Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Security

Is The Firefox Honeymoon Over? 560

prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"
This discussion has been archived. No new comments can be posted.

Is The Firefox Honeymoon Over?

Comments Filter:
  • There is one significant difference. I'm a knowledgable user. I program and sys-admin. I practice good security. Regardless of the number of exploits out there, I've never been hit by a FF exploit. I have been hit by IE exploits.

    But the submitter is right. Though code security is important, the number of users is also a huge factor.

    Cue someone to mention Apache.

    Yes, Apache is everywhere, exploit-free. So are lots and lots of other binaries. It's only when you compare Apache to IIS 4/5 that it's really such a perfect example. Compare it to WinAMP, or Bash, or Finder, and its no more, no less secure.
    • Remember the age of the code though, how long has IE been around as compared to firefox. I would expect that about 6 years of sniffing thru firefox will result in less exploits that the amount thats still found in IE
      • by jiushao ( 898575 ) on Friday September 16, 2005 @02:38PM (#13579044)
        If this is so it just leads to the question: Why should people use Firefox now then? Lets wait until 2010 when it will actually be better and stick to IE which is better now.

        I don't really believe in this, but arguing like that is arguing against Firefox.

        My personal opinion on these things is: People care way too much about browser religion. Let people use IE, not that much wrong with it. Both IE and Firefox are huge complex applications processing huge amounts of diverse untrusted data. Sure it'd be great if they were secure, but it is just not happening that way yet.

        There might be some hope on the horizon with low-rights IE7. It might be that it really does manage to remove the impact of the bugs, which is really the best case scenario as things stand. If so we will no doubt see similar approaches integrated in Linux desktops and see Firefox refactored to use the same approach.

        • Let's go through your objections point by point

          If this is so it just leads to the question: Why should people use Firefox now then? Lets wait until 2010 when it will actually be better and stick to IE which is better now.

          Except then Firefox will not get developed to as high a level as IE has and will never reach that point. Note that this observer has the same problem as most observers who say, "It's better!" And that problem is that the numbers aren't exactly fairly proportioned. An IE hack that gives someone access to all your 'net data then wipes your entire hard drive is counted as one bug, as is a firefox flaw that gives someone access to your last ten sites viewed. That's a biased and unfounded example, but the reality stands regardless - THIS IS NOT A GOOD WAY TO DO A SECURITY STUDY.

          I don't really believe in this, but arguing like that is arguing against Firefox.

          It is arguing against the further development of Firefox, too. No users, no development.

          My personal opinion on these things is: People care way too much about browser religion. Let people use IE, not that much wrong with it.

          There's piles of things wrong with IE, they're just not user-visible all the time and that is a main portion of the problem's gestalt.

          Both IE and Firefox are huge complex applications processing huge amounts of diverse untrusted data. Sure it'd be great if they were secure, but it is just not happening that way yet.

          You can lock Firefox down if you want. Won't be able to see EVERYTHING, but it will definitely be secure. Not quite anywhere near as true with IE.

          There might be some hope on the horizon with low-rights IE7. It might be that it really does manage to remove the impact of the bugs, which is really the best case scenario as things stand.

          You can do this in linux. Natively. Just make yourself a different user with no rights to do certain things. Try that in Windows and see if it works for you. As to the, "Microsoft will solve everything in the end" mentality, well, I can't really argue with that.

          If so we will no doubt see similar approaches integrated in Linux desktops and see Firefox refactored to use the same approach.

          You're looking at it the wrong way. Microsoft is behind and has been so for a very long time. The stuff you want is part of the problem with their occasional 'buy instead of implement' business model.
    • by thc69 ( 98798 ) on Friday September 16, 2005 @02:23PM (#13578846) Homepage Journal
      It's great that as a sysadmin/programmer using firefox, you've had less problems than with IE.

      More importantly, when I switch my users to Firefox, they cease to have problems. More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.
      • by conJunk ( 779958 ) on Friday September 16, 2005 @04:18PM (#13580236)
        More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.

        exactly. and really, at the end of the day it's not just number of the exploits, is it? maybe firefox has 44 exploits, all of which are easily implemented by a supreme diety who speaks assembler like a native speakers, and which, once done, make the browser a little slower or the graphics render funny.

        whereas there may be only 6 exploits for IE, but my dog can (and does) routinely use them, and every single one of the roots the box the browser's running on.

        this is clearly exagerated a bit, but the simple *number* of exploits isn't too relevent
    • And conversly how many exploits are there for Microsoft Personal Web Server?

      The Difference isn't the number of users, it's the number of people actively looking for exploits. I could write a crappy piece of code with 100% market share, but if no one is trying to break it, it'll probably be pretty darn "secure"

      -Adam
    • by Anonymous Coward on Friday September 16, 2005 @02:28PM (#13578908)
      This is exactly true. I administer over 2,000 machines (mixed platform environment). We started installing Firefox as part our standard package over a year ago. There has never been one report of a problem with security involving Mozilla Firefox. There have, in the same time period, been numerous security problems originating in the Microsoft Internet Explorer web browser. It doesn't matter how many exploits get published if they aren't being exploited or their exploit does not result in any significant harm. As posters below have noted, this article is a result of bad journalism.
    • by rtkluttz ( 244325 ) on Friday September 16, 2005 @02:37PM (#13579020) Homepage
      Also.. the most important factor. The Firefox community fixes the problems.

