Firefox Exploit Adds Fuel to Browser Security Feud
An anonymous reader writes "Washingtonpost.com is reporting that a fairly nasty exploit has been released for a security hole that Firefox patched just yesterday. This is sure to add fuel to the ongoing heated debate over whether Mozilla is any safer than Internet Explorer." From the article: "This is not your run-of-the-mill proof of concept exploit code. It appears to be quite comprehensive, and would allow any attacker to use it with only slight modifications. According to the advisory, the code is designed to be embedded in a Web site so that any computer visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar."
Browser shmouser (Score:5, Insightful)
As an interesting aside: We just went through a two-day outage at the university here because of a worm that infected a series of Windows systems. My question to IT guy #1 was: "Dude, why did you guys switch from Solaris to Windows?" His reply was that "the Windows solution was cheaper". I said "Dude, you guys need Macs!", to which he replied "yeah, no $#!t" before he caught himself and said something unintelligible. Guy #2 that I spoke to today gave me some song and dance about how Macs are really hard to integrate into mixed-platform networks and then said something to the effect of "if Macs had greater market share, we would be in the same boat". I said something to the effect of "Bull$#1t". It comes down to management and OS design. Windows can be secure, but it requires much more oversight than do other alternatives. But fundamentally, all of the calls direct to the kernel that are available to applications are a problem that will not be solved until (hopefully) the next MS OS.
Even without root things can get nasty (Score:5, Insightful)
Even with just user-level access, it can erase all of your files or set up a spam relay. It may even be able to set up a keystroke logger or install a modified version of your browser (for you alone) that slurps up your credit card numbers. And it can modify your local
It's a heck of a lot easier to remove than a root-level exploit (you can log in as root and remove the code, which you can't necessarily do to a rootkit). But even though the lack of root can limit the damage, considerable damage can be done without it.
The solution? Well, partly it would be nice to have the OS provide fine-grained control, so that even if malicious code gets to execute it could be prevented from modifying your files without explicit permission or accessing the Internet to act as a spam relay. But such fine-grained controls are incredibly tedious; they exist in Java but they're rarely used.
Failing that, the rest of the solution is to write any program that downloads arbitrary content from the internet very, very carefully.
Re:Even without root things can get nasty (Score:5, Informative)
http://www.citi.umich.edu/u/provos/systrace/ [umich.edu]
It shouldn't be that hard to figure out what a simple program like a browser needs.
Re:Even without root things can get nasty (Score:4, Interesting)
Re:Even without root things can get nasty (Score:3, Informative)
It needs to be able to talk to the X server to render graphics. If some webpage takes over the browser, and makes it execute arbitrary code, can it be made to hack the X server to delete the files in your home directory - for example, by launching xterm (or finding a running instance) and sending the necessary commands to it? Or, worse yet, can it use some X buffer overflow to insert code that runs at root privileges - afte
Re:Even without root things can get nasty (Score:3, Informative)
Hogwash. The grsecurity [grsecurity.net] patches to the Linux kernel provide one approach to fine-grained access control that greatly eases the tedium of managing fine-grained rulesets. In short, grsecurity's approach is based on automatic learning -- let the system run in a permissive mode doing the things it's supposed to do, then generate a ruleset based on that activity. The system then runs with the generated permissions ruleset. The admin may need to tweak the
Re:Tip-toe through the TPS. (Score:3, Interesting)
Re:Tip-toe through the TPS. (Score:3, Informative)
Unix, traditionally having a less granular permissions model than NT, has a lot of programs that when run as a user, change themselves to run as Admi
Re:Tip-toe through the TPS. (Score:3, Interesting)
You trust it to perform specific actions. You do not mean to implicitly grant unlimited privileges. You expect, and trust, your web browser to render HTML. You do not grant it permission to delete all your files simply by the action of running it. So there has to be a trust within limits relationship. Applications should be able to execute in a non
Re:Tip-toe through the TPS. (Score:3, Informative)
Re:Browser shmouser (Score:3, Insightful)
And even preventing arbitrary code execution is only a partial step. What is code? It isn't just opcodes that are processed by the CPU's instruction decoder; it's also bytecode which is executed by a virtual machine, or even the FSM generated
Re:Browser shmouser (Score:3, Funny)
Re:Browser shmouser (Score:5, Funny)
Re:Browser shmouser (Score:5, Interesting)
Eh, it's multi-faceted. The problem is that many of the greatest security threats today are from buffer overflow attacks. (Or heap overflow in this case.) This is frustrating because we've had the technology for more than 20 years to write code that is invulnerable to these sorts of attacks. Unfortunately, the majority of OS and Desktop software has continued to rely on C and C++, making these holes not only possible, but probable.
