entry!"
arctic Member since:
2006-04-19

Quantity is something very different than quality.

Let's take a look at it this way: I buy two boats and want to travel with them from Japan to Australia. The first boat has 5 holes. All of them are small in size (1x1 cm) and I have some tape to fix those holes. I might make it to Australia with that boat, although it is still a risky voyage.

Now I take the second boat. It has only three holes. But they are bigger in size, e.g. 10x10 cm. I can try to fix the holes with the same tape I used on the other boat. I might manage to make the boat water-proof, but chances are that it will stay very vulnerable and that I might drown on my way to Australia.

Now, which boat would you take? The one with five small holes or the one with only three (considerably bigger) holes?

Edited 2006-09-09 18:00

Reply Score: 5

RE[3]: That is a blog entry!
by Morgan on Sat 9th Sep 2006 21:52 UTC in reply to "RE[2]: That is a blog entry!"
Morgan Member since:
2005-06-29

Excellent analogy. I was considering posting a comment about the same point, that the number of bugs does not matter compared to the severity of the bugs, but you put it in much better words. Thank you.

Reply Score: 2

RE[2]: That is a blog entry!
by sappyvcv on Sat 9th Sep 2006 18:19 UTC in reply to "RE: That is a blog entry!"
sappyvcv Member since:
2005-07-06

Thom, that is simply not true. He did not "just list the facts". He made a conclusion from them: that IE is more secure. Number of vulnerabilities found does not have a direct correlation to the degree of security.

"Just listing the facts" would be listing the number of vulnerabilities and saying "Firefox 1.x had more newly reported vulnerabilities than IE 6.x in 2006", NOTHING MORE.

However, on the flipside, saying Firefox is "more secure" is disingenuous as well.

Reply Score: 5

RE[3]: That is a blog entry!
by Thom_Holwerda on Sat 9th Sep 2006 18:29 UTC in reply to "RE[2]: That is a blog entry!"
Thom_Holwerda Member since:
2005-06-29

Guys, take a look at this thing. This article defines browser security as the number of vulnerabilities as reported by Secunia in 2006. Operationalising browser security this way, IE is more secure than Firefox.

What is so difficult about that? You can disagree with the way this article operationalises browser security (in fact, operationalisation is a common attack vector when criticising scientific articles), but you can NOT say the guy has his facts wrong. Because they are CORRECT.

Like I said, I won't start using IE. But this article uses FACTS to come to its conclusion. Whether you like it or not.

Reply Score: 1

RE[4]: That is a blog entry!
by smitty on Sat 9th Sep 2006 18:46 UTC in reply to "RE[3]: That is a blog entry!"
smitty Member since:
2005-10-13

I don't think anyone has said he lied. The issue is that he talks about 1 fact and says it supports Firefox, then talks about another and says it means the IE is more secure. The truth is that both facts are mostly worthless, and the blog makes no attempt to explain why we should care about these stats. The really galling problem is that his conclusion contradicts some really advanced and high quality analyses and is based on pretty much nothing. The only thing at all that is going for this is its title: "Internet Explorer 6.x More Secure than Firefox 1.x in 2006," which is clearly a controversial stance designed to draw attention.

To be clear, his stats are right, they are just useless. If I wrote an article that said there were 50 states in the US and each of them have 2 senators, and then conclude that each state must be the same size. That is clearly wrong, but would you have linked to that?

Edited 2006-09-09 18:49

Reply Score: 5

RE[5]: That is a blog entry!
by ma_d on Sun 10th Sep 2006 19:27 UTC in reply to "RE[4]: That is a blog entry!"
ma_d Member since:
2005-06-29

At least you'd be doing something more than saying X > Y, therefore this. You'd have a real path of logic to try and argue against, instead of a statistic and some conjecture.

Of course, you'd still be horridly wrong, but one comment would easily demonstrate how.

Reply Score: 1

RE[4]: That is a blog entry!
by Lu-Tze on Sat 9th Sep 2006 19:12 UTC in reply to "RE[3]: That is a blog entry!"
Lu-Tze Member since:
2006-01-10

Let us not denigrate "scientific articles" by including this blog post in them. If this article was submitted for scientific peer-review, it would be rejected for cherry picking data. While I agree with you that the "facts that are used" are correct. And it is silly for people to say "that is not my experience". Also, it is silly to say that "millions of people's experience with Firefox cannot be wrong". For hundreds of millions of people, IE is the Internet, and we all know that they are wrong. So let us not confuse anecdote and popularity with science either.

However, there is no excuse for incomplete use of available data - especially only using metrics that support your own hypothesis while overlooking other blatantly obvious ones like the speed of patching, severity of unpatched vulnerabilities, severity of all vulnerabilities, etc. (I am not a security expert, these are just the obvious things, I imagine are relevant). It appears the blog post was put out as flamebait (ad revenue?) after a cursory examination of some data that appears to support the author's belief but that does not make it Science.

