parry Posted September 18, 2005 (edited)

Some of you may have already seen this since it was posted the other day:

Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week's premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.

Here is a breakdown of recent vulnerabilities:

Month       Firefox 1.x Vulnerabilities   IE 6.x Vulnerabilities
Sept 2005    1                             0
Aug 2005     0                             4
July 2005   10                             1
June 2005    2                             1
May 2005     3                             1
Apr 2005     9                             3
Mar 2005    15                             0
Total       40                            10

Note that this is not a count of the number of advisories, because advisories can contain multiple vulnerabilities. This is a count of the actual number of vulnerabilities.

Here is a breakdown of recently published exploits:

Month       Firefox Exploits   IE Exploits
Sept 2005    1                  0
Aug 2005     0                  3
July 2005    4                  1
June 2005    0                  0
May 2005     4                  0
Apr 2005     2                  2
Total       11                  6

Note that I won't publish the links to these exploits here.

As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005. Since that time, new exploits are being released almost on a monthly basis.

Source

Edited September 18, 2005 by parry
sate Posted September 18, 2005

I guess I saw that coming, since Firefox is so popular. So we should switch to IE now? Can I download IE 7 free, btw?
Opius Posted September 18, 2005

Can IE be patched in under 24 hours?
EmSixTeen Posted September 18, 2005

> Can IE be patched in under 24 hours?

Exactly. And IE6 has been around for just a teeny bit longer than Firefox; it goes without saying that fewer and fewer exploits will be discovered.
SWEETSAPRIK Posted September 18, 2005 (edited)

I can't think of anything to say that wasn't already mentioned at the bottom of the page that your link leads to. Vulnerabilities are not exploits, how many still exist in IE even after patching, etc., etc.

(EDIT) According to Secunia, more highly critical flaws are still unpatched in Internet Explorer (19 flaws) http://secunia.com/product/11/ than in Firefox (3 flaws) http://secunia.com/product/4227/

Meh, the safety of one over the other changes depending on who you're talking to. I've become so used to the features FF has over IE that I couldn't switch. Hell, when they released the info about the "javascript vulnerability" I turned off javascript; I didn't switch back to IE. If I remember correctly, they fixed that before anyone made an exploit anyway.

Edited September 18, 2005 by SWEETSAPRIK

PяopagaиdaIиc.
BenMillard Posted September 18, 2005 (edited)

No pattern can be drawn from such small, erratic numbers.

Edited September 18, 2005 by Cerbera
Wolf68k Posted September 18, 2005

Wait wait wait. Are those figures accounting for the number of IE exploits that have yet to be fixed and have been known for some time? I'll bet not.

Also, as Opius implied: within 24 hours, a week at the most, after getting word of the flaw, the Mozilla teams (which is a HUGE number because it's open source) have a fix of some kind released, whether that be a patch or an easy workaround people can do until the patch or update comes out. M$ with IE, on the other hand, gets word of the flaw and then sticks it under the stack of other flaws they have and are working on, and months later the grace period passes and the flaw info is let out to the public. Then M$ sees how bad this flaw really is before they say, "hmm, maybe we should fix this a bit sooner than 'whenever'."

If you tried hard enough, I'll be willing to bet you could find there are flaws in IE6 that have been around since IE3. No joke, there was a flaw in IE3 or 4 that still existed in IE5, but what makes this so funny was that in IE5 the flaw was opened up and made worse, and not because it was now public knowledge but because M$ screwed up (gee, what a surprise).
ilikensrs Posted September 18, 2005 (edited)

> Wait wait wait. Are those figures accounting for the number of IE exploits that have yet to be fixed and have been known for some time? I'll bet not.
>
> Also, as Opius implied: within 24 hours, a week at the most, after getting word of the flaw, the Mozilla teams (which is a HUGE number because it's open source) have a fix of some kind released, whether that be a patch or an easy workaround people can do until the patch or update comes out. M$ with IE, on the other hand, gets word of the flaw and then sticks it under the stack of other flaws they have and are working on, and months later the grace period passes and the flaw info is let out to the public. Then M$ sees how bad this flaw really is before they say, "hmm, maybe we should fix this a bit sooner than 'whenever'."
>
> If you tried hard enough, I'll be willing to bet you could find there are flaws in IE6 that have been around since IE3. No joke, there was a flaw in IE3 or 4 that still existed in IE5, but what makes this so funny was that in IE5 the flaw was opened up and made worse, and not because it was now public knowledge but because M$ screwed up (gee, what a surprise).