If the buffer overflow attack were solved once and for all, then attackers would have to move higher up the stack. e.g. Embedded scripts in emails that run with full permission. This sort of attack is why Java has a built-in security manager that can prevent access to secure resources. Should our security problems ever escalate to this level, I'm sure you'll see a lot of similar security managed environments showing up.
Re:Browser shmouser (Score:4, Insightful)
Utter nonsense. Do you use Azureus [sourceforge.net]? Perhaps you've played WURM Online [wurmonline.com]? Do you need to clean up your hard drive [jgoodies.com]?
The "Java is slow" myth is a load of hogwash that opponents of the technology use to justify their stance against it. It's simply not true, and hasn't been true for a very long time. And if you don't believe me, talk to [sourceforge.net] NASA [sun.com].
Java myth revisited (Score:3, Informative)
Java is slow to start and requires more memory than an equally competently written native code program. Thi
Re:Java myth revisited (Score:4, Informative)
Also, why would you CARE about the VM utilization? Also, Azureus (as I recall) has a multi-megabyte (up to 32?) cache for blocks it has recently been sent, to attempt to reduce I/O, so it's sensible that it would take up more memory, JIT aside.
I have noticed that Azureus generates incredibly copious amounts of garbage though.
Re:Java myth revisited (Score:3, Insightful)
I do run it under Windows, and I can't say that I've seen a finer client. The memory footprint is a side effect of what it's doing (caching large amounts of data), not the JVM. Java programs only have ~20% increase in footprint. This increase comes from the fact that running the Java VM requires that an OS be loaded on top of an OS. If the JVM was an OS, there would be no overh
Re:Browser shmouser (Score:4, Informative)
Azureus (Score:4, Interesting)
Why yes, yes I do. I love its features, but the interface is incredibly sluggish. Same goes for Eclipse. I've used it on Windows, Linux, and FreeBSD with various JDKs. It's slow. I'd go crazy if all the GUIs I use were the same way.
Re:Browser shmouser (Score:4, Informative)
The "Java is slow" myth is a load of hogwash that opponents of the technology use to justify their stance against it. It's simply not true, and hasn't been true for a very long time. And if you don't believe me, talk to NASA.
In fact I do use Azureus regularly (it's my primary BitTorrent client). But in all seriousness, it's horribly slow (enough to literally make your reference to it laughable). Try benchmarking creation of a torrent, and compare it to a native implementation of the hash algorithm (SHA-1, I think it was). It's mind-bogglingly slow. Not only that, but it's mind-bogglingly bloated. It's not unusual for it to take 60-80 megs when I'm downloading one torrent (and it runs some 3 threads or so per connected peer). A friend (who downloads way more stuff on BT than I do) says it's not unusual for Azureus to take hundreds of megs of RAM on his computer.
As for myself, I did some benchmarking of my own. When
Re:Browser shmouser (Score:2)
Running as root is certainly a bad thing. Of course, even within any reasonable permissions, we'd have to expect that a program has the ability to execute code that might not be desirable. For
Re:Browser shmouser (Score:2)
Why don't you just install OpenBSD [openbsd.org]? Works very well as a desktop, unless you require hardware-accelerated 3D.
Hey, a new game! (Score:5, Funny)
I'd like to propose a new game here on Slashdot, called "Six Degrees of Microsoft." The objective is to relate *any* story, from browser exploits, to RFID tags, to new features on Google maps back to some oversight, corruption, or other evil perpetrated by Microsoft.
Understand, I'm not even saying I necessarily disagree with the parent post, I just think that every Slashdot post in the future should have at least one response titled "Six Degrees of Microsoft." Firefox/IE posts are easy, but "GBA SP Updated with Brighter Backlit Screen" might be a bit more of a challenge.
Good luck...
Re:Browser shmouser (Score:2)
I don't know about that. How many cross-browser vulnerabilities are caused by OS level URL handlers?
Just something to think about.
Re:Browser shmouser (Score:3, Funny)
Welcome (Score:2, Funny)
Woo! Finally! (Score:5, Funny)
Re: (Score:3, Insightful)
Re:The real problem--SpyWare (Score:5, Insightful)
So you can install anything onto the computer (such as spyware, adware, malware, etc.) but the browser is still safe? I agree with the other poster... what a crock! Also note that it's possible to install extensions into Firefox. Just because nobody has written a spyware/adware extension for Firefox doesn't mean that Firefox is immune. In fact, one of the benefits of Firefox is the ability to extend it. Do you even *know* what you're talking about?
