Peter Watson, chief security advisor at Microsoft Australia and New Zealand, said that the software maker did not get any pleasure from seeing Firefox suffer a string of security vulnerabilities, despite the open-source browser’s growth seemingly being stunted over recent months. “I don’t think it creates any benefit for us or anybody in the ecosystem to turn around and say, ‘it’s good that this company has a whole load of security vulnerabilities’,” said Watson.
“I don’t think it creates any benefit for us or anybody in the ecosystem to turn around and say, ‘it’s good that this company has a whole load of security vulnerabilities’,” said Watson.”
It does if you’re trying to convince people to stick with your browser.
I’m not a Microsoft basher but what else did you expect them to say?
How about something like:
See!? We suck less!
In fact, maybe that could be their new tagline if open source projects keep getting bad press.
Microsoft. We suck less.
“Microsoft. We suck less.”
How do we know that Bill Gates ain’t gay?
Peter Watson is a security man…and as such, I’m sure he can appreciate the challenges/hassles of security-related issues. I’m not surprised that he doesn’t take joy in any firefox woes.
…but microsoft is *much* bigger than one person in one department.
Microsoft’s entire marketing department, for example, is probably baking cakes and pies over anything negative that happens w/ firefox…. it’s their only serious/significant competition (aside from *maybe* Opera)… and anything that can help them keep their #’s… is good news.
Is this what they mean when they say that the kettle is being called out by the pot?
The same is true to me as for the ‘flawed OS’ par excellence.
Nothing to gain from an OS installed on at least the 90% of the planet’s PC, if this OS is insecure by design, full of virii and made by a really mad company.
“I don’t think it creates any benefit for us or anybody in the ecosystem to turn around and say, ‘it’s good that this company has a whole load of security vulnerabilities’,” said Watson.
Ditto. Elementary, my dear Watson.
I’m surprised* the reporter let himself/herself get manipulated into putting things that way. Of course the Microsoft security guy says he takes no pleasure in Firefox’s flaws. What better way to rub in a string of security failures in a competitor’s product without looking like a bad sport? It’s a classic technique in politics: “I won’t mention my opponent’s shortcomings, such as [enumerate shortcomings], because I don’t think that would further our debate. Instead…”
* Actually, no I’m not. The computer industry press seems to be full of people too dumb to get jobs in media outlets. But that’s a separate rant entirely…
My first thought as well. Reminded me of the indirect editorializing tactic that Fox News anchors use.
“Should people drop Firefox because of its security vulnerabilities? Some people believe so…”
As I posted to the C|net feedback:-
By coincidence, I had just compared the number of IE 6 fixes during the same period since Firefox’s release date of 8 Nov 2004. Firefox had 7 updates (of which you might have ignored 1.0.5 since 1.0.6 was known to be imminent) and IE6 on XP SP2 also had 7 (KB888240 hotfix, MS05-001, MS05-014, MS05-020, MS05-025, MS05-037, MS05-038 of which you also might have ignored the hotfix). IE on XP SP1 has a couple of extra fixes.
So really it’s a tie. Not that there can be any winners, I join Peter Watson in not getting any pleasure in seeing any vulnerabilities.
I find it funny how anti-Microsoft zealots find different excuses every time a new Firefox flaw is found. The pure number of security flaws doesn’t prove much at all. You have to take a lot of different things into account. For example who are the product’s users, how quickly does the developer respond to security flaws etc…
People just love to exploit Microsoft software purely, because it ships with Windows and most people use because of it. Who doesn’t or didn’t at some time use Outlook Express or IE. When you have more than 90% of internet users using the same browser it’s pretty obvious who to exploit if you want to make as much damage as possible, as quickly as possible.
