Free Republic

Bad News About Firefox Security
Developer Weblogs ^ | 2/9/2005 | Preston Gralla

Posted on 02/09/2005 8:38:29 AM PST by KwasiOwusu

It hasn't been a good week for Firefox and its fans. First, the Danish security company Secunia warned that it had uncovered a vulnerability in Firefox and other browsers that can allow the URL displayed in the address bar and the SSL certificate to be spoofed, which means the browser and others are vulnerable to phishing attacks. The flaw affects all browsers built using the open-source Gecko browser kernel.

And this time around, Internet Explorer is not vulnerable to the attack.

Making matters worse, a few days after that, a security researcher found a trio of security bugs that affect Firefox and Mozilla -- but not Internet Explorer. Among other dangers, the bugs can allow someone to steal your cookies, and then use them to find out personal information about you and log into web sites with your login.

Perhaps most disturbing is that as of this writing, although fixes have been found, they have not yet been rolled up into a patch, or made available in a new Firefox version that can be downloaded and installed.

(Excerpt) Read more at onlamp.com ...


TOPICS:
KEYWORDS: computersecurity; firefox; internetexplorer; microsoftastroturf
To: thoughtomator

When Firefox has been on the market for four years like IE 6, you can make a valid comparison. Until then, you're erecting a strawman.


21 posted on 02/09/2005 9:12:43 AM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.")
[ Post Reply | Private Reply | To 17 | View Replies]

To: Doohickey
Not at all. I'm talking about only during the duration of Firefox's existence. If you think it necessary for fairness, I'll even chop off the first 6 months or so.

Heck, if you can find any 3-month period ever with fewer IE security problems than Firefox security problems, I'll withdraw my comments. I'm also willing to consider other fair comparisons, if you can find any that are favorable to IE.

22 posted on 02/09/2005 9:15:41 AM PST by thoughtomator (reporting from Cylon-occupied Caprica)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Doohickey

"When Firefox has been on the market for four years like IE 6, you can make a valid comparison. Until then, you're erecting a strawman."

Yeah, the comparison is that IE has had 6 years to fix stuff, re-design, and improve, yet the first couple of Beta releases of Firefox are comparable to (or better than) a product which should be mature by now.


23 posted on 02/09/2005 9:15:53 AM PST by webstersII
[ Post Reply | Private Reply | To 21 | View Replies]

To: KwasiOwusu
"someone is throwing a child tantrum"

You?
LMAO!!"

Yep, you got it, and just keep thinking down those lines. I state a fact and you jump on it. What I really like about MS Bigots is that no matter how much you point out the obvious, they (you) still don't get it. I will grant you this one point, though: when Firefox finally reaches the same amount of users as Outlook, and it will, the geek terrorists will be going after it just as much.
24 posted on 02/09/2005 9:17:42 AM PST by reagandemo (The battle is near are you ready for the sacrifice?)
[ Post Reply | Private Reply | To 16 | View Replies]

To: thoughtomator
"Tell me then, during the period of time that Firefox has been on the market, how many security flaws were found in Firefox, and how many in IE?"

Tell me, what is the market share of Firefox again?
And how many malignant virus writers are wasting their time writing any viruses at all for Firefox as against the dominant IE?

Bottom line, by far most virus writers concentrate all their efforts on the overwhelmingly DOMINANT IE.

Very few bother writing viruses for Firefox at all.
Even now, when the market share of Firefox hit just 5% in 2004, the # of viruses for Firefox has ALREADY shot up sharply between 2003 and 2004... and that is with just 5% of the market.
25 posted on 02/09/2005 9:19:10 AM PST by KwasiOwusu
[ Post Reply | Private Reply | To 17 | View Replies]

To: reagandemo
"What I really like about MS Bigots "

Ummm ....biggest bigots on the planet are the open source fanatics and crazies.
26 posted on 02/09/2005 9:21:49 AM PST by KwasiOwusu
[ Post Reply | Private Reply | To 24 | View Replies]

To: KwasiOwusu
Nice shift of the subject, but you won't get away with that so easily. I'm not talking about the number of viruses that are written to take advantage of security flaws. I'm talking about the number of security flaws that exist to be taken advantage of.

Seems my prediction is holding - you won't even attempt an honest answer, because you know any fair comparison looks terrible for MS.

27 posted on 02/09/2005 9:22:25 AM PST by thoughtomator (reporting from Cylon-occupied Caprica)
[ Post Reply | Private Reply | To 25 | View Replies]

To: webstersII
Firefox is a good browser, and no doubt benefits from lessons learned by other browsers. Nothing wrong with that; you wouldn't expect a fledgling car company to start with a Model T.

The point is that the comparison made is just demagoguing the issue. The "bad guys" and "good guys" will leapfrog each other no matter who makes the software.
28 posted on 02/09/2005 9:25:37 AM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.")
[ Post Reply | Private Reply | To 23 | View Replies]

To: JustAnAmerican
"you are kidding right?"

I think it's you that is kidding.
Get your head out of the sand ostrich, and face reality, will you?

Bottom line: As at today, Microsoft has issued their patches, Firefox hasn't.
29 posted on 02/09/2005 9:28:09 AM PST by KwasiOwusu
[ Post Reply | Private Reply | To 20 | View Replies]

To: KwasiOwusu

According to that standard - assuming it's not a convenient throwaway argument useful only for a specific day - how many days has IE had unpatched security problems, and how many days for Firefox? Let's look at the last year only, as I'm not interested in yet another repetition of the "IE has been out X years, Firefox is new" canard.


