
US-CERT Cites FireFox Not less Vulnerable Than IE


KCDoug


Just got my Langalist newsletter this morning. He cites US-CERT (United States Computer Emergency Readiness Team) findings that FireFox is not more secure/less vulnerable than IE. From the links he provides it would seem that this is not a brand new thing.
I think Fred is providing info that is worthy of review when evaluating pros and cons of FF or any browser. A partial quote from his newsletter is pasted below.
-Doug
"...For example, between July 1 and December 31, 2004, Symantec documented 13 serious vulnerabilities affecting Microsoft Internet Explorer, but found 21 vulnerabilities affecting each of the Mozilla-based browsers.
But don't take my word for it--- read the reports for yourself, see the methodologies for yourself, and decide for yourself: The article posted now (free!) at http://www.informationweek.com/story/showA...cleID=160900911 has all the details and links you'll need.
I wrote that article to try to help readers interested in FireFox in particular and Open Source in general to make an informed decision. There are many, many excellent, proven, objective benefits to switching to Open Source software--- but there's also a lot of misinformation, and some very, very *bad* reasons to switch.
For example, the "common knowledge" that FireFox is "more secure than IE" simply is false. Switching to FireFox for that particular reason--- in the belief that you'll magically and automatically be more secure--- is just plain wrong..."

Edited by KCDoug

Interesting article from Fred Langa, and a little surprising as well. I guess the common misconception is that FF is more secure, or so we were led to believe. :rolleyes: However, I use FF and will continue to do so. And not because I am anti-microsoft. I just like it better, plain and simple. :)


From Secunia:

Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
Less secure? Please. Give me a break. I'm not under any illusions that Firefox is more secure just because it is Firefox. However, I am sure that the Mozilla developers try their hardest to make sure it is secure. There are many bugs that are fixed 15 minutes after they're reported.
Most of these "SECURITY ALERT"s that I see are things that are already fixed and released, or at least soon to be released. People find bugs and report them. They stay inaccessible to the public until they are 1) Fixed and pushed into a public update or 2) Reported publicly (some people that report a security bug to bugzilla.mozilla.org but don't get it fixed decide to take it to a place like Secunia to get exposure to it)
Either way, the bugs end up fixed either before or soon after they are publicly known. There is a debate, of course, about how they handle the bugs. Some people say that the bugs should always be public, whether they are security or not, but I think I agree with mozilla.org's policy of not disclosing them.
Anyway, when it comes down to it, Firefox is more secure based on what Secunia says (if you don't trust mozilla.org's word, Secunia is independent), and I have lost trust in IE.
Also, just for the record, his "Beyond Security" section (page 4 of that article) is way off. Those problems are not Firefox's problems, they are web site problems. Take these very forums, for example. Remember the old post problem, where parts would look out of place, be missing, all the crazy problems (fixed recently by rebuilding post content)? Those were not Firefox's fault at all. However, how many people blamed them on Firefox? "IE doesn't have the problem! Firefox must be broken!"
Anyway, I'm sorry for the rant, and I'm sure people disagree with what I've said, so I'll just stop here.

There are many bugs that are fixed 15 minutes after they're reported.
How many of the fixes get installed by the users of FF and in what time frame? There's a difference between being fixed by the vendor and being fixed by the masses. :rolleyes: Does FF have an automated check for updates built into it? Do people use it or disable it? Do the fixes require the end user to reinstall all their add-ons? That would slow the distribution of the patches if so.
While not a FF user, I'm not an IE bigot either. I use Netscape. :)
I think I agree with mozilla.org's policy of not disclosing them.
And MS's policy also.

How many of the fixes get installed by the users of FF and in what time frame? There's a difference between being fixed by the vendor and being fixed by the masses. :) Does FF have an automated check for updates built into it? Do people use it or disable it? Do the fixes require the end user to reinstall all their add-ons? That would slow the distribution of the patches if so.
There is an auto-update. How is it mozilla.org's fault if people don't use it? Although I'm sure some people are unable to get the auto-update to work, many people do get it to work. It's nobody's fault but the users if they aren't up to date. Would you use a virus scanner without updating it? Maybe, but how is it Symantec's fault if you aren't up to date and you get a virus?
And MS's policy also.
Yeah, but MS doesn't disclose anything, whereas mozilla.org is open with everything except security stuff.

