Alternative Browsers: More Bugs, but Less Risk?

         

encyclo

1:53 am on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Article: [securityfocus.com...]

Software with fewer bugs is not necessarily less risky to use, according to a recent study conducted by the Honeynet Project. (...) While researchers have disclosed about twice as many vulnerabilities for Firefox 1.5.0 as for Internet Explorer 6 SP2, the Honeynet Project found no attacks against the browser. Microsoft's Web software, however, was compromised nearly 200 times.

While Microsoft Internet Explorer 6 commands an overwhelmingly greater share of the market than Firefox 1.5 (...) the researchers focused on Mozilla's faster patching, as compared to Microsoft, as an explanation for the discrepancy. "Firefox is truly a moving target," the five authors wrote. Opera's browser had the smallest number of flaws and, like Firefox, was not compromised.

Full study available here: [honeynet.org...]

tedster

3:46 am on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's another key issue that makes IE a target for malicious intent, I think. With Explorer so tightly integrated into the Windows operating system, the successful breach of a given end user can more easily generate some serious spoils for the exploiter.

Speed of patching is still the #1 line of defense, though. And I loved the graph of the three browsers' levels of known exploits. Opera is looking like a great choice - fewer bugs by a long shot AND no active exploits found during the study.

amznVibe

7:30 am on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Any project can have bugs, problems or get stagnant.

It's just that people behind Firefox and Opera respond faster to problems and new ideas where the monolithic Microsoft does not.

It really is that simple.

I also can't recall how I got anything done in IE before Firefox and its plugins. It makes my work so much more productive. When I have to fire up IE to test pages it's simply annoying and unfortunate to see.

[edited by: amznVibe at 7:35 am (utc) on Sep. 3, 2007]

GrendelKhan TSU

7:56 am on Sep 3, 2007 (gmt 0)

10+ Year Member



I keep hoping the new PC Safari browser will be good...but it's so dang buggy (as of yet) it's not even worth the security advantages.

in future? we'll see.

eg: FF has HUGE access and usage problems in Korea since there is such a high ActiveX use here (used for many banking security programs ironically).

gibbergibber

8:01 am on Sep 3, 2007 (gmt 0)

10+ Year Member



Market share has to be a factor here as well, attacks (particularly professional attacks) are far more likely to target the most used browser. If Firefox or Opera overtakes IE, they will experience more attacks.

drewls

5:11 pm on Sep 3, 2007 (gmt 0)

10+ Year Member



amznVibe, try this:

[ietab.mozdev.org...]

You can render with IE in a FF tab. :)

tedster

5:35 pm on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for that recommendation for the IETab extension - very, very sweet!

zafile

5:53 pm on Sep 3, 2007 (gmt 0)



"... researchers have disclosed about twice as many vulnerabilities for Firefox 1.5.0 as for Internet Explorer 6 SP2..."

I must say I'm quite happy with IE7, Live One Care and Windows Update.

Live One Care is an excellent add-on to my system. It features a two-way firewall, antivirus, anti-spyware. It even finetunes my PCs. And it's free during the first 3 months of usage.

The Honeynet Project should configure their PCs with IE7, Live One Care and Windows Update.

Cheers!

tedster

6:52 pm on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Isn't there something just a bit strange about Microsoft selling Live One Care to protect you from problems with their own browser? I know it does much more than that, and a certified AV solution alone takes a lot of work - but still, it leaves me with a very odd feeling. AOL gives similar protection to its users for free, no?

[edited by: tedster at 7:33 pm (utc) on Sep. 3, 2007]

zafile

7:03 pm on Sep 3, 2007 (gmt 0)



I rather pay Microsoft for Live One Care than paying Symantec or McAfee for their products.

AVG is a good alternative for a free product. However, it's just an antivirus.

With Live One Care I get a pretty nice and simple to use two-way firewall, anti-virus, anti-spyware. It also automates various tasks to finetune my operating systems.

It'll be nice for Microsoft to give Live One Care for free but can you imagine the guys from Symantec and McAfee immediately filing suits against Microsoft.

Like I said, I rather pay Microsoft for a product I know works well with my systems.

incrediBILL

11:27 pm on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The whole premise of security through obscurity is completely flawed and lures people into a false sense of security.

Websites that have malware injector scripts work just as well on Firefox as MSIE unless you have javascript disabled so that report is complete BUNK!

> It'll be nice for Microsoft to give Live One Care for free but can you imagine the guys from Symantec and McAfee immediately filing suits against Microsoft.

Microsoft decimated the email and browser industry giving it all away and everyone freely uses Outlook and Internet Explorer. Not to mention they bundle all sorts of additional tools others used to make a living developing that are now out of work.

Other than the DoJ's antitrust action, show me the rest of the lawsuits?

Even if those companies sued, MS has the upper hand in that giving it away will destroy those companies while the litigation is pending for years and by the time it's resolved those companies no longer exist and/or the customers have long gone away.

> Like I said, I rather pay Microsoft for a product I know works well with my systems.

I'd put my trust in a company whose expertise was security and so far that is NOT Microsoft's. Besides, the 3rd party security company has a more vested interest in quickly responding to a crisis than MS as the 3rd party can lose their business over inability to rapidly resolve a security problem and to MS it's just another bug fix.

GrendelKhan TSU

11:53 pm on Sep 3, 2007 (gmt 0)

10+ Year Member



I thought AVG isn't free anymore (discontinue their updates for the free version).

great if they do..but I swear I saw an announcement otherwise.

Clark

12:28 am on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



iBill, I'm not saying you're wrong but I want to ask on what basis are you saying that Firefox is AS vulnerable as IE?

