|Internet Explorer more secure than Firefox?|
According to Bill Gates, it is
From here: [chronicle.com...]
|There have been more security problems outside of Internet -- with Firefox in particular -- than with Internet Explorer. So the contrast of how diligent we've been about fixing things, doing things, updating things has been made clear. ... |
Thus saith Bill.
What the ...?!?
He didn't detail that fragment, nor did the lousy reporter pursue it.
If we're talking about the number of security advisories issued, in 2005 so far Secunia shows 9 advisories for IE and 17 for Firefox. Of course that doesn't talk about active exploits found "in the wild", severity of the exploit and so on.
Or the number fixed, or the fact that MoFo pay cash bounties to people who find security bugs :)
Plus, as I recall, some of those bugs attributed to Firefox were actually Java bugs that had nothing to do with the browser itself. And besides, IE exploits can always be more severe than any other browser simply because of the way it's tied in with the OS.
And, of course, there's plain and simple experience. Show me a spyware-ridden computer where Firefox is used exclusively for browsing. I don't think you could find such a thing, assuming the computer was clean to start with and average common sense had been used with downloads.
On another note, it's kind of nice to see the notice MS has been taking of Firefox lately. They must be feeling threatened.
Hmm, that was the number of bugs found in 2005, so far.
In other news...
Number of Unpatched Vulnerabilities:
Firefox: 3 out of 23
IE: 23 out of 50-something-plus
Wish I could find the article from last week that had the exact numbers.
Or the articles that mention how long some very major IE security holes went unpatched, months, some I think as long as 6 months. Firefox, on the other hand, had 17 or whatever holes because in most cases, people are looking for them, finding them, posting them, then they get fixed. Usually within days. And almost in all cases long before the exploit actually was seen in the wilds.
Compare that with the legions of MS powered zombie PCs, what a joke..
Or the fact that a lot of MSIE security holes are involved with ActiveX, which gives root level control of the OS.
The funny thing is that I think Bill actually sort of believes this nonsense, which is really good, that means that no matter what MS says in its PR releases, the corporate culture - i.e., what Bill wants and believes - will continue to generate more and more insecure products, that can only help the alternatives, which do not suffer from this mental deficiency. Why? Because they - open source products, that is - are almost all developed over the web, and have to deal with security issues as a matter of course, day in and day out. If you want to find one of the most security conscious groups of people in the world, hang out with some Debian developers, they might even share their PGP key with you if they like you...
I know one thing though, if I want real security information, I'm not going to ask an MS person, I'm going to ask a unix/linux type.
Plus the completely undeniable fact that if someone is using Firefox and Thunderbird, they aren't being exposed to anywhere close to the real world risk IE/Outlook users are being exposed to. MS can spin this as much as they want, but they keep adding more and more junk to these products; that virtually guarantees that they will always be filled with holes.
[edited by: 2by4 at 1:31 am (utc) on Aug. 3, 2005]
We can of course debate various statistics and compare records, but, well, it's Bill Gates, chairman of Microsoft. He would say that, wouldn't he? Microsoft is working very hard on improving IE security, with IE7 probably a very big step forward. It would be one hell of a story if he had said that Firefox was better than IE, but as it is, it's just the usual spin.
Threatened? No! Just look at Microsoft's history, they have always got what they wanted. To say Firefox is much safer would be foolish. Just wait until they become really popular among average computer users, where the hackers start targeting them and then we'll see how safe it really is. However, it's great for us Internet users, now both of them will have to work real hard on their browsers if they want people using them.
|They must be feeling threatened. |
Well, you don't hear Mr. Gates talking about Opera. Clearly, this Firefox upstart does not fit into the MS plans. You don't start talking or spinning about a competitor unless you do consider them a real competitor. Look at that reporter's question (at least as published). The reporter did not mention Firefox, Bill Gates introduced it by name.
|hackers start targeting them [Firefox] |
That started a while ago - a year ago or more. Sure, it's true that the bigger the market share the bigger the target. But that doesn't mean that hackers are ignoring Firefox until it reaches 40% or some monumental number. In fact, it would be a big coup for a hacker to release a working exploit against Firefox. So far, there's been precious little found "in the wild" and most vulnerabilities have been found and patched in a preventative manner - not after users were suffering.
I think it's important to crank up the level of discriminative thinking here and filter out spin and partial truths. What kind of measure is "number of exploits identified"? Especially when, as Robin mentioned, there is a bounty available - real cash - for finding a hole in Firefox and nothing like that for IE.
Secunia gives us pie graphs to compare "criticality" of how severe the reported security holes are - here are the two top numbers from the IE and Firefox reports:
edited for clarity
[edited by: tedster at 3:50 am (utc) on Aug. 3, 2005]
"To say Firefox is much safer would be foolish"
Ok, I'll go ahead and say it: FIREFOX IS MUCH SAFER.
Why do I feel comfortable saying this? Because I've followed the history of MSIE for many years. Now if you had said 'to say that MSIE will ever be really secure would be foolish' I'd have to agree with you wholeheartedly, since you'd have many years of exploits and security failures to point to to support your claim.
And there's just simple facts like Firefox not having ActiveX, and not supporting certain proprietary JS MSIE system calling functions, lots of other stuff.
And Firefox is open source, anyone can fix any hole they find anytime they want, then submit the fix. Including security researchers, who have to pray that MS will pay attention when they notify them.
I don't often stick my neck out with predictions but I'm going to here.
IE 7 will be the last release. MS will give up because the reward to effort ratio will make it uneconomic. Right now, this is already true. IE 7 is under development for reasons of company pride not commercial logic.
If MS were to officially unburden themselves, that would leave a lot of programmers that could be reassigned to commercially-viable products and/or OS development. That would just leave the compiled HTML help system and Outlook (Express). If these were converted to a Mozilla engine, the job would be done.
Eventually, MS will realise this and bite the bullet.
|Just wait until they become really popular among average computer users, where the hackers start targeting them and then we'll see how safe it really is. |
The real security issue here is not marketshare, it's the fact that IE is so deeply integrated with the operating system. That makes it inherently insecure. That and ActiveX.
Also, notice the relative marketshares of Apache and IIS. And yet, it's IIS that's always getting hacked and new vulnerabilities always being found.
It's always interesting to me when I see posters repeat word for word MS company spin, I guess MS is getting some value for their PR dollars.
As MatthewHSE points out, absolutely correctly, Apache serves up something like 65% of all the websites on the web, it's by far the most dominant web server on the planet, and has been for years, yet it's IIS that has been the victim of attackers. The same IIS that at one point the Gartner Group declared to be an absolute security disaster.
Worth taking a look at what US-CERT say - they appear to be talking on behalf of the US Dept of Homeland Security.
"Use a different web browser ..... There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model..."
If they advise using another browser rather than IE, anyone else's advice to use IE should be rigorously backed up with evidence of mistakes in US-CERT's analysis.
For me, it's their recommendation I pass on to my clients.