OSNews:

OSNews: http://www.osnews.com/story/18034/Mozilla_Plugs_Firefox_Thunderbird_Seamonkey_Security_Holes Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Tue, 10 Nov 2009 10:31:49 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Again? http://osnews.com/thread?245634 http://osnews.com/thread?245634 Again? Wed, 06 Jun 2007 11:29:00 GMT donotreply@osnews.com (Barnabyh) Comments RE: Again? http://osnews.com/thread?245636 http://osnews.com/thread?245636 Well, Security is an ongoing process...

If anybody came up with a final fix for security, I'm sure Symantic or McAffe would have them assassinated pretty soon. Wed, 06 Jun 2007 11:32:00 GMT donotreply@osnews.com (Kroc) Comments RE: Again? http://osnews.com/thread?245642 http://osnews.com/thread?245642 That was a pretty fast patch, ~48 hours?

Hopefully the builds will trickle out today so I can update my systems.

- chrish Wed, 06 Jun 2007 12:23:00 GMT donotreply@osnews.com (chrish) Comments RE[2]: Again? http://osnews.com/thread?245646 http://osnews.com/thread?245646 Here we go again...

Microsoft sucks!! open source sucks!! patched quickly!! hole shouldn't have existed in the first place!! open source no more secure than closed source!! closed source has less eyes so less secure!! mine is bigger than yours!!

All software has bugs and problems. This bad run of luck is no different to Microsoft patch Tuesday. It'll happen again, as will patch Tuesday. Wed, 06 Jun 2007 12:32:00 GMT donotreply@osnews.com (flanque) Comments RE[3]: Again? http://osnews.com/thread?245649 http://osnews.com/thread?245649 You don't get the point.

When Microsoft/Apple correct security holes, they suck.

BUT, when it's open source, they do NOT suck: they are just patching security holes to make the system more secure than before... Wed, 06 Jun 2007 12:50:00 GMT donotreply@osnews.com (Duffman) Comments RE[4]: Again? http://osnews.com/thread?245653 http://osnews.com/thread?245653 That's about as inaccurate a statement as "Being closed source is more secure". It's you who really doesn't get the point. Wed, 06 Jun 2007 13:24:00 GMT donotreply@osnews.com (Kroc) Comments RE[2]: Again? http://osnews.com/thread?245654 http://osnews.com/thread?245654 This is one of the reasons I like to use distributions which quickly put the latest software and/or patches in their repositories... some distro's I installed 2 months ago or so still had Firefox 1.5.x as the default... :=|Edited 2007-06-06 13:26 Wed, 06 Jun 2007 13:26:00 GMT donotreply@osnews.com (Darkelve) Comments RE[4]: Again? http://osnews.com/thread?245659 http://osnews.com/thread?245659 @duffman :

Its not a question of open vs closed or commercial vs free. It's just that microsoft has a very different way of advertising their products, they are very agressive and sometime fail to deliver what they promised. So people have great expectations, and when something goes wrong or a promised feature is not there they get angry, that's simple, it's the side effect of over-promising.
You could observe the same reactions of the public when nintendo and sony launched the wii and the ps3. Those are two big (bad

) corporations but people were a lot more indulgent with nintendo because they delivered exactly what they promised at the price they promised at the time they promised. If you looked at the ps3 forums at that time, people were just angry about anything.

(edit: grammar)Edited 2007-06-06 14:02 Wed, 06 Jun 2007 13:52:00 GMT donotreply@osnews.com (aldeck) Comments As the usage increases http://osnews.com/thread?245660 http://osnews.com/thread?245660 number of security flaws found in your code increases.

The same holds true for almost all the software including Linux etc.

Is anyone surprised by this btw? May be you are because OSS fanboys must be telling you all along how secure FF is (when it is really not)

So next time they tell you how secure Linux is...please do yourself a favor and ask them to STFU. Use a software which fulfill your needs rather than giving into propaganda spread by the OSS zealots.Edited 2007-06-06 14:01 Wed, 06 Jun 2007 13:58:00 GMT donotreply@osnews.com (CrazyDude0) Comments RE[5]: Again? http://osnews.com/thread?245664 http://osnews.com/thread?245664 ...not to mention that its so hard to stay mad at the Wii. Its just so dang cute... Wed, 06 Jun 2007 14:11:00 GMT donotreply@osnews.com (google_ninja) Comments RE: As the usage increases http://osnews.com/thread?245667 http://osnews.com/thread?245667 Just because something gets security patches now and again, it doesn't make it wholly "insecure".

