“Now that Firefox has become the first viable contender to Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week’s premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.” Note: Read this article, and especially the update, carefully before commenting.
Wait a second…. isn’t that the guy that made the OOo.org and MS Office comparison full of mistakes?
Not all security flaws are created equal.
Regardless of this article, I think it would be always safer to utilise “alternative” (not_so_popular) network software. It’s just common sense.
The problem is this: what counts as “not-so-popular”? There is a glut of web browsers based on WebCore in Mac OS X. Similarly, several browsers use the Mozilla renderer. So if the problem is in the rendering engine, and the browser doesn’t try to patch around the bugs, how safe can you claim to be?
It’s not common sense. It’s security through obscurity. And there are plenty of reasons to avoid it.
My overall feeling is that Firefox is more secure than IE since they update it often and are open about talking about security problems while Microsquish keeps it closed unless shamed into revealing something. Just the fact that ActiveX vulnerabilities are removed makes it more secure. I also like that Firefox is not embedded into the OS like IE is so there is another layer of security there. What we are seeing now is that Firefox is popular enough that hackers are seeing it as a potential target to introduce spyware, etc.
The Firefox extension system is incredibly powerful and easy to develop in-house web applications or extend the functionality of Firefox. It is not perfect but it is great to be able to add a feature to a browser that you find missing with ease. On the downside extensions can break easily as newer versions of Firefox are updated since they have dependencies to Firefox API’s.
The Firefox extension system is incredibly powerful and easy to develop in-house web applications or extend the functionality of Firefox. It is not perfect but it is great to be able to add a feature to a browser that you find missing with ease.
Hear, hear. Firefox is really a desktop platform of its own. Not an ideal crossplatform platform, but it’s there.
Now typically I would bash Firefox just to make fun of open source bible thumpers, but the importance of Firefox getting a meaningful marketshare is in keeping Microsoft honest with regards to at least adhering to some standards.
IE has a faster renderer hands down, but it still doesn’t have tabs and I’d still trust FireFox in regards to security any day of the week.
Plus, I’m a little biased anyway since lately I’ve been getting interested in Mozilla as an application platform. By the way Mozilla has a new dev center.
http://developer.mozilla.org
Microsoft not publishing all of their security holes doesn’t mean they don’t exist.
also, yes it is the guy that did the OO.o/MS Office comparison in Microsoft’s format.
yes, he was the same guy
and another thing… zdnet is always pro-microsoft… ALWAYS !
And what’s wrong with that? What about cases where Microsoft IS in fact better than opensores software?
If a site is pro-Linux and does a biased comparison, no one complains. When it’s the opposite, all of you Linux fanbois get riled up.
If a site is pro-Linux and does a biased comparison, no one complains. When it’s the opposite, all of you Linux fanbois get riled up.
Ummm…people bitch all the time, like your above statement. So I’ll stop bitching about you bitching if you stop bitching about other people bitching…deal?
Hey troll, this isn’t about Linux but about Firefox. Most Firefox installs are on Windows systems.
Now, will you acknowledge the fact that the IE vulnerabilities, while fewer, are rated as more severe than the FF ones? That’s the real issue, but of course you’ll ignore it since your agenda is to dump on open source software every chance you get…
Really? Show me a comparison list — you’ve stated it as fact, so you must have compared all of the vulnerabilities, right?
Most IE vulns would be much less harmful if only everyone didn’t use Administrator as their default account.
he was replying to “Linux is Poo”‘s post.. He was the one who brought Linux into the topic, not the guy who you incorrectly called a troll.
It’s a good browser on top of an insecure operating system.
It’s the raw egg form of security against the hard boiled egg kind like bsd, linux and mac os x.
Nothing is perfect when it first comes out into major circulation, the true test is if the problems continue, for like 20 years with Microsoft products.
Then one has to seriously consider there is an intentional plan to make people suffer.
Deep down, I think the control freaks in Washington DC don’t want everyone to have secure computers/internet.
Imagine the alternate borderless governments that could be set up?
Hmmm sounds like terrorism.
Then one has to seriously consider there is an intentional plan to make people suffer.
Deep down, I think the control freaks in Washington DC don’t want everyone to have secure computers/internet.
Imagine the alternate borderless governments that could be set up?
Hmmm sounds like terrorism.
Hehe, do you listen to Coast-to-Coast(Art Bell) much?
It’s a good browser on top of an insecure operating system.
Yup, damn those insecure Linux operating systems.
It’s the raw egg form of security against the hard boiled egg kind like bsd, linux and mac os x.
You mean like how they sweep all the BSD, Linux and OSX exploits under the rug? Security through obscurity indeed!
Nothing is perfect when it first comes out into major circulation, the true test is if the problems continue, for like 20 years with Microsoft products.
like Linux?
Then one has to seriously consider there is an intentional plan to make people suffer.
You must be talking about Linux then
Deep down, I think the control freaks in Washington DC don’t want everyone to have secure computers/internet.
Imagine the alternate borderless governments that could be set up?
Hmmm sounds like terrorism.
Tinfoil hats, ON!
Yes, I’m intentionally trolling your anti-MS bigotry.
There is some truth to that. Firefox is a much younger code base than IE. What, 1998 vs 1994? And I think most of the problems in firefox are outside of the gecko engine and are actually problems with firefox code?
Mozilla is much more important than Gnome or KDE will ever be. But what we need is cross-browser XUL, SVG functionality. Microsoft gave us XMLHttpRequest and Mozilla and others adopted it, so I don’t think most people care if some interesting technology comes from Microsoft, the importance is getting it out there.
W3C standards don’t mean as much as just getting the major browsers to implement something to richen web programs.
Little things like home page hijacks keep me from ie. Got me in a load of trouble awhile back. I also believe a good market has 2 or more contenders to keep each other in check.
If it weren’t for browsers like Firefox, illegal monopolies like Microsoft would own the internet.
But how does it deal with the quality of Firefox? Are You going to claim that Firefox still deserved its 7% even in case of much less secure code than now?
The large number of Firefox bugs compared to IE6 could be down to the fact that IE6 has had 4 years (since Windows XP in 2001) to iron out the bugs, while Firefox hasn’t nearly had that much time.
Perhaps it would be interesting to compare the number of bugs found for IE during its first year of public usage, compared with Firefox.
That wouldn’t be quite fair either. There’s probably a thousand times more firefox users now than there were IE users in 1995; simply because there are sooo many more web users and because IE was in the same minority position when it started.
Also, the average intelligence of web users has gone down significantly since then. And the average technical ability has gone down farther. Which means that web cracking is that much more attractive.
Also, the amount of money going across the web has gone up exponentially since then. Which means the incentive for web cracking goes way up.
It was a very different time. I think IE would win the question too. You’d probably see more complaints about IE crashing.
People tend to forget that netscape was open-sourced around 1998 or something..
…ignore Opera, which has a long history of being the most secure, most functional, most innovative, and fastest browser around.
Meh. I don’t particularly care for opera, because 1) I don’t like the interface and 2) I don’t like paying for something as trivial and un-unique as a web browser.
-bytecoder
” I don’t like paying for something as trivial and un-unique as a web browser. ”
Obviously you’re not a programmer. Browsers are essential tools, but that does not mean they are ‘trivial’. In fact, they are quite complex pieces of software.
Regardless of whether they are trivial or not, why would you pay for a piece of software when the alternatives are free, and work well? You might find value in Opera, but for the majority of web users, Opera isn’t something worth paying for.
” I don’t like paying for something as trivial and un-unique as a web browser. ”
You don’t have to pay for Opera anyway. They have a free version, albeit with a banner ad. Opera might not be your choice, and the interface issue is understandable, it’s not my favorite either. If nobody pays for any software (because lets face it all the stuff we use every day is “un-unique”), then who is going to bother developing it?
I wish Microsoft were in the car industry because right now all cars would be free, except maybe one, but you could get it for free if you liked as long as you had an ad on the back. Where do I come to that? Well… Microsoft would be crap at building cars, so they would have to make them free to compete with the other manufacturers. Then, once MS took everyone by surprise and grabbed 99.9% of the car market, other makers would have to give their cars away also.
Is it absolutely realistic to expect to get software for free? These projects (Firefox etc.) survive/succeed on the support of a community of developers, and of course financial support from donations etc. If we all took your attitude there wouldn’t be any “free” option.
You don’t have to pay for Opera anyway. They have a free version, albeit with a banner ad. Opera might not be your choice, and the interface issue is understandable, it’s not my favorite either. If nobody pays for any software (because lets face it all the stuff we use every day is “un-unique”), then who is going to bother developing it?
And yeah if you join their Affiliate Program and get 200 referrals [unique] they give a free license to remove those ads too. This is an ideal way to go if you find paying for web browsers trivial!
na, with both systems you still have to buy hardware. its just that you would have to drive the microsoft car on mostly toll roads. and it would be a hummer, and require TONS of gas.
emagius is right. Opera does have a long history of being the most secure browser, but unfortunately it is often overlooked by articles like these.
opera is definitely not the most functional browser… i’ve used it a few times and been horribly disappointed by its dismal css support.
It is also the most expensive and most unstable browser from the other two…
At least firefox doesn’t control the whole shell, as well. It has crashed a number of times on me in linux, but I believe that’s an unrelated (and annoying) problem. Out of curiosity, does anyone know if the exploits are in firefox code or the mozilla code?
-bytecoder
*if* we surmise that browsers crash ‘cuz of
their cache, we can workaround…
I have a script I run after exiting Opera in BSD
which deleted the cache, run thusly
!zsh
translating as
‘shell, rerun the most recent .zsh file and have
it delete every file in this subdir starting with
the 5 characters which comprise filenames under
Opera’s cache’ aka
#zsh ./remove_cache_files.zsh
approximately.
I have a similar FireFox script in Win98 which
deletes the Firefox cache after *each* site, however
I discovered several days ago that setting the
cache to a fat16 ramdisk in about:config, nothing
is written there anyway, so I run FF thusly:
c:…firefox
(exit)
c:…firefox
(exit)
etc…
Internet Explorer equivalent to the above, messes
with the Internet Options, causing great instability
and I never fortunately run it anymore…
You can tell Opera to delete cache on exit.
RE: you can tell Opera to del the cache upon exit…
I know but sometimes I want to grep-for and
save some gif or htm file…before deleting…
I neglected to mention that I run each browser
from a terminal (or dos box) continually, in
opera’s case from its cache subdirectory.
I guess its good to have more reported bugs than to go unreported @ all. Besides how many bugs out of these have been as serious as the ones in IE.
Toolbars installing themselves , Popups loading up @ will, Popups loading up even when I am not web surfing?
I had all these in IE 6. But I haven’t encountered such behaviour since I blocked IE through Sygate Personal Firewall and used Firefox instead on Win2k.
I am not saying FF is the end word in security but at least I am not getting notorious popups like ‘hey you got spyware click here to download abc’ while I am using FF and I hope I never would too [shudder]
Of course Adblock and Greasemonkey are big bonuses that aren’t landing on IE anywhere in the near future.
No mate, the honeymoon’s not over yet!
The honeymoon is not over for me either,
I installed it onto my two brothers PC’s. They both use Windows on their PCs. One has XP and the other has ME. Neither will switch to Linux.
They were both always on the phone, asking me to “fix” their computers… either they had trojans slowing them down, or they were clogged up with spy/adware.
Since I installed Firefox on both the machines, they have not called me about their machines.
When I visit, I run adaware or spybot, and the only things that are there are the odd tracking cookies.
So no, ZDNet, you MS sponsored site, the honeymoon will never be over.
Firefox is probably the best diplomat for oss so far.
Comparing the raw number of reports without looking at the severity of the exploits is a common ploy used by MS to try to confuse novice computer users. I’ll take a “potential phishing exploit” over a “remote code execution as Administrator” any day.
George Ou seems to have a definite pro-MS agenda. He’s either a paid shill or a major MS fanboy.
I’ve also noticed that Thom’s editorializing seems to indicate a strong pro-MS bias. Yeah, I read the blog posting carefully… it’s crap.
I’ve also noticed that Thom’s editorializing seems to indicate a strong pro-MS bias. Yeah, I read the blog posting carefully… it’s crap.
Leave Thom out of it, he is actually doing a good job with the site, and this is probably his first attempt at being a moderator.
Is Thom psychic ?
Does Thom have to filter out the pro-MS stories for you ?
I’ve also noticed that Thom’s editorializing seems to indicate a strong pro-MS bias. Yeah, I read the blog posting carefully… it’s crap.
I guess Thom is now finding out what a bunch of retarded, nutjobs the linux zealots really are. Unless Thom has a vehement anti-Microsoft bias then he’s somehow a bad guy.
ahh, so we’re not allowed to criticise (note to Americans: there’s no Z there in criticise) Thom or any other moderators now? That’s a lovely system. Not. I would agree with the original poster, I’ve detected an anti RMS/FSF/GNU/GPL/Linux smell come from osnews.com for some time now, and it’s getting stronger and stronger. Whether or not Thom is pro Microsoft, I don’t know him well enough to make a valid comment. But, anyways, this is getting off topic.
Dave
I’ve detected an anti RMS/FSF/GNU/GPL/Linux smell come from osnews.com for some time now
What smell is that, Stallman walking into your room to give you your daily cambodian-style, FSF/GNU/GPL indoctrination lesson?
But seriously, you’re so fucking blind by your rabid zealotry that you are incapable of perceiving reality anymore. That’s what happens when you get religious about software.
OSNews has never been an advocacy site, no matter how many demented fanboys want it.
Once you grow up you’ll understand these things.
I use Mozilla and prefer it to IE. People often complain about poor security in Microsoft’s products and I agree. However, I do think the widespread use of Microsoft’s products naturally makes them targets for exploits. Just because other, lesser-used software is not targeted does not mean that the software is inherently more secure. But a lot of people do believe that simply because the software or program they use hasn’t been attacked.
One of the key points in selling Firefox to the masses (before it became popular) was that it was much more secure than IE. But the initial limited usage was probably (partly) why the browser didn’t face many exploits.
Still, I have more confidence in the Firefox developers fixing and responding to security exploits than I do in Microsoft fixing faults in IE.
“widespread use of Microsoft’s products naturally make them targets”
OMG, how fed up I am with this kind of reasoning for many years now. You can’t reasonably explain flawed software with volume. Please understand already, that if you see a company as huge as MS, with as many developers as MS, with as much resources as MS, and you pay for the product they produce then you naturally should expect it 1) to work as expected, 2) to be as bug-free as humanly possible, 3) if bugs and exploits are discovered they should produce fixes faster than anyone else out there, since they have the most resources above anybody else. Still, they fail, time and time again.
Then some guy as the article writer always pops up picking useless statistics to prove one point: his own incompetence. Now come on, counting the last 7-8 months of exploits for a quite new product (with amazingly fast patch releases) with a 4-5 years old product, which naturally won’t have as many new exploits in the last 7-8 months as the newer product. Then again, these numbers alone don’t prove a thing.
“Just because other, lesser-used software is not targeted does not mean that the software is inherently more secure.”
This reason is flawed – look at the Apache webserver, as the popularity has increased, it has maintained its reputation for stability and security, despite becoming a larger target over time.
It’s the development process that leads to quality, not the market share.
“Just because other, lesser-used software is not targeted does not mean that the software is inherently more secure.”
This reason is flawed – look at the Apache webserver, as the popularity has increased, it has maintained its reputation for stability and security, despite becoming a larger target over time.
It’s the development process that leads to quality, not the market share.
IE 6:
http://secunia.com/product/11/
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
Firefox:
http://secunia.com/product/4227/
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
i pointed this out day before yesterday as well ..
if you bother to check these stats, you will be able to figure out that firefox is still way better than ie6
Firefox http://secunia.com/product/4227/
Internet Explorer http://secunia.com/product/11/
from 03 to 05, out of only 22 advisories for firefox 14% are unpatched compared to 28% out of 69 vulnerabilities unpatched for internet explorer during the same period.
For firefox 23% very highly critical and 0% extremely critical, compared to 29% highly critical and 14% extremely critical in Internet Explorer.
quality or quantity ?
Get the facts !
Looking at that data, the biggest component of Mozilla’s exploits is “Spoofing – 31%”. For IE its “System Access – 31%”.
I’ll deal with the miniscule spoofing risk. George can have his “remote system access”.
Is this editorialists Honeymoon over?
ROFL! Good Question !
The author fails to note the results of the attacks. While IE6’s security of late has been great, he doesn’t need to prove that to me, he fails to prove that Firefox’s has been bad. I’m sorry but… If there are so many vulnerabilities then why am I not seeing people with tons of crap installed on their PC?
A lot of the exploits with firefox have been in odd url conditions. Things that most people don’t seem to be running into?
If you want to trash the guy’s credibility, check out his theories on xml. He believes XML is bloated. Zipping xml files loses all the benefit of non-binary files (obviously he doesn’t understand that human readability is still there because zip is a common tool and the output is human readable). He uses Excel to see how XML is versus their time-tested native storage format (gee, I wonder why that is). He’s upset about waiting 45 seconds to open a 200MB spreadsheet… And he just generally seems to hate xml: http://blogs.zdnet.com/Ou/?p=97 .
What is with columnists lately and coming to big conclusions without really delving into the problem deeply?
Thing is – even if Firefox is as insecure (and has to be patched just like IE) as IE, it does not bother me – I will still use Firefox.
Firefox is a better, tidier, cleaner looking browser. It has tabs, popup blocking, extensions, themes, good security, and best of all, it’s far more standards compliant.
Oh, and I don’t run Windows so it’s all a moot point.
Debian keeps my Firefox updated, so I just sit back, and do very little
The truth is that that article is a huge STFU to the zealots from all over the world. 😉
Even if the number given stands, one has to wonder how many of them are critical (and easily exploitable) versus some that are only exploitable in very narrow circumstances. The number of exploit codes does not reflect the ease at which a script kiddie can use that vulnerability.
The latest IDN vulnerability, for example, is quite limited in scope because only a small subset of all Firefox browser users use IDN. This is in contrast to many IE exploits that affects majority of the users in the world.
So while I give George Ou compliments for doing comparisons such as this one (and the OO.O vs. MS Office one also), the metrics are just too simplistic to give any meaningful insights
http://secunia.com/product/4227/
http://secunia.com/product/11/
IE has more extremely critical problems. It has more unpatched problems. etc etc.
Does that prove anything useful? No.
http://secunia.com/product/4932/
But Opera sure looks stellar there doesn’t it .
This article should have been titled: Microsoft cleans up its act on IE Security. Instead of “oh look, Firefox sucks because it’s as bad as IE now that Microsoft is focusing on IE!”
Now that Firefox has become the first viable contender to Internet Explorer in years?
Both IE and Firefox are implementing features available in opera for years now.
Firefox is trying to use all RAM that my computer has.
The computer gets slow.
I was forced to switch to Opera.
I use FireFox at work and I’ve noticed this very issue as well. Certain pages just end up in huge memory leaks. Even closing FireFox doesn’t actually kill the application (it’s still visible from task manager as running). Also, I’ve never had Mozilla FireFox successfully open an embedded Adobe Acrobat pdf file from a website. Never (at least on Windows XP). Yes, I’ve tried Acrobat reader 5, 6, and 7. Yes, I’ve made sure that FireFox actually is meant to open it with Adobe reader, and embedded. This is across versions of Mozilla FireFox for the past year. I’ve got several mates who have the same problem. This is a critical bug that affects usability, and should have been solved a long, long time ago imho.
Myself, I personally feel that Mozilla FireFox is very much overrated. It’s nothing special. It looks as ugly as hell (to my eyes at least), it’s no faster than my preferred browser (Konqueror), it only renders pages slightly better, and then, that’s usually due to very poor coding on the page in question.
Dave
“It looks as ugly as hell (to my eyes at least)”
Did u try the various themes @ update.mozilla.org ?
Some of them, yes. I’m not a fan of GTK, it looks plain ugly. Doesn’t matter which app you use (just my honest opinion).
Dave
Is IE more secure than FireFox? Does the environment matter? This is a little bit like counting terrorist acts and making a claim about the quality of government.
Consider that last year, in China, a totalitarian society, there were zero incidents of terrorism. Whereas in India, the largest democracy by population, there were more than 200. So would you give up democracy -um FireFox — for that?
FUD….pure FUD at play here again….not surprised here one little bit
In the larger picture…quite simply….the older I get and the longer I use
computing technologies…especially now in a diverse university environment
where many of my colleagues outright reject the one-size-fits-all corporate IT
model…that seems to have many trails leading directly back to
Microsoft…OSS-OpenSourceSoftware is clearly the future and (should be) the
choice of anyone who values personal freedom, ownership, innovation,
customization and the basic right to do with software and hardware as they
please without privacy-steamrolling DRM and/or other heavy-handed
draconian licensing controls and PR campaigns to chart their course and
determine their experiences.
IT (especially in an academic setting) should be a collection of
learning/researching/entertaining/management/productivity tools….not
controlling anything or placing us in a box with no choices…but being here to
serve us as we please and ask. We are customers and people…not simply users.
FUD about Firefox, Linux and other OSS projects like OpenOffice is a natural
result of a threatened organization (and group of people) facing unsolvable
challenges that leave them feeling fearful, un-empowered, leapfrogged and up
against the wall. I expect it to get worse before it gets better in this arena.
Cheers,
Jeffrey
“…nutjobs the linux zealots really are”
You are one of a very few people who have even mentioned Linux in the context this debate. Reading through the comments, it is apparent a lot of the Firefox users who have responded are also MS users. How about you stop attacking people who use a different OS than you? Mkay, thanks!
How about you stop attacking people who use a different OS than you? Mkay, thanks!
I’m not attacking people that use a different OS than I do. I use windows and linux. I’m attacking the fruitcakes that think that OSS is a religion and Microsoft is evil.
OSS is a political movement, deal with it.
Microsoft isn’t “evil” per se – they are a product of a society that believes that the pursuit of profit is fantastic (that’s evil).
OSS is not a religion, but it certainly is a political movement.
“Microsoft isn’t “evil” per se – they are a product of a society that believes that the pursuit of profit is fantastic (that’s evil).”
Do you (or your parents) take home a pay check? By your definition, you just described yourself as evil. Your “profit” is your paycheck. You received more in money than you spent in costs to earn that money.
Corporations exist to earn a profit so their shareholders, who have put their money at risk, can earn a reasonable return. Unless you really want a system where the government controls everything (think of everything run as efficiently as your local Department of Motor Vehicles), then capitalistic forces must operate.
That said, Microsoft IS evil. They created a monopoly through questionable means (too much to list in this post), then charge many times what it cost to produce their products. The pursuit of profits is reasonable, and even noble (think of the employment it creates). Monopolies create companies making unreasonable profits, and there are laws to protect the consumer. Eventually, Microsoft will have to answer for its behavior.
Microsoft isn’t “evil” per se – they are a product of a society that believes that the pursuit of profit is fantastic (that’s evil).
OSS is not a religion, but it certainly is a political movement.
Yeah, OSS is a good fit for communists.
Yeah, OSS is a good fit for communists.
Yes, you are so right. They are communists just like all big telecom companies that give away free cell phones to make it easier for people to use and pay for their services.
The only difference is that software is almost free to give away while a cell phone isn’t. So I guess they are better communists than the FOSS people. Come to think of it, Vodafone even have a logo that’s red.
Who cares.
I married this lady because,
She works.
The vulnerabilities are released to common knowledge and common sense.
The bugs get fixed and fixes are shared publicly.
The developer base and user base have shared usage knowledge and experiences.
She makes me smile.
Do not list vulnerabilities anymore, but just fix them as if they are normal bugs. If you can keep the number of listed vulnerabilities as low as possible, then you have a secure browser, according to this not-so-complete (understatement of the century) article.
http://news.com.com/IE+flaw+puts+Windows+XP+SP2+at+risk/2100-1002_3…
That was posted on slashdot today .
Firefox is insecure, but it will never be nearly as bad as IE6 got. If a Mozilla browser was the main browser around the time of the internet/dotcom boom, would it have the same problems? Some, I’m sure. I still don’t think it would have been quite as bad as IE though.
There’s one problem with Mozilla/Firefox. There really is no good security process for reviewing code. Having it open-source so everyone can look at it works well, but it’s NOT good enough. You need a thorough security review of all new code, which I’m fairly certain Mozilla does not do.
The fragmentation of developers is also an issue. They have guidelines, but they aren’t going to get yelled at by their boss or fired because they didn’t do something right. It’s mainly the core developers that do the communication. Most of the developers aren’t in the same area. They don’t work together every day where they can communicate more fluidly and be on the same page.
Take Opera for example. They are all on the same page. They work together almost every day and their jobs are on the line. They have formal security reviews that are a requirement of the job and company.
I also think Opera and Firefox have the advantage that while IE got almost all the attention, it was attacked and made a fool of. These 2 browsers were still pretty under the radar, and didn’t have to face the same scale of attacks. But they got the advantage of seeing what can happen and realizing they REALLY have to take security seriously. I know they both did already, but it’s a wake up call to make sure no one was slacking.
Firefox having “more vulnerabilities per month” is a wrong and misleading claim. It is still much more secure than Internet Explorer for which another new security warning in conjunction with SP2 has been issued just today: http://news.com.com/IE+flaw+puts+Windows+XP+SP2+at+risk/2100-1002_3…
Despite patching, our company had so many security issues and resulting data loss with Internet Explorer lately that we had to ban its use on company desktops and installed Firefox everywhere. In the long run we’ll migrate to Linux anyway.
I don’t know if this is what the author meant, but this is what I got, especially from the title.
He’s saying that the time when Firefox didn’t have to worry about being a major target is over (and has been since earlier this year). They were able to claim being more secure, because they were still slightly under the radar. They wouldn’t get the same scale of attacks as IE. This does NOT however imply that Firefox would become as insecure if it was as popular as IE.
The point is, Firefox has entered a time where it will really be tested and scrutinized, and the Mozilla employees and developers must stay on top of security, now more than ever.
The wonderful publicity and being the media’s darling is over. Now it’s a solid known product that must take the true test. Hence, “the honeymoon is over”. It’s very serious now, it’s no longer fun and games, celebrating the success.
Blah, just see the news
http://news.com.com/IE+flaw+puts+Windows+XP+SP2+at+risk/2100-1002_3…
IE flaw puts Windows XP SP2 at risk
Published: September 16, 2005, 7:08 AM PDT
By Dawn Kawamoto
Staff Writer, CNET News.com
A flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned.
The flaw, which also affects systems running Windows XP, is found in the default installations of Microsoft’s IE, according to an advisory released by the security company on Thursday.
“The flaw is not wormable but allows for the remote execution (of code) with some level of end-user intervention,” said Mike Puterbaugh, eEye’s senior director of product marketing.
The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE.
The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2.
Speaking just for myself, the day I stopped using IE and ordered my kids to also stop and learn Firefox instead – that was the day when my Windows virus problems stopped completely. Nothing’s perfect in the absolute, I suppose, but Firefox sure has been perfect for me. Thank you Firefox – you took the nightmare out of internet access for us.
and women too…w3m. As soon as firefox gets a big enough share, it will become one of the ‘hated’ ones, and some other smaller browser will become the latest cool browser to have.
Why do you think Apple has so many zealous fans? Because it’s the ‘giant killer’. Wait until (if) Linux gets some market share. People will be bashing it as bloated and buggy soon enough.
Why are these things always like high school popularity contests…
Mister Ou does compare the OSS with commercial code in terms of security by comparing the number of bugs found. But the opensource software is recognized as economically preferable because the bugs and exploits _ARE_EASIER_TO_FIND_ there, so we can say that every OSS program will have more bugs and exploits committed just because it’s OSS.
Still talking about Firefox security we can say that using it cannot be secure just because it has 7% of market share. So if you want to feel secure, use a text browser or Dillo or – at last – Opera. And only then will you have a chance.
Once you start IE in a normal account with admin rights, you are invaded by SpyWare, etc.
That’s the big difference and why I still think FireFox is better. (though I use Safari and Mac all the time now, since I rarely use my Windows box anymore)
IE runs faster on all of my machines at home. I can open yahoo video, yahoo musics, etc etc. I still remember when I had my FreeBSD laptop running Firefox, which then I switched to Opera because Firefox loads longer than Opera, not just a tiny bit longer, but _WAY_ longer. The same laptop I used win2k on it with Internet Explorer 6 and no patches, no anti virus (just the fact that it is behind a gateway), I have not dealt with _ANY_ viruses, malicious codes, self-installing software or any other stuff. Doesn’t IE have a pop-up blocker as well in XP? I know it does not work in some sites, well, NEITHER does the Firefox one. So what if Firefox has themes; I’m not interested in it.
By the way, those who received a lot of viruses, spyware installed automatically, you guys opened too many PORN and WAREZ sites eh. (Or maybe your children did it, either way it is someone in your house )
Opera 8 takes me longer to load than firefox 1.0 here. I don’t know what it does, spends a bunch of time in io waits…
Several of the Firefox flaws were specific to a single platform that it runs in. Just quickly looking through the security holes, I noticed AT LEAST one was specific to Macs, one was specific to Linux, and one was specific to Windows, which means at least 2 of the exploits in this article are not valid regardless of the operating system used. There are others which are OS specific which would help further reduce the number to a number below that of IE.
Fair enough, Firefox has more published exploits. This is all well and good. Sure, anyone can write a document and write up an exploit that they’ve discovered and then post it to a security board for review. The question that should be asked is how many of these published security holes are being exploited by script kiddies. For the most part, script kiddies are still going to go after the big target. That is still IE.
Even if they used all the 40 exploits of Firefox and only 1 of the IE.. the fact still remains that the amount of exploits successfully exploited will occur in IE due to sheer amount of users still using IE.
All I know is, there is no way for a website to modify the startup process or alter the registry through Firefox. That right there makes it 1 million times more secure than Internet Explorer.
*LOL* Thom keeps attacking the FLOSS movement…
Look at the links to Secunia:
Critical level for Firefox:
http://secunia.com/product/4227/
Critical level for IE:
http://secunia.com/product/11/
As you can see, the exploits for FireFox are non issues. They are not really critical (despite their number). However IE has (by now) fewer exploits, however, they are highly critical.
This is to be expected. IE is way older than Firefox and therefore has more small exploits fixed, however: Firefox does not have critical exploits.
@ Thom Holwerda
You should have written:
“Media manipulates with truth: Firefox not 100% secure, but still most secure. This is because the exploits in Firefox are less critical, while IE exploits almost always are highly critical.”
dylansmrjones
kristian AT herkild DOT dk
Using Internet Explorer is suicide nowadays. Its code base is so huge and messy that, even besides the well known DirectX exploits, you can expect numerous other vulnerabilities that just haven’t been discovered or disclosed yet.
Firefox is well written and is still far more secure. The few bugs that have been found are not nearly as critical as most of the IE ones. The upcoming version of Firefox will be even more secure.
Even more secure? How do you know?
Also, Firefox code base is REALLY BIG. It’s gigantic. The source code is a few hundred at least, IIRC.
Also, wtf does DirectX have to do with IE?
More interesting stats from the secunia page…”extremely” and “highly” critical vulnerabilities combine for 43% of IE’s total exposure. Firefox has _zero_ extremely critical vulnerabilities, and “highly” critical vulnerabilities account for only 23% of the total. So IE has twice the proportion of really serious vulnerabilities that Firefox has. just more to prove that all ‘vulnerabilities’ are not created equal…
this was posted on slashdot yesterday… pretty pathetic
http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=1…
and this isn’t newsworthy, not all exploits are equal. also if we want a fair comparison on the two browsers then why don’t we also factor in the amount of time it took for the exploits to be patched.
Tell me now the number of FF exploits which are really dangerous on non-MS platform?
Almost every time I read that something more or less dangerous was found in FF/Mozilla (and usually nothing of that brought any worm or trojan into the system! See the difference with IE) – it appears that in reality this danger/exploit is purely “MS Windows internal vulnerability”(TM).
It is like reading numerous articles “E-Mail is dangerous! New e-mail virus discovered!”, while in reality it appears again that it is Outlook-only vulnerability. And more, this vulnerability is directly related to IE and, in most cases, VBS.
Unfortunately 99% of journalists do think that e-mail is a synonym for Outlook :(
Wait, are you trying to blame Microsoft Windows for Firefox vulnerabilities? HAHAHAHAHA.
Hey osnews.com, might be cool if you separate these people into two websites so they won’t attack or call you the axis of evil by putting some links and said something about it. How about this ? linux.osnews.com for linux fanboy, microsoft.osnews.com for microsoft fanboy :-).
I know this is a little bit off topic, but I grew tired of seeing Linux zealots giving poor statements regarding improvement done by Microsoft. I used to think that Microsoft product is usable but has specific problems due to being targeted by many haters. And I used to have this interest to switch to Linux one day and completely leaving Windows.
But then again these zealots with poor comments, and fanatics always badmouthing MSFT really turned me off. So no more Linux for me. But on the other hand, I’m still sticking with BSD.
Oh.. a little bit of side note
http://www.forbes.com/intelligentinfrastructure/2005/06/16/linux-bs…
I don’t like Theo but this is fun to read 🙂
Yeah, that article is funny. I can’t comment on the validity of Theo’s comments because linux has always been relatively stable for me, but the comment about fanboys using linux because they hate microsoft and the BSD guys using *BSD because they love Unix was pretty funny.
You’re not alone in your sentiments. Many people won’t use linux because there are too many nutjobs advocating it.
I’m not a kernel developer so I can only give opinions, assumptions or guesses.
Of course Linux is stable, but maybe what Theo referred to is the data structure, algorithm and all sort of CS technical issues. Of course Linux runs OK, but maybe it’s just like windows ? built on top of another crappy solutions ?
I know this fact below won’t be used as a measurement but this is what I found out recently:
Linux 2.6.1x kernel is around 120 MB (all src)
FreeBSD 4.10 or 5.4 (forgot) kernel is around 70-78 -ish MB
Remember that FreeBSD also comes with all the gnu tools and docs as well (and games too) while Linux only comes as a kernel.
If those nutjobs advocate Linux in the right way I’ll buy it and I’ll move to Linux (although unfortunately I can see video streaming using Firefox, or the double click actions as smooth as Windows)
OK, so you’re talking about security flaws. Amazingly, no one seems to think spyware/adware is a security flaw. I’ve had my entire family using Firefox and it stopped all the junk that was getting on our Windows machines. Most virus protection software doesn’t consider spyware/adware a problem either. So, internet explorer allows a single click or even viewing a page to infect your computer with programs you didn’t ask for, and that’s no flaw. I’ll still take Firefox any day. If you want to use Internet Explorer you better be an expert at security or hire someone who is.
Used Firefox for a few weeks, but went back to IE. Why? In all honesty, IE hasn’t given me any problems. With the changes made to SP2 IE’s security isn’t all that bad. Any computer in the hand of an idiot will have problems.
The other reason I stopped using Firefox? I just don’t think it was quite as good as IE when it came to being able to view multimedia stuff off the net. I had problems trying to view word files, pdf files, and the most annoying thing: anytime I click on a video file I get this save dialog and I have to download before viewing. Things may have changed since I last used Firefox. Hey, IE still works for me so why bother switching?
You better look at this link which is a latest news claiming
“IE flaw puts Windows XP SP2 at risk”
http://news.com.com/IE+flaw+puts+Windows+XP+SP2+at+risk/2100-1002_3…
It’s that way by default when you buy a computer or Windows, also safe mode has no password set as administrator.
This article is funny.
Firefox is open-source-software (OSS). MSIE is closed-source proprietary software ($). I can download Firefox source, pore through it and find a little hole in it, and report it. Which then makes it publicly available. If I were a MSIE employee I would file it in an internal only bug tracking system where no one can see it other than specific MS employees. MS discourages outside groups from publicly disclosing their security holes until after they have had time to develop a patch.
So, I would be shocked to see that an OSS had fewer bugs and security holes found than proprietary software. Because at the nature of OSS, the sheer strength of the platform rests on the fact that you have many more eyes and hands on the source code, which should result in more bugs and security holes found. It also rests on the fact that bugs and security holes are publicly disclosed as soon as they are found.
What the author should have written about is a more interesting piece of information to investigate. That is, how effective is Firefox and MSIE in patching known (public) security holes. The critical piece is how fast they provided a full patch.
I know the answer to this, and I bet you can guess too.
“There are three kinds of lies: lies, damned lies, and statistics.” – Benjamin Disraeli
Bob has two pennies, John has a nickel. Since 2 > 1, Bob has more money.
My http://yahoolian.dyndns.ws:3000/articles/2005/09/17/firefox-vs-ie-s… in response to the number manipulation.
if you god damned idiots didn’t always run it as Administrator. Learn how to use Windows before you whinge about it and switch to Linsucks.
[quote]if you god damned idiots didn’t always run it as Administrator. Learn how to use Windows before you whinge about it and switch to Linsucks.[/quote]
Heh, that’s a good point. Except I would still rather use Firefox and avoid the hassle. I can’t do without all the extensions anymore, its now unsurpassed adblocking capabilities, and I find it to be faster than IE. The ONLY complaint I have about Firefox is its handling of streaming video, haven’t had any other problems with it.
Uuhh… extensions… I can’t live without Firefox and the extensions
And it has a high rate of security.
dylansmrjones
he is comparing published exploits. NOT exploited exploits.
just because an exploit gets published, does not necessarily mean it was used by anyone. I still feel safer in Firefox….
Firefox rules, this guy is an MS stooge, OSS means you’re safer even if people can exploit it more (love that one), and Opera doesn’t count and Bill Gates smells bad!
Yep, that’s about the long and short of the arguments here. Well done.
The article misses several key points and that being the majority of browser security flaws have indicated through research (something which the author made a poor attempt) that IE is the worst ( reference http://securityfocus.com/ ). While browsers such as Firefox don’t guarantee being secure 100% 24/7 which no software developer does it has been pointed out previously that Firefox is the preferred browser for security conscious individuals and as such gaining more widespread usage globally.
While I prefer and support the Linux community I don’t appreciate the comments in this thread from those that make both comments for and against Linux in general. Reason for this is that the comments have no basis in regards to the author’s article. Such posts should be removed so as to keep the thread organized.
This is the problem with both allowing people to post comments without logging in with a username and also the voting system which appears to be a useless extension of this site’s features.
it has been pointed out previously that Firefox is the preferred browser for security conscious individuals
I am a security conscious individual but I like the challenge. That is why I am using IE. Just to prove the point that if you know what you are doing IE is a good enough browser.
FireFox is preferred browser for people who prefer security through obscurity. These people are extremely pissed off that their obscurity comes to end with FireFox getting more attention from the bad guys, and so does their security.
and as such gaining more widespread usage globally.
That’s exactly the problem.
Of course, if you patch-patch-patch browser and don’t-don’t-don’t go to bad Web sites and never-never-ever download crapware – you are just fine. Newsflash: you didn’t have to dump IE if you are such a good computer user.
*LOL* You really don’t know what’s going on?
Firefox is safer. Check Secunia and see for yourself.
Of course with firewall and antivirus and high security settings and a reasonable level of common sense, you can avoid trouble with IE. But it’s just so much easier for ordinary users to get in trouble with IE than with Firefox.
This has nothing to do with security through obscurity. This is a matter of coding the right way or the wrong way. MS coded IE (and parts of OS) the wrong way.
EOD
dylansmrjones
kristian AT herkild DOT dk
Simply by existing and being used, multiple browsers improves the security for the web as a whole, and for all the separate browsers individually. The biggest problem with IE is not in the browser itself, but in the monoculture environment its near-universal use has created.
Furthermore, the widespread adoption of competing browsers strengthens standards and undercuts proprietarism, something which again benefits the industry as a whole.
I really do know what is going on. As article said: honeymoon is over. Expect more and more cracks in the FireFox facade of ideal browser for dummies.
It may become ‘good enough’ browser, or ‘faster patched then ever’ browser, or ‘opensource just good for you’ browser- but not ‘very secure no matter what are you doing and what sites are you visiting’ browser. Not any more.
It is so much easier for ordinary users to get in trouble with IE than with Firefox because criminals used to target IE. There is 10+ years knowledge of how to exploit IE vulnerabilities and how to trick IE users. These exploits and tricks are different for FireFox just because it’s a different browser.
Boldly stating that FireFox is safer just because it is patched faster or it is opensource or it has less known vulnerabilities- is to miss the fact that very many IE exploits are based on a user clicking Yes, or installing crapware that specifically targets IE, or visiting Web sites that exploit IE vulns patched 1 year ago- and not because of what Secunia says.
It has everything to do with security through obscurity. This is not a matter of coding the right way or the wrong way. A crapware targeting FireFox can embed extension into it when users install that crapware on their computers, redirect browser to fake site using HOSTS file or installed HTTP proxy, or just plain replace your FireFox binary executable file with the spiced executable- and you’ll never notice unless you have a habit of running checksum verifications on a regular basis.
A web site targeting FireFox will just use exploits, even patched- 95% visitors will have their browsers patched but 5% will be infected- that will be attractive target number for bad guys when FireFox is widely used.
IE was not part of the OS- it was exploited. IE became part of the OS- it was exploited the same way. If it is not true- demonstrate how IE exploits changed after IE became an integral part of the OS. No matter how MS coded IE (and parts of OS)- FireFox will be used as a door to user data the same way IE is used now.
All is necessary- for FireFox to get out of its relevant obscurity, and gain even larger user base.
Zealots can lie that there is a browser that is the pillar of security- and hurt people trusting them. The fact is- there is no pillar of security between browsers, user must run firewall and antivirus and high security settings and have a reasonable level of common sense. No matter what browser.
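The "checksum verifications on a regular basis" mentioned in the comment above, as an added example that is not part of the original thread: a Python script that records SHA-256 baselines for a browser binary, a hosts file and an extensions directory, then reports what changed. The file names and contents are constructed stand-ins written to a temporary directory, not real Firefox paths.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(roots):
    """Map every regular file under the given files/directories to its SHA-256."""
    result = {}
    for root in roots:
        if os.path.isfile(root):
            result[root] = sha256_file(root)
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                result[full] = sha256_file(full)
    return result


def compare(baseline, current):
    """Return (path, status) for every file that is modified, missing or added."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "added"))
        elif baseline[path] != current[path]:
            findings.append((path, "modified"))
    return findings


def demo():
    """Baseline constructed files, simulate the three changes, report them."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = os.path.join(tmp, "browser.bin")   # stand-in for the executable
        hosts = os.path.join(tmp, "hosts")          # stand-in for the HOSTS file
        ext_dir = os.path.join(tmp, "extensions")   # stand-in for the profile's extensions
        os.mkdir(ext_dir)
        with open(binary, "wb") as fh:
            fh.write(b"constructed browser binary v1")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(ext_dir, "known.xpi"), "wb") as fh:
            fh.write(b"constructed known extension")
        roots = [binary, hosts, ext_dir]
        baseline = snapshot(roots)

        # Constructed changes: replaced binary, extra hosts entry, new extension.
        with open(binary, "wb") as fh:
            fh.write(b"constructed browser binary, replaced")
        with open(hosts, "a") as fh:
            fh.write("192.0.2.10 www.example.com\n")
        with open(os.path.join(ext_dir, "unexpected.xpi"), "wb") as fh:
            fh.write(b"constructed unknown extension")

        findings = compare(baseline, snapshot(roots))
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), s) for p, s in findings]


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:9} {path}")
```

Keep the baseline on read-only or offline media; software that can replace the browser binary can also rewrite a baseline stored next to it.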
An advisory will be published for both browsers near the end of September or in October.
Like it or not, a year ago most people would have not thought Firefox would become this way. Firefox gives unix users the same necessity to update the browser that IE gives to windows users.
You want absolute security?
use lynx
lol
-nX