Re:The real problem--SpyWare (Score:3, Informative)
Security through obscurity? (Score:5, Insightful)
The sad thing is that it also comes on the heels of zdnet.com claiming that Firefox is having significantly more security issues than IE [slashdot.org].
I guess, though, this does give some credence to the "security through obscurity" theory, as the number and frequency of issues seems to have increased as Firefox adoption has increased. And if that's the case, can we expect to see these issues become even more frequent if Firefox adoption continues to grow?
All the arguments that open source is more secure because there are more eyes to spot problems and more hands to fix them are starting to ring a bit hollow as I upgrade/patch my Firefox install on what seems like a monthly basis.
Granted, I still trust MSFT as far as I can throw a Volkswagen, but my laughs at their FUD aren't so loud or haughty today.
- Greg
Re:Security through obscurity? (Score:2)
Re:Security through obscurity? (Score:3, Informative)
Not really. I use Firefox everywhere and there are only two sites I cannot use.
One is our local in house bug program called TestDirector. The other is Windows Update.
So I use IE to go to TestDirector or Windows Update, and Firefox for everything else, and have never had an issue with ActiveX being needed. Every site I visit is either in Flash or in Java or just in plain HTML, with the exception of those two, which I don't just meander to anyway, so it
Re:Security through obscurity? (Score:2)
Then I'm pretty safe with links [mff.cuni.cz] on Mac? :)
Re:Security through obscurity? (Score:5, Insightful)
Re:Security through obscurity? (Score:3, Informative)
Everyone else is giggling at you, but I'll spoil the joke.
Run firefox. Go to the "Edit" menu, and pick Preferences. In the icons on the left, hit "Web Features". Six checkboxes come up in the main panel. Look at the ones labelled "Load Images" and "Enable Javascript", and think hard about what they might do.
Re:Security through obscurity? (Score:5, Insightful)
I hear this a lot, and it often leads to a misrepresentation of what makes OSS 'more secure'. The more eyes/hands claim doesn't assert that there will be fewer bugs; it means they are supposed to be spotted and corrected more quickly.
Security isn't a state of being, it's a state of mind. I believe there are more white hats than black hats, so OSS leads to better code. If you believe otherwise, you will probably feel more secure using closed source software (but that won't necessarily mean you ARE more secure.)
Publicity (Score:5, Insightful)
No software is universally perfect.
Good news! (Score:5, Funny)
Also on the plus side, the Washington Post link crashes my IE, so I can't even read the anti-Firefox news. Score another for Mozilla!
Re:Good news! (Score:3, Insightful)
Sorry to shill, but hey, Opera got dumped on for so long on Slashdot just for having banner ads (you know, just like Slashdot's banner ads...), and now that it's free, there's no reason not to use it full-time. Your tabbed browsing came from Opera, after all...
1.5 Beta 1 is also impacted...beware (Score:3, Interesting)
The story here... (Score:5, Insightful)
Not quite... (Score:5, Insightful)
I have little time for browser wars, but it is notable that despite the 1.0.7 announcement even making Slashdot yesterday, it's not showing up as an automatic download yet. Worse, it doesn't show up even if you manually check for updates.
There's not much point patching a security issue if you can't distribute the patch and even conscientious users won't find out about it by the expected method.
Patch (Score:5, Insightful)
Pardon, but rather than using this exploit as some kind of evidence that Firefox is on-par, security-wise, with IE, shouldn't we be viewing this as a victory for the patch/version-release cycle of the Mozilla foundation?
There will always be new security holes found. The difference is that patched versions of the browser, fixing the security hole in question, are not always released before the hole is announced.
Two cents.
B
Re:Patch (Score:2, Interesting)
What patch? (Score:5, Informative)
Please note my comments earlier in the thread: since the patch hasn't hit the auto-updates yet, even if you check for it manually, this patch does not exist for most users. There is an exploit for it in the wild. Hence most Firefox users are not safe from this exploit.
There, I put the actually relevant bits in bold for you, just to make it clear. Firefox is a great product for many reasons, but let's not kid ourselves that its security policy is perfect right now, OK? If my Firefox browser had popped up within a few minutes of the patch being released and invited me to download it, you'd have had a case, but it didn't.
Re:What patch? (Score:5, Insightful)
I'm afraid I have been unclear. I am not challenging the facts of your posts. I am simply saying that, for most people, they are irrelevant.