Reply Score: 5

RE[4]: That is a blog entry!
by sappyvcv on Sat 9th Sep 2006 19:37 UTC in reply to "RE[3]: That is a blog entry!"
sappyvcv Member since:
2005-07-06

Anytime you come to a conclusion, ESPECIALLY from a small set of data, you can not say "It's just facts".

Is his article title a fact? No, it is not. It is not just facts. That, my friend, *is* a fact.

Reply Score: 3

RE[4]: That is a blog entry!
by l3v1 on Sat 9th Sep 2006 19:59 UTC in reply to "RE[3]: That is a blog entry!"
l3v1 Member since:
2005-07-06

This article defines browser security

Now this is my main problem with this linking: the day you start realizing such crap can't be called an article on this planet without a certain type of smile, and stop linking them like certain low quality link-piling sites do, now that day will be the one when maybe you'll see the light at the end of the tunnel.

Reply Score: 5

RE[4]: That is a blog entry!
by boots on Sat 9th Sep 2006 22:38 UTC in reply to "RE[3]: That is a blog entry!"
boots Member since:
2005-07-06

Those aren't facts. Those are statistics.

Reply Score: 4

RE[3]: That is a blog entry!
by kaiwai on Sun 10th Sep 2006 04:58 UTC in reply to "RE[2]: That is a blog entry!"
kaiwai Member since:
2005-07-06

Well, it depends on how you want to spin the information; in the case of Firefox, if it has 'more vulnerabilities' the spin could easily be, 'because it is opensource, it is more transparent, thus, enabling more people to analyse the code' - thus giving the spin that they're being proactive in their bug hunting.

The same could be said for Internet Explorer, because more people are using it, and it is in higher rates of usage, there are more people able to probe and test for vulnerabilities, it's merely a benchmark on how many people use the product, thus they can claim (like they do) that more vulnerabilities are found because more people use it, and thus, the exposure area is greater.

Reply Score: 1

RE[4]: That is a blog entry!
by sappyvcv on Sun 10th Sep 2006 14:51 UTC in reply to "RE[3]: That is a blog entry!"
sappyvcv Member since:
2005-07-06

Right. Spin is a good way to describe it. I couldn't put my finger on it.

Reply Score: 1

RE[2]: That is a blog entry!
by ma_d on Sat 9th Sep 2006 18:19 UTC in reply to "RE: That is a blog entry!"
ma_d Member since:
2005-06-29

You're smarter than this Thom. Security metrics can't be easily summed up into a single metric, and that metric definitely can't be any metric you choose. He chooses to ignore advisories and pay attention to number of vulnerabilities.

Besides that, you misquoted him, from the number of security advisories he's wrong. It's the number of vulnerabilities that support him.

Your parenthetical phrase serves as anecdotal evidence against his thesis as well, not to mention your mistype of "vulnerabilities" as "advisories" denotes the tiny jagged rock his thesis stands on, a misplaced word makes it seem silly.

Reply Score: 5

RE[2]: That is a blog entry!
by howard on Sat 9th Sep 2006 19:24 UTC in reply to "RE: That is a blog entry!"
howard Member since:
2006-01-08

My mother often warned me to brush my teeth. Those warnings are not my dental record. It is a fact that she warned me many times. That fact, however true, does not support a claim that I have a better dental record.

A security record consists of incidents, not advisories. My dental record shows the number of fillings, not the number of times I was given advice.

Faulty reasoning applied to true facts produces a meaningless conclusion. No one disputes the advisory count; the problem is whether any useful conclusion may be drawn from such a count. For example, Secunia lists 26 advisories against XP Pro for 2006, compared to 2 for Windows Millennium. Over all time, XP shows 150 versus 35 for Millennium. So Me must be more secure than XP?

Reply Score: 5

RE[2]: That is a blog entry!
by sbenitezb on Sun 10th Sep 2006 07:44 UTC in reply to "RE: That is a blog entry!"
sbenitezb Member since:
2005-07-22

"I explain it differently. He just listed what he found (the facts). Nothing more. Judging by number of security advisories from Secunia... He is simply right. Not that it really matters (I don't use IE because of the Spyware problem), but still."

Facts can be misleading if you don't know how to interpret them. You really have to understand about software and security. So no, he is not simply right. Asserting that is a way to simplify the whole process to make it idiot understandable.

Reply Score: 1

v RE: That is a blog entry!
by tomcat on Sat 9th Sep 2006 17:59 UTC in reply to "That is a blog entry!"
RE: That is a blog entry!
by kaiwai on Sun 10th Sep 2006 04:20 UTC in reply to "That is a blog entry!"
kaiwai Member since:
2005-07-06

Excuse me, what is wrong with a blog entry? All he did was collate some information, and provide his own conclusion on how he looked at the facts - I hardly see that as a treasonist act.

