Free Republic

New Firefox Version Heightens Debate Over Browser Security
InformationWeek.com | 03/24/05 | Gregg Keizer

Posted on 03/24/2005 2:57:43 PM PST by Termite_Commander

The Mozilla Foundation on Wednesday pushed out a new version of Firefox to patch three vulnerabilities, just days after a major security firm said the open-source browser had 60 percent more vulnerabilities in the last half of 2004 than Microsoft's Internet Explorer. The group released Firefox 1.0.2 on its site to fix three flaws, including one inherited from Netscape in processing .gif image files. That bug was discovered by Internet Security Systems (ISS), and if hackers were able to get users to visit sites or view e-mail messages with specially-crafted .gif files, they could take control of their PCs.

A patch was produced before ISS alerted the public, said Chris Hofmann, chief of engineering at Mozilla, so no harm, no foul. "The bug patched in this update has no known real world exploits, and we were able to provide a quick response."

This is the second security-related update of Firefox in the last month. In late February, the non-profit foundation released v. 1.0.1, which patched 17 vulnerabilities.

The spate of vulnerabilities and the updates bring into question the assumption by many that Firefox is more secure than Microsoft's Internet Explorer, one of the reasons many experts and analysts have given for Firefox's rapid climb from 0 to about 6 percent of the usage share in the United States.

To add fuel to that argument, Symantec this week said in its Internet Security Threat Report that during the last six months of 2004, it counted 21 vulnerabilities for Firefox, but only 13 for IE.

Although IE's count was dramatically up over the first half's mere 3, it was down from the 17 found in the last six months of 2003.

"This is likely due to two factors: the effort that Microsoft has undertaken to secure Internet Explorer and patch latent vulnerabilities, and the shift of vulnerability researcher interest towards alternative browsers that are being marketed or promoted as secure," Symantec's researchers concluded.

The surge in Firefox vulnerabilities, said Symantec, was directly tied to "the increased popularity and deployment of the browser, which is itself a reaction to the widespread abuse of several high-profile vulnerabilities in Internet Explorer."

Mozilla's Hofmann countered. "Rather than get hung up on the specific numbers, it's better to look at the trends. The bottom line in just about all the independent studies I've seen is that the severity of exploits discovered in IE is greater, and Microsoft takes longer to fix the problems."

Symantec's numbers backed up Hofmann.

By Symantec's classification, IE still had a higher percentage of "high severity" vulnerabilities in the second half of the year than did Firefox. Nine out of the 13 IE vuls, or 69 percent, were tagged as "high," while 11 of the 21 Firefox vulnerabilities, or 52 percent, were so marked.

And, Symantec said, the Mozilla Foundation fixes flaws much faster than does Microsoft.

"They patch faster, simple as that," said Alfred Huger, vice president of engineering for Symantec's security response team. "The average time between when a vulnerability is publicly announced and when a patch comes out is 43 days for Internet Explorer, only 26 days for Firefox."

"It's amazing the kind of rapid turn-around we see on some bugs when they get reported," said Hofmann in explaining Firefox's advantage. "All the code is available and the [open-source] community can help us to find and fix security problems faster than closed-source commercial software efforts."

And IE still leads Firefox -- leads every Windows application, in fact -- in the total number of vulnerabilities to-date. Symantec's count has IE as having "just north of 300 known vulnerabilities," said Huger. "That's the most vulnerabilities in any [Windows] application that we're aware of. The next in line is IIS [Internet Information Services] with 116."

Mozilla's code line, which goes back as far as Netscape, which preceded IE, has "under 100," said Huger.

Mozilla's Hofmann said that future updates to Firefox -- and its other products, which include the Mozilla suite and the Thunderbird e-mail client -- will be released "on an ongoing basis and as warranted."

"We must stay ahead of the curve in patching potential vulnerabilities," he said.


TOPICS: News/Current Events

1 posted on 03/24/2005 2:57:44 PM PST by Termite_Commander

To: Termite_Commander
Saw your post prompted me to update from Firefox 1.0.1 to 1.0.2 :)
2 posted on 03/24/2005 3:04:24 PM PST by demlosers (Soylent Green is made in Florida)

To: demlosers

Recently recommended Firefox as an alternative browser to my folks .... too lazy to switch myself tho :)


3 posted on 03/24/2005 3:08:59 PM PST by JohnnyZ ("Thought I was having trouble with my adding. It's all right now." - Clint Eastwood)

To: Termite_Commander

Updated mine to 1.0.2 last night. The little red icon in the upper right corner reminded me.