I actually really like Firefox (been using it since 0.6 I think), but I was surprised to see so many exploits after such little time with such a low (relatively speaking) market share. You could argue that IE6 (when released) had the same number of flaws reported. The big picture however is that IE6 was installed (and used) on pretty much every Windows PC out there at the time of release. While Firefox had something like 2% at the time of release and its market share has been climbing slowly (depends on how you look at it) and yet it has the same number of flaws reported as IE6 had in the same timeframe. As I said before, pure numbers don’t mean much and I’m not here to argue which is safer (I’ll leave this to the trolls), but I personally don’t think Firefox is any safer than IE and if Firefox ever reaches even the near market share that IE had over the last 6-7 years, I think my point would have been proven.
On a side note; people seem to think open source somehow provides better security, because everyone can look at the code. The truth is that almost no one looks at the code to see if there are any bugs or flaws (if that’s not the case, then why do we have alphas and betas?), but they are done through testing and exploiting compiled builds. And in both camps (MS, Mozilla) the bug is reported privately so no one knows for sure how many flaws exist in today’s browsers, because developers hide that from us – which is good, because otherwise there’d be chaos.
The only “better” thing with open source software as I see it, is that everyone can write a patch for a reported exploit therefore fixes tend to be faster than with closed source applications. Though that might not be completely true with Firefox as its developers are rumoured not to like new developers or give them CVS access.
Firefox has “flaws”. These flaws are security vulnerabilities that could, if not promptly addressed, lead to Bad Things. IE on the other hand has “exploits” — these exploits are generally based on “flaws” that MS refuses to acknowledge, and takes far too long to fix, which does lead to Bad Things.
Additionally, Firefox flaws are typically less serious than those typically found in IE, and so would be less dangerous to actual users even if they were not fixed so very much more quickly.
Additionally, the experience with web-servers (MS IIS vs Open Source Apache) demonstrates quite clearly that arguments based on relative numbers of installations do not explain why MS software is cracked far more often than its competition, as the MS webservers suffer far more and more serious depredations despite being a distinct minority on the internet.
Firefox has “flaws”. These flaws are security vulnerabilities that could, if not promptly addressed, lead to Bad Things. IE on the other hand has “exploits” — these exploits are generally based on “flaws” that MS refuses to acknowledge, and takes far too long to fix, which does lead to Bad Things.
Of course. How could I have misunderstood that. Firefox “flaws” while IE has “exploits”. Cut the crap. No matter how it’s called it’s a vulnerability and it shouldn’t be there in the first place. A quick look at Secunia’s Firefox page will discover sentences like “a vulnerability in Firefox, which can be exploited by malicious people to compromise a user’s system”, “a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user’s system”, “A seven year old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites”,… and so on. I will leave it to you to read the IE page.
Additionally, the experience with web-servers (MS IIS vs Open Source Apache) demonstrates quite clearly that arguments based on relative numbers of installations do not explain why MS software is cracked far more often than its competition, as the MS webservers suffer far more and more serious depredations despite being a distinct minority on the internet.
That pretty much concludes the point that you’re clueless. If you had AT LEAST bothered to look up Secunia’s IIS and Apache page… Let me help you:
IIS 6: 2 security advisories (0 unpatched)
http://secunia.com/product/1438/
Apache 2.0: 27 advisories (2 unpatched)
http://secunia.com/product/73/
I’ve seen a lot of people posting the same “facts” that you did about IIS-Apache. If only those idiots would have bothered to actually check for themselves. Hey, if you can’t prove it, spread FUD. It might work.
For additional reading regarding IIS vs Apache you might want to click the below links.
http://blogs.msdn.com/michael_howard/archive/2004/10/15/242966.aspx
http://blogs.msdn.com/michael_howard/archive/2004/10/18/244181.aspx
I’ve seen a lot of people posting the same “facts” that you did about IIS-Apache. If only those idiots would have bothered to actually check for themselves. Hey, if you can’t prove it, spread FUD. It might work.
