Is The Firefox Honeymoon Over?
prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005, 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In the April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"
misleading (Score:3, Informative)
Also, the number of security flaws reported is meaningless. A security hole could be very serious, or completely inconsequential.
And by the way, the article is extremely short, and doesn't actually give much useful info beyond what was in the slashdot summary, so please think twice before clicking through to TFA and steering ad revenue to zdnet.
Re: Is the Firefox Honeymoon Over? (Score:1, Informative)
Type winamp exploit into google some time.
http://www.mashada.com/forums/index/show_topic/60
What I love about Firefox (Score:1, Informative)
2) Excellent stability on Linux and FreeBSD
3) The way extensions work no matter which version you have. Upgrade a minor or major version, the extensions are still there, all working properly.
4) How themes work no matter which version you have.
5) How the Firefox start page doesn't default to any specific commercial search engines, but lets you choose.
6) How the popups are blocked on sites like SitePoint.com
Re: Is the Firefox Honeymoon Over? (Score:5, Informative)
There are flaws in IE that have been known for better than 6-8 months and still there is no fix.
Users or Superusers?? (Score:3, Informative)
As a developer, I have found Firefox to be almost unusable in many instances:
1) They implemented CSS, but none of the old CSS. This means when you change a cursor to a "hand", it won't recognize it.
2) It also leaves you unable to create custom variables in HTML tags. This leaves out ease of use in dynamic information systems.
3) You cannot call a style of a document object directly, you must first call the object, then on a separate line, call that object's style you want. Just plain inefficient.
4) You cannot use span tags or div tags even remotely how you can in IE (and some cases even in Safari!).
5) They took out many Javascript functionalities because they simply couldn't implement them correctly. (.focus())!
In the end, it's frustrating that in Firefox you must deal with coding around what they left out, because it's more "secure", and as we now know, it's not even more secure! And thank you to Firefox for making me have to download a plug-in every time I want something to work like it should. It's just not what everyone seems to think it is. Is it just an excuse to name drop something new??
Re:Quality not Quantity (Score:5, Informative)
For Mozilla [secunia.com], there has been 0% of extremely critical vulnerabilities and 23% of highly critical in 2003-2005, whereas for IE [secunia.com] 14% were extremely critical and 29% highly critical in the same time period.
Furthermore, a total of 31% (out of 69 advisories, or 21 individual cases) of IE vulnerabilities may result in system access. In Mozilla, the corresponding numbers are 18% and 4 advisories.
Re: Is the Firefox Honeymoon Over? (Score:3, Informative)
I'd say a fundamental part of good practice with IE is to use it with an HTML rewriter. I use "The Proxomitron".
Re:Quality not Quantity (Score:4, Informative)
There are a couple reasons for this. First, that patch was easy to make and test, and could be pushed out in, if my research is right, exactly 6 hours from the time it was on Full Disclosure to the time the patch was publicly available. The actual patch needed more than six hours to be made, tested, etc.
Also, several other security fixes are being put in to 1.0.7, which will be the patch for this.
Re: Is the Firefox Honeymoon Over? (Score:5, Informative)
You need only to look at secunia.com's summaries to see through the idiocy of this article:
Firefox: 0% Extremely Critical
vs.
IE: 14% Extremely Critical
Need we say more?
Not to Troll, but ... (Score:2, Informative)
He recently published a PGP vs. PKI article (I would link the article, but I am not giving him another web hit) where he was continually debunked by posters and PKI implementers because he stated that PKI was "too difficult". He couldn't grasp the concept that each job requires a different tool and one that fits the requirements best.
He constantly replies back on his blog through the Talkback feature ZDNet has (not that responding to user input is a bad thing) and does so with a level of arrogance that drips off the page. I refuse to even read his columns anymore and refuse to +1 his counters. Many users have already commented - there are too many reporters acting as technical experts disseminating information that is misleading.
Re:Firefox is harder to manage than IE (Score:3, Informative)
Don't attribute your failings to the browser. Just because you may not know a good way of managing updates doesn't mean it doesn't exist.
Can you count to 10 ? (Score:5, Informative)
Only ten?? Guess it depends on where Internet Explorer ends and where the "operating system" begins. Many of the worst bugs haven't "officially" been MSIE bugs, but the result is that a malicious web page can take control of your system or do other things you'd never imagine it ought to be able to.
I did a quick search of the microsoft bulletins and found 13. And these aren't even exactly the same ones Secunia lists (two of which they say Microsoft hasn't even fixed).
And why from March? Look at what an ugly month February was for MSIE.
MS05-038 - aug 17 [microsoft.com]
JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988
Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989
COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990
MS05-037 - jul 12 [microsoft.com]
JView Profiler Vulnerability - CAN-2005-2087
MS05-032 - jun 14 [microsoft.com]
Microsoft Agent Vulnerability - CAN-2005-1214
MS05-028 - jun 14 [microsoft.com]
Web Client Vulnerability - CAN-2005-1207
MS05-026 - jun 14 [microsoft.com]
HTML Help Vulnerability - CAN-2005-1208
MS05-025 - jun 14 [microsoft.com]
PNG Image Rendering Memory Corruption Vulnerability - CAN-2005-1211
XML Redirect Information Disclosure Vulnerability - CAN-2002-0648
MS05-024 - may 10 [microsoft.com]
Web View Script Injection Vulnerability - CAN-2005-1191
MS05-020 - april 12 [microsoft.com]
DHTML Object Memory Corruption Vulnerability - CAN-2005-0553
URL Parsing Memory Corruption Vulnerability - CAN-2005-0554
Content Advisor Memory Corruption Vulnerability - CAN-2005-0555
MS05-015 - feb 8 [microsoft.com]
Hyperlink Object Library Vulnerability - CAN-2005-0057
MS05-014 - feb 8 [microsoft.com]
Drag-and-Drop Vulnerability - CAN-2005-0053
URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054
DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055
Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056
MS05-013 - feb 8 [microsoft.com]
DHTML Editing Component ActiveX Control Cross Domain Vulnerability - CAN-2004-1319
MS05-009 - feb 8 [microsoft.com]
(PNG buffer overflow, may not affect IE, remote code execution in MSN, WMP, etc)
MS05-008 - feb 8 [microsoft.com]
Drag-and-Drop Vulnerability - CAN-2005-0053 (yes, exploitable via web page)
MS05-006 - feb 8 [microsoft.com]
Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049
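The comment above makes the point that "10 vulnerabilities" depends entirely on what you count: bulletins, CVE/CAN identifiers, or only those within a chosen date window. The following is an added example, not code from the original thread: it parses a bulletin list in the same format as the one posted above (the sample input is that list retyped as a string literal, with the "[microsoft.com]" link markers dropped), and reports bulletin and identifier counts for an arbitrary month window. It assumes every bulletin is from 2005, as the MS05- prefix indicates, and that a bulletin's identifiers are on the lines following its header.

```javascript
// Added example (not from the original post). Parses a Microsoft bulletin
// list in the format used in the comment above and counts bulletins versus
// distinct CAN/CVE identifiers inside a month window. Assumes year 2005.

// Sample input: the comment's own list, retyped (link markers removed).
const BULLETIN_LIST = `
MS05-038 - aug 17
JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988
Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989
COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990
MS05-037 - jul 12
JView Profiler Vulnerability - CAN-2005-2087
MS05-032 - jun 14
Microsoft Agent Vulnerability - CAN-2005-1214
MS05-028 - jun 14
Web Client Vulnerability - CAN-2005-1207
MS05-026 - jun 14
HTML Help Vulnerability - CAN-2005-1208
MS05-025 - jun 14
PNG Image Rendering Memory Corruption Vulnerability - CAN-2005-1211
XML Redirect Information Disclosure Vulnerability - CAN-2002-0648
MS05-024 - may 10
Web View Script Injection Vulnerability - CAN-2005-1191
MS05-020 - april 12
DHTML Object Memory Corruption Vulnerability - CAN-2005-0553
URL Parsing Memory Corruption Vulnerability - CAN-2005-0554
Content Advisor Memory Corruption Vulnerability - CAN-2005-0555
MS05-015 - feb 8
Hyperlink Object Library Vulnerability - CAN-2005-0057
MS05-014 - feb 8
Drag-and-Drop Vulnerability - CAN-2005-0053
URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054
DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055
Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056
MS05-013 - feb 8
DHTML Editing Component ActiveX Control Cross Domain Vulnerability - CAN-2004-1319
MS05-009 - feb 8
(PNG buffer overflow, may not affect IE, remote code execution in MSN, WMP, etc)
MS05-008 - feb 8
Drag-and-Drop Vulnerability - CAN-2005-0053 (yes, exploitable via web page)
MS05-006 - feb 8
Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049
`;

const MONTHS = { jan: 1, feb: 2, mar: 3, apr: 4, may: 5, jun: 6,
                 jul: 7, aug: 8, sep: 9, oct: 10, nov: 11, dec: 12 };

// A header line looks like "MS05-038 - aug 17"; any other line may carry
// zero or more CAN-/CVE- identifiers belonging to the current bulletin.
function parseBulletins(text) {
  const bulletins = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const head = line.match(/^(MS\d{2}-\d{3})\s+-\s+([A-Za-z]+)\s+(\d{1,2})/);
    if (head) {
      const month = MONTHS[head[2].slice(0, 3).toLowerCase()];
      current = { id: head[1], month, day: Number(head[3]), cves: [] };
      bulletins.push(current);
      continue;
    }
    if (!current) continue;            // identifier lines before any header
    const ids = line.match(/\b(?:CAN|CVE)-\d{4}-\d{4,}\b/g) || [];
    current.cves.push(...ids);
  }
  return bulletins;
}

// Counts for bulletins dated fromMonth..toMonth (inclusive, 1 = January).
function summarize(bulletins, fromMonth, toMonth) {
  const inWindow = bulletins.filter(b => b.month >= fromMonth && b.month <= toMonth);
  const mentions = inWindow.flatMap(b => b.cves);
  return {
    bulletins: inWindow.length,
    cveMentions: mentions.length,          // one CAN can appear in two bulletins
    distinctCves: new Set(mentions).size,  // ... so count it once here
    withoutCve: inWindow.filter(b => b.cves.length === 0).length,
  };
}

function countWindow(fromMonth, toMonth) {
  return summarize(parseBulletins(BULLETIN_LIST), fromMonth, toMonth);
}

console.log('Mar-Sep 2005:', countWindow(3, 9));
console.log('Feb-Sep 2005:', countWindow(2, 9));
```

For the March-September window this gives 8 bulletins but 13 distinct identifiers, which is the "13" the commenter found; widening the window by one month to include February adds 6 bulletins and 7 more identifiers (CAN-2005-0053 is listed under both MS05-014 and MS05-008, so it is counted once), plus one bulletin with no identifier at all. The same list supports "8", "13", "14", "20" or "21" depending on the counting rule, which is the point being made.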
Re:Firefox is harder to manage than IE (Score:5, Informative)
Well, as has been pointed out numerous times over the months, the first hit on Google for "Firefox MSI package" is:
http://msi-repository.sourceforge.net/ [sourceforge.net]
Where you can get thunderbird and firefox MSI packages of the current stable release.
Re:Apples to Apples (Score:2, Informative)
http://secunia.com/product/4227/ [secunia.com]
This shows you all the vulnerabilities they mention. The article doesn't link the exploits unfortunately.
Re: Is the Firefox Honeymoon Over? (Score:3, Informative)
ActiveX is not a big part of the bugs or of a poor design. It is just a misfeature. Microsoft could overnight throw out ActiveX and be in the same position as Firefox when it comes to those controls, as such it is not a fundamental design flaw. On the other side of the coin: ActiveX is a bad idea in practice. It is not due to Microsoft bugs or flawed design, it is just a fundamentally flawed idea since application developers deploy stupid things and users do stupid things. Microsoft has made moves to improve the situation, demoting the ActiveX confirmation dialog to be a right-click option on the "popup"-bar in SP2 was a move in the right direction for instance.
You mean like Unix? What an innovation!
Microsoft has been behind in security design for over a decade. I was working in Unix, which is capable of doing the things you're calling revolutionary, when I was in junior high a full uhm.... Longer than I want to think about... ago. Everything is a file and files have - while not a perfect permissions system - at least something which is designed for multi-user and therefore easily modifiable to multi-permission. Call BS all you want, but M$ has a lot of spaghetti code in your computer....
Sure it is something. But it is not used well in desktop applications (applications can all write to your home directory with your session startup scripts and so, wreck your data or whatever else they please). One could run them as dummy users that can't write to your home directory, but that'd make for an extremely confusing and inconvenient application. One could with some care and a whole lot of dummy users and setuid scripts copying things about in intelligent ways create the same kind of security model that Microsoft are doing for IE7. Problem is that it isn't a very good design and more importantly; no one appears to be doing it.
Even if possible it does not help if no one does it, and even if it gets done it will not be as nice as Microsoft's framework that utilizes the much better security model provided by NT. Now, as I said, if it works out for Microsoft there will no doubt be some movement to get something going on Linux as well, but credit where credit is due. Microsoft is doing something interesting here.
meh, get it right (Score:5, Informative)
That's a truer representation of security.
Mozilla usually patch flaws fairly quickly - there's flaws in IE that have been known for *years* before they were patched, if at all.
smash.
Re: Is the Firefox Honeymoon Over? (Score:2, Informative)
Opera is free as in beer btw. And it's exactly the same browser as if you pay for it. Unless you think about the tiny Google ad bar at the top.
You only need to pay if you want the banner removed and get official support from the company.
Re: Is the Firefox Honeymoon Over? (Score:3, Informative)
I installed Firefox myself. Until I read your post, -I- didn't know about said red arrow. Of course, I periodically update it anyway, so it's not a big deal, and since I don't see what you're talking about, I assume I'm up-to-date enough, but....
Anyway, I sort-of like the "There is an update available. Would you like to install it?" dialog on launch that a lot of apps do. Just so long as it isn't broken like the one in Adobe Acrobat Reader. Running 1.5.0 and it says "A new version 1.50 is available," which turns out to be the same version.... (That's probably not the right version number, but you get the idea.)
Re:Compare Also (Score:3, Informative)
Nowhere near the (28% + 3% + 13%) = 44% for MSIE6, of course, but 24% is still pretty high.
Comparing Criticality, FF has 23% "Highly Critical" whilst IE has 14% Extremely Critical + 29% Highly Critical = 43%. That really is bad for IE.
Of course, numbers prove very little, and there's lots of room for reinterpreting these figures (availability of FF source can make vulns easier to find and exploits easier to write; huge IE install base increases likelihood of discovery and increased incentive to exploit, etc).
Re: Is the Firefox Honeymoon Over? (Score:3, Informative)
Actually, (for example) IE implements the XMLHttpRequest (javascript) object as an ActiveX control. This is a favourite new toy for very spiffy interactive webpages (think AJAX). Examples of things that break if you turn ActiveX off: Gmail, google maps, google suggest.. etc.
This in turn causes users to not turn off ActiveX (the tin-foil-hat crowd would tell you this isn't a coincidence) because it would fundamentally break many really useful websites.
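The dependency described in the comment above is visible in the "create an XHR" shim that AJAX code of that era shipped: on a browser with a native XMLHttpRequest object it is used directly, while on IE6 the only route is new ActiveXObject(progId), which throws for every ProgID once ActiveX is disabled for the zone, so the application simply gets no request object. The following is an added example, not code from the original thread or from any of the sites mentioned. It takes the environment as a parameter so that it can be exercised offline against hypothetical stand-ins for Firefox and for IE6 with ActiveX on and off; the stand-in error text and the set of ProgIDs the fake environment "has installed" are constructed for the example.

```javascript
// Added example (not from the original comment): the classic XMLHttpRequest
// factory with the IE6 ActiveX fallback, written against an environment
// object so it can be tested without a browser.

// ProgIDs tried in order of preference, as shims of the era did.
const ACTIVEX_XMLHTTP_PROGIDS = [
  'Msxml2.XMLHTTP.6.0',
  'Msxml2.XMLHTTP.3.0',
  'Msxml2.XMLHTTP',
  'Microsoft.XMLHTTP',
];

// Returns { kind: 'native' | 'activex' | 'none', xhr, progId }.
function createXhr(env) {
  // Firefox, Opera, Safari (and later IE7+) expose a native constructor.
  if (typeof env.XMLHttpRequest === 'function') {
    return { kind: 'native', xhr: new env.XMLHttpRequest() };
  }
  // IE6: the object only exists as an ActiveX control. With ActiveX disabled
  // in the zone every ProgID throws, so the page ends up with no XHR at all.
  if (typeof env.ActiveXObject === 'function') {
    for (const progId of ACTIVEX_XMLHTTP_PROGIDS) {
      try {
        return { kind: 'activex', progId, xhr: new env.ActiveXObject(progId) };
      } catch (e) {
        // this ProgID is not installed or ActiveX is blocked; try the next
      }
    }
  }
  return { kind: 'none', xhr: null };
}

// ---- hypothetical environments (constructed for the example) ----

function FakeNativeXhr() { this.readyState = 0; }
const envFirefox = { XMLHttpRequest: FakeNativeXhr };

// Stand-in for IE6. Only two MSXML ProgIDs are "installed"; when ActiveX is
// disabled the constructor throws for everything, as IE does for the zone.
function makeIeEnv(activeXEnabled) {
  const installed = new Set(['Msxml2.XMLHTTP.3.0', 'Microsoft.XMLHTTP']);
  function ActiveXObject(progId) {
    if (!activeXEnabled || !installed.has(progId)) {
      throw new Error("Automation server can't create object: " + progId);
    }
    this.progId = progId;
    this.readyState = 0;
  }
  return { ActiveXObject };
}

function demo() {
  return {
    firefox: createXhr(envFirefox).kind,
    ie6ActiveXOn: createXhr(makeIeEnv(true)),
    ie6ActiveXOff: createXhr(makeIeEnv(false)).kind,
  };
}

console.log(demo());
```

Note the asymmetry: disabling ActiveX is a per-zone setting, so the same shim succeeds on an intranet page and fails on an Internet page, which is why "just turn ActiveX off" was never a clean recommendation for IE6 users.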
One Developer's Perspective: choose Firefox (Score:2, Informative)
I do some Web development and, while I'm not the ultimate Web Guru, some people actually pay me to do it. I don't follow security as closely as I should, perhaps, but this is about browser choice. And security is not the only factor to consider.
I have not invested in a subscription to MSDN. So, most of my references are either from books with strange animals on the covers or from the W3C [w3.org] recommendations.
I use my references and create a Web site for a client. Then I proceed to testing with Firefox, Mozilla, Netscape, Opera, and IE. What I have found is that, in Firefox, Mozilla, and (most of the time) Netscape, it usually all works just as expected. In Opera, a few changes are required. In IE, however, it almost never works like it should.
To be completely fair, I have to say that none of the popular browsers seem to get the W3C recommendations right 100% of the time (but that might be me getting it wrong :)). Sometimes (rarely), I must admit, it even seems like IE's interpretation of the W3C recommendation makes more sense. However, after using all of the browsers I test with, and a few others, I have to say that I choose Firefox.
Re: Is the Firefox Honeymoon Over? (Score:1, Informative)
Yes, I'm looking at the Secunia statistics for both browsers. If you know a more complete list, show me it.
That said, when I view Firefox's "Criticality" breakdown [secunia.com], it says "(Based on 22 Advisories from 2003-2005)".
When I view the criticality breakdown for IE [secunia.com], it says "(Based on 69 advisories from 2003-2005)".
Inherent Design Flaw (Score:3, Informative)
I can't believe the most critical vulnerability inherent in IE has not been mentioned yet. What I am referring to is the fact that IE is a shell to the operating system.
For the benefit of those who don't know what that means, opening up IE is effectively the equivalent of opening up a command prompt. Any command typed into IE will behave as if you typed it into a command prompt and will execute with whatever privileges you have. For most users, this will be Administrator. Another brilliant design choice.
Go ahead and type "c:\windows\system32\calc.exe" (or "c:\winnt\system32\calc.exe" depending on the name of your system directory) in IE and watch as Calc opens up. Try it with FF and you'll be prompted to save it--nothing more.
I don't know. You tell me. Which is the secure option and which is the security flaw so inexpressibly stupid it should be considered criminal negligence?