You certainly strike me as an impartial advisor on this subject; it must be the replacing of the "s" in Microsoft with the dollar sign that does it.

I personally feel that when the code grows beyond a certain size then problems are inevitable, no matter whether the project is open or closed source, free or sold, black or white. It is interesting to see how many people will come flying out of the woodwork to mention that Firefox bugs and vulns don't mean anything because IE is worse, yet were I to release my own browser with the security model based on that of a colander nobody would cut IE any slack.

Anyway, take these figures at face value, or don't. Fact of the matter is that all common software will have bugs, exploits, and whatever else.

Edit: Re IE taking longer to patch than Firefox. A million and one zealots across the globe have access to the Firefox source code, and can make the necessary changes and push them upstream very quickly. IE, on the other hand, is the product of a massive corporation and doesn't get the benefit of all those hands. This is the fault of the Microsoft business model. However, from what I understand, IE patches also have to go through extensive testing to make sure they won't break anything. I have also been led to believe that due to a decision made by the U.S. government, patches for any Windows component, no matter how urgently they are needed, must be released for all afflicted programs and platforms in all languages at the same time. This ties up the QA time a lot more, and obviously means that the patches take a hell of a lot longer to get released. Most of the time patches are ready to roll for IE6 running under winxp en but get delayed while they test for any issues with IE6 running under win95 zh.

Short version for people who can't read: Microsoft surely should speed up the patching process, but they're not the only reason your patches can take so long to reach you. Rawr, m"$" is f*cking you again while bill gate"$" watches and strokes.

Edit 2: QFT?

Edited September 18, 2005 by ilikensrs
Tornado Rex Posted September 18, 2005 (edited)

Meh, stats like this are flawed in a ton of ways. First off, MS is a huge f*cking company whereas Mozilla is a small (more or less) foundation of mostly volunteers. Secondly, IE is a closed-source project whereas FF is completely open source. It's common sense that FF is going to show more exploits for the simple fact that people have the code right in front of their face as opposed to having to reverse engineer the program to find flaws.

There's also the issue that this was done on IE 6. With IE 7 coming out very soon I'm sure a lot of exploiters have turned their attention to finding holes and bugs in that, since there will no doubt be a mass update once it's publicly released.

Then of course you have why it's all negated. Like what everyone else has said, you can patch FF much faster. Hell, you can even set FF to download the nightly builds (which usually get the exploits fixed before anyone even knows about them) automatically every day (which is what I do, it's pretty sweet).

Nonetheless, interesting info. I honestly didn't know FF had so many exploits. That's probably a good thing though.

Edit:

> Fact of the matter is that all common software will have bugs, exploits, and whatever else.

Quoted for truth

Edited September 18, 2005 by Tornado Rex

~ Proud Supporter of the Child's Play Charity! | GTANET + Child's Play ~
Wolf68k Posted September 18, 2005

You know why IE's patches have to go through such testing to make sure it doesn't break anything? It's because F'ing IE is interwoven into Windows. Which means if IE screws up, it filters down into the OS. Now if IE wasn't so tightly woven into the OS there would be less testing.

You're right, FF does have millions of people working with the open source, and as Rex pointed out most of those people do it in their spare time. So it's these people that are going to find the flaws and find a fix at the same time, then report said flaw and fix to Mozilla, who will then release a statement to the public along with the fix. IF the flaw is really bad, like the IDN flaw that's currently out, they release a 'patch' that disables IDN, but they also tell the public how they can disable it themselves until a more permanent fix has come out.

Now IE had the same issues with IDN in the past. It was a security firm that found the flaw and told M$ about it, who did exactly jack about it for months. In the meantime, in the "black hat" hacker community the flaw was coming to light, as were ways to exploit the flaw; hell, it was because of these people that security teams pushed M$ to get off their collective a**es and do something about it, and even then it wasn't until it was released to the public that they finally released a patch that only half-a** fixed it.

IE has a few people working on it because it's a closed project, just as Rex also pointed out, something that M$ needs to think about changing if they want to get the ugly black mark off their products. I'm not saying that M$ should release the source code for all of their products. Software is their bread and butter, but hell, they're giving away the program anyway, so it shouldn't hurt to give the code.

But oh wait, they can't, because as I said IE is such a tight-knit part of Windows that none of the open source flaws or patches would be able to be confirmed until it's back in M$'s hands and then tested for several months, because it'll take that long for them to get around to it, because they will be too busy trying to bloat IE with more crap that either isn't really needed or should have been included years ago.