      There are flaws in IE that have been known for better than 6-8 months and still there is no fix.
      • by kevlar ( 13509 ) on Friday September 16, 2005 @03:08PM (#13579436)
        There are flaws in IE that have been known for better than 6-8 months and still there is no fix.

        Ok, sure... I'll bite. I don't buy it. Name ONE risky security flaw that has been known for 6 months without being patched by Microsoft.
        • by dmaxwell ( 43234 ) on Friday September 16, 2005 @03:19PM (#13579573)
          I'll give you not one but 19.

          http://secunia.com/product/11/ [secunia.com]

          Watch what you ask for, you just might get it.
          • Note that only one of those is a 'critical' flaw, and that one is an ActiveX buffer overflow than can be avoided by just not using ActiveX. The rest are spoofing or system information flaws.
            • Note that only one of those is a 'critical' flaw, and that one is an ActiveX buffer overflow than can be avoided by just not using ActiveX. The rest are spoofing or system information flaws.

              Actually, at least one other [secunia.com] involves the possible exploitation of malicious code, although it requires active user input to do so.

              But let's look at that one big famous doozie, the ActiveX [secunia.com] exploit. That was reported in August 2003 - that's over two years ago!! It requires no user intervention if ActiveX is enabled, ca
          • I can't believe the most critical vulnerability inherent in IE has not been mentioned yet. What I am referring to is the fact that IE is a shell to the operating system

            For the benefit of those who don't know what that means, opening up IE is effectively the equivalent of opening up a command prompt. Any command typed into IE will behave as if you typed it into a command prompt and will execute with whatever privileges you have. For most users, this will be Administrator. Another brilliant design choice.

            G

        • Just one?

          How bout this one?

          A vulnerability has been identified in a Microsoft ActiveX plugin called MCIWNDX.OCX, which possibly allows malicious HTML documents to execute arbitrary code on a vulnerable system.

          The problem is that a property called "Filename" isn't properly verified allowing malicious websites or HTML emails to cause a buffer overflow by supplying an overly long string. This could potentially be exploited to execute arbitrary code on the system.

          unpatched since: 2003-08-14

          Granted, thats only a
        • Name ONE risky security flaw that has been known for 6 months without being patched by Microsoft.

          ActiveX?

    • Knowledgable? Practice good security? I'd say the same about myself, and I've *NEVER* been hit by an IE exploit.

      I'd say a fundamental part of good practice with IE is to use it with an HTML rewriter. I use "The Proxomitron".
    • Not all vulnerabilities are created equal. As you assert, there doesn't seem to be (m)any people actually getting their system compromised from Firefox issues. Contrast that with IE, where we have seen numerous exploits in the wild which install malware, simply from the user visiting a web site. In large part, I believe this is due to IE's integration with the base operating systm.

    • by abscondment ( 672321 ) on Friday September 16, 2005 @03:03PM (#13579381) Homepage

      You need only to look at secunia.com's summaries to see through the idiocy of this article:

      Microsoft Internet Explorer 6.x - Highly Critical
      Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.

      vs.

      Mozilla Firefox 1.x - Less Critical
      Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.

      Firefox: 0% Extremely Critical
      IE: 14% Extremley Critical

      Need we say more?

    • But the submitter is right. Though code security is important, the number of users is also a huge factor.

      The coding standards and testing proceedures of the project/programmers matters also. I just switched from Netscape 7 to Moz 1.7.11 and found an annoying (non-security related) bug in Moz. Looked it up in Moz's bugzilla and found it had been a problem in 1.4, patches submitted, and it was marked "fixed." And yet, 3 versions later I've found exactly the same bug. Whatever testing proceedures Mozil
  • by olympus_coder ( 471587 ) * on Friday September 16, 2005 @02:11PM (#13578699) Homepage
    Well, this is a good example of bad journalism. I don't want to get into a flame ware about which browser is more secure (although I have an obvious bias). What I'm try to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media. [slashdot.org]

    1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

    3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not just stop the current bleeding.

    2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category. MANY of the IE bugs over the last 5 years have been SUPER critical, allowing remote access with little or no user intervention and no settings work around. Are the fire fox bugs the same?

    3) Different organizations handle the vulnerabilities: MS and the Mozilla Foundation. MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.

    Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.

    IAAITG (I am a IT guy)
    • by thoromyr ( 673646 ) on Friday September 16, 2005 @02:19PM (#13578786)
      A very good set of points. One more (related to 3):

      4) How many unfixed vulnerabilities are there. The one that comes to mind is ActiveX
    • by drgonzo59 ( 747139 ) on Friday September 16, 2005 @02:20PM (#13578805)
      Counting the vulnerabilities is not really the way to assess the security implications of those vulnerabilities. There are different kinds of vulnerabilities. Perhaps, on Firefox the attacker can crash my browser - not that big of a deal, I'll just restart and then look for a patch (which comes out pretty fast). But there might an IE vulerability taht will give remove admin access to my machine. Now I think, one of those vulnerabilities outweigh 10 of the first kind. So you cannot really compare.

      They should have separated vulnerabilities into classes then also taken into account the average time between discovery and fix and ease of patching. Anyone one of such a study?