Well, I for one, used to work at a medium web hosting company (which was a department at a corporate ISP) here in Brazil where they sell web hosting services on both platforms, Linux and Windows and I can tell you that the flaws on IIS compared to Apache are not a myth but a FACT. IIS servers require a lot of knowledge from your average MCSE to keep it at least the same uptime of Apache servers when you need virtual hosting (ESPECIALLY when you use virtual hosting). I’ve seen tons of badly coded ASP scripts degrade the performance and even bring it down completely sometimes. The only time that I’ve seen Apache failing, the culprit was a piece of hardware.
You can say that ISP people are more knowledgeable on *nix, that the fault lies in the MCSE responsible for that server or whatever you want but it doesn’t change the fact that Apache is a lot more reliable than IIS for the job.
It is true that IIS 6 is a lot more stable than previous releases but it has much more to go to match Apache on stability and features. I know a lot of Microsoft specialists that admit it so there is no shame for you to acknowledge it, too.
I can’t admit anything, because I don’t have nearly enough knowledge and experience to say which is better. But I’ve seen both camps complain about their products. I’m not a fanboy to support something that’s inferior to something else. All that I said was that Apache has had a lot more security vulnerabilities than IIS judging by Secunia’s advisories (and those tend to be pretty accurate). At the moment I’m writing a PHP enabled site and am using Apache for testing simply because I cannot afford IIS for my script kiddying. When the site is complete I will probably choose an Apache server simply because that’s what I’m most familiar with. I will however take a look at IIS 7, because it has some promising features.
Did IIS5 have problems? Yes. There were vulnerabilities being found every week. Does IIS6 have problems? NO. It has had 2, count it 2, vulnerabilities found since its launch in 2003.
Apache 2 on the other hand has had lots of problems and has been a real letdown since its launch.
Not saying it’s a bad product, or that IIS is better… But you do need to get your facts straight.
Did IIS5 have problems? Yes. There were vulnerabilities being found every week. Does IIS6 have problems? NO. It has had 2, count it 2, vulnerabilities found since its launch in 2003.
Apache 2 on the other hand has had lots of problems and has been a real letdown since its launch.
Not saying it’s a bad product, or that IIS is better… But you do need to get your facts straight
No, I don’t. I was the one dealing with angry customers all the time because one or two clueless users were f*cking up server performance with all sort of tricks that they could find on ASP 101 kind of sites on a daily basis. It didn’t take deep knowledge to it either. These sites always assume that the user has full permissions on the environment whereas LAMP articles tend to take restricted environments like shared hosting into account (and it makes sense, since it is the most common and cheaper solution for web hosting).
I don’t care how many security vulnerabilities Microsoft *allows* (Yes, I said ALLOWS! Anyone old enough in this biz remembers the MS x SecurityFocus fiasco a couple of years ago…) security websites publish because anyone who does this for a living can tell you the nightmare it is. Just take a brief look at websites like http://www.webhostingtalk.com/ and make your own conclusions.
Yes… IIS works and I won’t argue that but it takes quite some effort to run and maintain it properly compared to Apache. Yes, Apache 2 still has some room to grow but then, it still is not the standard in the industry (at least, not around here). Apache 1.3 is still king.
And please don’t get me started on those damn FrontPage Extensions. I can curse this thing an entire day and I swear that if I could get rid of it back at the time, it would cut half of the support requests that we had to deal with.
Disclaimer: I worked on the web hosting business for quite some time and before the Brazilian webhosting companies, I used to be a Rapidsite Premier Partner in Latin America (now owned by Verio). Over there, they even sold WH accounts on SGI/IRIX servers and I can tell you… Those were the times! 🙂
It is true that IIS 6 is a lot more stable than previous releases but it has much more to go to match Apache on stability and features.
Features, definitely. I deal with an IIS server at work and I’m constantly finding useful tricks… that only work with UNIX and apache. E.g., I found that you can control whether directory listings are shown/hidden for a specific directory using .htaccess files. But no, only works with Apache – IIS doesn’t support that htaccess feature.
And there are so many free PHP-based content management/blog/ecom packages that rely on specific UNIX features and don’t work on IIS.