Oh, as for me using $ when typing M$ or even Micro$oft, it's a force of habit. If it bothers you, oh well. M$ is all about the profit, while others are more about the product. They don't really care about people or their customers, only for how much money they can suck off of them.

Another reason that might explain why IE seems to be having fewer flaws (remember, these are only the publicly reported flaws) is the move away from IE. Even the security firms are tired of M$ dragging their feet to do anything.
segosa Posted September 18, 2005

I bet there are hundreds of flaws for IE that are only known to hacking groups, which are used for personal exploiting only (not on a mass scale).
reticulatingsplines Posted September 19, 2005

Opera, on the other hand, is still looking pretty tight. As is Safari. It just goes to show that the hackers and script kiddies will run to wherever the fun is. With such low penetration, neither alternative to the "Big 2" is worth the effort, apparently.
Wolf68k Posted September 19, 2005

Well, usually whatever flaws there are in FF you'll also find in Safari and Netscape; they are all made off of the Mozilla core.
Waste Posted September 19, 2005

> Well, usually whatever flaws there are in FF you'll also find in Safari and Netscape; they are all made off of the Mozilla core.

Nope. Safari is a KHTML browser. It runs off the same engine Konqueror does. http://en.wikipedia.org/wiki/KHTML
Knightmare Posted September 19, 2005

> Opera, on the other hand, is still looking pretty tight. As is Safari. It just goes to show that the hackers and script kiddies will run to wherever the fun is. With such low penetration, neither alternative to the "Big 2" is worth the effort, apparently.

I think that has more to do with the mass of users. IE/Firefox are the #1 and #2 most widely used browsers, correct? They're targeted more since more users = more people to exploit. I'm sure if everyone started using Opera/Safari, there would be a boatload of exploits to find, just like every other browser.

Thanks
-shaDow
reticulatingsplines Posted September 19, 2005

> I think that has more to do with the mass of users. IE/Firefox are the #1 and #2 most widely used browsers, correct? They're targeted more since more users = more people to exploit. I'm sure if everyone started using Opera/Safari, there would be a boatload of exploits to find, just like every other browser.

Absolutely right, that's what I meant to say. Not that I'd ever consider the possibility of thinking about maybe getting a Mac, but at least they don't have the ongoing hilarity of exploits popping up every five seconds as in Wintel land. Granted, that's got more to do with market penetration than how good their engineers are, but still.
Dup Posted September 19, 2005

I go on lots of sites that may decide they want to f*ck up my browser, force me to have pop-up adverts or just sneak some hidden spyware/adware in there. In, say, a month I can guarantee that by using IE I will get these problems; using Firefox, I won't. I run Ad-Aware and Spybot every month and get almost nothing whilst using Firefox; if I use IE just once for a site that doesn't like Firefox for some reason, I get at least 1 bit of spyware from somewhere.

IE is more easily exploited than Firefox, and IE is also an unfriendly browser to design websites for. Firefox is also faster too. Nothing is ever fault free, but you have to look at the front end benefits rather than the small niggles that will rarely be exploited in your case before they are found and fixed very swiftly by Mozilla. IE fixes are few and far between and fix more than is publicised.
Svip Posted September 19, 2005

Bugzilla, anyone?

Anyways, in case you are wondering about the browsers: Safari might never become as used as Firefox or IE, as it's only for MacOS, and it's not open source. That said, MacOS uses FreeBSD services, which means the kernel of MacOS is relatively close to FreeBSD, and thus *BSD, and therefore Linux and other *nix systems. So if it was in the Safari developers' interest, Safari could easily be ported to *nix.

Also, Netscape is not based on Mozilla. Netscape decided, in order to win over IE in the gogo-90's, to make their browser open source, which then led to Mozilla, as Mozilla's core is based on Netscape. Today both browsers have nothing to do with each other.

Anyways. Firefox is new, and thus there are things the developers haven't thought of yet. Despite that, since Firefox is open source, it's much easier to track the bug. And perhaps some flaws/bugs are discovered in Firefox because of being open source, as they don't have any "visible" damage (in the sense that you wouldn't notice it when it happened), whereas IE could possibly fly across bugs without anyone discovering them, and nobody has the access to dig up the code.

Firefox is still new. Give it time, I say. This debate is retarded and plain useless.