    • by Da_Biz ( 267075 ) on Friday September 16, 2005 @02:21PM (#13578812)
      What I'm try to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media.

      AMEN! Your pickles example is a good reminder of the confusion many Americans have over causality vs. correlation.

      Damned Lies and Statistics by Joel Best is an excellent primer in the dangers of poorly used and cited statistics. It's a must read:
      http://www.amazon.com/exec/obidos/tg/detail/-/0520 219783 [amazon.com]
    • by Anonymous Coward on Friday September 16, 2005 @02:25PM (#13578866)
      Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.

      Great, another apologist for the pickle manufacturers...

    • >Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

      And perhaps not.
      And perhaps MS IE is exposed to more scrutiny because it's #1 browser? And perhaps not.
      As we can't tell for sure, it's best to ignore such speculations.

      >3 (sic)) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not
      • by dolphinling ( 720774 ) on Friday September 16, 2005 @03:03PM (#13579375) Homepage Journal

        And look at the most recent Firefox fix - it's a temp fix which only disables the insecure feature.

        There are a couple reasons for this. First, that patch was easy to make and test, and could be pushed out in, if my research is right, exactly 6 hours from the time it was on Full Disclosure to the time the patch was publicly available. The actual patch needed more than six hours to be made, tested, etc.

        Also, several other security fixes are being put in to 1.0.7, which will be the patch for this.

    • Don't forget that Internet Explorer isn't a moving target. Firefox is in constant development and releases are being made at fairly regular intervals, thus there are bound to be bugs. Has Internet Explorer seen any development in the last few years other than just bugfixes (not including IE7)?
    • The biggest weakness of firefox is that most users will never patch it. For example, I've never been aware of a firefox patch, nor have I applied one. Windows on the other hand harasses me relentlessly now to install patches IMMEDIATELY even if I'm in the middle of a game or something.


      I still use firefox of course!

    • by Stack_13 ( 619071 ) on Friday September 16, 2005 @02:42PM (#13579089)
      Criticality of vulnerabilities is quite clearly determined in the Secunia reports.

      For Mozilla [secunia.com], there has been 0% of extremely critical vulnerabilities and 23% of highly critical in 2003-2005, whereas for IE [secunia.com] 14% were extremely critical and 29% highly critical in the same time period.

      Furthermore, a total of 31% (out of of 69 advisories, or 21 individual cases) of IE vulnerabilities may result in system access. In Mozilla, the corresponding numbers are 18% and 4 advisories.

  • Apples to Apples (Score:5, Insightful)

    by gbulmash ( 688770 ) * <semi_famous@noSpAM.yahoo.com> on Friday September 16, 2005 @02:12PM (#13578703) Homepage Journal
    I don't recall there being *that* many vulnerabilities and exploits for the browser itself, but that there were some serious ones for common extensions. Now, I can't say this for certain, but is it possible that he's lumping in the vulnerabilities/exploits for popular 3rd party extensions (like the recent pretty big one with GreaseMonkey) with vulnerabilities/exploits for the core browser?

    As well, how many of these vulnerabilities/exploits were "critical" and how severely did they expose your computer to running unauthorized code vs. the MS ones? How much effort did it take to repair them? The last vulnerability I recall patching required making a minor change to my Firefox config by hand rather than patching or upgrading.

    Because IE is so tied in not only to the OS, but to various Visual Studio API's, were Microsoft's vulnerabilities more far-reaching?

    I'm no MS apologist, but I'm also not a Linux or OSS zealot. I like to use what works best for my needs and habits, which ends up being a mix of Closed Source and Open Source products. I don't want to be biased on one side or another, but I'd like to be sure that comparisons like this are apples to apples.

    - Greg

    • Re:Apples to Apples (Score:2, Interesting)

      by Anonymous Coward
      Now, I can't say this for certain, but is it possible that he's lumping in the vulnerabilities/exploits for popular 3rd party extensions (like the recent pretty big one with GreaseMonkey) with vulnerabilities/exploits for the core browser?

      Also, many of the common extensions (Adblock & Noscript, for instance) block potential Firefox vulnerabilities.

      I have run into the situation where I go to a "FF exploit proof of concept" page and the exploit doesn't work because Adblock blocks it.
  • Hey! (Score:3, Funny)

    by Brandon K ( 888791 ) on Friday September 16, 2005 @02:13PM (#13578712)
    This is Slashdot! You're not allowed to talk about Mozilla like that!!!
  • by kevin_conaway ( 585204 ) on Friday September 16, 2005 @02:13PM (#13578713) Homepage
    I use it because its a better browser. It has more (and better) features than the competition. THAT is why I use it and recommend it to those who ask, not because of its security track record.
    • Oddly enough, I use Opera for exactly the same reason. I used to be in the Firefox camp as well, but decided to try out Opera when they were handing out free registration keys. Long story short, I tried it, loved it, switched -- and never looked back.
  • Slash Troll Alert (Score:5, Insightful)

    by Sounder40 ( 243087 ) * on Friday September 16, 2005 @02:14PM (#13578726)
    Another in a series of stories that seem to be written to raise the ire of /.'ers. You're smarter than this, fellow reader. Do not give in to the temptation to flame on. We all know better. Sad that the writer didn't.
  • These numbers (Score:4, Insightful)

