Is The Firefox Honeymoon Over?

prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"

Re: Is the Firefox Honemoon Over?

[Alternate Interior]

There is one significant difference. I'm a knowledgable user. I program and sys-admin. I practice good security. Regardless of the number of exploits out there, I've never been hit by a FF exploit. I have been hit by IE exploits.

But the submitter is right. Though code security is important, the number of users is also a huge factor.

Cue someone to mention Apache.

Yes, Apache is everywhere, exploit-free. So are lots and lots of other binaries. It's only when you compare Apache to IIS 4/5 that it's really such a perfect example. Compare it to WinAMP, or Bash, or Finder, and its no more, no less secure.

Quality not Quantity

[olympus_coder]

Well, this is a good example of bad journalism. I don't want to get into a flame ware about which browser is more secure (although I have an obvious bias). What I'm try to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media. [slashdot.org]

1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not just stop the current bleeding.

2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category. MANY of the IE bugs over the last 5 years have been SUPER critical, allowing remote access with little or no user intervention and no settings work around. Are the fire fox bugs the same?

3) Different organizations handle the vulnerabilities: MS and the Mozilla Foundation. MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.

Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.

IAAITG (I am a IT guy)

Apples to Apples

[gbulmash]

I don't recall there being *that* many vulnerabilities and exploits for the browser itself, but that there were some serious ones for common extensions. Now, I can't say this for certain, but is it possible that he's lumping in the vulnerabilities/exploits for popular 3rd party extensions (like the recent pretty big one with GreaseMonkey) with vulnerabilities/exploits for the core browser?

As well, how many of these vulnerabilities/exploits were "critical" and how severely did they expose your computer to running unauthorized code vs. the MS ones? How much effort did it take to repair them? The last vulnerability I recall patching required making a minor change to my Firefox config by hand rather than patching or upgrading.

Because IE is so tied in not only to the OS, but to various Visual Studio API's, were Microsoft's vulnerabilities more far-reaching?

I'm no MS apologist, but I'm also not a Linux or OSS zealot. I like to use what works best for my needs and habits, which ends up being a mix of Closed Source and Open Source products. I don't want to be biased on one side or another, but I'd like to be sure that comparisons like this are apples to apples.

- Greg

Security isn't the only reason

[kevin_conaway]

I use it because its a better browser. It has more (and better) features than the competition. THAT is why I use it and recommend it to those who ask, not because of its security track record.

Slash Troll Alert

[Sounder40]

Another in a series of stories that seem to be written to raise the ire of /.'ers. You're smarter than this, fellow reader. Do not give in to the temptation to flame on. We all know better. Sad that the writer didn't.

These numbers

[hungrygrue]

don't mean anything unless you do a side by side comparison of the security holes. What is the severity of each bug? Clearly, there is more activity and work in finding and actually fixing bugs in FF than there ever could be in IE, which could in and of itself account for the higher numbers.

What happens when IE Vista goes mainstream?

[TEMM]

Yes there are a lot of problems with firefox, its being developed so there are going to be vulnerabilities and security problems, but at least its constantly being developed. When everyone moves over to Vista and uses the new version of IE for Vista its going to be the same old crap all over again and im sure that IE will once again have more problems then firefox.

Software Bugs

[Anonymous Coward]

All software has bugs, lets just get over it and move on with life.

Choice...

[gsfprez]

Here's the difference.

If the Firefox web browser sucks, the average Joe can uninstall that web browser from a Windows box....

if IE sucks...

Re: Is the Firefox Honemoon Over?

[Bloggins]

Remember the age of the code though, how long has IE been around as compared to firefox. I would expect that about 6 years of sniffing thru firefox will result in less exploits that the amount thats still found in IE

Short and simple

[cyberlotnet]

1. How many Critical IE vs Firefox
2. How fast where patches/new versions deployed
3. How many days was the browser open to the exploit

And Finally

4. Total number of days browser was exploitable - IE vs Firefox

I bet you will find issues in IE that are not even patched yet, turnaround for more Firefox issues however? In most cases a solution within hours a patch within days.

How do I moderate the Orignial Poster (-5 Troll)

[dup_account]

I read thru some of Ou's other blogs, and I have to say he seems to be a MS Troll.

What about the time to fix?

[Anonymous Coward]

The number of vulnerabilities and exploits make some difference, but what about the average time it takes to fix the vulnerabilities? If one takes an average of 2 weeks and the other 2 days, I'd rather have the latter.

Re:Quality not Quantity

[thoromyr]

A very good set of points. One more (related to 3):

4) How many unfixed vulnerabilities are there. The one that comes to mind is ActiveX

Firefox's facade is still looking pretty good

[drgonzo59]

Counting the vulnerabilities is not really the way to assess the security implications of those vulnerabilities. There are different kinds of vulnerabilities. Perhaps, on Firefox the attacker can crash my browser - not that big of a deal, I'll just restart and then look for a patch (which comes out pretty fast). But there might an IE vulerability taht will give remove admin access to my machine. Now I think, one of those vulnerabilities outweigh 10 of the first kind. So you cannot really compare.

