Linked by Thom Holwerda on Sun 18th Sep 2005 12:39 UTC, submitted by j-s-h
Internet & Networking A recent blog post on ZDNet contends that Firefox is not as secure as promised by counting exploits. Joseph Huang contends that severity and the number of unpatched vulnerabilities matter, not just the number of exploits discovered.
Thread beginning with comment 32976
Lies, damn lies and facts
by on Sun 18th Sep 2005 16:18 UTC

Firefox probably isn't the best browser out there, but it surely is more secure than IE if you look at *all* facts.

Facts like this, taken from the article prominently linked on Mozilla Web page?

---
But Firefox has better security and privacy than IE. One big reason is that it won't run programs called "ActiveX controls," a Microsoft technology used in IE. These programs are used for many good things, but they have become such powerful tools for criminals and hackers that their potential for harm outweighs their benefits.

And it has a cool feature called "Extensions." These are small add-on modules, easy to download and install, that give the browser new features. Among the extensions I use are one that automatically fills out forms and another that tests the speed of my Web connection.
---

A man says it with a straight face; he is not sarcastic or something.

Now, tell me about *all* facts.

Reply Score: 0

RE: Lies, damn lies and facts
by Rehdon on Sun 18th Sep 2005 16:56 in reply to "Lies, damn lies and facts"
Rehdon Member since:
2005-07-06

What's the part you don't understand, "ActiveX is bad for security" or "FF has extensions"? Both statements are true; IE integration in the operating system is one of the reasons why any security exploit can have disastrous consequences.

So, what's your problem with facts? That IE has extensions too? We're talking about security here, in case you haven't noticed.

rehdon

Reply Parent Score: 0

RE: Lies, damn lies and facts
by JLF65 on Sun 18th Sep 2005 23:41 in reply to "Lies, damn lies and facts"
JLF65 Member since:
2005-07-06

---
But Firefox has better security and privacy than IE. One big reason is that it won't run programs called "ActiveX controls," a Microsoft technology used in IE. These programs are used for many good things, but they have become such powerful tools for criminals and hackers that their potential for harm outweighs their benefits.

And it has a cool feature called "Extensions." These are small add-on modules, easy to download and install, that give the browser new features. Among the extensions I use are one that automatically fills out forms and another that tests the speed of my Web connection.
---

A man says it with a straight face; he is not sarcastic or something.



You totally misunderstand the two.

ActiveX - little programs run by the browser when you visit a page the ActiveX program is attached to. As long as ActiveX is enabled, the ActiveX program ALWAYS runs simply by visiting the page. ActiveX programs can do almost anything in your system. Couple the facts that in IE ActiveX is enabled by default, permitted to do anything by default, and the user is running at administration level by default, and you see that ActiveX is a HUGE source of insecurity.

FF Extensions: little programs run by the browser if installed and enabled. They are NOT automatically installed - you have to actually download the extension and choose to install it in FF.

ActiveX programs are rarely open source and rarely peer reviewed. Extensions for FF are open source and peer reviewed to make sure they aren't malicious.

As mentioned above, ActiveX programs automatically run without notifying the user that they are even present. FF extensions require the user to download and install them. Plenty of time to decide if you wish to actually use it.

Hopefully now you have a better understanding of why ActiveX makes IE insecure while extensions don't NECESSARILY make FF insecure.

Now if you download a closed source FF extension from an unknown party off some unknown web page and install it, you get what you deserve, but don't blame THAT on FF.

Reply Parent Score: 1

RE[2]: Lies, damn lies and facts
by on Mon 19th Sep 2005 02:40 in reply to "RE: Lies, damn lies and facts"

As long as ActiveX is enabled, the ActiveX program ALWAYS runs simply by visiting the page.

Whether ActiveX controls run by default isn't the issue. The issue is download. Downloading behavior depends upon the "Zone" in which the page is running (i.e. Internet Zone, Local Intranet, Trusted Sites, Untrusted Sites, etc.) and the Security level of the user. By default, users run with "Medium" Security, which prompts the user with a dialog that identifies the source of the control and asks whether the user wants to install it.

Reply Parent Score: 0