I haven't done a study, but my experience has been that browsing with IE gives me spyware quite quickly, as checked by regular spybot runs.

When I surf with Firefox, it happens rarely. It's been my feeling that Firefox is much less vulnerable than IE.

Are you speaking from experience? A study you did? A study you read?

incrediBILL

2:09 am on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> Are you speaking from experience? A study you did? A study you read?

Didn't say FF was more or less secure or would even fall prey to the same exploits, but the only safe way to surf with FF is with Javascript disabled and it doesn't hurt to even disable some other things like Java and some plug-ins as well.

I've personally had the AV software kick off and stop lots of malware in FF and it happens on a somewhat regular basis because of the type of online work I do puts me in hazardous online places all the time.

Sometimes I have to enable JS just to get to the root of the malware hosting site as the code is too obfuscated so I turn it on, hit reload and pray ;)

Then again, I also have multiple machines and don't play Russian roulette with my primary systems.

amznVibe

4:08 am on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I can't think of anything more reverse logic than running IE inside Firefox O_o

I only fire up IE to see how the average novice will see a page in IE, I don't want to see IE in my premium Firefox setup.
And I can't imagine the security risk either.

Speaking of buggy browsers with less risk, Opera 9.50 alpha should be out today and the previews make it look kinda snazzy.
[my.opera.com...]

[edited by: amznVibe at 4:17 am (utc) on Sep. 4, 2007]

vincevincevince

4:46 am on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I can generally live with javascript in both browsers, but it goes without saying that Flash, ActiveX and Java are out.

Clark

6:19 am on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I didn't realize that java and flash are a security risk. I know that the MS version of java is bad but the more recent ones from Sun were supposed to be ok.

hutcheson

1:44 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>Like I said, I rather pay Microsoft

You'll forgive us for wondering if it isn't the other way around.

Dilly

5:17 pm on Sep 4, 2007 (gmt 0)

10+ Year Member



cheers encyclo for the link, started using sandboxie and opera now as recommended in the study by honeynet.

[edited by: Dilly at 5:18 pm (utc) on Sep. 4, 2007]

zafile

10:02 pm on Sep 4, 2007 (gmt 0)



"You'll forgive us for wondering if it isn't the other way around." Indeed, it'll be nice to be paid by Microsoft!

But no, mine is a completely ad honorem participation.

I simply made an extensive research on the development of computers and the Internet. The research made me better understand the "Who Moved My Cheese" politics in this industry.

So, I just like to participate in these debates to share facts.

Cheers!

[edited by: tedster at 10:29 pm (utc) on Sep. 4, 2007]

hutcheson

11:17 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I will DEFINITELY require your forgiveness.

zafile

12:08 am on Sep 5, 2007 (gmt 0)



No problem. Just read "Who Moved My Cheese".

The guys from Symantec and McAfee should read it too!

hutcheson

12:53 am on Sep 5, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm more concerned about who's poisoning it.

zafile

2:43 am on Sep 5, 2007 (gmt 0)



Ultimately, "this industry is based on good products, but the press wishes it was based on conspiracies. They should all work for detective magazines or something."

A quote by Bill Gates in a note published by Computer Reseller News on November 14, 1988 and titled "Gates: Dealing With A Non-Technical World".

hutcheson

5:08 pm on Sep 5, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You've perhaps not been watching the ISO shenanigans around the OOXML vote. But that wasn't in the detective magazines, although it was in the NYT (New York Times) and PC World.

The trouble is, when someone has earned a reputation as a 500-pound bully (like Gates has), people start noticing all the little weaklings that start verbally abusing the bully's current target.

And Microsoft has been really worried about alternative browsers -- enough to break the law in dozens of jurisdictions to squash the commercial Netscape (at least, so say the courts. I defer to your experience of the detective magazines.)

And they're worried again, as Firefox shows no signs of topping out, and IIS keeps dropping further behind.

I use both browsers -- FF by choice because of its functionality and safety and stability, the IE when imposed by corporate boneheadedness. So I know how long it takes to crash IE -- about 30 minutes. (Just open three or four windows, and switch back and forth between them to keep them all actively loading.)

And I know how many days of safe computing you could have practiced last year with IE (just counting the known critical errors) -- any creature with the original number of opposable thumbs could have counted them on its thumbs! But that may be further back in history than you researched: and it certainly wasn't in a Microsoft press release.

But even if the stability shoe was on the other foot, I'd still use FF preferentially because of several significant usability features -- most notably resizeable text.

zafile

10:23 pm on Sep 5, 2007 (gmt 0)



The trouble isn't the 500-pound bully.

The trouble is with Hem and Haw as "they had not been paying attention to the small changes that had been taking place each day, so they took it for granted their cheese would be there. They were unprepared for what they found.

'What! No Cheese?' Hem yelled. He continued yelling 'No Cheese? No Cheese?' as though if he shouted loud enough someone would put it back.

'Who moved my Cheese?' he hollered.
Finally, he put his hands to his hips, his face turned red, and he screamed at the top of his voice, 'It's not fair!'"

[usatoday.com...]

graeme_p

7:54 am on Sep 14, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I am very suspicious of vulnerability counts. The last time I looked at one closely it was a Linux vs Windows one. They had multiple counted Linux vulnerabilities (once for each distribution it showed up in) and compared all software included in the Linux distros (a huge amount) against just Windows.

Now, I have not looked at the FF vs IE vs Opera numbers in detail, but do not trust them without a close look.

Even with the best intentions, questions of severity and disclosure policy make fair comparisons very difficult.

I am not too worried, because I know of no attacks on my platform (FF with Noscript on Linux). If it does become more of a target I will go back to running the browser as a different user, so it cannot alter my files, or I will run SELinux which limits what files it can access.