Forgot your password?
typodupeerror
Mozilla The Internet Security IT

Pros and Cons of Firefox Critically Evaluated? 674

Posted by timothy
from the but-all-I've-got-is-cancer dept.
A Dafa Disciple writes "Fred Langa of Information Week has written an article claiming to discuss the 'Pros and Cons of Firefox'. At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser. I should have known better. Aside from the usual criticism of open source software, it contains a reference to a Symantec Internet Security Report which claims that more security vulnerabilities in the last six months of 2004 were found in Firefox than IE. I'll leave it to you to analyze Mr. Langa's opinion and scrutinize Symantec's study and reputation as a security software developer."
This discussion has been archived. No new comments can be posted.

Pros and Cons of Firefox Critically Evaluated?

Comments Filter:
  • by DeadSea (69598) * on Monday April 18, 2005 @01:53PM (#12271524) Homepage Journal

    Is all the plugins, extensions, chrome, files, and settings that have to be configured after you have the Firefox browser up and running [ostermiller.org]. It would be really nifty to be able to bundle all the things that I do when I install firefox into one mega "extension bundle" or some such that I could install with one click.
    • by Blaskowicz (634489) on Monday April 18, 2005 @01:59PM (#12271594)
      this extension should be useful :
      http://mozilla.doslash.org/infolister/
      InfoLister is an extension for Mozilla Firefox, Mozilla Thunderbird and Nvu that collects various information about Firefox/Thunderbird and saves it to a file. Currently it prints the list of installed extensions, themes and plugins.
    • by meisenst (104896) on Monday April 18, 2005 @01:59PM (#12271597) Homepage
      -Have to- install? I downloaded one additional theme for Firefox and apart from the occasional plugin such as Shockwave, I never have to do anything to enhance Firefox for daily use.

      It's nice that you have everything worked out -- but this is like saying that Internet Explorer is as much of a hassle because of all those security updates you have to download. No thanks.
    • by Eyeball97 (816684) on Monday April 18, 2005 @02:01PM (#12271632)
      ???

      Why is this a "downside"?

      Would you prefer a 50Mb download, with 45Mb of stuff you don't ever need or use, or a 4Mb download where you can optionally add bits you want

      Not everybody wants "chrome" (or themes), Flash, etc etc.

      Personally I love the lean approach, with the ability to add and tweak stuff that I want over the bloated, switch off all the crap you don't want approach...

      • by FreeLinux (555387) on Monday April 18, 2005 @02:11PM (#12271783)
        I'd prefer the 50 megger with all the plugins that my users would likely need as well as all the necessary performance tweaks, proxy settings, policy settings and anything else I can't think of right this minute.

        Oh, I'd also like it in the for of an MSI so that I can roll it out to 1,000 systems at a time via script or GPO.

        You see there are users out there besides home users and their requirements are a little different than your own.
        • by 0racle (667029) on Monday April 18, 2005 @02:21PM (#12271911)
          Create the site specific Firefox + Extensions environment and roll a MSI package yourself. 2000 Server and possibly Professional come with the tools to do this, chances are they are in 2003 as well. Do you really expect Mozilla to create a site specific MSI for you?
        • by cloudmaster (10662) on Monday April 18, 2005 @02:26PM (#12271963) Homepage Journal
          Firefox's "install" consists of one directory. Copied to many machines. The configuration consists of one file stored in a user's profile. The distribution of both is easily automated without requiring the use of an MSI.

          Plugins, BTW, are also in that folder in the user's profile. You know, the one that's stored on a central server in your large network? Just set up firefox once on a test machine, and copy the firefox profile folder to each user's windows profile, then distribute the program files however you prefer to do that kind of thing.

          This can't be the first program with a non-MSI install method that an admin of a large network has encountered...
        • by Eyeball97 (816684) on Monday April 18, 2005 @02:34PM (#12272064)
          Interesting perspective, but someone who wants to roll it out to 1000 systems at a time is hardly your "typical" user either?

          I can see and appreciate why you'd want all the tools necessary to make that easier.

          As others have already pointed out too, I like the "shopping basket" style of download too, something they should seriously consider implementing...

          When I was an ISP we used to roll out customised IE using the IEAK, wondering if there's anything like that for Mozilla/Firefox that would do the job for you.

          Failing that, there are a number of tools for mass rollout deployments such as you suggest (which you're probably already considerably more aware of than me if you're working in a 1,000 user environment) so I'm not sure I see what the problem is, aren't you already using such tools?

        • by Plug (14127) on Monday April 18, 2005 @05:39PM (#12274607) Homepage
          Check out FrontMotion's Firefox MSI page [frontmotion.com] for an excellent 3rd party MSI for Firefox (currently at 1.0.2 but regularly updated).

          Otherwise, it's a stated goal for 1.1 to have an official MSI installer.
      • by steeleye_brad (638310) on Monday April 18, 2005 @02:15PM (#12271838)
        Urg...I know people will hate me for posting this...but look at Opera. Without Java, the install file is about 4MB. This includes a mail reader, IRC client, newsgroup reader, mouse gestures, and highly configurable tabbed browsing. I see no reason for Firefox to toss in a few basic features. While I think Firefox is great, and I love the "feel" to it, I dislike downloading plugins for mouse gestures, tabbed browsing configuration, etc. Hell, basic plugins like this aren't large at all, it wouldn't hurt Firefox to put that in. Most people here aren't asking for hundreds of pre-installed plugins and a ton of themes, just some of the simpler things.

        I like the ideas posted by others, have a shopping cart or checkbox system, allowing you to sort of preinstall various plugins. Maybe create some standardized basic functionality plugins that one may choose to download, and have an option for popular, more advanced plugins as well. You'll still have a small initial download, and will still have the option to have a very small browser.
      • by cicho (45472) on Monday April 18, 2005 @02:41PM (#12272142) Homepage
        Download size is not an issue. My problem (I use Firefox exclusively) is that I am reluctant to upgrade, because I know some of the extensions I use won't be available for the new version. Indeed this is what caused me to move from Mozilla to Firefox about a year ago - I was fed up with having to use an old build because a few extensions I needed weren't being upgraded to match new releases. Now I'm still using FF 0.9, same reason.