In that vein, Windows is as secure as Linux- because they both have security flaws.

This clearly isn't actually the case. Wed, 06 Jun 2007 14:18:00 GMT donotreply@osnews.com (Kroc) Comments RE: As the usage increases http://osnews.com/thread?245668 http://osnews.com/thread?245668 "As the usage increases..." so does the FUD. Wed, 06 Jun 2007 14:20:00 GMT donotreply@osnews.com (systyrant) Comments RE[2]: As the usage increases http://osnews.com/thread?245670 http://osnews.com/thread?245670 I guess you just proved your point. Wed, 06 Jun 2007 14:29:00 GMT donotreply@osnews.com (BluenoseJake) Comments RE: As the usage increases http://osnews.com/thread?245672 http://osnews.com/thread?245672 Use a software which fulfill your needs rather than giving into propaganda spread by the OSS zealots.

Or, use software that everyone knows is broken out of the box Wed, 06 Jun 2007 14:34:00 GMT donotreply@osnews.com (raver31) Comments Has anyone .... http://osnews.com/thread?245673 http://osnews.com/thread?245673 .. actually been bitten by a firefox/thunderbird security issue? Ex: some nasty website/email caused havoc with your system due to a security hole.

I know that I've been bitten on IE in the past. Back then firefox's market share was too low to be a target, so IE was targeted, but with firefox sitting at ~20% I would think that someone would have crafted a successful attack by now. Wed, 06 Jun 2007 14:35:00 GMT donotreply@osnews.com (openwookie) Comments Eehhhh? http://osnews.com/thread?245674 http://osnews.com/thread?245674 Nightmarish week? Wooot O_o ?

It's just a security fix for the old branch fixing pretty much the same theoretical issues in all the variations of Gecko.

But haven't you updated yet to 2.x? I do believe using 1.5.x equals using IE7... Wed, 06 Jun 2007 14:36:00 GMT donotreply@osnews.com (dylansmrjones) Comments A few points http://osnews.com/thread?245676 http://osnews.com/thread?245676 There's so many factual inaccuracies in this thread I don't even know where to start :S

1) Open source is no more or less secure than closed source.
2) Firefox is more secure than IE but (according to benchmarks) less secure then some other browsers such as Opera
3) A regular patch release does look bad from a perspective that there's holes to patch, but at least Mozilla are patching the holes. Some companies take months to get round to fixing security issues.
4) Firefox has bugger all to do with OS fanboy-isum as Firefox runs on most of the desktop OSs out there.
5) Firefox /is/ getting targeted more because of it's popularity. that doesn't make it less secure, just a bigger target - which in turn (hopefully) means people are more mindful about ensuring Firefox's security is up to date.
6) increased usage in software /will/ show up more security holes, but that doesn't mean that all software is equally secure or insecure. It just means that the existing security flaws become more apparent.

Quite frankly I'm surprised at the number of comments in this thread that are way off the mark given the usual standard set on OSNews.Edited 2007-06-06 14:52 Wed, 06 Jun 2007 14:44:00 GMT donotreply@osnews.com (Laurence) Comments RE: Has anyone .... http://osnews.com/thread?245677 http://osnews.com/thread?245677 "

.. actually been bitten by a firefox/thunderbird security issue? Ex: some nasty website/email caused havoc with your system due to a security hole.

I know that I've been bitten on IE in the past. Back then firefox's market share was too low to be a target, so IE was targeted, but with firefox sitting at ~20% I would think that someone would have crafted a successful attack by now.

"

I've had a few attacks when visiting website of an adult nature *coughs*. I believe the majorety of them were down to JPEGs with malicious code built into them.