If you want to 'counter' his claims, why don't you create your own blog entry on your own blog and reanalyse the facts which lay out your case that he got it wrong.

It's called democracy, toots, the ability to hold differing opinions, debate, and hopefully, the net result is a better understanding of the issues on both sides.

Reply Score: 0

RE[2]: That is a blog entry!
by Soulbender on Mon 11th Sep 2006 13:23 UTC in reply to "RE: That is a blog entry!"
Soulbender Member since:
2005-08-18

"I hardly see that as a treasonist act."

Sure, but it's not journalism and it is not a good "blog post"/article.

"It's called democracy, toots, the ability to hold differing opinions, debate, and hopefully, the net result is a better understanding of the issues on both sides."

The good thing about the Internet is that anyone can publish whatever they want.
The bad thing about the Internet is that people publish whatever they want.

Reply Score: 2

RE: That is a blog entry!
by tomcat on Mon 11th Sep 2006 20:40 UTC in reply to "That is a blog entry!"
tomcat Member since:
2006-01-06

Blog! Blog! Blog! That is not journalism, sorry (an offense to any serious journalist). It simply doesn't deserve a linkage to here.

That's analogous to saying, "Einstein is only a patent clerk! Relativity is bunk!"

Here's a different take: Deal with the facts presented by the article rather than try to shoot the messenger.

I think he makes a good point. Based on Secunia statistics, he's right: Firefox is less secure. Despite all of the "that isn't my experience" testimonials from its advocates.

Reply Score: 2

RE[2]: That is a blog entry!
by Splinter on Tue 12th Sep 2006 11:44 UTC in reply to "RE: That is a blog entry!"
Splinter Member since:
2005-07-13

Replying to the "FACTS" in the article....

Current information from Secunia, after all we are worried about what is the most secure browser NOW not yesterday etc.

Firefox (http://secunia.com/product/4227/)
Unpatched 11% (4 of 35 Secunia advisories)
Most Critical Unpatched... is rated Less critical
IE (http://secunia.com/product/11/)
17% (18 of 105 Secunia advisories)
Most Critical Unpatched... is rated Moderately critical
Opera 8.0 (http://secunia.com/product/4932/)
0% (0 of 15 Secunia advisories)
Most Critical Unpatched.... NONE
Opera 9.0 (http://secunia.com/product/10615/)
0% (0 of 0 Secunia advisories)
Most Critical Unpatched.... NONE (However you must note this is very new software)



Ok, so Firefox currently has less unpatched advisories (by number and percent) than IE and is therefore currently the safer browser (also note the worst open advisory is less severe), and the last two Opera versions are better than both IE and Firefox.

Reply Score: 1

Andrew, the well known Mozilla hater ?
by fredb1974 on Sat 9th Sep 2006 17:45 UTC
fredb1974
Member since:
2006-01-31

Is that person here ?

The strange point is that degree of danger is not defined for each browser, neither the dangerosity of each : a crappy page, just look at the other articles of this blog.

Reply Score: 4

Basil Brush Member since:
2006-09-12

Yes, he is posting as 'Mastertech' here, although you may know him as 'GeneralAres,' and he has used multiple sock puppets in the past in blog comments.

http://www.webdevout.net/forums/viewtopic.php?t=37&sid=1986c7e6aea4...

Mozilla hater is right. At the Poptech forum he says of Firefox: 'Coded by amateurs for amateurs.'

http://s4.invisionfree.com/Popular_Technology/index.php?act=ST&f=2&...

Another Forum member says of Andrew: 'I would pay good money to get a psychologist in to post in this forum just to see his reaction to Drew's FF-Phobia.'

http://z4.invisionfree.com/Popular_Technology/index.php?showtopic=1...

Reply Score: 1

Misleading
by smitty on Sat 9th Sep 2006 17:50 UTC
smitty
Member since:
2005-10-13

Simply looking at the advisories between Firefox 1.x in 2006 and Internet Explorer 6.x in 2006 gives a misleading 9 to 13 advisory "win" for Firefox but once you add up the actual vulnerabilities for each it is clear Internet Explorer 6.x has been the more secure browser so far in 2006: 64 to 30 vulnerabilities

As if that isn't just as misleading a stat. This is nothing more than flamebait and I think the guy just wrote it to get more traffic to his blog.

Reply Score: 5

more
by deanlinkous on Sat 9th Sep 2006 17:50 UTC
deanlinkous
Member since:
2006-06-19

more flaws... maybe - at least KNOWN flaws since who knows how many IE actually has

more exploitable by flaws and due to integration and so forth - NO WAY!

Since switching my parents, in-laws, other family members to firefox I have seen a LOT less junk on their systems especially popup related ad junk and hijackings, and those forsaken do-everything toolbars...