        Release notes for the latest 1.03 still insist you need to remove the previous version first and the installer diaables all extensions. I pass. IMO a 1.x codebase should be mature and stable enough to be installed over an existing earlier version.

        • Plugins/Extensions/Themes are third party software, and Mozilla cannot be responsible for their code/stability.

          And if you'd even bothered to do a little checking, you would know you can always open the install.rdf file in notepad/texturizer and change the "MaxVersion" to 1.0+ and it will work.
      • The problem lies in that not all users know anything beyond point and click. For these users, getting to a site that says "You will need the flash plug in to view this site correctly" is a deal breaker. Even more so when all they see is just some inocous little image that doesnt explain to them why it isn't working. (Ala the little jigsaw piece)

        I wholeheartedly agree that firefox needs to have two rollouts. One with and without extensions. The idea of having an application, with an appropriate disclaimer

        • by dolphinling (720774) on Monday April 18, 2005 @05:52PM (#12274767) Homepage Journal

          The problem lies in that not all users know anything beyond point and click. For these users, getting to a site that says "You will need the flash plug in to view this site correctly" is a deal breaker.

          Installing Flash is point-and-click. Yes, I just tried it. I'm even on Linux, and it's still point and click.

          Even more so when all they see is just some inocous little image that doesnt explain to them why it isn't working. (Ala the little jigsaw piece)

          It's a little puzzle piece that says "Click here to download plugin". After that, everything's automated. You just have to click next a few times and agree to a (Macromedia) license. You don't even have to restart the browser.

          If you have any suggestions on how it could be improved, please report them to bugzilla.mozilla.org, or even just post here in reply to me or email me, and I'll do it for you (assuming I agree they'd improve it).

          I wholeheartedly agree that firefox needs to have two rollouts. One with and without extensions.

          This introduces huge licensing problems. If mozilla.org were to bundle Flash, for example, they would first have to get Macromedia's approval, and even then it would cause other problems, e.g. including it in Debian, which would most likely reject it because of the non-free license.

          It also puts a lot more stress on the developers and release-candidate testers, as they have to do double the work.

          I currently sit on a standards committee for the school district I work in and we shot down firefox, even though many of the admins use it on thier machines themselves

          That's very unfortunate :-(

          No Active X support (many of our online applications use active X)

          You should fix your applications. You'll need to eventually, anyway, Firefox is just a good incentive to.

          Most people consider the lack of ActiveX a good thing, as it strengthens security considerably.

          Not as user friendly as other browsers (ease of use and clarity issues).

          Most people would take the opposite position here: Firefox has a much better user interface than other browsers and especially Internet Explorer. If you have any specific issues, again, either report them to bugzilla.mozilla.org or send them to me and I'll pass them along to there.

          Lack of a real centralized support center (The forums are a rich resource..if you have time to run searches or wait for someone to answer your post, which in a real world environment, is not conducive)

          Though most people I've talked to think the support you can get in those forums is better and faster than what you get from most corporate support centers, I can understand why you might need this in a school or company. I believe there are one or perhaps even several third-party companies starting up to provide equivelant support, but I can't be certain off the top of my head. If this is a strong issue, you may want to look into it.

          Potential for abuse by students of all age ranges (The tabbed browsing is an exceptional idea! however, most teachers are too sued to window browsing and wouldn't even notice the extra three or four tabs that are in the background hiding god knows what kind of sites from her view.)

          This I know is a real issue, because I've used it myself in school ;-) I'd point out, though, that there are plenty of other ways that students can hide what they're doing, and I've watched friends play games for hours without the teacher knowing it, even in Internet Explorer.

          Everytime we tried to see if there were possible solutions, we were either met with hostility on the forums for daring to suggest that firefox was lacking in any area or we got silence.

          That's unfortunate. I'm sorry the people that found you weren't as helpful.

    • by Zocalo (252965) on Monday April 18, 2005 @02:02PM (#12271637) Homepage
      Perhaps some kind of "shopping basket" download system on the Mozilla update site would be a good way to go. Personally, I quite like the "Download Basket" that Microsoft uses on its Windows Update site when you do a manual update. Something like a standard shopping cart to choose the plugins that you are interested in, followed by a Windows Update style confirmation and install process would be ideal. If you could also save the baskets and reuse them on multiple PCs that would make widescale deployment of Firefox sooo much easier...
    • by ikkonoishi (674762) on Monday April 18, 2005 @02:03PM (#12271659) Journal
      They have that.

      Its called mozilla.

      Firefox is mozilla with most of the extra stuff besides the browser cut out.
    • Easy fix to this in win 2k and xp.

      Install Firefox. Install all of your plugins, themes, decorations, bangles, tools.

      Copy the Mozilla folder from your home folder application data. Application data is a hidden folder. a little digging will find it though.

      On new machine install firefox.
      Copy folder to the same place on new machine.

      Presto. Nothing lost.

      Can be used to create a custom look for your firefox across the network if you'd like. Force a backup of the folder for each user and their prefs all s
    • Huh? (Score:4, Insightful)

      by misleb (129952) on Monday April 18, 2005 @02:52PM (#12272298)
      "have to be configured?" What are you talking about? Firefox works just great "out of the box." I don't really understand what you are criticizing. There are so many different extensions, I doubt you would want them all installed in a big bundle. It isn't like extensions are hard to install.

      -matthew

  • Enlightening... (Score:3, Insightful)

    by siphoncolder (533004) on Monday April 18, 2005 @01:55PM (#12271543) Homepage
    It's enlightening until it's critical. I see.