    by hungrygrue ( 872970 ) on Friday September 16, 2005 @02:14PM (#13578732) Homepage
    don't mean anything unless you do a side by side comparison of the security holes. What is the severity of each bug? Clearly, there is more activity and work in finding and actually fixing bugs in FF than there ever could be in IE, which could in and of itself account for the higher numbers.
  • by TEMM ( 731243 ) on Friday September 16, 2005 @02:15PM (#13578736)
    Yes there are a lot of problems with firefox, its being developed so there are going to be vulnerabilities and security problems, but at least its constantly being developed. When everyone moves over to Vista and uses the new version of IE for Vista its going to be the same old crap all over again and im sure that IE will once again have more problems then firefox.
  • Choice... (Score:5, Insightful)

    by gsfprez ( 27403 ) * on Friday September 16, 2005 @02:15PM (#13578740)
    Here's the difference.

    If the Firefox web browser sucks, the average Joe can uninstall that web browser from a Windows box....

    if IE sucks...
  • Short and simple (Score:5, Insightful)

    by cyberlotnet ( 182742 ) on Friday September 16, 2005 @02:15PM (#13578746) Homepage Journal
    1. How many Critical IE vs Firefox
    2. How fast where patches/new versions deployed
    3. How many days was the browser open to the exploit

    And Finally

    4. Total number of days browser was exploitable - IE vs Firefox

    I bet you will find issues in IE that are not even patched yet, turnaround for more Firefox issues however? In most cases a solution within hours a patch within days.
  • misleading (Score:3, Informative)

    by bcrowell ( 177657 ) on Friday September 16, 2005 @02:16PM (#13578759) Homepage
    The article is misleading. Firefox is open source. Anybody who wants to inspect the source code for security holes can do so. If a bug is found, either by inspecting the code or by some other method, there's a community around Firefox that will happily publicize that information, fix the bug, and release a fixed version promptly for free.

    Also, the number of security flaws reported is meaningless. A security hole could be very serious, or completely inconsequential.

    And by the way, the article is extremely short, and doesn't actually give much useful info beyond what was in the slashdot summary, so please think twice before clicking through to TFA and steering ad revenue to zdnet.

  • I read thru some of Ou's other blogs, and I have to say he seems to be a MS Troll.
  • It seems to me... (Score:2, Interesting)

    by WVDominick ( 860381 )
    It seems to me that MS simply won't patch certain things in IE. They haven't from the very beginning. Firefox is pretty new and will always have more security issues early on. Seems simple to me.
  • by uberdave ( 526529 ) on Friday September 16, 2005 @02:18PM (#13578775) Homepage
    Yes, the honeymoon is over, and now the more enjoyable adventure of building a life together begins.
  • by Anonymous Coward
    The number of vulnerabilities and exploits make some difference, but what about the average time it takes to fix the vulnerabilities? If one takes an average of 2 weeks and the other 2 days, I'd rather have the latter.
  • This is always an argument used against open source, but its a poor one.

    With general software development practices as well as because of other things, both open and closed source software will have securtiy issues.

    But the probability of finding them in open source software is much greater because you have access to the source. It does not mean that open source software may have more bugs.

    With the benifit of having the source code, its more likely that it will be found and fixed before an exploit is develop
  • I'm not excusing Firefox for having security vulnerabilities, but you have to look at the fact that Firefox is relatively young and is rapidly growing. IE has had time to work out a lot of the bugs over the years since IE6 went live. How many years has IE6 been around with little or no modifications? There's less chance of introducing a bug because of this, but the browser is nearly featureless compared to Firefox because of it. Which would you rather have?

    Secondly, Firefox's exploit to patch time is
  • Or is it just that, with source fully available for people to examine (and a community of die-hards willing to spend a Saturday evening actually looking at same), flaws can be more easily found?

    I don't know if that really would make much of a difference, but then again, we can't really know for sure since the IE source code isn't available to make it a fair test.

    Anyone out there who does seek out flaws care to shed some insight on how you go about doing it? I imagine some is like with old school video game
  • by aug24 ( 38229 ) on Friday September 16, 2005 @02:21PM (#13578823) Homepage
    When FF is ten years old, like IE, he'll have a point. Right now, a 2-year-old piece of software is getting a similar number of exploits to an application that should be mature and stable and secure... but isn't.

    J.

  • Usability. (Score:5, Interesting)

    by Puls4r ( 724907 ) on Friday September 16, 2005 @02:22PM (#13578837)
    For me, it's not the number of vulnerabilities and never was. I, like most other people, used IE because it was preinstalled. I was lazy and figured "a browser's a browser". Only once I started using other browsers did I realize:

    1. There is no reason a browser should lock your operating system.
    2. There is no reason a browser should mysteriously slow down your computer.
    3. There is no reason a browser should purposefully make it difficult to change some settings.

    It's like the Messenger service that Microsoft seems DETERMINED to re-enable on my computer every time I update / patch. I know what settings I want, and the browser that lets me use those settings with a minimum of issues is the one I'll use. This isn't loyalty. It's a user-friendly program that doesn't pretend to believe it knows what I want better than I do.
    • Re:Usability. (Score:3, Insightful)

      by Alomex ( 148003 )
      There is no reason a browser should mysteriously slow down your computer.

