Is The Firefox Honeymoon Over?

Zonk posted about 9 years ago | from the back-to-reality dept.

Mozilla 560

prostoalex writes "With Firefox market share reaching a substantial level, is the popular Internet browser becoming a security nightmare for IT administrators? George Ou takes a look at the hard numbers. From the article: 'From March 2005 to September 2005 10 vulnerabilities were published for Microsoft Internet Explorer, 40 for Mozilla Firefox. In April-September timespan there were 6 exploits for MSIE, 11 for Firefox. Conclusion? As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005.'"


560 comments


Re: Is the Firefox Honeymoon Over? (5, Insightful)

Alternate Interior (725192) | about 9 years ago | (#13578693)

There is one significant difference. I'm a knowledgeable user. I program and sys-admin. I practice good security. Regardless of the number of exploits out there, I've never been hit by a FF exploit. I have been hit by IE exploits.

But the submitter is right. Though code security is important, the number of users is also a huge factor.

Cue someone to mention Apache.

Yes, Apache is everywhere, exploit-free. So are lots and lots of other binaries. It's only when you compare Apache to IIS 4/5 that it's really such a perfect example. Compare it to WinAMP, or Bash, or Finder, and it's no more, no less secure.

Re: Is the Firefox Honeymoon Over? (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13578731)

Trip Funky Master Monkey
Oh yeah! Baby! Hang out wit ma mutha Fkin Wang out!

I gots the first post yo! Trip Master of Disater comin at you wit da ascii art, yo!!!

Re: Is the Firefox Honeymoon Over? (3, Insightful)

Bloggins (783115) | about 9 years ago | (#13578741)

Remember the age of the code though, how long has IE been around as compared to firefox. I would expect that about 6 years of sniffing thru firefox will result in less exploits than the amount that's still found in IE.

Re: Is the Firefox Honeymoon Over? (1, Informative)

Anonymous Coward | about 9 years ago | (#13578788)

Actually, winamp is a bad example...
Type winamp exploit into google some time.
http://www.mashada.com/forums/index/show_topic/60/2/index.php [mashada.com]

Re: Is the Firefox Honeymoon Over? (5, Interesting)

thc69 (98798) | about 9 years ago | (#13578846)

It's great that as a sysadmin/programmer using firefox, you've had less problems than with IE.

More importantly, when I switch my users to Firefox, they cease to have problems. More exploits or not, FF causes fewer headaches. When it's all said and done, I'll choose FF's problems over IE's problems.

Apache vs. IIS vs. PWS (1)

StreetFire.net (850652) | about 9 years ago | (#13578847)

And conversely how many exploits are there for Microsoft Personal Web Server?

The Difference isn't the number of users, it's the number of people actively looking for exploits. I could write a crappy piece of code with 100% market share, but if no one is trying to break it, it'll probably be pretty darn "secure"

-Adam

Re: Is the Firefox Honeymoon Over? (5, Insightful)

Anonymous Coward | about 9 years ago | (#13578908)

This is exactly true. I administer over 2,000 machines (mixed platform environment). We started installing Firefox as part of our standard package over a year ago. There has never been one report of a problem with security involving Mozilla Firefox. There have, in the same time period, been numerous security problems originating in the Microsoft Internet Explorer web browser. It doesn't matter how many exploits get published if they aren't being exploited or their exploit does not result in any significant harm. As posters below have noted, this article is a result of bad journalism.

Quality not Quantity (5, Insightful)

olympus_coder (471587) | about 9 years ago | (#13578699)

Well, this is a good example of bad journalism. I don't want to get into a flame war about which browser is more secure (although I have an obvious bias). What I'm trying to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media. [slashdot.org]

1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not just stop the current bleeding.

2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category. MANY of the IE bugs over the last 5 years have been SUPER critical, allowing remote access with little or no user intervention and no settings work around. Are the fire fox bugs the same?

3) Different organizations handle the vulnerabilities: MS and the Mozilla Foundation. MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.

Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.

IAAITG (I am an IT guy)

No Software is Perfect (1, Interesting)

Anonymous Coward | about 9 years ago | (#13578783)

No software is perfect. The people who were touting Firefox as a defect-free product were lying. Typically, such liars have a day job as salesman or director of the marketing department.

The prime reason that we should support Firefox is that it is a well (but not perfectly) designed product and that it provides competition for Internet Explorer. One of the best innovations behind FireFox is the search-engine drop box, in which I can instantly do a search on any topic of interest. I set MSN Search as my default search engine on Firefox.

Re:No Software is Perfect (1)

hungrygrue (872970) | about 9 years ago | (#13578912)

I don't think anyone has ever claimed that Firefox is "defect-free", security issues aside I've had FF crash on me at least twice in the last year or so :-)

Re:No Software is Perfect (1, Informative)

PunkOfLinux (870955) | about 9 years ago | (#13578947)

I don't recall anyone ever saying firefox was defect free. All I recall is people saying it's BETTER -- there's a difference between 'better' and 'defect-free'.

Re:No Software is Perfect (1, Insightful)

MightyMartian (840721) | about 9 years ago | (#13578970)

It is unfortunate that some chose to try to sell Firefox as a more secure browser. While I'll still wager dollars to donuts that it is, I do think it was a mistake. Firefox, like every large software project, is going to have bugs and flaws.

But this bizarre notion that you can measure a software's quality by bug reports is ridiculous. It's a meaningless number until put into context. Microsoft is well known for sitting on flaws for great lengths of time, so though in some given period Firefox might have twice or thrice the number of reported problems, IE might have that many or more unreported flaws. It's the same old story; there are lies, damn lies and then there are statistics. Reporters, unfortunately, seem a pretty lazy lot who don't actually have much interest in educating themselves or others, so they do easy things like count the flaws and report. They pack in a lot of words, and give it a sexy title and bang-o, they get cut a check for their discerning journalism.

Re:No Software is Perfect (5, Funny)

theskipper (461997) | about 9 years ago | (#13578976)

"I set MSN Search as my default search engine on Firefox"

I set my Firefox home page to open MSN search with the default search strings "openoffice.org google 'how do I replace microsoft windows with linux?'".

It's the little things that make life enjoyable.

Re:Quality not Quantity (4, Insightful)

thoromyr (673646) | about 9 years ago | (#13578786)

A very good set of points. One more (related to 3):

4) How many unfixed vulnerabilities are there? The one that comes to mind is ActiveX.

Re:Quality not Quantity (0, Troll)

jerw134 (409531) | about 9 years ago | (#13578915)

ActiveX is not a vulnerability. Stop trolling.

Firefox's facade is still looking pretty good (4, Insightful)

drgonzo59 (747139) | about 9 years ago | (#13578805)

Counting the vulnerabilities is not really the way to assess the security implications of those vulnerabilities. There are different kinds of vulnerabilities. Perhaps, on Firefox the attacker can crash my browser - not that big of a deal, I'll just restart and then look for a patch (which comes out pretty fast). But there might be an IE vulnerability that will give remote admin access to my machine. Now I think, one of those vulnerabilities outweighs 10 of the first kind. So you cannot really compare.

They should have separated vulnerabilities into classes then also taken into account the average time between discovery and fix and ease of patching. Anyone know of such a study?

What I love about Firefox (1, Informative)

Anonymous Coward | about 9 years ago | (#13578806)

1) Small memory footprint
2) Excellent stability on Linux and FreeBSD
3) The way extensions work no matter which version you have. Upgrade a minor or major version, the extensions are still there, all working properly.
4) How themes work no matter which version you have.
5) How the Firefox start page doesn't default to any specific commercial search engines, but lets you choose.
6) How the popups are blocked on sites like SitePoint.com

Causality vs. Correlation (4, Insightful)

Da_Biz (267075) | about 9 years ago | (#13578812)

What I'm trying to say is that this guy is quoting useless statistics and this is a great example of bad science/tech reporting in the media.

AMEN! Your pickles example is a good reminder of the confusion many Americans have over causality vs. correlation.

Damned Lies and Statistics by Joel Best is an excellent primer in the dangers of poorly used and cited statistics. It's a must read:
http://www.amazon.com/exec/obidos/tg/detail/-/0520219783 [amazon.com]

How's that number system work again? (0, Troll)

Apro+im (241275) | about 9 years ago | (#13578853)

1, 3, 2, 3, 3, 3, 4, 3, 5, 3...?

Re:Quality not Quantity (5, Funny)

Anonymous Coward | about 9 years ago | (#13578866)

Remember 99% of people that have cancer have eaten pickles. That doesn't tell you squat about the relationship of pickles and cancer.

Great, another apologist for the pickle manufacturers...

Pickles cause cancer?!?! (0)

Anonymous Coward | about 9 years ago | (#13578899)

Please tell me you're going to legitimize that by blogging it... I bet you could make the front page of Slashdot!

Re:Quality not Quantity (1)

VATechTigger (884976) | about 9 years ago | (#13578905)

Data to support or disprove point #3 is in fact linked in the article. Click firefox 1.x or IE 6.x vulnerabilities in the first table. Or Here FF 1.x [secunia.com] and Here IE 6.x [secunia.com] for you lazy bones.

I'm too lazy to go through it all, but by looking at the pretty pie charts the IE bugs are indeed more critical.

Re:Quality not Quantity (2, Insightful)

Donny Smith (567043) | about 9 years ago | (#13578930)

>Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

And perhaps not.
And perhaps MS IE is exposed to more scrutiny because it's #1 browser? And perhaps not.
As we can't tell for sure, it's best to ignore such speculations.

>3 (sic)) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design). The firefox team appears to address the bigger problem, not just stop the current bleeding.

Gee!
And look at the most recent Firefox fix - it's a temp fix which only disables the insecure feature.
Not to mention that update alerts actually start blinking in your browser many days late.

I'm not defending MS IE, I'm just trying to point out that FF is pretty much the same. I use it a lot and it's got a bunch of problems - daily crashes, daily hangups with PDF files, frequent security problems and so on.
Originally it seemed a lot better. I still use it, but it doesn't seem that way any more - it's time to take a realistic look at it.

Re:Quality not Quantity (3, Insightful)

Alorelith (118865) | about 9 years ago | (#13578944)

Don't forget that Internet Explorer isn't a moving target. Firefox is in constant development and releases are being made at fairly regular intervals, thus there are bound to be bugs. Has Internet Explorer seen any development in the last few years other than just bugfixes (not including IE7)?

Apples to Apples (5, Insightful)

gbulmash (688770) | about 9 years ago | (#13578703)

I don't recall there being *that* many vulnerabilities and exploits for the browser itself, but that there were some serious ones for common extensions. Now, I can't say this for certain, but is it possible that he's lumping in the vulnerabilities/exploits for popular 3rd party extensions (like the recent pretty big one with GreaseMonkey) with vulnerabilities/exploits for the core browser?

As well, how many of these vulnerabilities/exploits were "critical" and how severely did they expose your computer to running unauthorized code vs. the MS ones? How much effort did it take to repair them? The last vulnerability I recall patching required making a minor change to my Firefox config by hand rather than patching or upgrading.

Because IE is so tied in not only to the OS, but to various Visual Studio API's, were Microsoft's vulnerabilities more far-reaching?

I'm no MS apologist, but I'm also not a Linux or OSS zealot. I like to use what works best for my needs and habits, which ends up being a mix of Closed Source and Open Source products. I don't want to be biased on one side or another, but I'd like to be sure that comparisons like this are apples to apples.

- Greg

Re:Apples to Apples (2, Interesting)

Anonymous Coward | about 9 years ago | (#13578804)

Now, I can't say this for certain, but is it possible that he's lumping in the vulnerabilities/exploits for popular 3rd party extensions (like the recent pretty big one with GreaseMonkey) with vulnerabilities/exploits for the core browser?

Also, many of the common extensions (Adblock & Noscript, for instance) block potential Firefox vulnerabilities.

I have run into the situation where I go to a "FF exploit proof of concept" page and the exploit doesn't work because Adblock blocks it.

Re:Apples to Apples (1)

japhmi (225606) | about 9 years ago | (#13578988)

Also, since we only have a chart and not more information, does this include multiple-OS exploits? Would an exploit on Linux and one on Windows count for 2 in the firefox column?

FUD (0)

oncee (216065) | about 9 years ago | (#13578704)

It's still more secure than IE.

Karma Whoring (2, Funny)

metternich (888601) | about 9 years ago | (#13578743)

Is still more fun than coming up with relevant comments.

Re:Karma Whoring (1)

halivar (535827) | about 9 years ago | (#13578910)

Hah! I see through your blatant attempt at karma-meta-whoring!

Or is it meta-karma-whoring?

And am I meta-meta-karma-whoring, or meta-karma-meta-whoring, or just plain karma-meta-meta-whoring?

Re:FUD (4, Funny)

Danse (1026) | about 9 years ago | (#13578780)

It's still more secure than IE.

You make a powerful argument. I'm daunted at the prospect of countering it. I think I'll back down in the face of your intellectual prowess.

Hey! (3, Funny)

Brandon K (888791) | about 9 years ago | (#13578712)

This is Slashdot! You're not allowed to talk about Mozilla like that!!!

Security isn't the only reason (5, Insightful)

kevin_conaway (585204) | about 9 years ago | (#13578713)

I use it because it's a better browser. It has more (and better) features than the competition. THAT is why I use it and recommend it to those who ask, not because of its security track record.

Re:Security isn't the only reason (2, Interesting)

daniil (775990) | about 9 years ago | (#13578815)

Oddly enough, I use Opera for exactly the same reason. I used to be in the Firefox camp as well, but decided to try out Opera when they were handing out free registration keys. Long story short, I tried it, loved it, switched -- and never looked back.

Some information is actually missing (0, Redundant)

Z00L00K (682162) | about 9 years ago | (#13578725)

and that is about the severity of the security issues.

Anyway, maybe it's time to switch to Opera or Lynx now. Or maybe tkWWW... Does anybody know of any other browser out there that may be usable on a variety of OS:es???

Re:Some information is actually missing (0)

Anonymous Coward | about 9 years ago | (#13578809)

Maybe you should find another hobby, you waste of skin.

Slash Troll Alert (4, Insightful)

Sounder40 (243087) | about 9 years ago | (#13578726)

Another in a series of stories that seem to be written to raise the ire of /.'ers. You're smarter than this, fellow reader. Do not give in to the temptation to flame on. We all know better. Sad that the writer didn't.

These numbers (3, Insightful)

hungrygrue (872970) | about 9 years ago | (#13578732)

don't mean anything unless you do a side by side comparison of the security holes. What is the severity of each bug? Clearly, there is more activity and work in finding and actually fixing bugs in FF than there ever could be in IE, which could in and of itself account for the higher numbers.

What happens when IE Vista goes mainstream? (2, Insightful)

TEMM (731243) | about 9 years ago | (#13578736)

Yes there are a lot of problems with firefox, it's being developed so there are going to be vulnerabilities and security problems, but at least it's constantly being developed. When everyone moves over to Vista and uses the new version of IE for Vista it's going to be the same old crap all over again and I'm sure that IE will once again have more problems than firefox.

Re:What happens when IE Vista goes mainstream? (2, Funny)

jerw134 (409531) | about 9 years ago | (#13578987)

I wouldn't count on that. You obviously don't know about the numerous security measures going into Vista and IE7.

One-sided (0)

Anonymous Coward | about 9 years ago | (#13578737)

What Ou does not consider are the number of vulnerabilities fixed.

Software Bugs (0, Insightful)

Anonymous Coward | about 9 years ago | (#13578739)

All software has bugs, let's just get over it and move on with life.

Choice... (5, Insightful)

gsfprez (27403) | about 9 years ago | (#13578740)

Here's the difference.

If the Firefox web browser sucks, the average Joe can uninstall that web browser from a Windows box....

if IE sucks...

Short and simple (4, Insightful)

cyberlotnet (182742) | about 9 years ago | (#13578746)

1. How many Critical IE vs Firefox
2. How fast were patches/new versions deployed
3. How many days was the browser open to the exploit

And Finally

4. Total number of days browser was exploitable - IE vs Firefox

I bet you will find issues in IE that are not even patched yet, turnaround for more Firefox issues however? In most cases a solution within hours a patch within days.

Re:Short and simple (1)

VENONA (902751) | about 9 years ago | (#13578975)

1. How many Critical IE vs Firefox

Criticality data will always be suspect. There are many weighting systems in use. In fairness, it's a deep subject. But Microsoft has something of a history of severity denial.

2. How fast were patches/new versions deployed

Firefox is the clear winner here.

3. How many days was the browser open to the exploit
and
4. Total number of days browser was exploitable - IE vs Firefox

From some research I did back in June:

"Widely read reports indicate that IE enjoyed only seven days of 2004 without being subject to any known vulnerabilities. Those days were between 12 and 19 October. I rather doubt that--it seems likely that at least one vulnerability (specifically that would be gm014) reported to Microsoft 2/20/03 by GreyMagic. This is still unpatched, as I verified this morning with IE 6.0 SP1, on Win2K, SP4. Some security people aren't doing their homework."

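An added example, not part of the original thread: the comments above ask for severity, time to patch and total days exposed instead of a raw advisory count. The Python below computes those from constructed records for two hypothetical products, A and B; the dates, severities and the "exposed from disclosure until the day before the patch" convention are assumptions, not figures for any real browser.

```python
from datetime import date, timedelta
from statistics import median

# Constructed advisory records for hypothetical products "A" and "B" (not real data).
# Fields: product, severity, disclosed, patched (None = still unpatched).
ADVISORIES = [
    ("A", "low",      date(2005, 3, 1),  date(2005, 3, 3)),
    ("A", "low",      date(2005, 3, 2),  date(2005, 3, 4)),
    ("A", "moderate", date(2005, 5, 10), date(2005, 5, 12)),
    ("A", "critical", date(2005, 7, 1),  date(2005, 7, 4)),
    ("B", "critical", date(2005, 3, 15), date(2005, 5, 14)),
    ("B", "critical", date(2005, 6, 1),  None),
]

# Observation window, inclusive at both ends (assumed for this example).
WINDOW_START = date(2005, 3, 1)
WINDOW_END = date(2005, 9, 30)
ONE_DAY = timedelta(days=1)


def exposure_days(records, start, end, severities=None):
    """Days in [start, end] with at least one disclosed, unpatched issue.

    Overlapping windows are merged, so two issues open on the same day
    count that day once. An unpatched issue stays open to the window end.
    """
    intervals = []
    for _product, severity, disclosed, patched in records:
        if severities and severity not in severities:
            continue
        lo = max(disclosed, start)
        hi = min(patched - ONE_DAY, end) if patched else end
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()

    total = 0
    cur_lo = cur_hi = None
    for lo, hi in intervals:
        if cur_hi is None or lo > cur_hi + ONE_DAY:
            # Gap before this interval: close the previous merged run.
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days + 1
    return total


def summarize(records, product):
    """Raw count next to the metrics the thread asks for, for one product."""
    rows = [r for r in records if r[0] == product]
    fix_times = [(p - d).days for _, _, d, p in rows if p is not None]
    return {
        "reported": len(rows),
        "critical": sum(1 for r in rows if r[1] == "critical"),
        "unpatched": sum(1 for r in rows if r[3] is None),
        "median_days_to_patch": median(fix_times) if fix_times else None,
        "exposure_days": exposure_days(rows, WINDOW_START, WINDOW_END),
        "critical_exposure_days": exposure_days(
            rows, WINDOW_START, WINDOW_END, {"critical"}
        ),
    }


if __name__ == "__main__":
    for name in ("A", "B"):
        print(name, summarize(ADVISORIES, name))
```

In this constructed data A has twice as many advisories as B yet far fewer exposed days, which is the gap between the two measures that the commenters describe.
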
I switched to safari (0)

Anonymous Coward | about 9 years ago | (#13578749)

Apple just always seems to come up with the right solution. Firefox suffers from the "sophomore slump" phenomena. Apple hung back and watched the mistakes being made. They learned the lessons and leapfrogged the competition. Apple may not be the pioneer; but they are the king of innovation.

haha Bitches (-1, Troll)

Anonymous Coward | about 9 years ago | (#13578750)

haha all you bitches. MSFT WINS AGAIN...

Linux sucks,
Firefox Sucks,
You suck if you believe any non MSFT product will survive

Look at SUN/APPLE for references..

Re:haha Bitches (2, Funny)

The Angry Mick (632931) | about 9 years ago | (#13578856)

Thanks, Steve [microsoft.com] . It's nice to see you're still paying attention to things over here.

The honeymoon may be over, (1)

markass530 (870112) | about 9 years ago | (#13578751)

but I think the marriage will last. I for one, have more faith in the open source community to fix whatever issues hackers exploit. I also trust that firefox will just strive to be the best browser possible, as opposed to uber-integration-domination-bloatation, and I've been told trust is the most important thing in a good marriage.

It took me a long time, but.... (1)

Dark_Link2135 (812614) | about 9 years ago | (#13578752)

the minute I tried out Opera, I was hooked. A couple of my friends spent months trying to convince me to try it out, and I never really did. Opera is absolutely beautiful, very clean, functional, and customizable. I love it. I dropped FireFox like a....well a something once I'd tried out Opera. But, to stay on topic :D don't take this story for face value. Like an earlier poster said, it's Quality, not Quantity. There might be a few tiny little security holes and maybe just 2 gaping security holes in IE - which one would you rather use? Plus there's the obligatory "download our new patch to fix the patch that was designed to fix the patch for the security hole" deal that's involved with IE.

Open Source Security (1)

ranton (36917) | about 9 years ago | (#13578755)

I think that this is an important point about Microsoft's security issues that I know I never considered before. When you have any software that is so widely used it is going to have more security breaches than an equal but less mainstream piece of software. Looks like the problems that Microsoft has had over the years have more to do with being too widely used than actual poor design (or more likely they are on par with each other). And with the kind of money Microsoft has at its disposal, they are finally cutting down on those security issues.

I wonder if this will be a problem for open source software in general if it starts to become more mainstream. Maybe it will be found that without a large amount of money to be put into security that there will be massive security holes in the future for OS software.

Gosh... (1)

WayneTheGoblin (843267) | about 9 years ago | (#13578756)

It's like you're comparing apples and ......... PC's! Actually, I use IE, Safari, Firefox, and Opera, for quite some time, and the only browser I've ever had issues with is IE. Just my $2x10^-2

misleading (2, Informative)

bcrowell (177657) | about 9 years ago | (#13578759)

The article is misleading. Firefox is open source. Anybody who wants to inspect the source code for security holes can do so. If a bug is found, either by inspecting the code or by some other method, there's a community around Firefox that will happily publicize that information, fix the bug, and release a fixed version promptly for free.

Also, the number of security flaws reported is meaningless. A security hole could be very serious, or completely inconsequential.

And by the way, the article is extremely short, and doesn't actually give much useful info beyond what was in the slashdot summary, so please think twice before clicking through to TFA and steering ad revenue to zdnet.

Re:misleading (2, Funny)

Anonymous Coward | about 9 years ago | (#13578916)

Anybody who wants to inspect the source code for security holes can do so.

Don't rush people, please get in line, there's enough source code for everyone.

Seriously. Is that anywhere on the priority list of anyone? No better way to spend the afternoon?

Attacker is also better off with the open code (2, Insightful)

Anonymous Coward | about 9 years ago | (#13578917)

Anybody who wants to inspect the source code for security holes can do so.

Precisely. But why do you assume that once the bug is found, it will be fixed? If the bug is found by a malicious pair of eyes, an exploit will be written instead.

Open source helps both the attackers and defenders, and therefore does not have an inherent advantage in security, in my opinion. Now, the formerly closed code that has leaked is indeed more vulnerable after the leak.

How do I moderate the Original Poster (-5 Troll) (2, Insightful)

dup_account (469516) | about 9 years ago | (#13578760)

I read thru some of Ou's other blogs, and I have to say he seems to be a MS Troll.

It seems to me... (2, Interesting)

WVDominick (860381) | about 9 years ago | (#13578767)

It seems to me that MS simply won't patch certain things in IE. They haven't from the very beginning. Firefox is pretty new and will always have more security issues early on. Seems simple to me.

The honeymoon IS over (4, Funny)

uberdave (526529) | about 9 years ago | (#13578775)

Yes, the honeymoon is over, and now the more enjoyable adventure of building a life together begins.

Re:The honeymoon IS over (1)

thedustbustr (848311) | about 9 years ago | (#13578897)

Are you kidding? The honeymoon is the height of marriage, it's downhill from there...

What about the time to fix? (2, Insightful)

Anonymous Coward | about 9 years ago | (#13578776)

The number of vulnerabilities and exploits make some difference, but what about the average time it takes to fix the vulnerabilities? If one takes an average of 2 weeks and the other 2 days, I'd rather have the latter.

How do the other browsers fair? (1)

link915 (900930) | about 9 years ago | (#13578782)

I'm a big Firefox fan and don't user other browsers (IE at work doesn't count cuz I'm quitting in 1 week) so I am wondering what the stats are for browsers like Opera, Mozilla, Netscape, Dillo, Konqueror, Epiphany, and Galeon. Does anyone have this information? Honestly though, there aren't many developers out there that make perfectly secure software...IMHO it the open-source communities response to the problem that keeps me sticking with it.

Re:How do the other browsers fair? (1)

link915 (900930) | about 9 years ago | (#13578862)

WTF...I really need to start using the Preview button!

M$ has still to patch the biggest bug. (0)

Anonymous Coward | about 9 years ago | (#13578787)

ActiveX

Need someone to answer the bugs (0)

Anonymous Coward | about 9 years ago | (#13578789)

Could someone please contrast the bugs in MSIE and Firefox on something other than numbers alone (lies, damn lies, statistics). For example, number critical (remote access), number that will crash the application, number that are theoretical (no known exploit or very difficult to exploit), number that are in 3rd party extensions (i.e., not in the core product). These are FAR more useful figures than 40 bugs for FF and 10 for MSIE. Let's have some facts here (of course, I digress, this is slashdot and facts often are secondary criteria).

im a standard user... (1)

tont0r (868535) | about 9 years ago | (#13578792)

and while I'm concerned with security, it's not a huge concern. if you are going to start saying that IE and firefox are equal when it comes to vulnerability, then I'm still going to stick with firefox just from the usability alone.
plus (which I'm sure everyone will have mentioned by the time this gets posted)
time for mozilla to fix a bug: few days?
time for MS to fix a bug: god knows...
so to call it an 'IT nightmare' is a bit over the top.

Open source vs closed source (1)

Datasage (214357) | about 9 years ago | (#13578794)

This is always an argument used against open source, but it's a poor one.

With general software development practices as well as because of other things, both open and closed source software will have security issues.

But the probability of finding them in open source software is much greater because you have access to the source. It does not mean that open source software may have more bugs.

With the benefit of having the source code, it's more likely that it will be found and fixed before an exploit is developed. With closed source, it's more likely the knowledge of the issue will be known publicly with the release of an exploit.

Exploit to Patch Time (1)

Richardsonke1 (612224) | about 9 years ago | (#13578796)

I'm not excusing Firefox for having security vulnerabilities, but you have to look at the fact that Firefox is relatively young and is rapidly growing. IE has had time to work out a lot of the bugs over the years since IE6 went live. How many years has IE6 been around with little or no modifications? There's less chance of introducing a bug because of this, but the browser is nearly featureless compared to Firefox because of it. Which would you rather have?

Secondly, Firefox's exploit to patch time is minuscule compared to Microsoft's. The last exploit that came out had a "fix" within days. Although that fix didn't actually correct the error, but turned off the functionality that was broken. Then again, this is compared to Microsoft which says "don't click on links you don't trust" when a vulnerability comes out, until it comes out with its patch a month or more later. Pick your poison.

Well (1)

6OOOOO (600000) | about 9 years ago | (#13578800)

Firefox was never a panacea. Using Firefox never guaranteed anyone immunity against the various pitfalls that come with using Windows. And, so far as I know, Firefox was never entirely free of vulnerabilities.

That said, Firefox will always retain a competitive advantage over IE. Fixes and workarounds are released with astonishing speed, especially when compared with IE--this is because Firefox is Open Source, but more importantly because it is free. The developers have nothing to lose by releasing a patch, by admitting to having written something less than perfect. There is no corporate reputation at stake; therefore, using Firefox will always be inherently safer than using IE. That safety gap will only widen with time.

How about clearing a few things up. (1)

TomTraynor (82129) | about 9 years ago | (#13578808)

1. Define the threat level.
2. How long before notification that it was acknowledged.
3. How long until the fix.
4. For the fixes, did it work?

MS has the bad habit of not letting us know of a hole until they have the patch ready. This is a real pain as the ones who can use the hole can, without me knowing! Also, Firefox is a new product, it has an excuse. MS is a mature product, why are there serious holes still in this product?

More flaws? (1)

thesandtiger (819476) | about 9 years ago | (#13578811)

Or is it just that, with source fully available for people to examine (and a community of die-hards willing to spend a Saturday evening actually looking at same), flaws can be more easily found?

I don't know if that really would make much of a difference, but then again, we can't really know for sure since the IE source code isn't available to make it a fair test.

Anyone out there who does seek out flaws care to shed some insight on how you go about doing it? I imagine some is like with old school video game hacking - you notice strange behavior and experiment - but I'd also imagine some is looking at source and saying "Hm, this seems off..." and then trying something without actually noticing "off" behavior.

So, who here REALLY wants linux on all desktops? (0)

Anonymous Coward | about 9 years ago | (#13578813)



So, who here REALLY wants linux on all desktops, again? Not that it WILL happen, but don't wish for it!

This script-graphic was very hard to get.

Losing my mod points to say this but... (3, Interesting)

aug24 (38229) | about 9 years ago | (#13578823)

When FF is ten years old, like IE, he'll have a point. Right now, a 2-year-old piece of software is getting a similar number of exploits to an application that should be mature and stable and secure... but isn't.

J.

exploits / bugs (1)

true_majik (588374) | about 9 years ago | (#13578829)

does n bugs translate to M exploits?

is exploit A which has bugs a,b,c,d,e,f,g,h, and i
the same (quantitatively) as exploit B which is due to bugs y, and z?

just because IE lists 6 exploits doesn't mean they are due to 6 bugs.

Usability. (4, Interesting)

Puls4r (724907) | about 9 years ago | (#13578837)

For me, it's not the number of vulnerabilities and never was. I, like most other people, used IE because it was preinstalled. I was lazy and figured "a browser's a browser". Only once I started using other browsers did I realize:

1. There is no reason a browser should lock your operating system.
2. There is no reason a browser should mysteriously slow down your computer.
3. There is no reason a browser should purposefully make it difficult to change some settings.

It's like the Messenger service that Microsoft seems DETERMINED to re-enable on my computer every time I update / patch. I know what settings I want, and the browser that lets me use those settings with a minimum of issues is the one I'll use. This isn't loyalty. It's a user-friendly program that doesn't pretend to believe it knows what I want better than I do.

Differences (1)

Namronorman (901664) | about 9 years ago | (#13578838)

There are many differences between the two and what I think makes Firefox sound more desirable is mainly the fact that Mozilla will release patches much faster for Firefox than MS for IE and that it is also a much more stable program.

a good sign.. (1)

segfault_0 (181690) | about 9 years ago | (#13578843)

i would consider this a good sign for firefox; all the attempted exploits, in my mind, point to the fact that firefox is grabbing mindshare as well as marketshare - you know you're close to the top when someone tries to knock you off..

Re: Is The Firefox Honeymoon Over? (2)

kurt_ram (906111) | about 9 years ago | (#13578852)

Honestly, whatever Firefox had was hardly a honey-moon. The number of people using firefox is insignificant when compared to those using IE. And, it will always be.

Is The Firefox Honeymoon Over? (1)

Karma_fucker_sucker (898393) | about 9 years ago | (#13578855)

No, it still makes me hard and I still enjoy having sex with it.

Kick ass! (1)

hungrygrue (872970) | about 9 years ago | (#13578857)

So what this article says is that the open source development model finds and fixes bugs much quicker than a single company could ever hope to. Cool. I'd much rather have security holes discovered and fixed quickly - also I wonder how many of these holes in FF only affected Windows users?

Warning (0)

Anonymous Coward | about 9 years ago | (#13578859)

There is a new crashing bug in Deer Park Firefox, but not in Firefox 1.0.x. There is no patch either! Disabling IDN or using the latest nightlies doesn't stop it from crashing. It's being reported by Tom Ferris [security-protocols.com] again and he has a test page here [security-protocols.com] .

Salt anyone ? (0)

whysanity (231556) | about 9 years ago | (#13578865)

Does it count as a bug/exploit if it's fixed before anyone discovers it?

Microsoft has a habit of reactivity, "Oh shit, someone released an exploit, let's fix it".

I'd like to say Mozilla has a habit of proactivity, "Oh shit, there's this bug, let's fix it before someone exploits it".

Also, if you RTFA, you see things like "Note that this is not a count of the number of advisories because advisories can contain multiple vulnerabilities. This is a count of the actual number of vulnerabilities." The article is short on substantial evidence or proof (author refuses to provide links). Furthermore, he doesn't even attempt to qualify what he claims.

Take it with a grain of salt.

useless article (1)

suezz (804747) | about 9 years ago | (#13578874)

this is the most useless article I have read.

I have read it and still don't know what to make of it. He doesn't really define a vulnerability first of all.

If anything this tells me firefox is being actively developed and improved and is easily upgradeable.

I think Microsoft is just putting security updates out and not improvements. So it makes me wonder what he defines as a vulnerability.

huge differences (1)

b17bmbr (608864) | about 9 years ago | (#13578877)

IE exploits fsck with your entire system. you know, it's a built in component. FF problems are more limited and deal more with windows alone. i've had no problems with FF on os x nor linux. FF and IE exploits are apples and oranges.

ha (1)

Apreche (239272) | about 9 years ago | (#13578880)

Firefox vulnerabilities are fixed within a day, two at most. Just about every time I see a Firefox vulnerability it is published before a fix is available. Also, I've never seen an instance of someone actually exploiting a Firefox vulnerability for evil.

IE on the other hand doesn't publish vulnerabilities until they are fixed. So 10 means they fixed only 10, how many are there? Also, IE exploits are actually exploited all the time. Usually it happens after the patch is released and the exploit published. Firefox upgrades itself now with very little user interaction whenever there is a fix. IE only updates on Black Tuesday, if you're lucky.

I seem to recall... (1, Insightful)

Anonymous Coward | about 9 years ago | (#13578881)

that some of the Firefox issues were not because of coding bugs on the mozilla side of things, but because of how Microsoft's OS handled things. Essentially, Firefox was protecting itself against the evils of the OS that it is forced to run upon. Even if all 11 security issues were purely because of Mozilla code, how are we to truly know that there were only 6 for IE? Those are just the ones that Microsoft fessed up to and actually fixed - there's likely plenty more that they're working on - just waiting slowly to release the updates to make themselves look better than the better equipped competition.

Na na na na Na na, Firefox is STILL better (0, Flamebait)

EraserMouseMan (847479) | about 9 years ago | (#13578895)

Open Source will always be a better idea than the Microsoft solution!!! Besides, I'm almost sure Microsoft is developing Firefox exploits just to make Firefox look bad. And I could probably argue that the combination of the 11 exploits that Firefox had were less dangerous than the 6 that IE had. So THERE!

bugzilla for IE? (1)

c-reus (852386) | about 9 years ago | (#13578911)

As I recall, IE does not have anything even remotely similar to bugzilla (as FF has).
So, if I find a bug in FF, I'll report it in bugzilla. If I find a bug in IE, where do I report? send an e-mail to wishes@microsoft.com?

I'm sure there are some people that know that better than me -- enlighten me. How does one submit a bug found in IE?

Re:bugzilla for IE? (1)

paradizelost (689394) | about 9 years ago | (#13578984)

you go to your local store and pay an m$ tax of $299* for a newer version of the product



*taxes vary from $99.00 to $1699.00

Simple Solution (0)

Anonymous Coward | about 9 years ago | (#13578913)

We need more exploits for IE

misleading (2, Insightful)

FLoWCTRL (20442) | about 9 years ago | (#13578921)

I would like to see a comparison of the seriousness of the vulnerabilities - how many of those IE exploits gave remote users full control over the victim's computer, vs those of Firefox? Given that IE is so deeply tied into the OS, security problems with it tend to be much worse. For Firefox, the vulnerabilities tend to be trivial, such as browser crashes.

tfr0ll (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13578928)

Obse5sed - give If you answered people's faces at unpleasant slin-gs are limited, percent of the *BSD when IDC recently about who can rant

ActiveX (1)

Casandro (751346) | about 9 years ago | (#13578932)

As long as there's still ActiveX support in IE it _will_ be the less secure browser. ActiveX is, and will always be the most critical hole in IE.
It's insane to execute binary code from the internet with just a few clicks.

When Microsoft turns off ActiveX by default, we can start comparing browsers.

Privacy and Security are incompatible (0)

Anonymous Coward | about 9 years ago | (#13578933)

The main question is: Does M$ want IE (and Windoze in general) to be secure?
I believe not. An important activity at most corporations is spying on employees. Some of the flaws are used for that particular purpose.
Moreover, the Firefox community is calling "bug" a vulnerability that M$ would completely ignore. Why would they care that you get a lot more leakage through 5 one-meter holes than through 40 one-millimeter ones?

What about the ones M$ doesn't tell us about? (1)

paradizelost (689394) | about 9 years ago | (#13578937)

How many bugs/vuln's are there in IE that microsoft either doesn't want us to know about, are too serious for them to consider releasing info on before they have a fix, or just don't care about? Most FF bugs are revealed relatively quickly, and a patch is made, but M$ can keep them a secret to keep their numbers down to promote studies like this one.

Paul from Greyhats (0)

Anonymous Coward | about 9 years ago | (#13578953)

I am Paul from Greyhats Security. I found and submitted several of those Firefox vulnerabilities, a total of 5 that I received bug bounties for.

I have to back up the article writer on this issue. The fact is, Firefox was a lot easier to exploit than Internet Explorer, and believe me, I have experience in both browsers. Also, I have been testing Internet Explorer 7, and I must say that it is very secure. I haven't found a single vulnerability in it yet.

How many solved (0)

Anonymous Coward | about 9 years ago | (#13578957)

More important than how many bugs appeared in a span of time is how many of those bugs were solved?

fading facade (1)

snarkh (118018) | about 9 years ago | (#13578973)



Or no, facade is fading. But the rear is still ok.

and how many have been fixed? (2, Interesting)

eelke_klein (676038) | about 9 years ago | (#13578990)

I think these reports give the answer.

Firefox [secunia.com]

Internet Explorer [secunia.com]

To conclude firefox has three unpatched advisories of which the most severe is less critical. IE has nineteen unpatched advisories of which the most severe is highly critical. Notice that actually IE had more advisories both patched and unpatched.