Reply Score: 5

check at secunia.com
by pedromatiello on Sat 9th Sep 2006 17:53 UTC
pedromatiello
Member since:
2005-07-13

Firefox: http://secunia.com/product/4227/?task=statistics_2006
IE6: http://secunia.com/product/11/?task=statistics_2006

Oddly, these pages say:
Firefox 1.x: 9 advisories from 2006
IE6: 13 advisories from 2006
Maybe I'm doing some confusion or the author counted advisories from 0.x and 1.x?

Also in the links above:
Firefox: Most Critical Unpatched: Less critical
IE6: Most Critical Unpatched: Moderately critical

Check also:
http://secunia.com/graph/?type=cri&period=2006&prod=4227
http://secunia.com/graph/?type=cri&period=2006&prod=11

I just can't understand.


EDIT: Now I see he was counting vulnerabilities. Shame on me. Also, check the Unpatched number (FF:4, IE:18) and the Impact stats (System Access: Firefox: 22%, IE: 53%). Firefox looks better to me.

Edited 2006-09-09 18:03

Reply Score: 5

common sense
by Noremacam on Sat 9th Sep 2006 17:55 UTC
Noremacam
Member since:
2006-03-08

I'll remember this survey next time I spend a couple hours removing spyware and other badware from another computer. I work IT(per job) and I spend at least twice a week fixing a new computer and undoing the mess that IE allowed onto it...

Pure experience dictates the greater security of Firefox over IE. Once again, I don't think numbers trump user experience.

Reply Score: 5

v RE: common sense
by tomcat on Sat 9th Sep 2006 18:01 UTC in reply to "common sense"
RE[2]: common sense
by Noremacam on Sat 9th Sep 2006 18:10 UTC in reply to "RE: common sense"
Noremacam Member since:
2006-03-08

Just out of curiosity, why are you allowing your users to run with admin privileges? If they were normal users, spyware wouldn't be able to root it

We're an outsourced IT company. We're not in a position to control what people can or cannot do on their computers. We deal with a number of clients with different needs. We deal with home user computers as well as company computers.

Reply Score: 3

RE[3]: common sense
by tomcat on Mon 11th Sep 2006 20:43 UTC in reply to "RE[2]: common sense"
tomcat Member since:
2006-01-06

We're an outsourced IT company. We're not in a position to control what people can or cannot do on their computers. We deal with a number of clients with different needs. We deal with home user computers as well as company computers.

It doesn't obviate the fact that you're not administering your computers as they should be administered (ie. running with reduced privileges, etc). I understand that you don't have the ability to do that but, rather than blame IE for spyware, you might consider blaming the folks that sign your checks for not allowing you to do your job properly.

Reply Score: 1

RE[4]: common sense
by Noremacam on Mon 11th Sep 2006 22:09 UTC in reply to "RE[3]: common sense"
Noremacam Member since:
2006-03-08

First of all, they're not "my" computers. I've recommended a safer browser for fewer headaches, and they're just as scared of changing browsers as they are reducing administrative rights, which (while being more secure as you said) will only cause more complications with software incompatible with such restrictions.

Reply Score: 1

RE[5]: common sense
by Mastertech on Tue 12th Sep 2006 06:52 UTC in reply to "RE[4]: common sense"
Mastertech Member since:
2006-09-09

That is unnecessary. Using some free software and some common sense you can quickly eliminate most of your problems. If the systems are not centrally managed turn AutoUpdates on Automatic, make sure MSJVM is uninstalled, install Spyware Blaster and Windows Defender + your company's AV.

All major business related software should have documentation on setting up their software to work in a user privilege environment if it does not out of the box. Otherwise you can get around a lot of it by installing the offending apps to the user's My Documents folder.

Reply Score: 1

RE[6]: common sense
by Noremacam on Tue 12th Sep 2006 18:58 UTC in reply to "RE[5]: common sense"
Noremacam Member since:
2006-03-08

Using some free software and some common sense you can quickly eliminate most of your problems. If the systems are not centrally managed turn AutoUpdates on Automatic, make sure MSJVM is uninstalled, install Spyware Blaster and Windows Defender + your company's AV.

That's actually what I do when I encounter systems infected with spyware.

Reply Score: 1

RE[2]: common sense
by djohnston on Sat 9th Sep 2006 22:10 UTC in reply to "RE: common sense"
djohnston Member since:
2006-04-11

"Just out of curiosity, why are you allowing your users to run with admin privileges? "

Have you ever tried to run Microsoft Office without admin privileges?

Reply Score: 1

RE[3]: common sense
by eMagius on Sun 10th Sep 2006 02:17 UTC in reply to "RE[2]: common sense"
eMagius Member since:
2005-07-06

Have you ever tried to run Microsoft Office without admin privileges?

All the time. Everyone at work does so, too, with no problems.