Within the first few minutes of this discussion starting, I lost track of the number of posters making smart-ass comments about how Firefox rocks compared to IE, because the patch was already out when the exploit hit. I nearly suffocated under the smugness coming off the geek brigades.
And yet, they (and, based on your most recent post, you) seem completely ignorant of the fact that nearly all security flaws in IE are patched well before exploits are found in the wild, too. Most (all?) of the major outbreaks that have hit mainstream media headlines in recent months would have been completely avoided if people had patched their systems; sometimes there were months before the exploits appeared.
So, if the Firefox patch was out but not applied, then the fact that it exists on a web site somewhere really doesn't matter to most people, and neither is it a particular advantage of Firefox over any alternative browser. This may not have been the point you were trying to make, and perhaps I picked the wrong initial post to reply to when making mine, but it's certainly a strange thing a lot of people around here today seem to believe.
Maybe patch was reverse engineered (Score:3, Insightful)
Did it occur to you the patch may have been reverse engineered, and the exploit created from the patch? There is a reason MS doesn't like to patch holes that haven't been exploited.
The version of firefox I'm using is unpatched and vulnerable since the IT guy here hasn't bothered to patch it yet.
Question (Score:5, Insightful)
So why the constant drumbeat of breathless stories about bugs (flaws) and exploits in Firefox? Could it be that the MSM is being seeded by someone? Say
sPh
Re:Question (Score:3, Interesting)
Re:Question (Score:5, Funny)
No... because it's hideously expensive to print 10lb newspapers every day.
Re:Question (Score:3, Funny)
Methinks you've never read the print version of the Washington Post then. It really _does_ weigh ten pounds already.
Re:Question (Score:3, Interesting)
I'd say it's most appropriate for these same news outlets to follow up when those claims aren't upheld by reality.
Wouldn't you expect the same if this were a Microsoft app?
Re:Question (Score:3, Interesting)
Re:Question (Score:3, Insightful)
Probably because the Firefox crowd has been very vocal about screaming "Firefox is more secure than IE! Firefox is more secure than IE!" "Switch to Firefox, it's more secure!". If they were more quietly touting it as a good alternative browser (like Opera does), you wouldn't hear as much about it. When is the last time you saw a front page story about an Opera flaw? Probably not in a long time. Then again, the
drama baby (Score:3, Insightful)
People die every single day on the highway.
People are murdered just about every day.
Thousands of people are starving to death in Africa.
A plane with a busted nose gear makes huge news.
Reporting about an IE exploit would be as exciting as reporting a flu death. The rare events make for more drama. The news is about drama, not NEWS.
Where's the beef? (Score:4, Insightful)
Re:Where's the beef? (Score:3, Insightful)
Exploits as remote administration tool? (Score:5, Interesting)
I just have to wonder... have people ever used exploits like this to do any purposeful remote-administration?
What's a net guy to do? (Score:2)
I'm going to stop hitting those pr0n, warez and gambling sites on my work computer. I'm going to stop opening those emails saying I have to apply the latest hotfixes. I'm going to disable javascript, images, and popups.
Wait - maybe I should just use Lynx. Naahh.
I cannot believe that exploits are coming so fast and furious.
Install NoScript and Disable IDN (Score:2)
I'm sure you were being sarcastic ... you were being sarcastic, right? Yes? Phew.
If you want to browse the wilder reaches of the web, you really owe it to yourself to ensure that you have Javascript disabled. You really don't want to visit any site that requires that Javascript be enabled
Menh (Score:5, Insightful)
The general response: As always with open source, if the Mozilla guys drop the ball and you know what you're doing, you can patch it yourself. With closed source, you're kinda at the mercy of the makers (usually Microsoft).
Anecdotal evidence: Yes, this is in the past, but I let two total newbies use a box of mine for about a year, with the only relevant modifications being: Installed Firefox, Deleted shortcuts to IE, Spybot's resident protection, Spyware Blaster, Windows autoupdates on, and Nod32 (not even a firewall). They never had ANY problem until they figured out how to open IE, at which point they managed to get a bit of spyware in.
Re:Menh (Score:3, Insightful)
No Meh! (Score:5, Insightful)
I am very scared about this turn of events. I used to see unpatched IE all over the place. Thankfully, that is a lot more rare now. Microsoft has made it hard not to patch IE and Windows. Not so with Firefox. I have seen unpatched Firefox installs all over the place. Ostensibly Firefox is there as the secure alternative to IE. People have actually said to me that "unpatched Firefox is more secure than patched IE" and that they aren't worried about it. Firefox Update is way too easy to ignore and a lot of people do. This is going to come back to bite them big time. And Firefox is going to have a PR-nightmare with some big security disasters over the next few months.