Additionally, the experience with web-servers (MS IIS vs Open Source Apache) demonstrates quite clearly that arguments based on relative numbers of installations do not explain why MS software is cracked far more often than its competition, as the MS webservers suffer far more and more serious depredations despite being a distinct minority on the internet.
60% of American Fortune 1000 corporations run IIS. Guess what brings more fame to a hacker: breach of a Fortune 1000 Web site running IIS in America or Joe Shmoe’s one-hit-a-month Web site running Apache, in Burumbia?
Ever seen an article in CNN that Mozilla Firefox Web site was hacked again? Nope. Homeland Security does not send memos about something like http://www.debian.org running rootkit for 3 months.
If nobody writes in USA Today about breaches of LAMP Web sites, it does not mean they do not exist.
I was surprised to see so many exploits after such little time with such a low (relatively speaking) market share. You could argue that IE6 (when released) had the same number of flaws reported. The big picture however is that IE6 was installed (and used) on pretty much every Windows PC out there at the time of release. While Firefox had something like 2% at the time of release and its market share has been climbing slowly (depends on how you look at it) and yet it has the same number of flaws reported as IE6 had in the same timeframe.
I don’t think that’s entirely surprising. IE is a much older codebase, so it should presumably be much more mature and have had more time and effort spent on making it secure. And while the Firefox marketshare is relatively small compared to IE, it’s still pretty big – when I google, I see numbers mostly in the 25 million to 50 million range, higher than (say) the total number of OS X users, I’d wager.
I also think that Firefox’s userbase makes it a disproportionately large target: many users have switched to it in order to avoid similar problems in IE. I think there are a lot of unscrupulous folks who have a vested interest in finding and exploiting flaws in Firefox (witness the increasing number of attempts to circumvent FF’s popup blocking, and FF “compatible” malware installers). It makes the same sort of ruthless sense as attacking a refugee camp.
Could we really expect them to say anything else?
“It’s good that this company has a whole load of security vulnerabilities’,” said Watson.
Has a *whole load* of security vulnerabilities. Hmmmm…where is *that* coming from? I don’t see how they can say Firefox has a *whole load* of security vulnerabilities.
Nice try.
>Has a *whole load* of security vulnerabilities. Hmmmm…where is *that* coming from? I don’t see how they can say Firefox has a *whole load* of security vulnerabilities.
Probably because it’s a rhetorical statement designed to show that they don’t feel that way. Try reading the whole sentence in italics.
Yes, but the rhetoric in this case works in the exact same manner as if Tony Blair called a press conference to say that “George W Bush did under no circumstances kiss me on the mouth during our latest talks”.
All of a sudden, 99% thinks George W Bush is gay although Blair didn’t say so…
Come on, Dude! This is basic psychology. It’s not what he’s saying explicitly. It’s what he’s saying within.
In reality, Firefox has on average a lot less vulnerabilities than IE, and even less compared to Microsoft as a whole. Of course, this could be due to many different reasons, including age, but that’s not the point here.
The issue is that by saying…
“I don’t think it creates any benefit for us or anybody in the ecosystem to turn around and say, ‘it’s good that this company has a whole load of security vulnerabilities'”
…he’s clearly emphasizing right there that Firefox has indeed a LOT of vulnerabilities, particularly in comparison to IE, while he’s at the same time saying that that’s something that won’t benefit from.
The average dumb reader will think Microsoft is the good guy, and will leave with a new sense that Firefox is plagued with vulnerabilities.
To quote 69.255.5.—,
“In reality, Firefox has on average a lot less vulnerabilities than IE, and even less compared to Microsoft as a whole. Of course, this could be due to many different reasons, including age, but that’s not the point here. ”
Thus far, Firefox has a lot fewer thus far detected and patched vulnerabilities. Now, keep in mind, I’m not trying to say either one is better than the other: merely that something as large and complex as a web browser, even with “many eyes” reviewing it, has many possible lurking spots for vulnerabilities. If it can crash, chances are it’s vulnerable to some degree. Guess what: Firefox is not uncrashable as of yet, based on my experience, and neither is IE. I doubt either one will reach that point, personally, because they’re constantly being upgraded to support new things, and fixed to (hopefully) properly support old things, too. And invariably, something suffers somewhere because people eventually want to get something out the door while it’s still relevant to users.