They should have separated vulnerabilities into classes then also taken into account the average time between discovery and fix and ease of patching. Anyone one of such a study?

Causality vs. Correlation

[Da_Biz]

What I'm try to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media.

AMEN! Your pickles example is a good reminder of the confusion many Americans have over causality vs. correlation.

Damned Lies and Statistics by Joel Best is an excellent primer in the dangers of poorly used and cited statistics. It's a must read:
http://www.amazon.com/exec/obidos/tg/detail/-/0520 219783 [amazon.com]

I seem to recall...

[Anonymous Coward]

that some of the Firefox issues were not because of coding bugs on the mozilla side of things, but because of how Microsoft's OS handled things. Essentially, Firefox was protecting itself against the evils of the OS that it is forced to run upon. Even if all 11 security issues were purely because of Mozilla code, how are we to truly know that there were only 6 for IE? Those are just the ones that Microsoft fessed up to and actually fixed - there's likely plenty more that they're working on - just waiting slowly to release the updates to make themselves look better than the better equipped competition.

Re: Is the Firefox Honemoon Over?

[Anonymous Coward]

This is exactly true. I administer over 2,000 machines (mixed platform environment). We started installing Firefox as part our standard package over a year ago. There has never been one report of a problem with security involving Mozilla Firefox. There have, in the same time period, been numerous security problems originating in the Microsoft Internet Explorer web browser. It doesn't matter how many exploits get published if they aren't being exploited or their exploit does not result in any significant harm. As posters below have noted, this article is a result of bad journalism.

Attacker is also better off with the open code

[Anonymous Coward]

Anybody who wants to inspect the source code for security holes can do so.

Precisely. But why do you assume that once the bug is found, it will be fixed? If the bug is found by a malicisous pair of eyes, an exploit will be written instead.

Open source helps both the attackers and defenders, and thereore does not have an inherent advantage in security, in my opinion. Now, the formerly closed code that has leaked is indeed more vulnerable after the leak.

misleading

[FLoWCTRL]

I would like to see a comparison of the seriousness of the vulnerabilities - how many of those IE exploits gave remote users full control over the victims computer, vs those of Firefox? Given that IE is so deeply tied into the OS, security problems with it tend to be much worse. For Firefox, the vulnerabilities tend to be trivial, such as browser crashes.

Re:Quality not Quantity

[Donny Smith]

>Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

And perhaps not.
And perhaps MS IE is exposed to more scrutiny because it's #1 browser? And perhaps not.
As we can't tell for sure, it's best to ignore such speculations.

>3 (sic)) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not just stop the current bleeding.

Gee!
And look at the most recent Firefox fix - it's a temp fix which only disables the insecure feature.
Not to mention that update alerts actually start blinking in your browser many days late.

I'm not defending MS IE, I'm just trying to point out that FF is pretty much the same. I use it a lot and it's got a bunch of problems - daily crashes, daily hangups with PDF files, frequent security problems and so on.
Originally it seemed a lot better. I still use it, but it doesn't seem that way any more - it's time to take a realistic look at it.

Re:Quality not Quantity

[Alorelith]

Don't forget that Internet Explorer isn't a moving target. Firefox is in constant development and releases are being made at fairly regular intervals, thus there are bound to be bugs. Has Internet Explorer seen any development in the last few years other than just bugfixes (not including IE7)?

Re:No Software is Perfect

[MightyMartian]

It is unfortunate that some chose to try to sell Firefox as a more secure browser. While I'll still wager dollars to donuts that it is, I do think it was a mistake. Firefox, like every large software project, is going to have bugs and flaws.

But this bizarre notion that you can measure a software's quality by bug reports is ridiculous. It's a meaningless number until put into context. Microsoft is well known for sitting on flaws for great lengths of time, so though in some given period Firefox might have twice or thrice the number of reported problems, IE might have that many or more unreported flaws. It's the same old story; there are lies, damn lies and then there are statistics. Reporters, unfortunately, seem a pretty lazy lot who don't actually have much interest in educating themselves or others, so they do easy things like count the flaws and report. They pack in a lot of words, and give it a sexy title a bang-o, they get a cut a check for their discerning journalism.

Strange...

[devaldez]

What I find most fascinating is that no one seems willing to recognize that the more users you have, the greater the interest in hacking becomes. If you have a paltry penetration for your technology, hackers ignore you.

Now, is Firefox more secure? In theory it should be. Are the exploits in Firefox less problematic? Well, until hackers care to exploit it, who the heck really knows? I remember when Firefox pop-up blocking worked. Now, there are known methods to circumvent the technology...go figure...the folks who care have found new methods because Firefox was eating their lunch.