Is it really Firefox's fault if users don't patch their systems? The answer to that is yes, because they're trying to be the market-dominant browser. In order to be market-dominant, you have to have a browser equally suited to idiots as well as the technically adept. Firefox Update needs to be impossible to ignore and hard to disable unless you really know what you're doing. Because it is a weak feature right now, Firefox puts users at risk.
Re:Menh (Score:4, Insightful)
Sure. I imagine at least a dozen people in the world have the in-depth knowledge of the relevant area of the Firefox codebase, out of the hundreds of thousands or millions who now use it. Maybe I'll just go spend two weeks finding my way around myself, and become lucky 13.
Sorry for the sarcasm, but that argument is getting a bit tired these days.
Re:Menh (Score:3, Insightful)
Re:Menh (Score:3, Insightful)
At least you have that option. With Internet explorer I do not have that ability. If I want to patch IE, first I have to get Microsoft to hire me (possible, they are hiring all the time, though I don't know if they would hire me personally), then I need to get access to the IE code (I don't know about Microsoft, but most big companies do not give all employees all their source code, you only get access to the parts you will work on), next I need to make my changes, last I need to convince the powers that
Commence the Microsoft conspiracy theories... (Score:5, Funny)
Re:Commence the Microsoft conspiracy theories... (Score:2)
But it's worth pointing out... (Score:3, Insightful)
It's becoming a target of technical attacks because it's becoming higher profile. However, it's doing a very good job of fixing vulnerabilities overall, at least compared to IE.
Yeah, there are response time problems and masked bugzilla bugs, but being open about a bug before a patch is available isn't always the best idea; just because it's open source doesn't mean the discoverer is going to come up with, or be able to come up with, a patch immediately, but one generally turns up; the team is being pretty damn good. It may have been patched properly yesterday, but it was very quick to release a mitigation (disabling IDN).
IE, meanwhile, has a YEARS old vulnerability that MSRC are trying to keep under wraps (even from their partners), because it's a SERIOUS design fault hidden in IE/Shell integration that allows a way of launching ActiveX controls that completely ignores the killbit. Seen Illwill laughing about it, so I know I'm definitely not the only person to independently discover it, and he's been gloating on F-D. And, if you do it right, the 'sploit ignores security zones and settings entirely; you can 0wn a fully patched, fully locked down IE, just by viewing a webpage, with no prompts.
I have a working exploit for it. I won't release it, 'cause if I did, that's a million Windows boxes 0wned by Istbar and some scummy affiliate.
Firefox is an excellent browser overall. If you don't like it, might I suggest Opera 8.50, which is now ad-free, registration-free freeware and also has an extremely responsive security team.
Reality Check (Hand Check Too) (Score:5, Insightful)
When's the patch? Oh, yea... (Score:3, Insightful)
Vulnerability counts say nothing. (Score:5, Insightful)
The security of a web browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which relate to the exact number of security flaws in Firefox and IE. Now, not all vulnerabilities are created equal. IE could have ten minor vulnerabilities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is that the number of vulnerabilities is a very poor metric for security.
This vulnerability is yet another heap-based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switches. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true; what you should be doing is compiling the entire program with the switch, then if it turns out to be too slow, factor out the code into a separate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.
If you remember nothing else today, remember this sentence: "Security costs CPU cycles." Guess what, gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles, as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.
For a web browser on a PC there is really no excuse, because we have multi-GHz computers that are sitting around idling most of the time. For all the naysayers who pronounce almost with religious zeal that the performance hit will be dramatic and thus be unacceptable, I ask them two questions:
Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"
Simon.
"is any more security?" (Score:2, Troll)
Still safer (Score:2)
Re:Still safer (Score:2)
and posted on slashdot.
lazy CastrTroy...
ActiveX (Score:3, Informative)
It's also the major reason large numbers of huge companies aren't adopting Firefox, since it's the technology many of them base their Intranets on. It's a security risk when outside sites can use it, but not having it for internal pages is a PITA at times.
Fast. (Score:3, Insightful)
Re:Fast. (Score:3, Insightful)
I don't have to admit any such thing. A patch can't be applied until it's out, so it has a direct effect on how fast it's applied by millions of users.