Avast AV protected me on each and every occation though. Wed, 06 Jun 2007 14:46:00 GMT donotreply@osnews.com (Laurence) Comments RE[2]: As the usage increases http://osnews.com/thread?245679 http://osnews.com/thread?245679 I wouldn't call OSS broken out of the box... you have to enable that functionality (or lack thereof) in a text config file first. Wed, 06 Jun 2007 14:57:00 GMT donotreply@osnews.com (sappyvcv) Comments Nightmare? http://osnews.com/thread?245680 http://osnews.com/thread?245680 Since when is it "nightmarish" when many security holes are found and patched? Wed, 06 Jun 2007 15:19:00 GMT donotreply@osnews.com (Ford Prefect) Comments RE[3]: As the usage increases http://osnews.com/thread?245681 http://osnews.com/thread?245681 ha, that actually made me chuckle out loud.

Wed, 06 Jun 2007 15:27:00 GMT donotreply@osnews.com (helf) Comments RE: Has anyone .... http://osnews.com/thread?245682 http://osnews.com/thread?245682 Not quite an attack but have had the NSIS Media malware on my system which caused popups in firefox every 5 minutes or so. Wed, 06 Jun 2007 15:28:00 GMT donotreply@osnews.com (TaterSalad) Comments RE: A few points http://osnews.com/thread?245687 http://osnews.com/thread?245687 "Quite frankly I'm surprised at the number of comments in this thread that are way off the mark given the usual standard set on OSNews."

Can I read your OSNews? I think I get one from a different reality Wed, 06 Jun 2007 15:51:00 GMT donotreply@osnews.com (BluenoseJake) Comments RE: Has anyone .... http://osnews.com/thread?245688 http://osnews.com/thread?245688 There's a number of Spyware toolbars for Firefox now, something many people saw coming a long time ago Wed, 06 Jun 2007 15:58:00 GMT donotreply@osnews.com (Kroc) Comments RE[2]: Has anyone .... http://osnews.com/thread?245691 http://osnews.com/thread?245691

Avast AV protected me on each and every occation though.

That you know of buddy... that you know of.. Wed, 06 Jun 2007 16:42:00 GMT donotreply@osnews.com (Angel) Comments RE: Eehhhh? http://osnews.com/thread?245693 http://osnews.com/thread?245693 Using IE 7 would more equal using Fx 1.0x at best.

At least feature-wise. I'm not so sure about security, since Fx 1.0x is no longer officially supported and computer security was never my best subject. I think the only non-security-related feature IE7 has on Fx 1.0x is Quick Tabs.

Before the flames engulf me, allow me to say that I am by no means a Fx fanboy--hell, I'm a proud Opera user.

Wed, 06 Jun 2007 16:43:00 GMT donotreply@osnews.com (shykid) Comments RE[2]: A few points http://osnews.com/thread?245695 http://osnews.com/thread?245695 Seriously. Guy's gotta have his comment threshold on five or have some kind of amazing, never-before-seen stupidity filter. Or both. Wed, 06 Jun 2007 16:47:00 GMT donotreply@osnews.com (shykid) Comments RE: Nightmare? http://osnews.com/thread?245697 http://osnews.com/thread?245697 My idea of "nightmarish" would be security holes that go unpatched for long periods of time. I don't care how many holes are in the software I use, as long as they're all patched before they can be exploited, which is exactly what the Mozilla team is doing. Wed, 06 Jun 2007 16:49:00 GMT donotreply@osnews.com (shykid) Comments RE[3]: As the usage increases http://osnews.com/thread?245702 http://osnews.com/thread?245702 I'm not spreading FUD. So I didn't prove anything. =P Wed, 06 Jun 2007 16:58:00 GMT donotreply@osnews.com (systyrant) Comments RE: Has anyone .... http://osnews.com/thread?245703 http://osnews.com/thread?245703 ".. actually been bitten by a firefox/thunderbird security issue?"

Does spyware count? That was one of FF's big promises...no more spyware which is certainly not the case. That being said it's a small price to pay for all of FF's other capabilities. Wed, 06 Jun 2007 16:59:00 GMT donotreply@osnews.com (jayson.knight) Comments RE[2]: A few points http://osnews.com/thread?245704 http://osnews.com/thread?245704 "

Can I read your OSNews? I think I get one from a different reality

"

Maybe I just usually stop reading threads when they start turning into stupid flame wars or maybe I've just been lucky when discriminating against the threads I haven't read - but usually I find OSNews to be quite informative. Wed, 06 Jun 2007 17:00:00 GMT donotreply@osnews.com (Laurence) Comments RE[3]: Has anyone .... http://osnews.com/thread?245705 http://osnews.com/thread?245705 Maybe, but without going into the specifics of my set up, any security breach (short of a professional hacker manually accessing my system) would have been at least reported at some point (even if it's just from the hardware proxy reporting on the packets sent/recieved). Wed, 06 Jun 2007 17:02:00 GMT donotreply@osnews.com (Laurence) Comments When you start hitting so many posts.... http://osnews.com/thread?245706 http://osnews.com/thread?245706 ...without any facts or figures.