Now, I heard someone say that Apache is a model...what about all those worms that have been attacking, and defeating, Apache for the last 3 years (slapper, scalper, etc.)? Apache's only grace is that the developers move FAST when a new exploit is found. However, most attacks are not day zero attacks, which means that the vast majority of attacks are based on known, patched or patchable flaws.

So, it is incumbent on any admin to keep their systems up-to-date AND recognize that patch management is one of the key hallmarks of a secure system.

What does this mean for Firefox? Same patch management must be implemented for Firefox as should be in place for Exploder. Moreover, perimeter firewalls and intrusion detection systems must be in place and up-to-date themselves. And even with this diligence, per the CSI FBI Computer Crime & Security Survey 2005, 95% of Enterprises experienced system penetration and 55% were attacked by worms or viri.

Guess what? Software development methodology is not a panacea anymore than anything else.

Diligence, not arrogance, will protect your computing assets.

Re: Is the Firefox Honemoon Over?

[jiushao]

If this is so it just leads to the question: Why should people use Firefox now then? Lets wait until 2010 when it will actually be better and stick to IE which is better now.

I don't really believe in this, but arguing like that is arguing against Firefox.

My personal opinion on these things is: People care way too much about browser religion. Let people use IE, not that much wrong with it. Both IE and Firefox are huge complex applications processing huge amounts of diverse untrusted data. Sure it'd be great if they were secure, but it is just not happening that way yet.

There might be some hope on the horizon with low-rights IE7. It might be that it really does manage to remove the impact of the bugs, which is really the best case scenario as things stand. If so we will no doubt see similar approaches integrated in Linux desktops and see Firefox refactored to use the same approach.

Re:Quality not Quantity

[truesaer]

The biggest weakness of firefox is that most users will never patch it. For example, I've never been aware of a firefox patch, nor have I applied one. Windows on the other hand harasses me relentlessly now to install patches IMMEDIATELY even if I'm in the middle of a game or something.

I still use firefox of course!

Re:Losing my mod points to say this but...

[ahoehn]

Losing my mod points to say this but...

Really; are you in imminent danger of being modded down on Slashdot because you posted something negative about Microsoft and positive about Firefox?

Are you also worried about being flamed because you compress your music with ogg?

Do you live in fear of being outed to the slashdot community for creating documents in Open Office?

You're such a rebel.

[smile]

Re:Open Source Security

[Perl-Pusher]

And with the kind of money Microsoft has at its disposal, they are finally cutting down on those security issues.

They have been at it over ten years, and still new bugs keep coming. With more cash than some countries, there is no excuse for any new exploits by your logic.

1) Firefox is newer, it's code is less mature.

2) The entire world is privy to the source code of Firefox, the more exploits initially is good for open source. That means their getting fixed faster too.

3) What these 'known exploits' are, is people reviewing that code finding faults and reporting them. Since the code is readily available this makes it easier and quicker. This is a good thing. Closed source makes it harder to find the bugs, they tend to be found out by exploit, more often than review.

4) All bugs are not the same, a bug in an option is not the same as a bug in something that can't be turned off. Severity of the bug was compared here, as has been pointed out numerous time this is dumb.

5) Money is a reason to hide exploits and fix them only when absolutely necessary. When you donate time and effort freely, pride in your work provides the opposite motivation.

6) You can uninstall firefox and use something else, try that with IE.p

"From March 2005 to September 2005"

[l3v1]

I mean, From March 2005 to September 2005 ?! Good god, I thought ignorance could no longer make me mad, but yes, it can. Educate us please, 1) how many versions of IE were released in this timespan, 2) how many vulnerabilities were disclosed about IE6 since it was released, 3) how many vulnerabilities had IE when it had the same [release] age as Firefox has now, 4) how does the patch release speed of Firefox and IE compare, 5) how does the feature set of Firefox and IE compare, 6) how does the size, stability, platform support, plugin support of Firefox and IE compare, 7) how many vulnerabilties of IE's and how many of Firefox's were/could in fact be exploited by worms and trojans in this period.

I could go on with this, but for me, even these questions are more important, by a magnitude, than how many exploits were discovered.

Firefox is harder to manage than IE

[akmolloy]

I really want to give Firefox to all my users, but there's no good way of managing the updates for my users. Until the Firefox comes packaged as an MSI so that I can force an upgrade via Group Policy, I won't install it on my users machines. And when they do make an MSI for it, how am I to keep people up-to-date with extensions? The Grease Monkey extension had a vulnerability awhile back, and I don't see a way for Firefox to allow me to force an upgrade to everyone for extensions. IE works well because I can release patches for it via WSUS. And since SP2 for XP, we've had less calls about spy/adware installs.