Reply Score: 2

RE[4]: common sense
by Gryzor on Sun 10th Sep 2006 15:11 UTC in reply to "RE[3]: common sense"
Gryzor Member since:
2005-07-03

Have you tried to program in Visual Studio without Admin?

Possible, yet so annoying that you definitely dump it and go the admin road..

Reply Score: 1

RE[5]: common sense
by eMagius on Sun 10th Sep 2006 16:44 UTC in reply to "RE[4]: common sense"
eMagius Member since:
2005-07-06

Have you tried to program in Visual Studio without Admin?

The only problem with non-admin accounts and Visual Studio is that the debugger can't be run. This is rectified by adding such users to the Debugger Users group.

Note that granting debugging privileges to malicious users is a security risk.

Reply Score: 1

RE[5]: common sense
by tomcat on Mon 11th Sep 2006 20:45 UTC in reply to "RE[4]: common sense"
tomcat Member since:
2006-01-06

Nonsense. I do it every day. Office runs fine with reduced privileges.

Reply Score: 1

Thom...
by ma_d on Sat 9th Sep 2006 18:02 UTC
ma_d
Member since:
2005-06-29

Is it normal practice to post blog entries which are clearly not thought out on a controversial subject, most likely in the interest of generating comment traffic for your site?

Apparently "Andrew" believes that within 3 paragraphs, and a couple short statistics, he can disprove the beliefs of millions, the analysis of others, and the purpose of more complex security metrics (like impact of holes, time to fix, occurrence of zero-day exploits, etc, etc).

I suppose the next article will be entitled: "Microsoft is better because it's gots more moneys." (sic)

Reply Score: 5

RE: Thom...
by Trollstoi on Sat 9th Sep 2006 22:06 UTC in reply to "Thom..."
Trollstoi Member since:
2005-11-11

He did it for the lulz

Reply Score: 1

Good one Thom
by j-s-h on Sat 9th Sep 2006 18:15 UTC
j-s-h
Member since:
2005-07-08

Yeah, he presents the "facts" leaving out other facts that are more important. If there were 30 vulnerabilities of paltry severity, that are patched, that is quite more secure than having 5 unpatched vulnerabilities of high severity. Of course, since Thom agrees with the conclusion, he must be perfectly correct, and only presenting "facts", right?

Browser: Links (1.00pre12; Linux 2.6.17-2-k7 i686; 80x25) (Debian pkg 0.99+1.00pre12-1)

Reply Score: 5

WORST ARTICLE on OSNEWS EVAR!
by Milo_Hoffman on Sat 9th Sep 2006 18:21 UTC
Milo_Hoffman
Member since:
2005-07-06

Is this REALLY the sort of "quality" that OSNews wants to be known for?

Good grief what a joke.

Reply Score: 5

IE7 Convert from Firefox
by buff on Sat 9th Sep 2006 18:36 UTC
buff
Member since:
2005-11-12

Two weeks ago I upgraded to IE7 beta on Windows XP and I like it a lot. For the last two years I was a Firefox user. I have to admit that Microsoft did a good job of borrowing some of the best browser UI features out there and cleanly brought them together in IE7. I set all the security options to high and enabled only Flash and Acrobat reader as plugins. I used to be a heavy Firefox user but now I find myself using IE7 a lot when I have to use XP. Having Firefox, Opera, and others around has been good for IE since it needed to be updated in order for it to remain competitive.

Reply Score: 2

RE: IE7 Convert from Firefox
by fredb1974 on Sun 10th Sep 2006 09:35 UTC in reply to "IE7 Convert from Firefox"
fredb1974 Member since:
2006-01-31

Well, let's see how much time it will take to have a critical (or 0 day) exploit in IE7 before anything else.

I am an old firefox user (started with phoenix 0.1 back in 2002), and I used it on the crappy copy of MacOS (named Windows), linux and MacOS-X

It could have been named IE 6.5 in order to be honest with the rendering engine and security settings... But trying to secure the swiss-cheese OS...

Reply Score: 0

...
by Claymore on Sat 9th Sep 2006 18:38 UTC
Claymore
Member since:
2006-06-14

Just another *unix vs windows fight....

Reply Score: 1

RE: ...
by djohnston on Sat 9th Sep 2006 22:15 UTC in reply to "..."
djohnston Member since:
2006-04-11

"Just another *unix vs windows fight...."

Does Firefox only run on *nix? I can run Firefox on Windows. Does IE6 only run on Windows? I can run IE6 on Linux.

Reply Score: 3

RE: ...
by fredb1974 on Sun 10th Sep 2006 09:36 UTC in reply to "..."
fredb1974 Member since:
2006-01-31

No.

Firefox is available on more OS than IE7. Not really hard too.

The bad point is that a lot of people are still using Win2k (and I understand them easily)...