It’s got a name – presupposition – and it’s used in marketing all the time.
A couple of classic examples:
In Apple’s switch campaign, one user says “I always thought it was my fault Windows didn’t work properly…” (the quote may not be exact)
“Have you stopped beating your wife yet?”
In either statement if you respond to the direct statement, the presupposition is confirmed.
I think it works both ways. It really doesn’t benefit MS to have vulnerable applications on their platform. However, it does make IE look a little better.
As their security guy, I’m sure Watson is more concerned about the former.
Off-topic: anybody here runnin’ Firefox 1.5 beta 2?
I am currently running it right now…it cooks man
Open-source/Linux zealot out there will pee his/her pants with excitement when a critical flaw is found in Windows….
Just shows the maturity level between the cultures.
“pee his/her pants with excitement”
OT, and no offense intended (really, I mean it), but if you could just begin to get a sense of how ridiculous this kind of politically correct formulation sounds to the rest of the world…….
You’re comparing what some high-up on Microsoft says on record to what anonymous people say on the internet? How stupid are you to make that comparison?
Even “mature” people take pleasure in the failings of their competitors. You can’t tell me that President Bush wasn’t the tiniest bit happy whenever Senator Kerry did something stupid in public. Of course, would he ever say that to the media? No! It would be bad for him politically. Would his supporters, regardless of their level of maturity, say that? Sure! They have nothing to lose, and no incentive to hide their true feelings.
Even “mature” people take pleasure in the failings of their competitors. You can’t tell me that President Bush wasn’t the tiniest bit happy whenever Senator Kerry did something stupid in public. Of course, would he ever say that to the media? No! It would be bad for him politically.
Aka he has the maturity (or at least the sense) to exercise restraint. Damn, never thought I’d write that about GWB.
Now if only his FOX News Channel would exhibit the same restraint…
Open-source/Linux zealot out there will pee his/her pants with excitement when a critical flaw is found in Windows….
I know. What rational person would want to hang around with these people. They are truly demented.
Any relation to Doctor Watson?
All my problems with the internet browsing stopped when I have started using firefox; If I go to bad sites that will immediately hijack my system when I use IE as a test for vulnerability I get zero problems from firefox. So the vulnerabilities of firefox they talk about is just a hype or rare to affect or less serious, while for IE vulnerabilities are for real. I have seen this with my systems, my friends and clients. For example running firefox on Xandros will be with zero problems for as long as the system hardware functions. With IE the situation is completely different; you need to be a support guy for the computer you use if you have IE installed on it; MS firewall and other countermeasures seems insufficient to stabilize windows boxes thanks mostly to IE.
I don’t want to see a bunch of infected Windoze machines online as spamming zombie bots or spewing worms a mile a minute because all they do is hog up bandwidth…
The article doesn’t seem to have any … real purpose. It’s not that I disagree with it (since it seemed to lack a central point I don’t know how to anyway), it’s just a bunch of quotes ripped out of context…
Definitely a blurb that doesn’t tell us anything new…
The subtext of the original article reveals an interesting acknowledgement that some people within Microsoft are aware they’re operating in a shared environment and are humble enough to realise their own products have potential shortcomings. This isn’t something I’m used to hearing from Microsoft and, I think, that somebody had the courage to say it should be applauded. By giving it credit, it rewards sociable and responsible behaviour, and might give some pause for thought to other people in Microsoft. After all, if this leads to success other people will follow.
I’m sure some will mod this down to -200 so no one will see it but face it, with all the security issues the MicroBorg experiences why does anyone even bother to consider or read anything coming from their so called security people?