Looking at the wrong statistics

[Jugalator]

It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.

What can I say? I pity the administrator that need "proof" to realize this.
Straight to the "Security 101" class you go, as you should have before getting a job.
Or if not having one, thank god for that.

As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading.

Here's the hard facts according to Secunia...
IE 6: 19 of 85 unpatched issues, the most severe classed Highly Critical.
Firefox 1.x: 3 of 22 unpatched issues, the most severe classed Less Critical.
Opera 8.x: 0 of 7 unpatched issues.

I don't know about you, but as long as a product is auto-updating (which the Firefox 1.5 beta and onwards indeed is, like IE 6, and unlike Opera 8), what does it matter how many exploits are found? Isn't it how many issues you're affected by that matters?

Yes, this was a problem with Firefox before 1.5 as you can't excuse having to manually upgrade your browser while monitoring security sites (at least not from the audience Firefox is targeting), and that's why I recommend people to upgrade to 1.5 ASAP. The minor instabilities still present from being in beta isn't as bad as missing out security fixes.

Re:No Software is Perfect

[Feyr]

security defects aside, i've had firefox crash on me at least twice a DAY in the last year or so.

annoying as it may be, it's still less annoying than the alternative

Re: Is the Firefox Honemoon Over?

[FuzzyBad-Mofo]

Not all vulnerabilities are created equal. As you assert, there doesn't seem to be (m)any people actually getting their system compromised from Firefox issues. Contrast that with IE, where we have seen numerous exploits in the wild which install malware, simply from the user visiting a web site. In large part, I believe this is due to IE's integration with the base operating systm.

Re: Is the Firefox Honemoon Over?

[MrAnnoyanceToYou]

Let's go through your objections point by point

If this is so it just leads to the question: Why should people use Firefox now then? Lets wait until 2010 when it will actually be better and stick to IE which is better now.

Except then Firefox will not get developed to as high a level as IE has and will never reach that point. Note that this observer has the same problem as most observers who say, "It's better!" And that problem is that the numbers aren't exactly fairly proportioned. An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed. That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.

I don't really believe in this, but arguing like that is arguing against Firefox.

It is arguing against the further development of Firefox, too. No users, no development.

My personal opinion on these things is: People care way too much about browser religion. Let people use IE, not that much wrong with it.

There's piles of things wrong with IE, they're just not user-visible all the time and that is a main portion of the problem's gestalt.

Both IE and Firefox are huge complex applications processing huge amounts of diverse untrusted data. Sure it'd be great if they were secure, but it is just not happening that way yet.

You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.

There might be some hope on the horizon with low-rights IE7. It might be that it really does manage to remove the impact of the bugs, which is really the best case scenario as things stand.

You can do this in linux. Natively. Just make yourself a different user with no rights to do certain things. Try that in Windows and see if it works for you. As to the, "Microsoft will solve everything in the end" mentality, well, I can't really argue with that.

If so we will no doubt see similar approaches integrated in Linux desktops and see Firefox refactored to use the same approach.

You're looking at it the wrong way. Microsoft is behind and has been so for a very long time. The stuff you want is part of the problem with their occasional 'buy instead of implement' business model.

Proximo-what?

[ComputerSherpa]

"Fundamental" as in "never heard of by anyone else"?

Re:Quality not Quantity

[hebie]

Add 2 more points to the above: 1. The period of the lifecycle of the software. There is usually an exponential decline in the number of bugs as the software ages. Having such a large number in IE speaks volumes on quality. 2. Prevalency of the software. A software as prevalent as IE has much more people working on the exploits and that even to date, exploits of a severe nature are being reported again is not something to be proud of

Red Herring Fish Sticks

[ezweave]

So they found more exploits to FF. FF is also newer. Does this mention the hundreds of IE exploits in the back catalog? Does this mention some of the fatal flaws that MS has not repaired since IE 5? I know because I have had to hack fixes for web apps in IE... never had to do it for Firefox. Read through MSDN and count all the bugs, then read through Bugzilla.

Any new product will have more flaws found per month than an existing product. This is common sense. The difference with FF is the turn around of the fixes. You could imply as much from the article. 40 down to 11. Notice how IE6 has the same amount still found (10 and 6 are alot closer than 40 and 11), and it is a product that has been on the market how long( 4 years [wikipedia.org])?

There is no news here, just FUD and a normal software lifecycle. This is perfectly normal.

Re: Is the Firefox Honemoon Over?

[bheer]

Are you saying that knowledgable users necessarily get hit, even on IE? I develop on Windows (and on Linux too, though my architectural understanding of Win32 exceeds Linux (which is pretty much limited to POSIX)) and you know what? I've never had a problem with an IE exploit in my life. Like someone else said a few stories ago, a user who knows what he's doing can make even Win98 safe.