      Really? Firefox dramatically slows the de-hibernation procedure in my laptop if I happened to access the CNN page before sometime before hibernating.

  • i would consider this a good sign for firefox; all the attempted exploits, in my mind, point to the fact that firefox is grabbing mindshare as well as marketshare - you know your close to the top when someone tries to knock you off..
  • So what this article says is that the open source development model finds and fixes bugs much quicker than a single company could ever hope to. Cool. I'd much rather have security holes discovered and fixed quickly - also I wonder how many of these holes in FF only effected Windows users?
  • IE exploits fsck with your entire system. you know, it's a built in component. FF problems are more limted and deal more with windows alone. i've had no problems with FF on os x nor linux. FF and IE exploits are apples and oranges.
  • misleading (Score:3, Insightful)

    by FLoWCTRL ( 20442 ) on Friday September 16, 2005 @02:29PM (#13578921) Journal
    I would like to see a comparison of the seriousness of the vulnerabilities - how many of those IE exploits gave remote users full control over the victims computer, vs those of Firefox? Given that IE is so deeply tied into the OS, security problems with it tend to be much worse. For Firefox, the vulnerabilities tend to be trivial, such as browser crashes.
  • Strange... (Score:5, Insightful)

    by devaldez ( 310051 ) <devaldez@comcasP ... t minus language> on Friday September 16, 2005 @02:35PM (#13579009) Homepage Journal
    What I find most fascinating is that no one seems willing to recognize that the more users you have, the greater the interest in hacking becomes. If you have a paltry penetration for your technology, hackers ignore you.

    Now, is Firefox more secure? In theory it should be. Are the exploits in Firefox less problematic? Well, until hackers care to exploit it, who the heck really knows? I remember when Firefox pop-up blocking worked. Now, there are known methods to circumvent the technology...go figure...the folks who care have found new methods because Firefox was eating their lunch.

    Now, I heard someone say that Apache is a model...what about all those worms that have been attacking, and defeating, Apache for the last 3 years (slapper, scalper, etc.)? Apache's only grace is that the developers move FAST when a new exploit is found. However, most attacks are not day zero attacks, which means that the vast majority of attacks are based on known, patched or patchable flaws.

    So, it is incumbent on any admin to keep their systems up-to-date AND recognize that patch management is one of the key hallmarks of a secure system.

    What does this mean for Firefox? Same patch management must be implemented for Firefox as should be in place for Exploder. Moreover, perimeter firewalls and intrusion detection systems must be in place and up-to-date themselves. And even with this diligence, per the CSI FBI Computer Crime & Security Survey 2005, 95% of Enterprises experienced system penetration and 55% were attacked by worms or viri.

    Guess what? Software development methodology is not a panacea anymore than anything else.

    Diligence, not arrogance, will protect your computing assets.
  • by raddan ( 519638 ) on Friday September 16, 2005 @02:36PM (#13579012)
    According to Secunia (the same source of this author's data, BTW), there are still 19 of 85 [secunia.com] reported vulnerabilities unpatched for IE 6.x. Contrast that to the 3 of 22 [secunia.com] unpatched vulnerabilities in Firefox. This is a much more important figure to me. The Mozilla crew gets their fixes out faster, and this is why FF is deployed company-wide for us.

    The most important thing this author should have asked is: what is the severity of these vulnerabilities? Something like a DoS is a PITA, but compared to a vulerability that opens a machine to remote system access-- come on! Let's compare: IE [secunia.com] Firefox [secunia.com]

    IE integrated into the base OS gives a lot of those buffer overflows much more destructive potential than some regular old program. I'm not ruling FF out as a potential threat, but so far, it has shown itself to be far less dangerous than IE.

  • by DoubleDangerClub ( 855480 ) on Friday September 16, 2005 @02:39PM (#13579050) Homepage
    I find it very interesting that 9 times out of 10, if I ask someone why they use Firefox, the response is "Tabbed Browsing" or "It's not Microsoft."

    As a developer, I have found Firefox to be almost unusable in many instances:

    1) They implemented CSS, but none of the old CSS. This means when you change a cursor to a "hand", it won't recognize it.

    2) It also leaves you unable to create custom variables in HTML tags. This leaves out ease of use in dynamic information systems.

    3) You cannot call a style of an document object directly, you must first call the object, then on a seperate line, call that object's style you want. Just plain inefficient.

    4) You cannot use span tags or div tags even remotely how you can in IE (and some cases even in Safari!).

    5) They took out many Javascript functionalities because they simply couldn't implement them correctly. (.focus())!

    In the end, it's frustrating that in Firefox you must deal with coding around what they left out, because it's more "secure", and as we now know, it's not even more secure! And thank you to Firefox for making me have to download a plug-in every time I want something to work like it should. It's just not what everyone seems to think it is. Is it just an excuse to name drop something new??
    • Firefox developers implemented STANDARDS, not just allowing any convoluted mixure of tags. IE's improper rendering of DIVs inside SPAN or A tags has resulted in a web full of noncompliant sites, and required all major browsers to implement a slow parser to try and guess what the "web developer" meant.
  • by l3v1 ( 787564 ) on Friday September 16, 2005 @02:45PM (#13579121)
    I mean, From March 2005 to September 2005 ?! Good god, I thought ignorance could no longer make me mad, but yes, it can. Educate us please, 1) how many versions of IE were released in this timespan, 2) how many vulnerabilities were disclosed about IE6 since it was released, 3) how many vulnerabilities had IE when it had the same [release] age as Firefox has now, 4) how does the patch release speed of Firefox and IE compare, 5) how does the feature set of Firefox and IE compare, 6) how does the size, stability, platform support, plugin support of Firefox and IE compare, 7) how many vulnerabilties of IE's and how many of Firefox's were/could in fact be exploited by worms and trojans in this period.