    The two aren't mutually exclusive. You weren't looking for enlightenment, you were looking to see someone agree with you.
    • Re:Enlightening... (Score:5, Insightful)

      by lpp (115405) on Monday April 18, 2005 @02:01PM (#12271627) Homepage Journal
      Disregarding the validity of the position, apparently the OP felt that the cons were based largely on positions already proven false. As a result, enlightenment in this case would have been based on cons based on results considered less inflammatory.

      Assuming the OP truly was not looking for a 'yes man' style of article, it is reasonable to believe a review detailing true failings of Firefox without resorting to questionable statistics would have met the requirements for 'enlightenment'.
      • Assuming the OP truly was not looking for a 'yes man' style of article, it is reasonable to believe a review detailing true failings of Firefox without resorting to questionable statistics would have met the requirements for 'enlightenment'.

        In fact, one that didn't detail its true failings would NOT meet the requirements, as the OP was looking for something that "critically examined" the browser.
    • Re:Enlightening... (Score:5, Insightful)

      by Rahga (13479) on Monday April 18, 2005 @02:05PM (#12271681) Homepage Journal
      Just because it's critical doesn't mean it's enlightening. I could give my five year old daughter a stack of printouts detailing vulnerabilites found by group XYZ, and in a second she can tell you which stack was bigger and might even count them out if she felt inclined to. That's not enlightening... What matters is quality, not quantity.

      Also, anybody can get access to the source of Firefox, while IE doesn't have publicly viewable source code. Comparing vulnerabilities among the two browsers is an apples and oranges afair thanks to this.
      • by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Monday April 18, 2005 @02:31PM (#12272033) Homepage Journal
        I could give my five year old daughter a stack of printouts detailing vulnerabilites found by group XYZ, and in a second she can tell you which stack was bigger and might even count them out if she felt inclined to.

        My five year old daughter could prioritize them by severity and likelihood of exploit, add in a few of her own, and generate a patch that fixes them on the three most common platforms. What lame school are you sending your kids to?

    • I assume you haven't RTFA, but here's more or less the criticism that Firefox gets:

      1) "Oh look! It has more vulnerabilities than IE!" (tho they fail to state how critical these are. And don't forget that Firefox 1.03 was just released, fixing these. How long it took IE to release theirs?)

      and 2) "BWA! Firefox fails to render my favorite IE-only pages!" complains from users.

      And that was on the last 1 1/2 pages. The others were just straw words (your usual columnist intro).

      This columnist isn't enlightening, nor critical. He's just giving another misinformed opinion.
      • by rainman_bc (735332) on Monday April 18, 2005 @02:16PM (#12271842)
        Just to point out though, for the most part when any site that reads the http_user_agent header and rejects me, I just change my user agent using the user agent switcher extension, and most of those sites look quite fine.

        Even www.quicktaxweb.ca rejected my firefox on Linux install, but accepted firefox on Windows. Just change the user agent to appear like FF on Win and it was almost perfect.

        What pisses me off most about FF is that there still appears to be a memory leak if you leave it running for a while. I frequently leave my PC on overnight, and when I get it in the morning it takes a ltime for FF to maximize in XP. Both work and home PC's show the same symptoms. That doesn't occur on my Linux boxen though.

        And no, I didn't RTFA ;)
        • Does the slow restore time have to do, perhaps, with Windows' [poor] memory management and the subsequent swapping out of programs that aren't actively doing stuff in the foreground? Watch your drive acceess lights - I'll bet your swap file is getting used a tad when you restore in the morning.

          I'll leave Firefox running for weeks on Linux and Win2K (under VMWare), and it's fine.
      • by Ripley (654) on Monday April 18, 2005 @02:55PM (#12272332)
        "Oh look! It has more vulnerabilities than IE!"

        The quoted report was based on the last six months of 2004. Firefox 1.0 was officially released on November 9, 2004 http://mozillazine.org/articles/article5513.html [mozillazine.org]. So, the product was still in beta for four of the months covered by the report. Without further details from the report, it's impossible to say how many vulnerabilities were in Firefox when it was considered ready for production end-user use.
    • by rsborg (111459) on Monday April 18, 2005 @02:13PM (#12271811) Homepage
      It's enlightening until it's critical. I see.

      You missed the point of the poster. He wasn't unhappy about the article being critical, but being very BIASED and critical. You know, it'd be like saying that Democrats/Liberals should listen to Bill O'Riley... as if he listens to the other side.

      What I hate the worst is not those who are biased, but those who claim to be things like "Fair and Balanced" when it's clear they're not.

      Take for example this nice strawman argument that Mr. Langa puts forth:

      It's a very appealing concept, and has become part of computing's conventional wisdom: Non-Microsoft = More Secure.
      Which he then cuts down systematically, as if his misposed argument had any value:
      Trouble is, that's a falsehood based on a common error: Failure to adjust for the effects of the installed base.
      I can tell when people use Conversational Terrorism [vandruff.com], and I know then that they're highly partial and unreasonable to argue with.
      • All he's saying is that just like IE and other programs, Firefox has security flaws and bugs. And that just switching to it because "its more secure" without knowing how or why is a bit foolish. He says that Firefox isn't a magic cure; I could run a perfectly secure system using Maxthon (IE) with a combination of a firewall and anti-spyware. Firefox doesn't automatically make your system more secure, you're browsing habits do. And he goes out of his way to state that Firefox is good: "Firefox is free, open
  • symantec (Score:5, Insightful)

    by rizzo420 (136707) on Monday April 18, 2005 @01:55PM (#12271549) Homepage Journal
    i have begun to doubt symantec's expertise. i work in a college where virus outbreaks are pretty common. now i've seen a computer with the most up to date, newest version of norton/symantec anti-virus and it seems that it still does not find all the viruses. viruses and trojans that are relatively harmful to the system. i would take this story with a grain of salt...
    • Re:symantec (Score:3, Insightful)

      Geeee... lemme see. Until Symantec joined forces with Veritas, its products were primarily 100% windows based.