There is an auto-update. How is it mozilla.org's fault if people don't use it?
The same can be said about MS and Windows and IE.
Would you use a virus scanner without updating it?
No, but I can assure you many do. And they don't run firewalls or antispyware utilities either. And some people still run Windows 95 and 98 and Me and refuse to install SP2 on XP. So are all the problems with Windows and IE then user problems?
It's nobody's fault but the users if they aren't up to date.
:rolleyes:

heh, you beat me to it. i just read the article and was about to post on it
what brought me to use other browsers and shy away from IE is all the extra web features. Opera and Firefox have tabbed browsing, pop-up blocking, skins/themes and more. I've always been very careful and never come upon many security problems even when IE was my main browser. Plus I always keep things updated and frequently check updates for AntiVirus, IE, Windows, Firefox, Opera, etc. and have found as long as you keep things updated and be careful of odd stuff that things will generally be okay without much worry.
it does make one think rather than blindly assume anything not IE is better (although in my experience, anything not IE is better)

Does FF have an automated check for updates built into it? Do people use it or disable it? Do the fixes require the end user to reinstall all their add-ons?
In my experience, all my settings/extensions (both Opera and Firefox) go relatively untouched when installing updates.
According to the Firefox help contents: By default, Firefox will periodically check and notify you when a new version is available. Uncheck this option to disable the periodic check.
Edited by DarkSerge

I've been using FF for about 6 months. I was attracted by the additional features over IE (which has been developmentally dormant for a few years) and the logic that it's probably not as big a malicious code target as IE. And I like the notion of not being part of the masses all the time.
BUT...I had and still do have frustrations with FF. Its update process remains clunkier than IE; reading recommendations to do a clean install every time a .xx version/update is released ain't warm and fuzzy and this makes it not ready for prime time for too many casual browser users. Not yet having enough mainstream firewall support is another negative, albeit it supposedly for just a few months longer. The coolness of open code and creativity and diversity of talented folks releasing terrific extensions is a great virtue...and still a weakness - especially when extensions must be reinstalled or they are not updated by authors and rendered useless. And whether you choose to blame web sites, or FF, or both, it still causes enough of us to wince to have to pop open IE to view some sites. And in all honesty, I cannot find real-use evidence that FF is faster at loading and basic functioning than IE. I have two high end machines that are tweaked to run pretty lean, and I cannot give first-hand witness to a noticeable difference between these two browsers in this performance venue.
I like hearing the unvarnished pros & cons for making and living with my choices. Yup, I'll continue with FF for now because I chose to and it works pretty well for me. I hope it continues to grow and refine. Regardless your perspective, it's always important to have genuine choices.
-Doug

Edited by KCDoug

On my machine, website load times don't really seem to be any different from Opera to Firefox to IE. Program load times though, Opera and IE load fast but Firefox usually takes an extra second to load up. Plus the only complaint I have on Firefox is that you have to restart the browser to change themes. Opera can change skins without this inconvenience.
Another reason I choose Opera and Firefox is cause it makes me feel more like I have a choice of browser and not feel like someone who just uses whatever default program comes with the computer (that's what IE seems like to me.) Plus I think Opera has the most attractive default skin/theme.


Well... B) !
Just kidding, I couldn't resist :D
I think the only thing that would make IE perfect (from an interface and usability perspective, of course) would be tabbed browsing. Honestly, I find Firefox to be a decent browser, but...as soon as I install the amount of extensions needed to make it anywhere near usable for my liking, it becomes slower and slower... :)


From one of steeler_fan's links; "statement from Mozilla security guru Frank Hecker, who argued that the increasing number of attacks just means that Firefox becomes more secure as they are fixed." :) :lol: B)
Gee, IE must be as secure as Ft Knox then. It's been attacked for years. And yet, people seem to think the opposite of IE because of that. :) Or, Mr. Hecker could realize that stirring the pot yields free publicity and therefore is doing it intentionally. I find it interesting to note how many articles and postings and blogs and etc are written defending FireFox and how few, if any, are ever written defending IE. Apparently when you're right, and you know you're right, you don't waste time defending yourself. :) :)


I could swear I linked to this before...