    I could go on with this, but for me, even these questions are more important, by a magnitude, than how many exploits were discovered.

  • by akmolloy ( 686919 ) on Friday September 16, 2005 @02:46PM (#13579136)
    I really want to give Firefox to all my users, but there's no good way of managing the updates for my users. Until the Firefox comes packaged as an MSI so that I can force an upgrade via Group Policy, I won't install it on my users machines. And when they do make an MSI for it, how am I to keep people up-to-date with extensions? The Grease Monkey extension had a vulnerability awhile back, and I don't see a way for Firefox to allow me to force an upgrade to everyone for extensions. IE works well because I can release patches for it via WSUS. And since SP2 for XP, we've had less calls about spy/adware installs.
  • by spoonyfork ( 23307 ) <spoonyfork&gmail,com> on Friday September 16, 2005 @02:47PM (#13579153) Journal

    Firefox ... is the popular Internet browser becoming a security nightmare for IT administrators

    Not a statement of fact but by asking it as a question you give the meme credibility. Get those ad servers warmed up.

    As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading.

    Really, need some straw?

    [statistics of vulnerabilities provided without context] ... It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.

    Oh, I see you are already building your straw man [wikipedia.org]. What was your point again... FF is no better than IE so don't bother trying to use it? Nice. Not sure which is worse, the the zdnet Microsoft shill or this poseur inciting a flame war to embiggen ad server revenues. Bravo, your internship at FoxNews is waiting.

  • by Jugalator ( 259273 ) on Friday September 16, 2005 @02:48PM (#13579164) Journal
    It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits.

    What can I say? I pity the administrator that need "proof" to realize this.
    Straight to the "Security 101" class you go, as you should have before getting a job.
    Or if not having one, thank god for that.

    As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading.

    Here's the hard facts according to Secunia...
    IE 6: 19 of 85 unpatched issues, the most severe classed Highly Critical.
    Firefox 1.x: 3 of 22 unpatched issues, the most severe classed Less Critical.
    Opera 8.x: 0 of 7 unpatched issues.

    I don't know about you, but as long as a product is auto-updating (which the Firefox 1.5 beta and onwards indeed is, like IE 6, and unlike Opera 8), what does it matter how many exploits are found? Isn't it how many issues you're affected by that matters?

    Yes, this was a problem with Firefox before 1.5 as you can't excuse having to manually upgrade your browser while monitoring security sites (at least not from the audience Firefox is targeting), and that's why I recommend people to upgrade to 1.5 ASAP. The minor instabilities still present from being in beta isn't as bad as missing out security fixes.
  • Pffft.. (Score:4, Interesting)

    by naelurec ( 552384 ) on Friday September 16, 2005 @02:58PM (#13579303) Homepage
    Should there be any surprise?

    IE6 has been out for 4 years and built on code that has been used for many years before that. With no significant features being added to IE6 and two major service packs it would seem that the software should be (at this time) very secure. Its still not.

    Firefox has been out for less than a year. Given the age, it would stand to reason that it would have more bugs that need to be fixed. With time, it would be anticipated these will reduce.

    Firefox has more features and higher degree of compatibility with standards -- I'd expect these would introduce bugs as well that need to be fixed.

    Firefox does not have access to the resources Microsoft has (some of the best developers, huge amount of capital, sophisticated testing facilities and networks, etc..) and as a result, it would be expected there are more bugs, etc..

    Firefox is available for a wider range of platforms. Given this variance, it would be anticipated more bugs would occur as a result.

    The source to Firefox is freely available. As a result, it is very possible for a wider amount of people to look at the code and find bugs MUCH easier than with IE. As a result, more bugs should be reported.

    I could go on and on and on.. but needless to say, the fact there are more security/bug reports shouldn't be that big of a surprise. The biggest question is if the fundamental architecture of the software keeps security issues minor and if the development team is capable of keeping their software secure in a quick and efficient manner.

    I think it is pretty clear from looking at the links provided in the article that this indeed is the case. The vulnerabilities are far less critical, there are less outstanding issues, etc..

    I'm curious how the picture will change a year or two down the road.. IE has been pretty consistent with security issues -- I really expect Firefox security issues to decline.
  • by ezweave ( 584517 ) on Friday September 16, 2005 @02:59PM (#13579317) Homepage

    So they found more exploits to FF. FF is also newer. Does this mention the hundreds of IE exploits in the back catalog? Does this mention some of the fatal flaws that MS has not repaired since IE 5? I know because I have had to hack fixes for web apps in IE... never had to do it for Firefox. Read through MSDN and count all the bugs, then read through Bugzilla.