Would I love a serious OSS vs Proprietary security comparison. I would love one, but this isn't it.

Is anyone showing a serious amount; severity; time-to-patch comparison. I know these figures can be heavily massaged to interpret anything, but at least opinions can be offered.

On a side note.
http://marketshare.hitslink.com/report.aspx?qprid=6

People should be aware that the largest browser on the market today is IE6. I think what is surprising is the amount of people on Firefox1.5 considering 2.0 is free in every sense of the word. Wed, 06 Jun 2007 17:07:00 GMT donotreply@osnews.com (cyclops) Comments RE[3]: A few points http://osnews.com/thread?245708 http://osnews.com/thread?245708 It's simple: using the Digg API, you diff the Digg comments with OSNews, thus filtering out all the inane, moronic, trolls Wed, 06 Jun 2007 17:10:00 GMT donotreply@osnews.com (Kroc) Comments RE[4]: As the usage increases http://osnews.com/thread?245711 http://osnews.com/thread?245711 You're just not being used enough yet, then... or did I misunderstand anything ?

Wed, 06 Jun 2007 17:55:00 GMT donotreply@osnews.com (AlexandreAM) Comments RE[3]: Again? http://osnews.com/thread?245712 http://osnews.com/thread?245712 """
Here we go again...

Microsoft sucks!! open source sucks!! patched quickly!! hole shouldn't have existed in the first place!! open source no more secure than closed source!! closed source has less eyes so less secure!! mine is bigger than yours!!
"""

You've done this before! ;-)

I guess we all have.

So let me put my votes in for:

1. OpenSource, in general, is more secure.

2. The holes shouldn't have existed in the first place.

And I will add a couple of predictions:

2a. 3rd party extensions are going to be the Achilles' Heel of Firefox and Mozilla Corp will deal with the issue by passing the blame to the 3rd parties, like MS does with drivers, etc.

2b. Mozilla Corp has worked out this scenario and already has a plan in place.

I can't help but feel that Mozilla Corp, like Microsoft before it, recognizes the value of the PR department regarding security issues.Edited 2007-06-06 18:07 Wed, 06 Jun 2007 18:03:00 GMT donotreply@osnews.com (sbergman27) Comments RE[3]: Again? http://osnews.com/thread?245713 http://osnews.com/thread?245713 Dup. Sorry. ISP weirdness, today.Edited 2007-06-06 18:04 Wed, 06 Jun 2007 18:04:00 GMT donotreply@osnews.com (sbergman27) Comments RE: As the usage increases http://osnews.com/thread?245714 http://osnews.com/thread?245714 """
As the usage increases
...
number of security flaws found in your code increases.
"""

CrazyDude0,

You are glossing over the very important point that here, today, in the real world, it is IE that is being targeted by real exploits, living in the wild. It does not matter why. What matters most is that it is.

I'm intentionally not addressing which browser is more secure, intrinsically. Not because I do not have an opinion on the matter, but because it is irrelevant to the point I am making.

Assuming, for the sake of argument, that FF and IE are equally insecure, on an intrinsic level... IE's users are still in far greater danger, from a practical perspective.

And that's a fact.Edited 2007-06-06 18:39 Wed, 06 Jun 2007 18:22:00 GMT donotreply@osnews.com (sbergman27) Comments RE[3]: As the usage increases http://osnews.com/thread?245718 http://osnews.com/thread?245718 I was not talking about OSS, I was of course talking about Windows.....

However, you did make a very funny point about OSS !

:) Wed, 06 Jun 2007 19:11:00 GMT donotreply@osnews.com (raver31) Comments RE[5]: As the usage increases http://osnews.com/thread?245721 http://osnews.com/thread?245721 I'm a skeptic tank. All the FUD comes in, but only gets flushed out once a month.

Wed, 06 Jun 2007 20:22:00 GMT donotreply@osnews.com (systyrant) Comments