      Hmm.... since they favor Microsoft so heavily, wouldn't it be natural for them to talk smack about non-M$ browsers like Firefox.

    • Re:symantec (Score:5, Informative)

      by jim_v2000 (818799) on Monday April 18, 2005 @02:11PM (#12271774)
      I used to work for Symantec's tech support (used to--now Mike in India handles it) and the official line that we gave customers when they get a virus that Norton didn't detect was "Wait for the new definition file...it comes out next Wednesday." And when Norton wouldn't get rid of a virus, the line was "Norton Antivirus is a detection tool, not a removal tool." Which is total BS. If you read their website, the advertising for Norton AntiVirus says "Removes Viruses". That always troubled me, and I'm actually glad to be working elsewhere now.

      I personally run Grisoft's AVG for free, and Zone Alarm, and not only have I never had a virus/worm, they run a zillion times faster than Norton AntiVirus and Personal Firewall.

      Symantec makes bloatware that doesn't work well. Avoid it like the plague.
    • Re:symantec (Score:5, Informative)

      by LnxAddct (679316) <sgk25@drexel.edu> on Monday April 18, 2005 @02:13PM (#12271805)
      This [secunia.com] says it all [secunia.com]. Not only has Firefox had 1/7 the vulnerabilities of IE, but those that it did have were patched quicker and were of less severity in most cases.
      Regards,
      Steve
  • by hanssprudel (323035) on Monday April 18, 2005 @01:56PM (#12271565)
    At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser.

    And I thought my life was dull. You need help my friend. Now!
  • by rizzo420 (136707) on Monday April 18, 2005 @01:58PM (#12271585) Homepage Journal
    one question should be asked... who releases patches and security updates in a more timely manner? mozilla or microsoft? while firefox may have had more security flaws than IE, it gets patched almost immediately.
    • I would have to agree with that. The number of bugs isn't as important and the number of -unpatched- bugs. Want to really impress me? Who has the fewest unpatched bugs that are a week old?
      A month?
      A *year*?

      Seriously, you can't have critical bugs floating around out there. Sure not everyone updates the instant a patch comes out, but I want to know that a fix is at least available.
  • by Anonymous Coward on Monday April 18, 2005 @01:59PM (#12271599)
    Print version of the article [informationweek.com] fitting nicely onto one page.
  • by nacks1 (60717) on Monday April 18, 2005 @01:59PM (#12271607) Homepage Journal
    Its a little odd that this article would be posted without a note that Firefox 1.0.3 has just been released: http://www.mozilla.org/products/firefox/releases/1 .0.3.html [mozilla.org]
  • by jimboisbored (871959) on Monday April 18, 2005 @02:01PM (#12271629)
    I used to run adaware with IE, I've run it once and a while since I switched to firefox and it'll occasionally find a cookie or two that doesn't bother me. With IE it'd find a couple hundred problems.
    Security vulnerabilites my ass.
    (yes I know spyware and security is different, but firefox sure is a lot less of a pain in the ass)
  • there's no cure-all (Score:3, Interesting)

    by QQoicu2 (797685) on Monday April 18, 2005 @02:02PM (#12271643)
    Maybe Firefox is a more stable, more secure browser than IE, but everything is gonna have its flaws. And the more people use it, the more it's gonna get targeted. This sounds kinda selfish, but I almost wish the geek crowd would have "hoarded" Firefox and kept it as their own. It's nice to give Microsoft the shaft, sure, but the more Firefox creeps into the mainstream, the more it's gonna inherently open itself up to exploits.
    • by Anonymous Coward on Monday April 18, 2005 @02:09PM (#12271746)

      And the more people use it, the more it's gonna get targeted.

      Just because more people drive cars than armoured vans, doesn't mean that cars are targeted more just because they're greater in number. In fact, the payload would be greater attacking armoured cars. In reality, some things are just designed with greater security in mind, from the offset.

    • by khasim (1285) <brandioch.conner@gmail.com> on Monday April 18, 2005 @02:52PM (#12272294)
      Maybe Firefox is a more stable, more secure browser than IE, but everything is gonna have its flaws.
      That depends upon how you define "flaws".
      And the more people use it, the more it's gonna get targeted.
      "Targeted" doesn't really matter.

      My Linux box is frequently targetted, but it's all Windows exploits so it doesn't matter.
      It's nice to give Microsoft the shaft, sure, but the more Firefox creeps into the mainstream, the more it's gonna inherently open itself up to exploits.
      Ah, so there is no such thing as "security" then.

      Just "marketshare".

      No matter how many software experts put in how much effort, the end result will spontaniously generate "flaws" as more people use it.

      By that "logic", there is no difference between a browser ("A") written by a team of experts who focused on security ... and a browser ("B") written by a 1st year student who cared nothing about security.

      Flaws do NOT appear just because more people use the software.

      Code is not magic.
  • by GigsVT (208848) on Monday April 18, 2005 @02:03PM (#12271651) Journal
    Since the article concentrated on security, but didn't mention this:

    If you leave autocomplete on, Firefox will save your credit card numbers in plaintext on your hard disk.

    This bug has been known about for years. They won't fix it.
    • by Anonymous Coward
      How does Fx know it's your CC number? Should Fx start refusing to store all 16-digit numeric entries? That would defeat the purpose of "auto-complete", wouldn't it?