Reply Score: 1

Gezzz
by Governa on Sat 9th Sep 2006 18:51 UTC
Governa
Member since:
2006-04-09

So many flamebaits lately. What's going on? This is ridiculous...

Who cares about the number of exploits found in 2006? The overall numbers make IE look like a swiss cheese anyway. Does anyone still believe IE to be more secure than virtually any other browser?

This is a really poor quality flamebait... boring!

Edited 2006-09-09 18:55

Reply Score: 5

RE: Gezzz
by NotParker on Sat 9th Sep 2006 19:44 UTC in reply to "Gezzz"
NotParker Member since:
2006-06-01

"The overall numbers make IE look like a swiss cheese anyway."

Not fair. Firefox has tons of Mozilla code in it. In fact the first 40 or 50 (or more) security holes in Firefox were also in Mozilla.

So, to be fair, you have to count Mozilla holes back as far as you count IE holes.

I think you would be embarrassed as to how many are in the combined Mozilla/Firefox.

Reply Score: 5

MAC
by netpython on Sat 9th Sep 2006 19:27 UTC
netpython
Member since:
2005-07-06

Any OS with a properly configured Mandatory Access Control mechanism amongst other defences is more secure than any other OS without.

You can't trust any browser so why bother.

Reply Score: 1

A little common sense would be useful...
by looncraz on Sat 9th Sep 2006 19:34 UTC
looncraz
Member since:
2005-07-24

The reality for 2006 is that I have had (by my official records) more than 380 service calls JUST for spyware through Internet Explorer since the start of 2006. I have not had one for Firefox, which I "forced" onto most machines with dead or infected IE. Not one machine has become re-infected which has Firefox on it, and as many safeguards securing up IE as possible (primarily loads of tricks to prevent it from running at all unless opening a local document, and some of those should be denied to prevent re-infection).

The truth *IS* that while Internet Explorer may be seemingly becoming more secure, it is simply that many of the old exploits are still unresolved so the rate of discovery has slowed as researchers likely near the end of the road for cataloguing the thousands of bugs/holes/vulnerabilities/(exploits)^10000.

Also, Firefox asked for this to happen, in a way, by claiming straight-up that Firefox's security was better than IE's. Everyone set out to prove that true (or false in many cases, I'm sure). Then everyone is upset when a few flaws are found and the first few Firefox-targeted spyware apps show up.

To really know which is more secure, I.E. and Firefox, you could just have to wait for about 18 months or so, when Vista is mainstream, and Firefox has hit a few more revisions.

I.E. is nearly at 7.0 now... Firefox is early at 2.0.
I.E. has FIVE generations of code that has to be fuddled with.. can't be too pretty.

--The loon

Reply Score: 3

kaiwai Member since:
2005-07-06

Firefox is based on the Gecko core, which is around 6 years old, and like IE, it has its own issues that need resolving.

Reply Score: 2

fredb1974 Member since:
2006-01-31

Erh... ?!

"Also, Firefox asked for this to happen, in a way, by claiming straight-up that Firefox's security was better than IE's. Everyone set out to prove that true (or false in many cases, I'm sure). Then everyone is upset when a few flaws are found and the first few Firefox-targeted spyware apps show up."

Which is windows only one. God bless, I am using a true OS ;)

"I.E. is nearly at 7.0 now... Firefox is early at 2.0."

Which means NOTHING !

Windows XP => NT 5.1, but there were not NT 1.x, NT 2.x !

Firefox had its roots back in 1998 when Netscape opened its source code. And Netscape was founded in 1993-1994.

IE 1.x was born in 1995. So, in some way, Firefox is older than IE.

"I.E. has FIVE generations of code that has to be fuddled with.. can't be too pretty."

Firefox 1.0.0 (which is based on Mozilla 1.7.5) has at least 7 generations of mozilla.org code behind it !

I mean : Mozilla 0.x (starting with 0.6 aka Netscape 6.0), Mozilla 1.0, 1.1, 1.2, 1.3, 1.4, 1.6, and 1.7

IE is only running on Windows, Firefox on Windows, Linux, Solaris, OS/2, BeOS, Free/Net/OpenBSD, MacOS-X.

So finding more flaws will be a firefox problem not an IE one.

So IE is crappy from start, denying it...

Reply Score: 1

Lesson to learn here
by ronaldst on Sat 9th Sep 2006 19:41 UTC
ronaldst
Member since:
2005-06-29

Even being "open source" doesn't make a product safer by default. People still have to volunteer to do the dirty work (plug holes, make embedded SWF work, etc...)

Reply Score: 2

l3v1
Member since:
2005-07-06

Internet Explorer 6.x more secure than Firefox in 2006.

Luckily, experience easily beats such blog-conclusions.

Now seriously, how many times have we and you been over such and similar "news" ? How many times have we concluded that it's useless ? Right. So why is it now you link to such a two-liner on a blog ?

Maybe your target should be aimed a bit higher than this digg-level.