Yes, Firefox is a lot more popular now and has a much higher profile. Yes, a lot of smart hackers are working now to break Firefox. And what a surprise: These hackers aren't making life miserable for Firefox users, they're working with us to make Firefox more secure. Why is that? Because we pay attention to security bug reports, we try to treat people who find and report security bugs with respect, we invite them to work closely with us, we reward them for finding bugs (both with money and with credit), and most important: we actually fix bugs in a timely manner as opposed to sitting on them and treating security as just a potential PR problem.
It's not the security of the browser, it's the attitude of the people working on it (or apparent attitude, in Microsoft's case).
Nobody is under any illusion that a browser is "secure", and if they are, then they have other problems. It's just which one is more secure.

Guest LilBambi

Fred did make some valid points ... However, having read the article and the data (that he listed and other sources such as Secunia.com as well as others) .. I think he may have misnamed the article. ;-)
I put my thoughts on Firefox on my newsletter site because I was concerned that some folks might get confused by Fred's article.
Firefox is a better browser... Not because Firefox is necessarily more secure*, but because, if you use an alternative browser, at least for now, you are much less likely to get hit with self installing malware, crapware, spyware, adware. And Firefox is a great browser, and it's open source and it's free.
Firefox also does have some interesting stats, and I think the timing was really bad to release the article.
It may have been better to wait with such an article to see how the new updates with Firefox and Internet Explorer fared in real life. Patch Tuesday had just passed and the 1.0.3 version of Firefox came out - and was due out any day during the time frame Fred was likely working on this article.
Testing v1.0.3 out and finding out how it fares would likely have been a better way to begin...and finding out what the experts who keep track daily of vulnerabilities are saying about the latest versions of all the browsers out there, like Secunia.com and other research and evaluation companies.
That way he could have used the article to really encourage users to update to the version 1.0.3. Now that would have been helpful especially with his subscriber base. ;)
I think it's important to keep an open mind on all of this. The sands shift daily in regard to what's happening on the Internet.
Let's try to remember what our goal is ... to keep our computers safe from all that crap.
* The flaws/vulnerabilities still out there for Firefox are rated less critical than those still out there and well known about Internet Explorer.
And Opera rates even better than Firefox in the number of flaws/vulnerabilities, but Safari rates best of all at ZERO known flaws/vulnerabilities.


I visited the site last nite and found this....
a four, a six, and six zeros - wow!
Posted by asa on Sun, 04/17/2005 - 19:32 :: Spreading Firefox
SFX Team
Today, as you can see from the counter up there in the right column, Firefox has broken through the 46,000,000 downloads mark. What an amazing week it's been since the new counter launched. Seems the counter wasn't reporting properly and they are fast approaching 50 million downloads.
In my experience even if all browsers were dead even in all categories i would still choose the FFox / TBird combination.
patio. :)


When I used IE and then ran Adaware, it would pick up all kinds of spyware. I run it now using Firefox and it picks up nothing. I have 27 extensions installed and I find that it is just as fast as with none. The only extension that I find a necessity is TBE.


Guest LilBambi
Nice write-up, Fran. ;)

Thanks rbdietz!
BTW: I have added a few references to the bottom of the article as well this morning. Will be adding more as time allows.

Guest LilBambi
When I used IE and then ran Adaware, it would pick up all kinds of spyware. I run it now using Firefox and it picks up nothing. I have 27 extensions installed and I find that it is just as fast as with none. The only extension that I find a necessity is TBE.

Yep! I know exactly what you mean! :thumbsup:
It's a fact that really can not be denied. Ask any computer technician these days and you will hear the same thing....over and over.

Yep! I know exactly what you mean! :thumbsup:
It's a fact that really can not be denied. Ask any computer technician these days and you will hear the same thing....over and over.

Hear, Hear!!! All the "articles" and "theory" in the world are meaningless compared to actual experience in the field. IE is an infestation waiting to happen.
If, and when, Firefox starts having the problems IE has been having for years, I'll switch to *another* little known browser. One with a small enough user base that the malware spreaders haven't bothered with it.

blah blah blah
ff vs ie
whatever
show me a site where it will kill or incapacitate or break or get past the security settings i have in ie and i will GIVE you my computer
pack it up, ups it, and say have a nice day
all these reports and security settings etc etc are all talking about DEFAULT installs
yeah, a DEFAULT install will have holes
any idiot who can't be bothered to lock it down properly (i.t. admins or home users), deserve to be infected/taken over
/rant


yeah, a DEFAULT install will have holes
any idiot who can't be bothered to lock it down properly (i.t. admins or home users), deserve to be infected/taken over

Hm. I don't know that I agree with all of that. Shouldn't the goal be to have a useable, secure default install? I think Firefox DEFINITELY beats IE in that case. IE leaves the door wide open, especially without SP2.
I can't expect my mother to "lock down" her computer, and should she really have to? I'd feel much better giving her a default install of Firefox than a default install of IE.