      If you're entering your CC number on a publically-shared computer, shouldn't you be manually clicking "clear" yourself? Or should the Fx developers be forced to protect you from your own carelessness?
    • formhistory.dat (Score:3, Informative)

      by krygny (473134)

      formhistory.dat is encrypted.
  • Wait a minute (Score:3, Insightful)

    by KinkifyTheNation (823618) on Monday April 18, 2005 @02:03PM (#12271655) Journal
    Isn't finding more vulnerabilities a good thing? I mean as long as they're getting patched and all, the browser is becoming more secure with every bugfix.
  • by nizo (81281) * on Monday April 18, 2005 @02:03PM (#12271656) Homepage Journal
    Pros: It isn't explorer*
    Cons: It isn't explorer**


    *potentially more secure
    **some pages don't render right since some people only test with explorer

    • **some pages don't render right since some people only test with explorer

      Oddly enough, IE doesn't render any of the pages I go to correctly. Large numbers of them have these little flashing irritating images that Firefox/Adblock doesn't have. Until IE can render the web properly I can't imagine anyone actually wanting to use it. Microsoft really needs to buck up their ideas, how can anyone read a web page when the text is obscured and broken up with these images that constantly get in the way of the

  • by rben (542324) on Monday April 18, 2005 @02:07PM (#12271710) Homepage

    Firefox is still under active development. It's not surprising that occasionally a new bug, including ones that compromise security will be introduced. IE, on the other hand, has been unchanged, asside from bug fixes. All development work on IE was stopped until Firefox forced their hand. I don't think there have yet been any new releases of IE since Service Pack 2, which put 6.0.2900.2180 out in the world.

    So, I wouldn't be surprised if more new security problems were located in Firefox in the recent past than in IE during the same time period. That doesn't imply that there are fewer problems in IE than in Firefox, just that fewer were found in a given time period.

    Which means.... practically nothing. The relevant information would be total numbers of security problems over the total number of lines of code or some similar metric, if you want to discuss the quality of the code.

    If you want to know which browser is the most secure, you should look at the total number of security bugs known to exist and the severity of those bugs.

    For my money, Firefox is the only browser that I trust. I run IE only when I have no choice and when that happens I send an email to the manager of the site telling them why I won't visit again.

    Microsoft abandoned good engineering practices in order to grab at market share. As a result, they crippled both their browser and their operating system.

    • by gosand (234100) on Monday April 18, 2005 @02:41PM (#12272150)
      So, I wouldn't be surprised if more new security problems were located in Firefox in the recent past than in IE during the same time period. That doesn't imply that there are fewer problems in IE than in Firefox, just that fewer were found in a given time period.

      Exactly. Not that vulnerabily counts aren't important, but you have to dig for more information. The article said there were 13 reported for IE and 21 for Firefox in the same time period. OK. How many of those have been fixed in IE and in Firefox? What was the breakdown on severity? What platforms were affected?

      If the author didn't want to go into all this detail to give a more accurate picture, he shouldn't have just thrown out those numbers. I won't go as far as to say they are meaningless, but they don't paint an accurate picture.

  • Issues with numbers (Score:5, Interesting)

    by ppz003 (797487) on Monday April 18, 2005 @02:10PM (#12271759) Homepage
    <rant>
    I have an issue with people who quote numbers of security notices and the like. They always seem to fail to mention the average severity of these notices or even the account for duplicates.

    We see a large number of nitpick vulerabilities for open source because everyone can look at the source code and try to break it every which way. OTOH, finding exploits in IE is done by testers and hackers.

    Regarding dupes, visiting Secunia shows many vulnerabilies for linux distros, but you see the same ones over and over again for each distrobution.

    So while I agree that no software is perfect, and Firefox does have problems that arise from time to time, as does any software, I'll still be using the fox for my net browsing.

    As for those testimonies in the article from people who can't get Firefox or Thunderbird working properly, wow. I've switched people's grandparents with no computer literacy with no problem. All I can say is that their system must be jacked up.
    </rant>
  • If Firefix is as (Score:5, Insightful)

    by g0bshiTe (596213) on Monday April 18, 2005 @02:11PM (#12271772)
    iffy a program as IE then how come in 5 years of using Mozilla based browsers ( on Windows ) have I not been befuddled with the plethora of malware ( autodownloaders, backdoor spyware, ad nauseum ) products that freinds using IE recieve? He can say "it's the userbase" till he turns blue in the face, I wanna know why when I go to a site using IE I immediately get inudated with BHO's yet in a Mozilla based browser they get shrugged off? Yet it is just as unsafe as IE states the author?

    In my opinion of using the software as long as I have, I would never use IE again unless forced to. And that small amount of time I do use IE, I spend twice as much afterwards cleaning out the damn mess made by malware.

    I think because of it's Open Source nature when Moz or some derivative gains market share and becomes the primary target of ad companies, it still won't make that much of an impact on the browser as a whole.
    Given enough eyes all bugs are shallow
  • He has a web site (Score:3, Insightful)

    by Jaspers (876338) <linuxjaspers AT yahoo DOT com> on Monday April 18, 2005 @02:12PM (#12271789)
    Well Mr. Langa seems to have a web site. Here is the link [langa.com]! And here you have a link [langa.com] to the article on his homepage (in case it gets /.ed on the front page).

    Well taking a quick look at what he wrote i think it's the type of guy who actually enjoys starting flame wars so i wouldn't bother too much by him!
    I would only like to tell him that I dissagree with him and he is a terrible writer cause he is using too much sarcasm in his writing. take for example this part from his essay:

    The last time I mentioned a similar US-CERT finding, by the way, Linux partisans leapt up to tell me that US-CERT didn't know what it was doing. Linux *couldn't* have more security flaws than Windows! Everyone *knows* that Open Source software is so much better than anything from Microsoft--- right?

    Also take from example this:

    I wrote that article to try to help readers interested in FireFox in particular and Open Source in general to make an informed decision. There are many, many excellent, proven, objective benefits to switching to Open Source software--- but there's also a lot of misinformation, and some very, very *bad* reasons to switch.

    I think that he is doing what he is preaching against: Misinformation
  • US Cert (Score:3, Informative)

    by flokemon (578389) <florence AT hotbox DOT ru> on Monday April 18, 2005 @02:16PM (#12271844) Homepage
    In most cases in the more recent issues, you'll see the list of IE's vulnerabilities is shorter than those for Firefox, Mozilla, and the other alternate browsers. Likewise, with the more recent bulletins, you'll also see the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed.