Edited 2006-09-09 19:54

Reply Score: 5

So much for nothing
by acobar on Sat 9th Sep 2006 20:40 UTC
acobar
Member since:
2005-11-15

Let's first remember that old adage:
Lies, damn lies and statistics. - Mark Twain

That's right! No matter how long we live we always see people being caught in the same trap. They use "facts" based on raw data to explain their beliefs. We see this all the time in economics, psychology, engineering, politics, and so on.

While there is nothing wrong in doing that we should think twice (at least) before spilling the "truth" or "reality" (being it whatever it is, physics doesn't know what it is made of).

How many times "proofed" things turned on partially "true" or, even worse, false assertions (sometimes with a triumphant come back)? There is nothing on science that could assure us with 100% of certainty (putting math definitions apart) about pretty much anything.

But people have this strange inclination to believe in something "absolute".

Reply Score: 1

One more thing
by acobar on Sat 9th Sep 2006 20:48 UTC
acobar
Member since:
2005-11-15

It is a bit old reading, but good to make us scratch our heads: http://www.bbc.co.uk/dna/h2g2/A1091350.

Reply Score: 1

a voice in the wild
by nzMM on Sat 9th Sep 2006 21:08 UTC
nzMM
Member since:
2006-06-22

Regardless of the merits of these claims I would just like to say that,

Opera has always been the best browser ... Opera ASA has failed at marketing and community up till now, they've learnt a lot from Firefox in that respect.

Reply Score: 1

numbers?
by broch on Sat 9th Sep 2006 21:56 UTC
broch
Member since:
2006-05-04

I don't know how he counts it:
31% unpatched IE
22% unpatched FF

Next thing would be checking severity of unpatched vulnerabilities.

this is FUD

Reply Score: 3

Wow
by tmack on Sun 10th Sep 2006 02:11 UTC
tmack
Member since:
2006-04-11

Way to verify the info before posting, Thom.

Reply Score: 1

Using more accurate "Facts"
by Splinter on Sun 10th Sep 2006 04:47 UTC
Splinter
Member since:
2005-07-13

From Secunia...

Current information, after all we are worried about what is the most secure browser NOW not yesterday etc.

Firefox (http://secunia.com/product/4227/)
Unpatched 11% (4 of 35 Secunia advisories)
Most Critical Unpatched... is rated Less critical
IE (http://secunia.com/product/11/)
17% (18 of 105 Secunia advisories)
Most Critical Unpatched... is rated Moderately critical
Opera 8.0 (http://secunia.com/product/4932/)
0% (0 of 15 Secunia advisories)
Most Critical Unpatched.... NONE
Opera 9.0 (http://secunia.com/product/10615/)
0% (0 of 0 Secunia advisories)
Most Critical Unpatched.... NONE (However you must note this is very new software)



Ok so Firefox currently has less unpatched advisories (by number and percent) than IE and the last two Opera versions are better than both.

Edited 2006-09-10 04:54

Reply Score: 5

OHH!
by SK8T on Sun 10th Sep 2006 05:07 UTC
SK8T
Member since:
2006-06-01

to say which browser is more secure by counting the fixed bugs is damn stupid!

OK, maybe there were only 30 bugs fixed in IE and more than 60 in Firefox. But could there be about 2000 more bugs in IE still unfixed?

Reply Score: 2

protagonist
Member since:
2005-07-06

This is just another case of someone using a few statistics to see what they want to see. The same statistics could be used to make the case that Firefox is more secure.

As for me I use a number of browsers on my Mac and Firefox is one of them. On the Windows box I only use IE when I check for updates. I still work on computers from time to time for people running Windows, and the ones that are the most loaded with garbage are on the systems where the people run IE 6. When I put the insecure browser Firefox on these systems and clean them up most of the problems seem to go away. I get tired of opening up IE on people's systems and finding all kinds of toolbars added on.

The author needs to get out in the real world with an open mind. Statistics can be very misleading.

Reply Score: 2

sandorfal Member since:
2006-02-22

"I get tired of opening up IE on people's systems and finding all kinds of toolbars added on"

Yes, same for me. Friends, friends of friends etc... I'm tired of removing things that came by the way of IE.
Each time I replace their IE icon by FF icon, and then they have no more problem.

And about blogger vs real journalist : I hope to read articles written by a real journalist. An article must bring more materials, handled by a professional which gives food for brain.
A journalist reports facts, please stop reporting in OSNews such poor bloggers oriented opinions.

Reply Score: 4

Another blog entry about this "article"
by smitty on Sun 10th Sep 2006 05:47 UTC
smitty
Member since:
2005-10-13
Firefox Version used by Andrew
by Frobozz on Sun 10th Sep 2006 06:58 UTC
Frobozz
Member since:
2005-12-04

It seems interesting that nobody has yet mentioned it, but Andrew is referencing Firefox 1.5.0.5 in his comparison. Current version is 1.5.0.6 and that was out before his blog.

