Is the Firefox honeymoon over

[theMan]

i dont really care how secure it is. i like FF. i like the features, and the way it works. i have plenty of protection from other places.

 

[P0ldy]

How can this thread go on for 3 pages without a critique of the article? He makes no attempt to qualify any of the vulnerabilities, only quantify them.

Microsoft Internet Explorer 6.x - Highly Critical
Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.

Mozilla Firefox 1.x - Less Critical
Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.

Firefox: 0% Extremely Critical + 23% Highly Critical = 23%
IE: 14% Extremely Critical + 29% Highly Critical = 43%

Not to mention the "Highly Critical" advisory about ActiveX reported in 2003 that's unpatched.

A little perspective, please.

 

[Smilin]

Originally posted by: JonnyBlaze
can someone explain to me what someone can do if im running ie or ff? iv ran both and never had any problems. is it all just a matter of what sites you visit?

Kinda. Stay out of the "dark alleys" of the internet.

I've got an external firewall and a local firewall. When I check the logs of the local firewall...nada.
I run a virus scan on my PC...nada.
I run a spyware scan on my PC...nada.

I'm not saying I'll never get nailed with a vulnerability, virus, identity theft or whathaveyou. I've just never been nailed so far and it's not entirely due to luck. A big part of security is simply keeping your head out of your ass

 

[rh71]

Originally posted by: STaSh

Originally posted by: MrChad
But whereas Firefox has only 14% of its vulnerabilities unpatched, IE has twice that number.

You miss the point of the article. Yes IE6 has some serious issues with security. The point is, FF has been made out to be the nirvana of web security, when it is clearly not.

d.u.h. Please tell me people KNEW that it was only a matter of time. Don't be naive.

 

[PatboyX]

Originally posted by: STaSh

Originally posted by: MrChad
But whereas Firefox has only 14% of its vulnerabilities unpatched, IE has twice that number.

You miss the point of the article. Yes IE6 has some serious issues with security. The point is, FF has been made out to be the nirvana of web security, when it is clearly not.

the reality of the situation is only people who dont know what they are doing would believe anything to be the "nirvana of web security."
the people that use FF and believe that are probably being told to do that by the computer users in their life, an IT guy or their college kid. the increase in use makes it more of a target but it is so hard to get someone to change their computer habits in the direction of being more secure.
more often than not it involves regular scans and other simple procedures that they dont have the time for or do not feel are worth it. when more mainstream and (more importantly) lazy users begin to use a decently secure program, the program begins to take the heat.
im not saying FF is perfect but its better than the alternative.

 

[stash]

im not saying FF is perfect but its better than the alternative.

But that's the point of the article. It really isn't any better than the alternative, if by alternative, you mean IE.

 

[P0ldy]

Originally posted by: STaSh
It really isn't any better than the alternative, if by alternative, you mean IE.

Yes, it is. This article is FUD.

 

[stash]

Originally posted by: P0ldy

Originally posted by: STaSh
It really isn't any better than the alternative, if by alternative, you mean IE.

Yes, it is. This article is FUD.

Wow, that's such a compelling argument.

 

[P0ldy]

Compelling enough to refute the _substantial_ work you put into your argument.

The Gecko rendering engine and far superior conformity to web standards are by themselves enough to refute your "argument."

 

[n0cmonkey]

CTho9305 posted something here.

Actually there was only one period in 2004 when there were no publicly known remote code execution bugs - between the 12th and the 19th of October - 7 days in total. That means that a fully patched Internet Explorer installation was known to be unsafe for 98% of 2004. And for 200 days (that is 54% of the time) in 2004 there was a worm or virus in the wild exploiting one of those unpatched vulnerabilities.

There were 56 days (15%) in 2004 when there was a publicly known remote code execution in Mozilla and no patched release.

 

[stash]

The Gecko rendering engine and far superior conformity to web standards are by themselves enough to refute your "argument."

My argument is that Firefox is not more secure than IE. WTF does the rendering engine and web standards have to do with that?

CTho9305 posted something here.

That's an interesting read. I wonder what it would look like for 2005. Also consider the state of Firefox's patch mechanism in 2004, which is to say, the lack thereof. Even today, FF's patching mechanism has some serious issues.

 

[n0cmonkey]

Originally posted by: STaSh
That's an interesting read. I wonder what it would look like for 2005. Also consider the state of Firefox's patch mechanism in 2004, which is to say, the lack thereof. Even today, FF's patching mechanism has some serious issues.

Supposedly it's getting a lot better with 1.5.

 

[stash]

Supposedly it's getting a lot better with 1.5.

Yes, that's what it sounds like. I still find it shocking that Mozilla would take so long to learn the lessons that Microsoft learned the hard way with regards to patching.

 

[n0cmonkey]

When I stop seeing code red, blaster, sasser, and zotob I'll start believing Microsoft is doing a good job with patches.

 

[P0ldy]

Originally posted by: STaSh

The Gecko rendering engine and far superior conformity to web standards are by themselves enough to refute your "argument."

My argument is that Firefox is not more secure than IE. WTF does the rendering engine and web standards have to do with that?

Clearly security is not all you're talking about when you say FF "really isn't any better than the alternative, if by alternative, you mean IE."

Originally posted by: STaSh

im not saying FF is perfect but its better than the alternative.

