Forum Moderators: incrediBILL
There have been more security problems outside of Internet -- with Firefox in particular -- than with Internet Explorer. So the contrast of how diligent we've been about fixing things, doing things, updating things has been made clear. ...
Thus saith Bill.
What the ...?!?
And, of course, there's plain and simple experience. Show me a spyware-ridden computer where Firefox is used exclusively for browsing. I don't think you could find such a thing, assuming the computer was clean to start with and average common sense had been used with downloads.
In other news...
Number of Unpatched Vulnerabilities:
Firefox: 3 out of 23
IE: 23 out of 50-something-plus
Wish I could find the article from last week that had the exact numbers.
Compare that with the legions of MS-powered zombie PCs, what a joke..
Or the fact that a lot of MSIE security holes are involved with ActiveX, which gives root level control of the OS.
The funny thing is that I think Bill actually sort of believes this nonsense, which is really good, that means that no matter what MS says in its PR releases, the corporate culture - i.e., what Bill wants and believes - will continue to generate more and more insecure products, that can only help the alternatives, which do not suffer from this mental deficiency. Why? Because they - open source products, that is - are almost all developed over the web, and have to deal with security issues as a matter of course, day in and day out. If you want to find one of the most security conscious groups of people in the world, hang out with some Debian developers, they might even share their PGP key with you if they like you...
I know one thing though, if I want real security information, I'm not going to ask an MS person, I'm going to ask a Unix/Linux type.
Plus the completely undeniable fact that if someone is using Firefox and Thunderbird, they aren't being exposed to anywhere close to the real world risk IE/Outlook users are being exposed to. MS can spin this as much as they want, but they keep adding more and more junk to these products; that virtually guarantees that they will always be filled with holes.
[edited by: 2by4 at 1:31 am (utc) on Aug. 3, 2005]
They must be feeling threatened.
Threatened? No! Just look at Microsoft's history, they have always got what they wanted. To say Firefox is much safer would be foolish. Just wait till they become really popular among average computer users, where the hackers start targeting them and then we'll see how safe it really is. However, it's great for us Internet users, now both of them will have to work real hard on their browsers if they want people using them.
Well, you don't hear Mr. Gates talking about Opera. Clearly, this Firefox upstart does not fit into the MS plans. You don't start talking or spinning about a competitor unless you do consider them a real competitor. Look at that reporter's question (at least as published.) The reporter did not mention Firefox, Bill Gates introduced it by name.
hackers start targeting them [Firefox]
That started a while ago - a year ago or more. Sure, it's true that the bigger the market share the bigger the target. But that doesn't mean that hackers are ignoring Firefox until it reaches 40% or some monumental number. In fact, it would be a big coup for a hacker to release a working exploit against Firefox. So far, there's been precious little found "in the wild" and most vulnerabilities have been found and patched in a preventative manner - not after users were suffering.
I think it's important to crank up the level of discriminative thinking here and filter out spin and partial truths. What kind of measure is "number of exploits identified"? Especially when, as Robin mentioned, there is a bounty available - real cash - for finding a hole in Firefox and nothing like that for IE.
Secunia gives us pie graphs to compare "criticality" of how severe the reported security holes are - here are the two top numbers from the IE and Firefox reports:
Extremely critical -- 15% ie -- 0% ff
Highly critical -- 27% ie -- 19% ff
edited for clarity
[edited by: tedster at 3:50 am (utc) on Aug. 3, 2005]
Ok, I'll go ahead and say it: FIREFOX IS MUCH SAFER.
Why do I feel comfortable saying this? Because I've followed the history of MSIE for many years. Now if you had said 'say that MSIE will ever be really secure would be foolish' I'd have to agree with you wholeheartedly, since you'd have many years of exploits and security failures to point to to support your claim.
And there's just simple facts like Firefox not having ActiveX, and not supporting certain proprietary JS MSIE system calling functions, lots of other stuff.
And Firefox is open source, anyone can fix any hole they find anytime they want, then submit the fix. Including security researchers, who have to pray that MS will pay attention when they notify them.
IE 7 will be the last release. MS will give up because the reward to effort ratio will make it uneconomic. Right now, this is already true. IE 7 is under development for reasons of company pride not commercial logic.
If MS were to officially unburden themselves, that would leave a lot of programmers that could be reassigned to commercially-viable products and/or OS development. That would just leave the compiled html help system and Outlook(express). If these were converted to a mozilla engine, the job would be done.
Eventually, MS will realise this and bite the bullet.
Just wait till they become really popular among average computer users, where the hackers start targeting them and then we'll see how safe it really is.
The real security issue here is not marketshare, it's the fact that IE is so deeply integrated with the operating system. That makes it inherently insecure. That and ActiveX.
Also, notice the relative marketshares of Apache and IIS. And yet, it's IIS that's always getting hacked and new vulnerabilities always being found.
As MatthewHSE points out, absolutely correctly, Apache serves up something like 65% of all the websites on the web, it's by far the most dominant web server on the planet, and has been for years, yet it's IIS that has been the victim of attackers. The same IIS that at one point the Gartner Group declared to be an absolute security disaster.
"Use a different web browser ..... There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model..."
If they advise using another browser rather than IE, anyone else's advice to use IE should be rigorously backed up with evidence of mistakes in US-CERT's analysis.
For me, it's their recommendation I pass on to my clients.