Yes, IE pre-XPSP2 UI+security model of Yes by default and ActiveX definitely required vigilance; but today it's a function of user skill on both Firefox and IE to *not* be infected.

Someone here mentioned their users don't have problems with Firefox. Well, disabling ActiveX certainly helps. But if Firefox users visit RandomScreenSaver.tld and download with abandon (as many IE users do), compromising Firefox will be a piece of cake. And there is the gaping hole in Firefox's armor -- even many of its biggest boosters think nothing of installing unsigned extensions.

Btw, I'm not sure anyone who developed on Apache through the late 90s would call it 'exploit free' in the sense (say) vsftpd is exploit free. Apache's strength is cross-platform ubiquity and a rich plugin environment, not perf or security. I doubt any Apache dev would claim Apache to be unexploitable even today.

MOD ARTICLE REDUNDANT!

[Spy der Mann]

Oh please, not again. "Firefox has more security bugs! firefox is teh evil! omgomgomg"
I'd expect this kind of comments from a /. comment, but from a STORY SUBMISSION?
In any case I already know the answer: "more bugs, but some less critical, and all patched in less time".

Or am I wrong?

Whaa...?

[glwtta]

Honeymoon is over because the FF people fixed more security bugs than IE6? I don't follow.

missed the point...

[buhatkj]

I am SOOO tired of seeing these stories about how firefox has this many bugs vs IE has this many blah blah blah....
They totally miss the point.

First off, anybody who switched to firefox because they thought it (or any other browser) was "safer" than any IE is totally deluding themselves. The fact is the web is just a dangerous place to be, and no browser no matter how "bug-free" or "tested" can ever really protect you. If you are an idiot and go to phishing sites or places that give you spyware or whatever, you deserve what you get.

the reason to use firefox is because it is a BETTER browser. It's hard for me to overstate just how awesome tabbed browsing is, but that feature by itself convinced me. That, and it's 100% free.

what else do you really need?

so the bottom line is, all browsers are unsafe, pick the one that you can use most effectively.

For me, that's firefox.

misunderstood

[barryfandango]

"the facade that Firefox is the cure to the Internet Explorer security blues [...]"

It's not a product specific issue. Diversity is the cure to monoculture security blues. The more mainstream a product becomes, the more malicious users will target it. And if it's the only game in town it might as well have a big bullseye pinned on it.

Re:Losing my mod points to say this but...

[aug24]

No you prat, I have mod points but won't be able to use them in this story! I'd say you must be new here, but you must've been around a while ;-)

J.

Re: Is the Firefox Honemoon Over?

[jiushao]

I'll do the same for your points then:

Except then Firefox will not get developed to as high a level as IE has and will never reach that point. Note that this observer has the same problem as most observers who say, "It's better!" And that problem is that the numbers aren't exactly fairly proportioned. An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed. That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.

Right, I don't really buy this study either. I were just stating that if one says that Firefox is worse now one can't argue that people should switch. Also, sure, if people switch over in masses the development effort will go faster, but this was not really about what was best for Firefox, but what is best for the user now.

There's piles of things wrong with IE, they're just not user-visible all the time and that is a main portion of the problem's gestalt.

This is one that shows up over and over, that IE's basic design is flawed. Which is, as far as I can tell, unfounded. All the external interfaces and architecture seems clean and nice enough, and since I (and I would guess; you) have no way to look at the source I can't say that we have any reason to believe that the IE source is in a bad state.

You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.

This does not say anything meaningful, it is true that if one keeps removing things sooner or later one will have removed all bugs. The point is to have a working browser with as good security as possible.

You can do this in linux. Natively. Just make yourself a different user with no rights to do certain things. Try that in Windows and see if it works for you. As to the, "Microsoft will solve everything in the end" mentality, well, I can't really argue with that.

This one I am actually a bit tired of, but I'll go over what has impressed me with what Microsoft is doing for Vista and IE7:
This is not a process-level permission thing (which would wreck the way the application works, you need to be able to save files, change settings and so on for it to be a sane desktop application). Rather Microsoft is finally getting around leveraging and extending the rather advanced and fine-grained NT security model for something. The basic idea is that most of the application runs with very restricted permissions and can launch subcomponents like a download or settings panel that have a higher level of permission. This is set on a very fine-grained level. There is no need to have separate components, nor is it all-or-nothing, a component can have access to specific system calls according with specific parameters, they may change only some given parts of the registry and so on.

Now this is not new as such. It is however leveraging well-known and well-implemented security technology to make a desktop application simultaneously relativly locked down but still as usable as it would be running at full permissions in all parts. It is not limited to IE7 either but there is supposed to be new tools and libraries to make it easy to take advantage of for new applications. As I said, Linux will have this real quick if it works out nicely. There are better security models for Linux already implemented and running in specialized distributions, they would no doubt be brought into mainline is they appear useful.