    Where did he get this from??
    Latest 10 vulnerabilities on front page are all Windows.

    If you look at the bulletins like he does, you get a collection of vulnerabilities that have been patched.

    US-Cert Vulnerability Notes [cert.org] is where he should be searching if he wants a proper comparison.
    Firefox returns 11 results.
    I didn't count how many results Internet Explorer returned, but even if you don't count pre-2004 vulnerabilities, the number is still twice as high as it is for Firefox.
  • Symantec (Score:3, Informative)

    by eno2001 (527078) on Monday April 18, 2005 @02:19PM (#12271882) Homepage Journal
    In a word... sucks. Where I work, there was a trojan/worm that we were tracking and Symantec Corporate Edition wasn't finding it. After talking to them, it turns out they already knew about the problem but weren't going to be releasing any definition updates for mass deployment for a week. Instead they sent us a link to the early updates that we could apply manually. This stuff should be automated! Total suck in my opinion. Of course, I'm not the Windows admin here thankfully. That's a job I don't think I'd really want.
  • by DumbSwede (521261) <slashdotbin@hotmail.com> on Monday April 18, 2005 @02:23PM (#12271930) Journal
    One of the main things Langa complains about in his article is that some websites do not render properly under Firefox. Of course these sites are probably using IE proprietary extensions and not W3C suggested standards. So Firefox is broken in his eyes, because it fails to follow Micosoft's high-jacking of HTML standards.

    I have found Firefox to be more logical looking in its layout using CSS elements and have had to rework pages more often for IE than the other way around. The problem is that many websites don't bother to check the look of a page in anything other than IE. So how is this FireFox's fault? Langa just assumes IE is getting it right and that there is no ambiguity in the way some HTML elements are specified.

    In theory there may be more bugs and possible security threats lying in wait in FireFox, but here it the thing, since switching to FireFox I have had FAR fewer virus problems. Now it could just be the smaller market thing, but so what - what I care about is how many real viruses I am exposed to. You could argue that should FireFox continue to grow in popularity, so will the attacks on it by virus writers, bring it back to parity with IE. That may be, but hasn't happened yet. BUT it could just be that the open software model means more work on the code and better more secure code when it gains an even wider audience. In fact this is the horse I would bet on.

  • No Yahoo Logo? (Score:5, Informative)

    by chill (34294) on Monday April 18, 2005 @02:24PM (#12271944) Journal
    I read the comment about Firefox not displaying the Yahoo logo and I couldn't believe it. Then, I popped over to Yahoo.com and sure enough, no logo.

    A quick check of the source told me what was going on. I recognized the yimg URL as one that I had *BLOCKED* images from long ago. Yahoo serves tons of graphics ads all over the Internet and I just blocked them all using Firefox's native ability to block images from a particular URL.

    It seems Yahoo serves their own graphics from the same server as their ads. Silly rabbit.

    So, it isn't a rendering bug with Firefox, it is a feature! And a damned useful one at that.

    feature + ignorance = bug? Sad.

    -Charles
  • Can't RTFA (Score:3, Funny)

    by Monoman (8745) on Monday April 18, 2005 @02:25PM (#12271954) Homepage
    Too funny. I read the first page of the article using Firefox. None of the subsequent page links work. IE works fine.

    I guess I will miss it.
  • by greed (112493) on Monday April 18, 2005 @02:29PM (#12272003)
    ...except that the links he gives are just to pages of reports, and I'm not sure which ones are worth reading.

    But, by writing off all of Internet Explorer's problems to the "installed base" scale factor is extremely dangerous to his readers.

    The problem being, since MSIE is embedded into the OS, a flaw in MSIE can be exploited from any program which uses an HTML viewer, not only the "iexplore.exe" application itself. Firefox, even when it's your default browser, still pops up in full "visiting the Web" paranoia.

    Another problem, of course, relates to MSIE's very strange handling of text/plain and application/octet-stream data types. (It will actually reject the Content-type: header from the server and make up a new one based on filename suffix and/or file content... imagine sending a text/plain file from a CGI URL that has ".doc" in it and it turning into a Word file. Note that the ".doc" is in the URL, not in the downloaded file name....) I've got a CGI I just can't make with MSIE properly because it rejects my server's claim that file "foo.log" with "inline" presentation is type "text/plain" and it can display it--it insists on saving to disk... only to find out that Notepad is the right application. To work around it, I'd have to change the extra path information fed to the CGI... and I can't do that--it means something, of course.

    But that problem ("feature", if you read the MS knowledgebase) is one way how people are tricked into downloading seemingly "safe" content that turns dangerous.

    Plus, he makes no assessment of the security problems. He doesn't mention ANY, from ANY browser, not even as illustration--he just leaves it to the reader to plow through pages of cryptic reports from Synamtec and CERT.

    And he's got no analysis of the "trouble reports" he provides for Firefox. Missing images? 99 times out of 100, that's because the Web page has backslashes in the IMG URLs--which are not part of the hierarchical URI syntax [rfc-editor.org]. (They work only in MSIE on Windows. MSIE for Macintosh will not process them the same way.)

    Plus... how do we really know what security problems are fixed in MSIE? On my XP box at home, and the W2K boxes I have to use at work, the Windows Updates just say things like, "A security problem could allow an attacker access to your computer." How am I to know what that security problem is, what part of the system it affects? I don't even know if it is function I use, or even have enabled--the update information is just too terse--at that's after clicking, "Show Details".

    (My main systems are Linux and Mac, so there may be a way to get more information from Windows Update, but it isn't as obvious... unlike Mac OS X Software Update, where it lists the major components right there, and links that take you to the Apple web site for more information.)