When Microsoft releases patches and people don't update their computers, Microsoft is to blame.
If it releases a patch. This can take literally years and in one case they just paid the website that was reporting t
That can only mean one thing .... (Score:3, Funny)
Screw it...I'm moving to Lynx! (Score:5, Funny)
Re:Screw it...now I'm moving to Opera (Score:3, Insightful)
(Come on...it was a joke!)
did anyone else notice... (Score:3, Funny)
Automatic Updates (Score:5, Interesting)
Re:Automatic Updates (Score:3, Interesting)
Most Linuxes/BSDs etc. come with centralised automatic updates for all programs, which are inherently easier. I expect to see a flashing warning next morning, telling me a security update has been downloaded for Firefox and asking if I want to install the patch.
I regard automatic program updates on application level as clutter on my machine, so please do not advocate these methods!
Re:Automatic Updates (Score:3, Insightful)
The way Firefox handles update notifications is particularly bad. The little red arrow is way too easy to ignore, particula
Well that tears it! (Score:5, Funny)
Why Firefox is still better than IE... (Score:3, Funny)
I also just tried to remove IE... no luck.
Firefox is still better.
Comment removed (Score:5, Insightful)
Where's the update? (Score:4, Informative)
This was well over a day after the release of 1.0.7. What URL is used to check for updates, and do they have appropriate options set on server to prevent long caching?
Weird logic. (Score:4, Insightful)
That has always sounded weird to me. Windows or IE have had dozens, maybe hundreds of holes and exploits, and yet, when Linux or Firefox have one, they're "just as insecure"?!?
Is this thing binary? No holes = secure, one hole = as insecure as a hundred holes?
Fine, Firefox has one now. Not really "exploited", since it's already been patched, but never mind that. So what? How many IE holes have there been? How many PCs are full of spyware, viruses, or sending thousands of spam emails a day because of an IE hole?
Can Firefox even begin to compare to that? I don't think so. It's at least dozens of really bad exploits (not to mention the "less than really bad" ones) behind.
Re:Weird logic. (Score:4, Insightful)
http://secunia.com/product/4227/ [secunia.com]
23 since the release of 1.0. We're now on 1.0.7. Seven major security releases.
Is it better than IE? Probably. Firefox vulnerabilities tend to be fixed more quickly and are less secure than IE vulnerabilities. That said, IE is considerably easier to update for both corporate users and home users.
Firefox can do better. Fortunately, the update mechanism is much-improved in 1.5. But, remember, Firefox is supposed to be the darling of the Open Source movement. We can do better.
Where do exploits come from? (Score:3, Insightful)
Kudos to Firefox for releasing a patch the day before the exploit was announced though.
Forced Security (Score:5, Insightful)
I play poker at Fulltiltpoker.com. Every time I want to play, the software connects to their server, checks for any updates, and then asks me to log in. Granted, the poker software client is not as complicated as a web browser, but how difficult would it be to make Firefox check and install updates every time the user ran the program? I imagine it would be pretty simple. Have this enabled by default, and the active security-aware users can disable it if they would rather do it themselves or if they're paranoid. Think it might cost too much time to check every single time you run the program? Simply solved: a line of code telling it to skip the check if it's checked in the past 12 hours.
One of the simplest ideas in security is that if the end-user has to do it themselves, like not opening random e-mail attachments, then it's likely going to get fucked up. It's that simple. Take it out of their hands.
For those of you that are paranoid about Firefox contacting servers on its own, how do you think it knows when there are updates? It certainly didn't find out through telepathy.
Just my two cents.
Aero
GPL Exploits -- interesting side effects. (Score:5, Interesting)
This, of course, presumes that (1) the original exploit author is a proper white hat, and (2) we catch the person who creates the worm.
People are dumber than any browser (Score:3)
Demographics (Score:3, Insightful)
So people should keep using alternate browsers based on their merit up until they stop becoming alternate browsers. Then, maybe IE's GLORIOUS interface and GLORIOUS functionality can Lure Us Back.
Oh, please.
Firefox bad press and Black Hats (Score:3, Insightful)
We shouldn't forget that bad press for FF is in the interests of the Black Hats who make money off of IE exploits. FF is harder to crack than IE. Not impossible just harder. Their aim is most likely to maintain the "good times" of IE. So we shouldn't be surprised that not only is an exploit released but a nasty application of it as well. The black hats wouldn't release the app for the IE version because it would be too useful, but by releasing the FF one they support their investment in IE.
Re:IE7 will doom Firefox (Score:5, Insightful)