CritterNYC - 7:13 pm on Feb 4, 2005 (gmt 0)

Average Joes approve any installation anyways. I've seen it happen myself. A website would ask if he/she wants to install this piece of software and users would just click Yes no matter what. Just to get rid of the window, without even reading what it says. So if Average Joes will start using FF, they will confirm any kind of downloads too.

There's a BIG difference between IE and Firefox where software installation is concerned. IE, forever, allowed you to OPEN downloaded EXEs directly from the browser. It also allowed ANY site to install an ActiveX component as long as it was signed. Nearly everywhere spyware app is signed.

Today, Internet Explorer, even on Windows XP SP2, still allows you to RUN an EXE right from the browser when you download it. And it is very easy to accidentally hit RUN or OK if you're typing. All versions of Internet Explorer except XPSP2 also allow ANY website to install an ActiveX component directly. Just a quick click of OK from the user (unless the site uses one of many exploits to install directly). And it is very easy to accidently click OK... say if you are typing something and hit the space bar or enter.

Firefox, on the other hand, makes FAR smarter decisions about how to handle these situations. Firefox DOES NOT let you run an EXE from the browser. You HAVE to save it first. So, you'd need to save and then find and run it. Not something you can accidentally do.

In addition, the spyware losers started trying to auto-install using Firefox' extension XPIs. Mozilla responded by only allowing XPI installations from whitelisted sites (and only mozilla.org and mozdev.org are whitelisted). They also implemented a 3 second countdown timer, so you couldn't accidentally click OK. This cut the spyware folks off at the knees.

Add to all this the fact that Firefox security issues are patched very quickly whereas IE issues languish for months after an exploit is released... and you see why there is less spyware for Firefox AND why there is a big incentive for a hacker to get one in the wild... it's a big challenge and would lead to big bragging rights. I'd wager there's MORE incentive for the high-end hackers due to the bragging rights issue. Getting something into IE is so damn easy that it doesn't really gain a hacker any reputation.