I’ve seen better security on a dog’s ass against fleas.
Now that would be an article worth reading!!!! The above article @ news.com.com is pointless.
“Additionally, the experience with web-servers (MS IIS vs Open Source Apache) demonstrates quite clearly that arguments based on relative numbers of installations do not explain why MS software is cracked far more often than its competition, as the MS webservers suffer far more and more serious depredations despite being a distinct minority on the internet.”
—-
The “badness” of IIS (at least of version 6) is a myth. It was true for the older versions, but…
http://secunia.com/product/1438/ (IIS 6)
“The Secunia database currently contains 0 Secunia advisories marked as “Unpatched”, which affects Microsoft Internet Information Services (IIS) 6.
This is based on the most severe Secunia advisory, which is marked as “Unpatched” in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 0 out of 2 Secunia advisories, is marked as “Unpatched” in the Secunia database.”
http://secunia.com/product/73/ (Apache 2.0x):
“Apache 2.0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
This is based on the most severe Secunia advisory, which is marked as “Unpatched” in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 2 out of 27 Secunia advisories, is marked as “Unpatched” in the Secunia database.”
—–
oops.. someone was faster..
when I help friends, family and coworkers with computers, it is always the ones who run IE that have problems with Viruses, Malware, and the like, and not those who run Firefox.
In spite of the purported “tie” in updates, in spite of all the purported patches, IE is STILL insecure, especially when compared to actual experience.
Why would anyone use firefox? It is so insecure and a memory hog.
IE on the other hand is stable and secure.
And i have no idea why any Open Source crap is any good.
Microsoft makes the best Operating System and Web Browser.
People should just use what is best and that is MS apps.
IE, Firefox, Safari, KHTML, etc…. all have flaws. Who really cares? If anyone expects 100% flawless software you might as well bite the bullet and go to heaven because you won’t see anything perfect on this plane of existence… well except for the word ‘a’… it’s really perfect eh..).
(Sorted by Alphabet LOL)
BSD = good… well probably great no one really says anything bad about it.
Linux = good
Mac = good
Windows = good
All apps could use features XYZ and fixes ABC, and some apps could do without ABC and XYZ, but saying software M is better than N because M has X while N doesn’t (it only has QUTIP) and my ears have wax… is just silly… (Literally what I have said makes no sense…. but at least it does not say negative things for no good reason, unlike many posts I have read on many tech forums on the net including OSNews)
Note I don’t really like Tequila but it’s all I have… now vote me up to 5 and smile.
(Spell checked in star office, on windows XP, using firefox)… next time I will use word, osx and safari to mix things up)
Did anyone say Buls**!?
The earlier report from Symantec was all about the errors that respectively MS and Mozilla had recognized and were working on (so called vendor-confirmed vulnerabilities).
The problem is that MS had 19 serious errors not confirmed by them (and thereby not in the report).
This makes Explorer more vulnerable with more security challenges.
Now, who do we trust? The one that says they have a secure product (but don’t) or the one that says ‘o dear, let’s work on those errors’.
By manipulating the statistics in the first place I’d say MS is not to be trusted.
http://it.slashdot.org/article.pl?sid=05/09/20/1359203&tid=172&tid=…
(and please read the comments below this)
Is it possible that in fact what MS says is true, that they don’t derive any pleasure from others’ failures – especially when they know first hand the pain security compromises wrought on the industry in general.
I humbly suggest that we maintain fair and tenable arguments when analyzing the actions of Microsoft. Applying psychobabble or attempting to paint any response as negative serves no purpose other than to foster an irrational paranoia – thus painting OSS advocates as loony ideologues.
It has nothing to do with loony ideologues. Of course people take pleasure in the failures of their competitors. It’s human nature. It’s also human nature to see people taking pleasure as bad sportsmanship. Therefore, it is human nature to pretend, at least for publicity, not to take pleasure in the failure of one’s competitors.