It seems it's open season on FF. Jim Eshelman in the latest E-news had this to say:

INTERNET EXPLORER vs. FIREFOX
Last week, an AumHa Forum participant asked me for my current thoughts on the Mozilla-based Firefox browser vs. Internet Explorer. I thought E-List News readers might be interested as well.
I choose to use Internet Explorer, and I seriously dislike Mozilla and Firefox.
I take two additional steps to make Internet Explorer more secure and to add enormous additional capabilities and flexibilities which exceed those in Mozilla or Firefox. Some people say that my doing this is, itself, testimony that IE is inadequate. I respond that the Mozilla model intentionally makes room for plugins, so why shouldn't we judge IE in the context of things that can be added to it as well?
To make IE secure, I load **IE-SpyAd** (see http://aumha.org/freeware/freeware.php#ie-spyad). That's it! This leverages the built-in **Restricted Zone** safety feature in IE which Mozilla didn't even implement. I think the zone model is the best thing thought of yet for having **both** security and feature-richness. Every other alternative I've heard costs you one or the other of these -- makes you sacrifice either security or features. This approach sacrifices neither.
Even without this addition, the current version of Internet Explorer is more secure than Mozilla-based browsers according to independent security observers. Multiple reports listed on AumHa Forums (http://aumha.net/) in recent weeks have indicated that Mozilla-based browsers have had more security holes over the last year, and also more **severe** security vulnerabilities. The only advantage their open-source origins provide is that vulnerabilities do tend to get fixed a bit faster once discovered -- Microsoft is slower at releasing fixes for discovered vulnerabilities on the average. (See, for example, this thread from late March: http://aumha.net/viewtopic.php?t=12546.)
To make IE more feature-rich I use the **Maxthon** browser overlay shell (see http://aumha.org/freeware/freeware.php#myie). It's about more than tabs! -- But even on tabs, Maxthon has delivered far better than anything in the Mozilla family. You just can't touch Maxthon's capabilities with Mozilla/Firefox, even in those areas where Mozilla thinks it is strongest. (Try putting browser tabs at the **bottom** of the screen in Firefox, where your Windows toolbar probably is. You can't! That's a representative example of **many** places their implementation falls behind most IE overlay shells.)
And, in using Maxthon, I'm using IE. Maxthon isn't another browser -- it's a shell. IE is what it sits on and what is really running.
I also dislike the Mozilla rendering engine. On this point, I walk on slightly thin ice for the following reasons: I am an advocate for standards-based browsers and coding. In the parts of Mozilla's rendering engine I dislike, Mozilla is technically more standards compliant. In the parts of IE's rendering I like better, IE technically diverges from the standard. In this instance, I think the standard is wrong.
What am I talking about here? Open this current page side-by-side in IE and a Mozilla browser and you'll see that the default font size is one level smaller in Mozilla. That is, x-small in Mozilla looks like xx-small in IE. Their methods of scaling fonts are different. There is a lot of historic discussion on this point, and I won't recap it -- I'll just say that Mozilla followed the standards, IE varied from them, but IE did it the way that uniformly looks best and scales best across different font sizes and screen resolutions.
At present, Mozilla is solidly ahead of IE on full CSS compliance. IE doesn't render certain 'position' codes correctly, for example. This is the main reason I haven't yet redesigned this site to drop tables and make use of full CSS structural roll-out. I look forward more than anything else to very significant improvements on this one issue with IE7. Let me put it more bluntly: If the static, relative, absolute, and fixed variants of the CSS2 'position' code aren't fully implemented when IE7 ships, I then will say enough is enough, recode the site so that it only works right with the Mozilla engine, and recommend that people stop using IE.
But for now... use whatever browser you want of course... my opinion was asked, so I answered. With only a couple of simple changes, IE can be made significantly more secure than Mozilla without any loss of power or capability, and the options for enhancing its shell beat Mozilla/Firefox hands down.
_________________________
I don't even pretend to agree with this but it seems Mr. Langa is not alone in his views particularly in the area of security. I would really like to see some unbiased stats in this regard.