    Any new product will have more flaws found per month than an existing product. This is common sense. The difference with FF is the turn around of the fixes. You could imply as much from the article. 40 down to 11. Notice how IE6 has the same amount still found (10 and 6 are alot closer than 40 and 11), and it is a product that has been on the market how long( 4 years [wikipedia.org])?

    There is no news here, just FUD and a normal software lifecycle. This is perfectly normal.

  • by SuperKendall ( 25149 ) * on Friday September 16, 2005 @02:59PM (#13579325)
    So what makes these people think that because IE has fewer fixes going in, they have fewer problems to start with?

    Remember that Firefox has far more people looking at the code base for errors - so fixes generated are for problems people have seen in code that can cause an issue, even if in practice they might never be used for an exploit.

    Meanwhile in IE you have fewer people just looking over the code for errors, so patches that come out are likley because someone, somewhere, is actually USING that hole right this second!!

    Then look at the numbers for patches and see if using IE doesn't just creep you out in all sorts of ways.
  • by Spy der Mann ( 805235 ) <spydermann.slash ... minus physicist> on Friday September 16, 2005 @03:08PM (#13579437) Homepage Journal
    Oh please, not again. "Firefox has more security bugs! firefox is teh evil! omgomgomg"
    I'd expect this kind of comments from a /. comment, but from a STORY SUBMISSION?
    In any case I already know the answer: "more bugs, but some less critical, and all patched in less time".

    Or am I wrong?
  • Whaa...? (Score:3, Insightful)

    by glwtta ( 532858 ) on Friday September 16, 2005 @03:09PM (#13579448) Homepage
    Honeymoon is over because the FF people fixed more security bugs than IE6? I don't follow.
  • links? (Score:3, Interesting)

    by binarybum ( 468664 ) on Friday September 16, 2005 @03:11PM (#13579471) Homepage
    Since Ou is too much of a prude to post the links to the exploits, can anyone here post them so we can get a better understanding of what the real differences are behind the different exploits?
  • misunderstood (Score:5, Insightful)

    by barryfandango ( 627554 ) on Friday September 16, 2005 @03:17PM (#13579555)

    "the facade that Firefox is the cure to the Internet Explorer security blues [...]"

    It's not a product specific issue. Diversity is the cure to monoculture security blues. The more mainstream a product becomes, the more malicious users will target it. And if it's the only game in town it might as well have a big bullseye pinned on it.

  • by Thu25245 ( 801369 ) on Friday September 16, 2005 @03:25PM (#13579645)
    Vulnerabilities are a product of mistakes on the part of the people who write the code. The number of bugs in a piece of code is a function of the experience, skill, and coding/QC practices of the programmer(s) who wrote that code.

    There is no relationship between popularity and vulnerabilities in software. Period.

    There may be a relationship between popularity and exploits in code (hackers targeting the biggest slice in the pie.) But this wasn't about exploits, it was about vulnerabilities.

    More appropriately, there may be a relationship between the popularity of a codebase and the likelihood that any inherent vulnerabilities will be discovered. Whether this is good or bad for the users of the software depends entirely on whether any discovered vulnerabilities are fixed, or allowed to fester so that they can be exploited.
  • by jebilbrey ( 764968 ) on Friday September 16, 2005 @03:32PM (#13579734) Homepage
    This author picked a date range that favored IE on the surface, and then quoted some pretty useless numbers which were skewed toward IE for the casual observer. Better numbers would be how many vulnerabilities REMAIN OPEN and HOW LONG they took to close from report date to fix date... I went to Secunia and pulled the following statistics In 2005 -- Firefox had 18 advisories posted. 1 remains unfixed, 1 remains partially fixed, 16 are fixed. -- IE 6.x had 11 advisories posted. 5 remain unfixed, 1 remains partially fixed, and 5 are fixed. Looking from 2003-2005 -- Firefox 1.x had 22 advisories posted (1 partial fix and 3 unfixed still) -- IE 6.x had 69 advisories posted (10 partial fix and 19 unfixed still) On Criticality of any advisory ever issued -- Firefox has had 0% extremely, 23% highly and 36% moderate -- IE has had 14% extremely, 29% highly and 20% moderate If you want tons more stats and graphs, go to... http://secunia.com/product/11/ [secunia.com] (IE stats @ Secunia http://secunia.com/product/4227/ [secunia.com] (Firefox stats @ Secunia)
  • Firefox is definitely losing some momentum. Its growth rate seems to have stagnated, and it is starting to show some of the problems that have plagued other browsers. Namely, firefox is quite unstable with the latest official release (it takes up a lot of memory and slows down if you have multiple tabs open with somewhat sizeable (1MB) images. I think there is something wrong with the way it allocates and frees memory.) There is also some increase in vulnerabilities.

    I think the real test will be to see what happens when the new version of Internet Explorer comes out in a few months. Is that going to steal back some of the lost market share or will firefox out-innovate it?
  • by pjrc ( 134994 ) <paul@pjrc.com> on Friday September 16, 2005 @04:23PM (#13580288) Homepage Journal
    From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer.

    Only ten?? Guess it depends on where Internet Explorer ends and where the "operating system" begins. Many of the worst bugs haven't "officially" been MSIE bugs, but the result is that a malicious web page can take control of your system or do other things you'd never imagine it ought to be able to.