And for those that don't think a minor version does much, check the vulnerability count he gives for 1.5.0.2 and 1.5.0.4. That's a difference of 17 problems.

Reply Score: 3

v How the title sounds
by hraq on Sun 10th Sep 2006 10:59 UTC

Re: User habits
by aGNUstic on Sun 10th Sep 2006 16:06 UTC
aGNUstic
Member since:
2005-07-28

It doesn't matter how secure you make your browser. User habits will determine how secure your system is.

Reply Score: 1

Low-water mark
by RequestedUsername on Mon 11th Sep 2006 00:09 UTC
RequestedUsername
Member since:
2006-09-11

I've read OSNews for years. This is my first post. I consider linking to this article a low-water mark in OSNews history. You might as well start linking the latest news about Britney or Paris or whatever. Seriously, more crap like this and I'm not coming back.

Reply Score: 2

Are you nuts?
by kurtlinux on Mon 11th Sep 2006 00:57 UTC
kurtlinux
Member since:
2006-06-20

Show this article to our 146 desktop users who have been using IE before I ditched it in favor of Firefox. I have NEVER had any problems with malware ever since I switched ALL 146 browsers to Firefox. NEVER. In comparison, we've been having problems with IE (take note, from a fully-patched windows XP machine) since I can remember when.

This article was probably written by a Microsoft employee who is using only ONE computer AND browses ONLY THE MICROSOFT WEBSITE. I doubt any administrator with a network of more than 100 PCs will EVER AGREE with what this author is saying. This is pure crap.

Reply Score: 1

Too much truth?
by Mastertech on Mon 11th Sep 2006 04:08 UTC
Mastertech
Member since:
2006-09-09

The MySpace issue had to do with an exploit in flash and had nothing to do with IE, SP2 or any IE or Windows vulnerabilities, simply update Flash and you're safe. I use IE 24/7 with full admin rights and so do all of my clients with no problems. It is all simply a matter of security and user awareness.

Reply Score: 1

RE: Too much truth?
by ma_d on Mon 11th Sep 2006 16:31 UTC in reply to "Too much truth?"
ma_d Member since:
2005-06-29

If you use noscript on firefox those annoying flash ads just disappear from untrusted sites ;) .

There's fixing bugs, and then there's preventative care. I really wish they'd add some method for blocking media until you ok it from untrusted websites in Firefox. Sort of like popup blocking.
Noscript isn't the best solution to that though, there are too many legitimate uses for JavaScript today.

Edited 2006-09-11 16:32

Reply Score: 1

Statistics are great...
by Soulbender on Mon 11th Sep 2006 13:19 UTC
Soulbender
Member since:
2005-08-18

...for proving whatever point you're trying to make.

Reply Score: 1

Not only
by libray on Mon 11th Sep 2006 19:27 UTC
libray
Member since:
2005-08-27

is this flamebait, it's not even concerning "OS News".
As far as advisories go between IE AND Firefox, there should be an RSS link for that data.

Reply Score: 1

Sock puppet
by Basil Brush on Tue 12th Sep 2006 08:25 UTC
Basil Brush
Member since:
2006-09-12

For those not in the know, 'Mastertech' is a sock puppet of the author of the poptech blog, Andrew.

Andrew, commenting on your own blog without identifying yourself as the author is not really on, is it?

This character has a history of using multiple sock puppets:

http://www.webdevout.net/forums/viewtopic.php?t=37&postdays=0&posto...

Just a heads up!

I also notice that the number of comments on the blog has gone down from 22 yesterday to 19 today. Censoring the comments, are we, Andrew?

Reply Score: 1

CreateTextRange, anybody?
by Basil Brush on Tue 12th Sep 2006 12:48 UTC
Basil Brush
Member since:
2006-09-12

IE more secure than Firefox in 2006? I seem to remember that one of these browsers had a vulnerability which allowed the auto-install of spyware, and that this vulnerability remained unpatched for two weeks, with an exploit available and 200+ sites using this exploit to install malware. Which browser was this? It must have been Firefox! No, of course it was the 'more secure IE'. Andrew, the author of the blog, can only claim that IE was more secure by ignoring incidents like this, in fact flatly refusing to admit they ever happened:

"The reality is Microsoft was not seeing any indications of it being exploited and neither did I. Funny how few security sites covered this “widespread” exploit being exploited. Maybe because it wasn’t?"

http://grantlairdjr.com/wp/2006/05/18/firefox-myths/

In fact, even Microsoft admitted attacks were occurring and advised caution:

http://www.microsoft.com/technet/security/advisory/917077.mspx

The attacks were reported by Websense and Sophos amongst others, and a video of an attack occurring even appeared on the Sunbelt blog.

Reply Score: 0