You're looking at it the wrong way. Microsoft is behind and has been so for a very long time. The stuff you want is part of the problem with their occasional 'buy instead of implement' business model.

This I call bullshit, we don't know the actual state of the IE code but I can't say that I see any reason why it should be bad. What Microsoft did do

Something doesn't make sense

[Thu25245]

Vulnerabilities are a product of mistakes on the part of the people who write the code. The number of bugs in a piece of code is a function of the experience, skill, and coding/QC practices of the programmer(s) who wrote that code.

There is no relationship between popularity and vulnerabilities in software. Period.

There may be a relationship between popularity and exploits in code (hackers targeting the biggest slice in the pie.) But this wasn't about exploits, it was about vulnerabilities.

More appropriately, there may be a relationship between the popularity of a codebase and the likelihood that any inherent vulnerabilities will be discovered. Whether this is good or bad for the users of the software depends entirely on whether any discovered vulnerabilities are fixed, or allowed to fester so that they can be exploited.

Re:Usability.

[Alomex]

There is no reason a browser should mysteriously slow down your computer.

Really? Firefox dramatically slows the de-hibernation procedure in my laptop if I happened to access the CNN page before sometime before hibernating.

Firefox Zealots are REALLY Sensitive!

[SwashbucklingCowboy]

Why are Firefox zealots SO sensitive to any criticism or perceived criticism of FF?

FF has problems, so does any software of any significant size. There's no need to be so defensive!

Firefox is definitely losing some momentum

[Sivaram_Velauthapill]

Firefox is definitely losing some momentum. Its growth rate seems to have stagnated, and it is starting to show some of the problems that have plagued other browsers. Namely, firefox is quite unstable with the latest official release (it takes up a lot of memory and slows down if you have multiple tabs open with somewhat sizeable (1MB) images. I think there is something wrong with the way it allocates and frees memory.) There is also some increase in vulnerabilities.

I think the real test will be to see what happens when the new version of Internet Explorer comes out in a few months. Is that going to steal back some of the lost market share or will firefox out-innovate it?

Re:Short and simple

[LordoftheWoods]

Yes, there are facts, and these may well be reliable. The conclusion however is not. He just fell into the trap of more vulnerabilities reported => more vulnerable. TFA is not considering other explanations for the data. We are not questioning the data, only the conclusion.

right, and the statistics are bad anyway

[conJunk]

More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.

exactly. and really, at the end of the day it's not just number of the exploits, is it? maybe firefox has 44 exploits, all of which are easily implemented by a supreme diety who speaks assembler like a native speakers, and which, once done, make the browser a little slower or the graphics render funny.

whereas there may be only 6 exploits for IE, but my dog can (and does) routinely use them, and every single one of the roots the box the browser's running on.

this is clearly exagerated a bit, but the simple *number* of exploits isn't too relevent

Re: Is the Firefox Honemoon Over?

[TopherC]

This is one that shows up over and over, that IE's basic design is flawed. Which is, as far as I can tell, unfounded. All the external interfaces and architecture seems clean and nice enough, and since I (and I would guess; you) have no way to look at the source I can't say that we have any reason to believe that the IE source is in a bad state.

I'm no expert on this stuff, but I think some of the basic design flaws in IE were Active X (what were they thinking?!), overly-tight system integration (inflating minor security flaws into complete system compromise), and the way it handled MIME types based on file extensions (part of the former design flaw, really). We don't need to read the code to know about these flaws. They are manifest in the way the program behaves.

As for IE7, I haven't seen any features promised that Firefox doesn't already have. And I think Firefox is still more standards-compliant, which is a pretty big deal to me. Also, Microsoft's general attitude toward their web services has been contrary to the spirit of common standards with multiple implementations, and has almost always been some kind of maneuver to force a lock-in. They thought they had that with IE 4.0, which explains why they didn't really take the broswer any further until maybe now.

This presents a kind of moral argument for using Firefox over IE. It sounds ridiculous on the surface, and it would be in any kind of sane universe. But we have Microsoft.

Re: Is the Firefox Honemoon Over?

[MrAnnoyanceToYou]

Right, I don't really buy this study either. I were just stating that if one says that Firefox is worse now one can't argue that people should switch. Also, sure, if people switch over in masses the development effort will go faster, but this was not really about what was best for Firefox, but what is best for the user now.

Best for the user right now is probably Opera - noone is willing to pay for a browser so there aren't really that many people willing to mess around with writing viruses and crap for it. As to whether Firefox or IE is better, well... Hard to say. I'd have to sift through exactly what the holes found in Firefox were, but last time I read up in any detail on the security holes found in an Open Source project, I was pleasantly surprised to find that they were all holes in tertiary stuff... Linux server software (and this is not necessarily true of Firefox, I'm really going way out on a limb here, and it will take backup from someone who keeps completely on top of this to really help me out... hint hint...) has bugs and problems and security patches, yes, but they're for a minor exploit that crashes or allows someone in through highly obscure software. Microsoft, since it's all one big piece, ends up handing you the keys to the castle. Therefore, one Microsoft bug can be seen as an unequivocal disaster and twenty Linux bugs can be seen as a biteme.