30 posted on 02/09/2005 9:30:38 AM PST by thoughtomator (reporting from Cylon-occupied Caprica)
[ Post Reply | Private Reply | To 29 | View Replies]

To: KwasiOwusu
Ummm ....biggest bigots on the planet are the open source fanatics and crazies.

Good grief.

31 posted on 02/09/2005 9:31:11 AM PST by Liberal Classic (No better friend, no worse enemy. Semper Fi.)
[ Post Reply | Private Reply | To 26 | View Replies]

To: Liberal Classic

That pretty much clinches the case that our friend Kwesi hasn't a clue what he's talking about.


32 posted on 02/09/2005 9:34:26 AM PST by thoughtomator (reporting from Cylon-occupied Caprica)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Liberal Classic

Thank you! The delusion he projects is absolutely amazing! I love it when a person brings a knife to a gun fight. He has surely brought a butter knife too!


33 posted on 02/09/2005 9:35:03 AM PST by reagandemo (The battle is near are you ready for the sacrifice?)
[ Post Reply | Private Reply | To 31 | View Replies]

To: thoughtomator

I'm not defending IE per se. In fact, I'm posting to you using Firefox. There's no good way to make a direct comparison. After you factor in and weight time-in-the-marketplace and market share (as a start), all you'll end up doing is a lot of math.

Firefox learned, as it should have, every lesson that IE learned during its four years.

That said, I will now bash Microsoft for enabling every known feature in their browser when they SHOULD have known better.


34 posted on 02/09/2005 9:35:09 AM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.")
[ Post Reply | Private Reply | To 22 | View Replies]

To: KwasiOwusu

I used IE for years, and had my share of problems. I switched over to Firefox six months ago, and haven't had one problem yet.

So I just recently loaded Firefox onto all my computers. And now this. Just my luck.

Still, I think I'll stick with Firefox a while longer. IE I know is frustrating; Firefox has yet to disappoint.


35 posted on 02/09/2005 9:38:13 AM PST by kevao
[ Post Reply | Private Reply | To 1 | View Replies]

To: thoughtomator
While you make some good points, Mozilla/Firefox has some major problems to overcome before it will ever see widespread enterprise use. Up to now, patching most OpenSourceSoftware (Firefox included) meant installing a whole new version or patching and then recompiling the source code. Neither of those options is practical in a large-scale IT environment.

MS has problems, I don't think you'll find many that deny it, but they are trying and their patch management has come a long way in the last year or so.
36 posted on 02/09/2005 9:40:55 AM PST by St0rmbr1nger
[ Post Reply | Private Reply | To 4 | View Replies]

To: thoughtomator
"Nice shift of the subject, but you won't get away with that so easily. I'm not talking about the number of viruses that are written to take advantage of security flaws. I'm talking about the number of security flaws that exist to be taken advantage of."

Rubbish.
Typical twisted open source logic.
I don't care what you think you want to talk about.
Look above. I started the thread, and THIS is what I am talking about.
It's you that is changing the topic.

If someone writes a new browser, and keeps it on his computer at home, and no one else knows about it, and no viruses have ever been written for it, he can claim that his browser has had zero attacks from viruses.
He will have a 100% security record.
Does that mean his browser is safe?
Not a chance.
The only way to test the security of any browser is to put it out on the market and have the virus writers do their worst.
If some browser has a tiny market share (like Firefox) and very few virus writers are bothering to write viruses for it, does it mean it's secure? NOT A CHANCE!!
37 posted on 02/09/2005 9:41:26 AM PST by KwasiOwusu
[ Post Reply | Private Reply | To 27 | View Replies]

To: mnehrling
It doesn't seem to perform as well as IE.

I have found Firefox to be impossible to use on my laptop. The cursor control is terrible and I can't compose with it because my mouse pad refuses to integrate with it.

38 posted on 02/09/2005 9:43:54 AM PST by Cold Heat (What are fears but voices awry?Whispering harm where harm is not and deluding the unwary. Wordsworth)
[ Post Reply | Private Reply | To 3 | View Replies]

To: KwasiOwusu
" Bottom line: As at today, Microsoft has issued their patches, Firefox hasn't."

Well now I am convinced that you are either a,

(1) Troll looking for flame wars.
Or
(2) MS shill, heck maybe even both.

In any case, MS took 8 months to release that patch (as I pointed out in my last post to you); let's just see how long Firefox takes, shall we? If Firefox's past history is any indication, I guarantee it will not even be close to 8 months.

39 posted on 02/09/2005 9:44:46 AM PST by JustAnAmerican (Being Independent means never having to say you're Partisan)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Doohickey

You can make some comparisons without doing a ton of math, such as comparing the average time from knowing a bug exists to fixing it. The number I'm interested in isn't subjective or subject to the market at all - it's the total number of security flaws that exist in the product during any arbitrary, but long enough to be representative, period of time.


40 posted on 02/09/2005 9:44:46 AM PST by thoughtomator (reporting from Cylon-occupied Caprica)
[ Post Reply | Private Reply | To 34 | View Replies]