But that's the point of the article. It really isn't any better than the alternative, if by alternative, you mean IE.

 

[stash]

Originally posted by: n0cmonkey
When I stop seeing code red, blaster, sasser, and zotob I'll start believing Microsoft is doing a good job with patches.

Well, code red affects IIS4 (and 5) which runs on NT. No automatic updates for NT. Blaster also affects NT. Sasser affects NT and 9x. No AU for 9x.

Zotob only affects 2000 and higher, which do support AU. That said, I haven't heard/seen much about Zotob since that one week. And the patch was available through AU/WU in plenty of time for people to patch.

So if you can show me systems with AU enabled that are affected by any of these, I will be amazed.

 

[stash]

Clearly security is not all you're talking about when you say FF "really isn't any better than the alternative, if by alternative, you mean IE."

Clearly it is, if I start that sentence with "But that's the point of the article," which by the way, is exclusively discussing security. I see no mention of Gecko or web standards in said article.

 

[n0cmonkey]

Originally posted by: STaSh

Originally posted by: n0cmonkey
When I stop seeing code red, blaster, sasser, and zotob I'll start believing Microsoft is doing a good job with patches.

Well, code red affects IIS4 (and 5) which runs on NT. No automatic updates for NT. Blaster also affects NT. Sasser affects NT and 9x. No AU for 9x.

Zotob only affects 2000 and higher, which do support AU. That said, I haven't heard/seen much about Zotob since that one week. And the patch was available through AU/WU in plenty of time for people to patch.

So if you can show me systems with AU enabled that are affected by any of these, I will be amazed.

Doesn't Win2k have IIS 5? So it's vulnerable to code red. Blaster and Sasser also affect win2k, IIRC. So there's another issue.

One problem is that there are a lot of servers out there that don't have automatic updates installed because people don't trust Microsoft's patches.

I'm just depressed about the whole situation. I shouldn't be seeing 4 year old worms.

There is no solution, except make better software.

 

[stash]

Doesn't Win2k have IIS 5? So it's vulnerable to code red. Blaster and Sasser also affect win2k, IIRC. So there's another issue.

Yes, and Windows 2000 has AU.

One problem is that there are a lot of servers out there that don't have automatic updates installed because people don't trust Microsoft's patches

It's Microsoft's fault administrators don't test and install patches in their environments? I mean, admins had what, six months to patch for Sasser before it hit the wild?

Mozilla is in a similar boat. It's not entirely their fault that people don't patch their systems. But their notification system sucks. And installing a new instance of the browser (usually leaving the old vulnerable instance installed) sucks too.

There is no solution, except make better software.

Amen. And I think Microsoft has made significant steps with XP SP2, IIS6, Server 2003 SP1. I think IE7 and Vista will be even more significant. Microsoft has invested a lot of time and money in the Trustworthy Computing initiative, which a lot of people scoff at. But it takes time to do a complete overhaul of development with an eye for security, implementing processes like the SDL and training devs who maybe had one course in college about writing secure code. And I think those efforts are just begining (within the last year) to pay off.

 

[nweaver]

Sasser does affect 2k, and the MS fix only works with SP3 or higher (iirc)

 

[n0cmonkey]

Originally posted by: STaSh
Amen. And I think Microsoft has made significant steps with XP SP2, IIS6, Server 2003 SP1. I think IE7 and Vista will be even more significant.

Hopefully. I look forward to hearing about some of the upcoming technologies as they're revealed. It'll be annoying to hear all the whiners complain about that one program they use from 1997 not working anymore, but I'll live.

Microsoft has invested a lot of time and money in the Trustworthy Computing initiative, which a lot of people scoff at.

Most of us are just wary. I wonder why.

But it takes time to do a complete overhaul of development with an eye for security, implementing processes like the SDL and training devs who maybe had one course in college about writing secure code. And I think those efforts are just begining (within the last year) to pay off.

I get to see improvements all the time in other OSes. Ok, so Microsoft got a bit of NX technology in SP2... Great. Hopefully Vista gets some more stuff in there.

EDIT: This all is probably a bit off topic. I know it isn't Microsoft's fault they write horrible code, it's the end users' fault. One day that education thing is going to work. Until then, I'll be depressed looking at the same old traffic over and over every day.

 

[P0ldy]

Originally posted by: STaSh

Clearly security is not all you're talking about when you say FF "really isn't any better than the alternative, if by alternative, you mean IE."

Clearly it is, if I start that sentence with "But that's the point of the article," which by the way, is exclusively discussing security. I see no mention of Gecko or web standards in said article.

Nevermind. You obviously can't distinguish between a blanket statement and what you meant to say.

 

[Canterwood]

Originally posted by: STaSh
The point is, FF has been made out to be the nirvana of web security, when it is clearly not.

By whom? The stupid fanboys?

Anyone with half a brain knows it not the nirvana of web security. Of course there's bugs to be fixed!

However, that said I'd still run FF over IE6 anyday.
I've still had far less problems (read zero) with FF than I had with IE6.

 

[nfamous]

honeymoon is over for me.... i just dl'ed opera last night, and it might become a believer

 

[stash]

By whom? The stupid fanboys?

If by stupid fanboys you mean the Mozilla project, I guess the answer is yes. They market it as more secure, using the same tired arguments and FUD.

http://www.mozilla.org/support/firefox/faq#mozvsie