This is one that shows up over and over, that IE's basic design is flawed. Which is, as far as I can tell, unfounded. All the external interfaces and architecture seems clean and nice enough, and since I (and I would guess; you) have no way to look at the source I can't say that we have any reason to believe that the IE source is in a bad state.

This is where I do have proof. All those security patches for IE? Yeah, design flaw. It's not an arms race to fight off the hackers at the gate because you wrote effective, stable software. It's an arms race to fight off the hackers at the gate because you wanted to lock Netscape and friends out of the browser industry by making ActiveX mildly attractive and highly proprietary / dangerous to work in due to its features which were promised but under-tested. Or badly designed. Take your pick.

This is not a process-level permission thing (which would wreck the way the application works, you need to be able to save files, change settings and so on for it to be a sane desktop application). Rather Microsoft is finally getting around leveraging and extending the rather advanced and fine-grained NT security model for something. The basic idea is that most of the application runs with very restricted permissions and can launch subcomponents like a download or settings panel that have a higher level of permission. This is set on a very fine-grained level. There is no need to have separate components, nor is it all-or-nothing, a component can have access to specific system calls according with specific parameters, they may change only some given parts of the registry and so on.

You mean like Unix? What an innovation!

This I call bullshit,

Microsoft has been behind in security design for over a decade. I was working in Unix, which is capable of doing the things you're calling revolutionary, when I was in junior high a full uhm.... Longer than I want to think about... ago. Everything is a file and files have - while not a perfect permissions system - at least something which is designed for multi-user and therefore easily modifiable to multi-permission. Call BS all you want, but M$ has a lot of spaghetti code in your computer....

I'm trying not to be biased here, but I obviously am very much so.

Re:What happens when IE Vista goes mainstream?

[LordoftheWoods]

Read: this is what MS is telling you. It may have no effect whatsoever. It IS possible and it SOUNDS good. "We will have it fixed, soon." Of course they're not keeping their plans to fix your life Real Soon(tm) a secret. This page is only slightly technical, and is made to market Vista. If these take the form of real architectural changes in Windows which make it true, then great! My point is that experience has taught us to be skeptical of Microsoft.

Things like not giving services rediculous privileges is something that has been possible on *NIX for years. Also, sane defaults (ie, not creating everyone as an Administrator on setup) were also not just now discovered Microsoft. They just never were in Microsoft's interests (their customers didn't care) so they never bothered to implement them that way. Now that their home customers have realized that maybe security is a good idea, they are telling you everything you want to hear.

Re:Users or Superusers??

[epsalon]

Firefox developers implemented STANDARDS, not just allowing any convoluted mixure of tags. IE's improper rendering of DIVs inside SPAN or A tags has resulted in a web full of noncompliant sites, and required all major browsers to implement a slow parser to try and guess what the "web developer" meant.

It's a matter of attitude matters most

[ramsj900]

Microsoft has the attitude of them against the world. They will conquer spam, hackers, or any flaws in the system. Founded in a belief that because they created windows and hold the code that it is their right to take on any malicious code themselves. The problem is that with such a god-complex stance they end up challenging every hacker to show them how they are so wrong. The introduction of Sp-2 was the solution? One flimsy firewall was all that was needed to keep the 'bad-men' at bay? Mozilla Firefox developers attitude is that security is important and that is a real pain in the ass for almost everyone involved. Firefox is an alternative to IE not as a solution to the problem, but because they offer tools to deal with the problem. Switching to firefox and doing nothing is not a solution to anything. Firefox offers meaningful tools to address security problems, but users still have to implement them. If one user is a paranoid freak that wants no porn, no spam, no interaction with the web he can structure firefox to be so prohibative through the many extensions that he can feel all safe in spite of not getting a very interactive web experience. Much harder to do in IE6. If another user is willing to trade web experience for security firefox allows for that too. After beta testing Deerpark Alpha it is apparent that the mozzila team is really stepping up the security options as well as making it easy to use them. Offering strong security options as a choice allows user to get what they want out of their browser. Ultimately, the answer to internet security is the same as the answer to any large social problem. Until society makes the rewards for negative behavior worthless the negative behavior will continue. If your house is full of goodies...it matters not how many locks you have. The solution is to make hacking worthless or at least less of a challenge

Re:No Software is Perfect

[jesser]

i've had firefox crash on me at least twice a DAY in the last year or so.