  • by cuijian (110696) * on Monday April 18, 2005 @02:32PM (#12272036)
    Compare IE and Firefox security with Safari:
    http://secunia.com/product/1543/ [secunia.com]

    - Open source engine
    - Less vulnerabilities discovered
    - ZERO Unpatched Vulnerabilities
  • by edmicman (830206) on Monday April 18, 2005 @02:32PM (#12272041) Homepage Journal
    I've never understood the argument that the more people that user firefox (or linux for that matter), then hackers will begin to target those users, too. Isn't the point of OSS that ANYBODY can see the source code? If a vulnerability is found, why would anyone think it will stay there?!? It will be reviewed and fixed by any number of people in a timely manner. I think that's the core of what makes firefox and the like "more secure". What am I missing here?
  • by HerculesMO (693085) on Monday April 18, 2005 @02:35PM (#12272071)
    But if I install Firefox and don't use IE on ANY PC, even an OUTDATED version of Firefox, my computer stays immaculate and free of malware/adware/trojans/spyware.

    If I use IE6 from the beginning, fully patched... my computer still gets a boatload of garbage attached to it.

    So tell me again Mr. Langa, how is it that IE is superior, in any way? Is it superior technologically? No, you say as much yourself -- no innovation since 2001. Is it more secure? Well, with all the updates that have come out for IE, I am still not secure from spyware and malware. Does Microsoft like to patch as early and often as Mozilla? Nope -- Mozilla has set a monthly timetable to release updates and does it even earlier if the security necessitates it.

    The arguement Mr. Langa presents is profoundly stupid -- and this is coming from a Microsoft advocate. More entertaining is the fact, that he refers to US-CERT listings of vulnerabilities for browsers, yet fails to mention that they do NOT recommend IE -- but rather Firefox. Go figure.

    I have no problem saying that IE is an impressive browser -- especially considering that it's going on 5 years old. However, that impressiveness doesn't last, especially in the world of computing. Firefox is the next generation browser, and they have focused resources in keeping it up to date, and well built. Microsoft ABANDONED its IE team entirely -- it goes to show you the indulgence they had in pursuing the product. The NUMBER of problems Firefox has had is greater, sure... they have more dedicated testers, a more competent userbase, and discover more flaws than IE, and list them as such. Some may be very, very minor, but they are LISTED, nonetheless. Microsoft has time and time again, taken note of IE's 'small' vulnerabilities and passed them over because it doesn't necessitate the cost of fixing them versus the potential return for anything.

    So yea, Firefox has more bugs. They also fix more bugs. Firefox works faster, has more features, and takes up less resources. It will NOT give me spyware, popups, and virii. IE does all of that and worse.

    So tell me again Mr. Langa, does having the ABILITY to get more problems overshadow actually GETTING more problems? Microsoft is like Valve -- great products, with no updates. Which makes them damn near unusable. It's software like Office that I love, which even if there are security problems -- they still freaking work. Which is less than I can say for IE.
  • by ehiris (214677) on Monday April 18, 2005 @02:44PM (#12272188) Homepage
    If you're so afraid it of its security vulnerabilities you can always uninstall FireFox. Can you do that with IE?
  • by metoc (224422) on Monday April 18, 2005 @02:46PM (#12272227)
    The article reads better if you consider it a response to the question "Will Firefox save me from the evils of the Internet?".

    The author pretty much buries IE and M$ on security, and then proceeds to remind us not to be to fast jumping to Firefox, as it isn't perfect either. It is fairly new as software goes and we will have to wait and see now that it has enough of an installed base to attract the cyber villians.

    If anything the author implied that you should walk, not run to Firefox and remember to apply your bug repellent.

    BTW. I use Firefox almost exclusively, and have watched as websites have slowly gotten around the pop-up blocker, and how 1.01 came out to block the multi-language DNS hack, which IE isn't vulnerable too because it is so old.
  • Goes both ways. (Score:5, Insightful)

    by Sylver Dragon (445237) on Monday April 18, 2005 @02:54PM (#12272327) Journal
    Having read the article, and also followed the author's advice to read the security bulletins, I found that the article is mostly bullshit, which stumbles upon lucid points occasionally, though I think this is mostly by accident.
    I didn't bother to do a count of items in the bulletins, as this is an utterly worthless metric. Nor do I agree that percentage of complaints is a worthwhile way to judge two competing products.
    Just to dispel that idea. Consider for a moment that in his example of 1000 users of A vs. 50 users of B, a 2 person anomoly would be a 0.2% shift in the numbers for A and a 4% shift in the numbers for B. That margin of error for product B is so large as to make the whole study worthless.
    On the other hand, of the items in the bulletins, Firefox did have some serious flaw, e.g. the kind that end in "would allow a malicious user to execute arbitrary code." So, the author is right that Firefox is not some panacea for security, he just fails to explain the real reason why.
    Now, is Firefox more secure overall? I haven't the slightest clue. I really don't have the time and or will to go through the bulletins, aggregate all of the flaws for each browser, assign a numerical value to each severity, and then come up with a score. I offer this idea to any of those who surf /. all day, have a desire to defend Firefox, and don't have a job.
    The author also brings up the old argument of, its not currently a target, so its more secure because of obscurity. I think this argument was valid, right up until Firefox hit 1.0. Before that, it was an obscure little browser which didn't get much attention. However, once it hit 1.0 it got a lot of press; and, the way I see it, this would have given a huge incentive for the black hats to start hitting Firefox, for the right to say that they had one of the first working exploits for this new browser. So, I think this argument falls apart.
    So, without a real study to backup and/or revoke the idea that Firefox is more secure than IE, the only thing I have to go on is antecdotal evidence. Right now I support about 100 computers. And, because of the way we do business, each user has administrative access to their own box (fun on a bun!). Now, because of this, I have a mix of IE users and Firefox users. For the most part, the computers which I am cleaning up spyware/adware on all of the time tend to be the IE user's computers. While I do have to do an occasional cleanup of a Firefox computer, the problems tend to come from other third party apps bundled with spyware, as opposed to the IE, browsed to the wrong page and got infected spyware.
    Does this mean Firefox is more secure? No, one factor, which I can't really rule out, is that the people who use Firefox also tend to be the more knowledgable computer users; so, they may simply be better at avoiding infection. As a counter example, our network engineer runs IE, and doesn't have a problem with spyware/adware, so maybe its just the person at the keyboard making the difference. But, still the preponderence of the evidence would suggest that the Firefox machines tend to be less infected, so there is some correlation, if not outright causation.
    One other thing, which helps keep me on Firefox, have you ever tried to re-install IE6 SP2? Fucking pain in the ass. Some spyware/adware will attach itself to the IE DLL's, and is near impossible to get rid of. Also, I have had more than one machine where the removal of the spyware/adware has broken the IE scripting engine. This is also ignoring that crapware that damages winsock as it gets removed. Thank <insert diety here> for the automated winsock repair tool.
    MS has made re-installing IE harder and harder as they have released updates. In IE5 I could do an add/remove programs on it, and get a reinstall out of it. In IE6 SP1, I could futz with the registry and get it to allow a re-install. Now that seems to be broken, as the MS recommended registry change to allow a reinstall seems to be broken. Th
  • by iceT (68610) on Monday April 18, 2005 @02:56PM (#12272353)
    especially compared to SPYWARE.