4 posted on 03/24/2005 3:09:18 PM PST by BigSkyFreeper (You have a //cuckoo// God given right //Yeeeahrgh!!// to be an //Hello?// atheist)

To: Termite_Commander

Firefox is still the better mousetrap.


5 posted on 03/24/2005 3:09:43 PM PST by peyton randolph (Warning! It is illegal to fatwah a camel in all 50 states)

To: peyton randolph

My problem with Firefox is that you cannot copy and paste text. If I want to copy your post and paste it in quotes I wouldn't be able to.


6 posted on 03/24/2005 3:14:14 PM PST by Asphalt (Three can keep a secret if two are dead.)

To: BigSkyFreeper

Thanks for the tip! I clicked on the red icon and easily updated my Firefox browser.


7 posted on 03/24/2005 3:15:33 PM PST by Whitebread

To: Asphalt
My problem with Firefox is that you cannot copy and paste text. If I want to copy your post and paste it in quotes I wouldn't be able to.

You most certainly can... I just copied and pasted your quote above.

8 posted on 03/24/2005 3:15:45 PM PST by So Cal Rocket (Proud Member: Internet Pajama Wearers for Truth)

To: Asphalt
My problem with Firefox is that you cannot copy and paste text

Do it all the time...

9 posted on 03/24/2005 3:18:12 PM PST by itsamelman (“Announcing your plans is a good way to hear God laugh.” -- Al Swearengen)

To: Asphalt

"My problem with Firefox is that you cannot copy and paste text. If I want to copy your post and paste it in quotes I wouldn't be able to."

I just copied and pasted the above.


10 posted on 03/24/2005 3:19:15 PM PST by Socratic (Ignorant and free we will never be. - T. Jefferson (paraphrase))

To: JohnnyZ

haha.


11 posted on 03/24/2005 3:19:55 PM PST by BurbankKarl

To: So Cal Rocket

I have no problem with copy/paste either.

When my critical update came in, it tried to install it on a nonexistent drive J:. I had to reinstall version 1.01 and upgrade from there. Just goes to show, you have to keep an eye on things or you may get unexpected results.

I hadn't noticed the red dot in the upper right of the browser page. I see mine's still red, better go check it out.


12 posted on 03/24/2005 3:20:21 PM PST by Tarantulas

To: So Cal Rocket

I select text and when I release it, it unhighlights. Is this just an option I can change?


13 posted on 03/24/2005 3:20:30 PM PST by Asphalt (Three can keep a secret if two are dead.)

To: Asphalt

"My problem with Firefox is that you cannot copy and paste text. If I want to copy your post and paste it in quotes I wouldn't be able to."


Notice with quotes.

Using Firefox


14 posted on 03/24/2005 3:22:37 PM PST by HarryDog (A nose for news)

To: Asphalt

"My problem with Firefox is that you cannot copy and paste text. If I want to copy your post and paste it in quotes I wouldn't be able to."

Just did it with yours using Firefox. Highlight, right-click, select Copy, and then Paste into the reply.


15 posted on 03/24/2005 3:23:15 PM PST by peyton randolph (Warning! It is illegal to fatwah a camel in all 50 states)

To: peyton randolph

Except it doesn't let me highlight text for some reason, that is the only thing keeping me from switching from Internet Explorer.


16 posted on 03/24/2005 3:24:25 PM PST by Asphalt (Three can keep a secret if two are dead.)

To: BigSkyFreeper
Updated mine to 1.0.2 last night. The little red icon in the upper right corner reminded me.

I have version 1.0.1 and I don't have the little red dot.

17 posted on 03/24/2005 3:24:35 PM PST by NeonKnight

To: NeonKnight

Go into advanced options, and check under Software "periodically check for updates", otherwise you'll have to manually check at their homepage.


18 posted on 03/24/2005 3:27:21 PM PST by BigSkyFreeper (You have a //cuckoo// God given right //Yeeeahrgh!!// to be an //Hello?// atheist)

To: BigSkyFreeper

thanks


19 posted on 03/24/2005 3:28:20 PM PST by NeonKnight

To: NeonKnight

Clicking the "Check Now" button will force a manual update....


20 posted on 03/24/2005 3:29:45 PM PST by BigSkyFreeper (You have a //cuckoo// God given right //Yeeeahrgh!!// to be an //Hello?// atheist)