Ever watch a professional sports game? Ever notice how, when interviewed after a win, the players always say something like “well, we both played great, but our team just gave it that extra bit to come out in the end. That’s all it was”. Do you honestly believe that’s what they’re saying in the locker room?
Trying to analyze this trivial bit of social posturing is useless. Microsoft isn’t bad for drawing attention to a competitor’s failings while trying to make themselves look good, and nobody is a loony ideologue for pointing out that the spade is, in fact, a spade.
>>”I don’t think it creates any benefit for us or anybody in the ecosystem to turn around and say, ‘it’s good that this company has a whole load of security vulnerabilities’,” said Watson.
Using the phrase “whole load” was deliberate, a way of saying something while looking like he wasn’t saying it. His goal was to spread the meme that Firefox has had a “whole load” of security vulnerabilities (which is bullshit) and that he, as a representative of Microsoft, is above pointing that out.
Certain politicians, and I’m not going to mention any names like Bush or anything, use this tactic quite often.
Yup. It’s a well known tactic. It’s really efficient (and sometimes one just can’t help using it against opponents – it’s too damn easy)
However.. it doesn’t work on the most enlightened people, but it usually works on ordinary people.
The downside is when you get caught. So I wouldn’t recommend using it. Anyway I prefer to say things right out
IE has more security issues than FF according to Secunia.
According to Secunia security issues in FLOSS is usually less critical, e.g. nothing to worry about as such. Just keep your eyes open.
According to Secunia (I like that Danish company, it’s ethical, unlike some other companies. And I won’t mention Microsoft in that sentence.) Microsoft mostly suffers from highly critical flaws very often unpatched for a very long period.
Hiihii
Opera isn’t FLOSS or even OSS. Heck, until recently it wasn’t even free. Yet it’s the most secure modern browser around — whilst also having the best performance and most features, to boot.
Pretending that IE is representative of closed-source software at large and Firefox is likewise representative of OSS is foolish.
Watson’s statement is at least classy. Look at how the OSS trolls leap upon every small problem Microsoft has to see how one could act if one was so inclined.
There is NO classy about Watson’s move.
It’s a classical way of bashing your enemy, while making it look like you’re not.
You’re too dumb, if you cannot see that.
Opera is something special. Opera’s user base is so small, that I cannot surely say how safe it is. But it looks to be really good. Cannot say that it’s the safest – but it looks like it. However, performance and features can be discussed. Because performance and features is something which is very user dependent. One might consider it bloated, other consider Opera too little and so on. There is a lot of testing still to do before I will consider Opera safer. And better in terms of performance and features? Nope… Don’t forget FF is modular
But your statement: Pretending that IE is representative of closed-source software at large and Firefox is likewise representative of OSS is foolish. doesn’t make sense, since I wasn’t pretending such a thing.
What’s really funny is the diehard MS-sucks people are getting their panties into a knot even over this. I guess it really is true that you’ll try to find issue with everything MS does and try to take everything out of context.
“this OS is insecure by design”
Guess what, Sherlock? UNIX and Linux are insecure by design too. In fact all OSes are not secure by design, save for the ones explicitly built for a very specific purpose.
*nix is secure by design, and insecure by use of incompetent administrators.
Windows is insecure by design, and somewhat secure by use of competent administrators.
What’s really funny is all the MS-lovers which cannot see anything wrong with MS, not even when they make a nasty comment like this one from P. Watson.
BTW: Don’t forget that several FF-flaws are Windows Only flaws, since they are based on flaws in the underlying OS. Basically FF developers are fixing security holes in Windows
There are many reports circulating in the ‘Security World’ concerning the relative safety of Internet Explorer vs. Mozilla Firefox. Many architectural differences exist between these two browsers. The main differences being:
1. Internet Explorer can be thought of as an extension of Windows. Internet Explorer has roots that penetrate into the foundations of the operating system.
2. Internet Explorer has ActiveX and scripting support. This means, in effect, an ActiveX control has the ability to reach from a web page, through Internet Explorer and into the heart of Windows itself. This can (and does) lead to all manner of malicious activity.