    I used to spend a lot of time fixing friends computers because of viruses. Now, I spend it in cleaning up spyware. Spyware that was installed compliments of Internet Explorer, and has forced their machine to a GRINDING HALT.

    Yet, I am still waiting for the first person that I have to spend 4 hours cleaning up spyware after they've switched to Mozilla/Firefox/Thunderbird.

    Until I have confidence in IE to block popups, and stop installing apps w/out question (and I won't even to into FEATURES, like tabbed browsing, in-page document search, etc.), I'll stick to Firefox, thanks.
  • by sootman (158191) on Monday April 18, 2005 @03:04PM (#12272461) Homepage Journal
    "...more security vulnerabilities in the last six months of 2004 were found in Firefox than IE..."

    WHO THE FUCK CARES?!?!? All these dumbass writers need to learn that all bugs are NOT created equal. There is a BIG ASS DIFFERENCE between "small flaw that could theoretically be exploited but the good guys found it first and fixed it in two days anyway" and "gaping hole in the default configuration with thousands of exploits in the wild for months on end." I mean, fucking A, how awesome is it to run Windows Update and see a warning like this [microsoft.com]? "Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system... This affects all computers with Internet Explorer installed ( even if you don't run Internet Explorer as your Web browser ). [emphasis added]"

    Which would you rather live in: a city with a hundred arsonists or a thousand litterbugs?
  • by D_Lehman(at)ISPAN.or (799775) on Monday April 18, 2005 @03:08PM (#12272520) Homepage Journal
    First the "IE-only" page problems, is a problem for website operators, not Mozilla (get a UserAgent editor plugin, and fake IE if you wish, or better yet, send them an e-mail every day that you visit and can't access something).

    However, the article does make good arguements... that is, if the article was written 5 years from now. Firefox is not a mature browser. 4 years after release, IE 6 still has bugs, no new verson yet. Firefox has only been 1.0 for less than a year. There is certainly a break in period after software of this type reaches critical mass before every bug is vetted.

    What the author fails to understand is that by it being open source, more bugs can be found, faster, and fixed, faster. I would certainly HOPE that there are more bugs in Firefox found on a month to month basis. Internet Explorer keeps chugging alone, spitting out new vulnerabilities like breadcrumbs. Firefox on the other hand is now very public, and getting a large influx of bug reports and fixes. However, after Firefox has killed 99.9% of its bugs, Internet Explorer will keep popping out exploits like an assymbly line because limitting the source code means that:

    A) A small number of coders can actually look for exploits. Everyone else is basically left to hope that the next IE hacker publishes their exploit. And, once found, you sit back and wait for MS to fix it, instead of coding the fix yourself, or at least submitting fix code, or just even pointing out the area of code that is the problem. With IE, it's not as though you can e-mail them and say, "I found exploit X... It's occurring around line 7934 of file Y."

    B) Firefox can truly change focus on a dime, just like with the IDN issue a few months ago. It doesn't take a manager of a manager of a manager to hold 50 meetings, talk with investors, talk with worldwide vendors, talk with politicians, and then make a decision at Mozilla. And, if you don't like Mozilla's decisions, it's open source, and you can always go "fork" yourself. :)

    Is Firefox more secure? No. It's not supposed to be right now. Does it have more features? Yes. Is it easier to use? For me, yes. WILL it be more secure than IE once the initial round of exploits have been found? Damn skippy! And THAT is why Firefox is more secure, and why Lynx is still used today. Open Source projects, especially ones that have a great single goal in mind, like just browsing (leaving all the fluff to 3rd parties) eventually turns out something rock hard solid and stable.

    It's just the "new" or "continually growing" ones that will have many of the same pitfalls of closed source. The only difference, is that even with those pitfalls, open source still has all of its other benefits.

    Good article on statistics. Wrong conclusion and timing. Just another example of some writer trying to make themselves heard over the masses by trying to sail against the current. Unfortunately, his dingy is too small for this trip.
  • by aixou (756713) on Monday April 18, 2005 @03:30PM (#12272781)
    How about the huge fucking memory leak in Firefox? On my Linux box, Firefox is a huge memory whore, and will completely overtake the system within about 2 days if I have significant number of pages open. We're talking about 1.2 gigs of memory (including my entire swap) just for Firefox. I found a potential remedy online, but its more of a hack than anything.

    Is this problem being addressed? If they can't fix such a gigantic memory leak how could I expect them to fix more obscure security issues?

Some people carve careers, others chisel them.

Working...