Here's what you can do:

1. Upgrade to Firefox 1.5 Beta 1 (at least). Do a custom install and check the box for the "Quality Feedback Agent" (Talkback crash reporter).

2. If Firefox ever crashes, let Talkback send the crash reports to the server.

3. If you continue seeing lots of crashes, send me some Talkback IDs and I'll try to determine whether it's a known problem and whether there is a workaround by searching Bugzilla or examining the stack trace.

let's see...

[The Master Control P]

Rather than simply counting vulnerabilities, take at look at the reports for Firefox [secunia.com] and Internet Explorer 6 [secunia.com]. Firefox 1.x shows 22 holes, 3 unpatched and rated 'less critical.' IE6 has 85 holes, 1/4 unpatched, and a 'highly critical' buffer overflow in ActiveX that's been open since 2003. Now, tell me, which one is more secure?

[Insert usual mantra of anyone being able to fix F/OSS but only MS being able to fix MSIE here] [Append snide remark about companies trying to hide rather than fix vulnerabilities here] [Insert random Zeeky Boogy Doog here]

I don't care what anyone says

[jambarama]

I am a computer assistant at a very busy computer lab. In fact the most used lab at my university (a private university of over 40,000 students). Whenever blackboard or webapps act funny I direct people to firefox, and problems disappear. There may be security problems, but they get fixed, machines get re-imaged, and firewalls protect. But having a usable, working browser is priceless.

Re: Is the Firefox Honemoon Over?

[mangobrain]

So in other words, you've installed a little known, third party tool, to shield your browser from those dastardly Internets. This is not "good practice" - it should not, under any circumstances, be necessary to transparently doctor a program's input stream in order to keep said program happy. Not when said program is as frequently and widely used - indeed relied upon - as a web browser. If such a feature is genuinely useful in achieving robust security, then it can damn well be a feature of the core program, not something the user has to go above and beyond to utilise. IE is not made inherently more secure by using such tools; instead, you have simply introduced more developers into the arms race, who may or may not be more agile than MS when it comes to catching new exploits.

Congratulations - you've fitted your browser with a pair of rose-tinted glasses while it slept.

Doesn't this happen every couple months?

[Sj0]

Seriously, doesn't this happen every couple months -- some idiot notices that active Open Source projects get more bug reports than Commercial projects, and suddenly the worlds on fire and the OSS model is unsound and the software is useless?

I'm not going to reiterate the truth of the matter, because if you don't know it by now, you are probably one of the few who don't WANT to know.

Re: Is the Firefox Honemoon Over?

[shellbeach]

Note that only one of those is a 'critical' flaw, and that one is an ActiveX buffer overflow than can be avoided by just not using ActiveX. The rest are spoofing or system information flaws.

Actually, at least one other [secunia.com] involves the possible exploitation of malicious code, although it requires active user input to do so.

But let's look at that one big famous doozie, the ActiveX [secunia.com] exploit. That was reported in August 2003 - that's over two years ago!! It requires no user intervention if ActiveX is enabled, can do just about anything it wants to and it affects any MS ActiveX enabled product that can read HTML. The only solution is to turn off ActiveX, or to get it to prompt the user before it installs anything (which is not guarantee of safety). This is far, far worse than any exploit Firefox has ever had!

But even if it wasn't so potentially disasterous, don't you think MS would have been interested in fixing something that involves their pride-and-joy, ActiveX?? How could anyone ever look at such incompetence and claim that IE is more secure?!

Does ActiveX support limited capabilities?

[tepples]

Not everyone uses HTML as an interface to the masses - DHTML has proven itself to be a compelling application front end.

DHTML is scripted manipulation of the HTML DOM. It needs no custom ActiveX controls. AJAX as I know it is just DHTML + XMLHttpRequest.

I've been developing exclusively with IE & HTML & Binary Behaviours (a form of activex) with AJAX style architecture for more than six years because it's just so easy to turn out great looking apps.

Where were these apps deployed? On the Internet or on intranets? Unlike Java applets, ActiveX controls do not run in a sandbox by default, and they have full access to everything the user can read and write. Given that most users on Windows XP Home Edition still run as a user with administrative privileges, this can be and has been exploited as a major security hole for, say, adding spyware to a machine.

Given that the IE DOM is written in COM (something that Mozilla tipped their hat to with XPCom after the terrible architecture in netscape) does it not make sense to use activeX controls within IE? (ActiveX controls are COM components).

But does Mozilla Firefox allow random web pages to run arbitrary XPCOM controls with the user's full access rights?

Please explain why MIME types on file extensions are a bad idea?

Problem is that in certain circumstances, the Internet Explorer suite will ignore the Content-type provided by the server in favor of guessing a Content-type based on the last few characters of the URL. Not only does this behavior violate the RFCs that govern the Web and Internet e-mail, but authors of malicious programs for Windows have managed to exploit this misbehavior.