    I did a quick search of the microsoft bulletins and found 13. And these aren't even exactly the same ones Secunia lists (two of which they say Microsoft hasn't even fixed).

    And why from March? Look at what an ugly month February was for MSIE.

    MS05-038 - aug 17 [microsoft.com]
    JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988
    Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989
    COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990

    MS05-037 - jul 12 [microsoft.com]
    JView Profiler Vulnerability - CAN-2005-2087

    MS05-032 - jun 14 [microsoft.com]
    Microsoft Agent Vulnerability - CAN-2005-1214

    MS05-028 - jun 14 [microsoft.com]
    Web Client Vulnerability - CAN-2005-1207

    MS05-026 - jun 14 [microsoft.com]
    HTML Help Vulnerability - CAN-2005-1208

    MS05-025 - jun 14 [microsoft.com]
    PNG Image Rendering Memory Corruption Vulnerability - CAN-2005-1211
    XML Redirect Information Disclosure Vulnerability - CAN-2002-0648

    MS05-024 - may 10 [microsoft.com]
    Web View Script Injection Vulnerability - CAN-2005-1191

    MS05-020 - april 12 [microsoft.com]
    DHTML Object Memory Corruption Vulnerability - CAN-2005-0553
    URL Parsing Memory Corruption Vulnerability - CAN-2005-0554
    Content Advisor Memory Corruption Vulnerability - CAN-2005-0555

    MS05-015 - feb 8 [microsoft.com]
    Hyperlink Object Library Vulnerability - CAN-2005-0057

    MS05-014 - feb 8 [microsoft.com]
    Drag-and-Drop Vulnerability - CAN-2005-0053
    URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054
    DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055
    Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056

    MS05-013 - feb 8 [microsoft.com]
    DHTML Editing Component ActiveX Control Cross Domain Vulnerability - CAN-2004-1319

    MS05-009 - feb 8 [microsoft.com]
    (PNG buffer overflow, may not affect IE, remote code execution in MSN, WMP, etc)

    MS05-008 - feb 8 [microsoft.com]
    Drag-and-Drop Vulnerability - CAN-2005-0053 (yes, exploitable via web page)

    MS05-006 - feb 8 [microsoft.com]
    Cross-site Scripting and Spoofing Vulnerability - CAN-2005-0049

  • by bahwi ( 43111 ) on Friday September 16, 2005 @04:38PM (#13580453)
    You can't simply look at the numbers, imagine 2 vulnerabilities:

    Browser A has a vulnerability, it opens access to a virus or spyware to enter your computer and get all your information while selling your children into slavery.

    Browser B has a vulnerability that hides the true url you're looking at, but makes it look funky as hell.

    Browser A get an update 6 months down the road that fixes this problem.

    Browser B is fixed by an immediate change to the configuration, and an updated version is issued disabling that featureset. Then, shortly after, another new version is available, with that featureset back on.

    These are hypothetical, IE doesn't really sell your children into slavery. =) And I doubt my FF history is correct. But what's worse? A problem where your car explodes when driving down the "wrong street" or your seatbelt being a little sticky? Both count as 1 problem, and thus looking at numbers becomes flawed.

    Firefox finds the problems and tries to fix them asap, with 1.5 it has automatic updates and binary patching, hell yeah. IE has delayed some problems until IE7, period. FF is actively finding and fixing probs, IE fixes major ones and pushes others to the back of the line.

    And that UI guy was right, Security doesn't interest non-programmers really. It's something to consider, especially in business/corporate enviroments, but "by the numbers" is really just asking to get yourself screwed.
  • meh, get it right (Score:5, Informative)

    by smash ( 1351 ) on Friday September 16, 2005 @05:35PM (#13580941) Homepage Journal
    Look at the number, and severity of *exploits* not patches.

    Thats a true-er representation of security.

    Mozilla usually patch flaws fairly quickly - there's flaws in IE that have been known for *years* before they were patched, if at all.

    smash.

  • let's see... (Score:3, Insightful)

    by The Master Control P ( 655590 ) <ejkeever&nerdshack,com> on Friday September 16, 2005 @06:45PM (#13581398)
    Rather than simply counting vulnerabilities, take at look at the reports for Firefox [secunia.com] and Internet Explorer 6 [secunia.com]. Firefox 1.x shows 22 holes, 3 unpatched and rated 'less critical.' IE6 has 85 holes, 1/4 unpatched, and a 'highly critical' buffer overflow in ActiveX that's been open since 2003. Now, tell me, which one is more secure?

    [Insert usual mantra of anyone being able to fix F/OSS but only MS being able to fix MSIE here] [Append snide remark about companies trying to hide rather than fix vulnerabilities here] [Insert random Zeeky Boogy Doog here]
  • by Sj0 ( 472011 ) on Friday September 16, 2005 @07:22PM (#13581607) Journal
    Seriously, doesn't this happen every couple months -- some idiot notices that active Open Source projects get more bug reports than Commercial projects, and suddenly the worlds on fire and the OSS model is unsound and the software is useless?

    I'm not going to reiterate the truth of the matter, because if you don't know it by now, you are probably one of the few who don't WANT to know.

Talent does what it can. Genius does what it must. You do what you get paid to do.

Working...