Mozilla, on the other hand, is simply another application. It can’t touch Windows in the sensitive ways that Internet Explorer does. Mozilla has no ActiveX support. Programs cannot ‘hijack’ Mozilla and have a direct pipeline into the operating system. In short, the vulnerabilities in Internet Explorer are MUCH more serious than any vulnerability in Mozilla will ever be.
To be perfectly fair and account for intentions, I won’t try to argue that IE having ActiveX support leads it to having a much more vulnerable environment than Mozilla. However, what that also means (the flip side) is that Mozilla isn’t as powerful for the end-user or the web developer in terms of providing maximum performance/flexibility. The fact that Mozilla is cross-platform means it has the issue of being jack-of-all-trades-master-of-none in terms of platform support, while x86 IE has the capacity to target a much more precise platform, and give it a lot more power.
In an ideal world, the power IE x86 gives with ActiveX support (or even in a world where you could actually trust assertions of security certificates and users to read the blasted things to verify what they’re looking at: I know, not realistic!) would be superior in many ways for the TUE to Mozilla because it provides a way to run added stuff at native compiled speeds. The sad thing is that in the real world, you can’t count 100% to have even the honest developers create ActiveX controls that don’t have nasty bugs that cause problems, and you can’t count on ActiveX controls to not have been written with malicious intents or to have been hijacked, either.
Basically, the security issues being discussed between the added surface ActiveX support gives in IE versus Mozilla not supporting it comes down to the issue that you can’t get something for nothing, and you can either have more power and flexibility with reduced potential security, or less power and flexibility with comparatively increased security, at least in theory.
Now, what the reality is in practice is something that Mozilla/FireFox simply hasn’t been around long enough to give an absolute answer to, compared to other things or even itself, and we must factor in that as long as there’s interest in it as a viable application, it will always be changing to attempt to fix existing bugs or weaknesses, or adding new features, or simply remodeling the appearance, which gives an ever-moving target for assuring the “perfectly secure” application with no possible exploits.
>Internet Explorer has roots that penetrate into the foundations of the operating system.
I wonder how XPLite manages to cut these roots.
>an ActiveX control has the ability to reach from a web page, through Internet Explorer and into the heart of Windows itself.
An ActiveX control is a small application you start through the Web browser, like a Java application (not applet) you can start with the JVM. Every application has the ability to reach as deep into the OS as the user that started it.
>Mozilla, on the other hand, is simply another application… In short, the vulnerabilities in Internet Explorer are MUCH more serious than any vulnerability in Mozilla will ever be.
A hole was just patched in FireFox that allowed starting any application a hacker wants by providing a malformatted URL to the browser. How much more serious can it get?
>Mozilla has no ActiveX support.
It did not help.
To tell you the truth a well-engineered extension for FireFox can also act as a bad Active/X control. But that does not happen because we download all our extensions from the official website but in the near future as the FireFox market share increases phishy websites will begin to bundle a few harmful extensions that could probably dig in for your passwords, preferences, and probably even do a little bit of juggling with your system.
Microsoft try to play the concerned “good guy” while politely backhanding Mozilla by saying things like…
“I don’t think it creates any benefit for us or anybody in the ecosystem to turn around and say, ‘it’s good that this company has a whole load of security vulnerabilities’,”
This is the definition of FUD.
How could anyone believe or support a company like Microsoft when they try to manipulate people and their customers in this way?
“I don’t think it creates any benefit for us or anybody in the ecosystem to turn around and say, ‘it’s good that this company has a whole load of security vulnerabilities’,” said Watson.
MS would, by attempting to manipulate people in sticking with their browser.
NOTE TO ALL THAT MIGHT BELIEVE THIS KIND OF FUD:
All the slander and marketing tactics in the world won’t be able to buy IE the security it needs.
get real security here: http://www.mozilla.org/products/firefox/