Is The Firefox Honeymoon Over?
prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005, 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In the April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"
No Software is Perfect (Score:1, Interesting)
The prime reason that we should support Firefox is that it is a well (but not perfectly) designed product and that it provides competition for Internet Explorer. One of the best innovations behind Firefox is the search-engine drop box, in which I can instantly do a search on any topic of interest. I set MSN Search as my default search engine on Firefox.
Re:Apples to Apples (Score:2, Interesting)
Also, many of the common extensions (Adblock & Noscript, for instance) block potential Firefox vulnerabilities.
I have run into the situation where I go to a "FF exploit proof of concept" page and the exploit doesn't work because Adblock blocks it.
Usability. (Score:5, Interesting)
1. There is no reason a browser should lock your operating system.
2. There is no reason a browser should mysteriously slow down your computer.
3. There is no reason a browser should purposefully make it difficult to change some settings.
It's like the Messenger service that Microsoft seems DETERMINED to re-enable on my computer every time I update / patch. I know what settings I want, and the browser that lets me use those settings with a minimum of issues is the one I'll use. This isn't loyalty. It's a user-friendly program that doesn't pretend to believe it knows what I want better than I do.
Re: Is the Firefox Honeymoon Over? (Score:5, Interesting)
More importantly, when I switch my users to Firefox, they cease to have problems. More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.
and how many have been fixed? (Score:2, Interesting)
I think these reports give the answer.
Firefox [secunia.com]
Internet Explorer [secunia.com]
To conclude, Firefox has three unpatched advisories, of which the most severe is "less critical". IE has nineteen unpatched advisories, of which the most severe is "highly critical". Notice that actually IE had more advisories, both patched and unpatched.
Yeah? And how many of those are still unpatched? (Score:3, Interesting)
The most important thing this author should have asked is: what is the severity of these vulnerabilities? Something like a DoS is a PITA, but compared to a vulnerability that opens a machine to remote system access -- come on! Let's compare: IE [secunia.com] Firefox [secunia.com]
IE integrated into the base OS gives a lot of those buffer overflows much more destructive potential than some regular old program. I'm not ruling FF out as a potential threat, but so far, it has shown itself to be far less dangerous than IE.
Pffft.. (Score:4, Interesting)
IE6 has been out for 4 years and built on code that has been used for many years before that. With no significant features being added to IE6 and two major service packs, it would seem that the software should be (at this time) very secure. It's still not.
Firefox has been out for less than a year. Given the age, it would stand to reason that it would have more bugs that need to be fixed. With time, it would be anticipated these will reduce.
Firefox has more features and a higher degree of compatibility with standards -- I'd expect these would introduce bugs as well that need to be fixed.
Firefox does not have access to the resources Microsoft has (some of the best developers, a huge amount of capital, sophisticated testing facilities and networks, etc.) and as a result, it would be expected there are more bugs, etc.
Firefox is available for a wider range of platforms. Given this variance, it would be anticipated more bugs would occur as a result.
The source to Firefox is freely available. As a result, it is very possible for a wider number of people to look at the code and find bugs MUCH more easily than with IE. As a result, more bugs should be reported.
I could go on and on and on... but needless to say, the fact that there are more security/bug reports shouldn't be that big of a surprise. The biggest question is whether the fundamental architecture of the software keeps security issues minor and whether the development team is capable of keeping their software secure in a quick and efficient manner.
I think it is pretty clear from looking at the links provided in the article that this is indeed the case. The vulnerabilities are far less critical, there are fewer outstanding issues, etc.
I'm curious how the picture will change a year or two down the road... IE has been pretty consistent with security issues -- I really expect Firefox security issues to decline.
Number of fixes not the same as error count (Score:3, Interesting)
Remember that Firefox has far more people looking at the code base for errors - so fixes generated are for problems people have seen in code that can cause an issue, even if in practice they might never be used for an exploit.
Meanwhile in IE you have fewer people just looking over the code for errors, so patches that come out are likely because someone, somewhere, is actually USING that hole right this second!!
Then look at the numbers for patches and see if using IE doesn't just creep you out in all sorts of ways.
Re: Is the Firefox Honeymoon Over? (Score:5, Interesting)
http://secunia.com/product/11/ [secunia.com]
Watch what you ask for, you just might get it.
Re: Is the Firefox Honeymoon Over? (Score:3, Interesting)
How bout this one?
A vulnerability has been identified in a Microsoft ActiveX plugin called MCIWNDX.OCX, which possibly allows malicious HTML documents to execute arbitrary code on a vulnerable system.
The problem is that a property called "Filename" isn't properly verified allowing malicious websites or HTML emails to cause a buffer overflow by supplying an overly long string. This could potentially be exploited to execute arbitrary code on the system.
unpatched since: 2003-08-14
Granted, that's only a little more than 2 years...
hey...not important.
But there are oodles more at:
http://secunia.com/product/11/#advisories [secunia.com]
Re: Is the Firefox Honeymoon Over? (Score:2, Interesting)
So I would say that many FF users are probably still on older versions based on my experience.
Re: Is the Firefox Honeymoon Over? (Score:3, Interesting)
The coding standards and testing procedures of the project/programmers matter also. I just switched from Netscape 7 to Moz 1.7.11 and found an annoying (non-security related) bug in Moz. Looked it up in Moz's bugzilla and found it had been a problem in 1.4, patches submitted, and it was marked "fixed." And yet, 3 versions later I've found exactly the same bug. Whatever testing procedures Mozilla & Firefox are using look pretty weak, and if they don't take regression testing more seriously, I predict that they will be hit again and again by the same bugs, some of which will be security issues.
The big advantage of Firefox is that it is not integrated with the OS in the same way that IE is. That alone is a big factor in reducing the number and severity of security bugs.
Difference in "Vulnerabilities" (Score:4, Interesting)
Browser A has a vulnerability: it opens access for a virus or spyware to enter your computer and get all your information while selling your children into slavery.
Browser B has a vulnerability that hides the true URL you're looking at, but makes it look funky as hell.
Browser A gets an update 6 months down the road that fixes this problem.
Browser B is fixed by an immediate change to the configuration, and an updated version is issued disabling that featureset. Then, shortly after, another new version is available, with that featureset back on.
These are hypothetical, IE doesn't really sell your children into slavery. =) And I doubt my FF history is correct. But what's worse? A problem where your car explodes when driving down the "wrong street" or your seatbelt being a little sticky? Both count as 1 problem, and thus looking at numbers becomes flawed.
Firefox finds the problems and tries to fix them asap, with 1.5 it has automatic updates and binary patching, hell yeah. IE has delayed some problems until IE7, period. FF is actively finding and fixing probs, IE fixes major ones and pushes others to the back of the line.
And that UI guy was right, security doesn't interest non-programmers really. It's something to consider, especially in business/corporate environments, but "by the numbers" is really just asking to get yourself screwed.