firefox insecurity?

der.hans PLUGd at LuftHans.com
Tue Sep 20 14:10:09 MST 2005


On 20 Sep 2005, Anthony wrote:

> Here is one that I keep seeing mentioned.
>
> http://news.zdnet.com/2100-1009_22-5873273.html

That article doesn't mention how the reports from Mozilla are being
counted. Does an exploit common to both Mozilla and Firefox count as a
single bug or as two bugs? Also, consider that they're comparing 3 browser
products from Mozilla against one from m$.

Even if Symantec were unbiased and could be trusted to give a fair
comparison, that article only compares a particular 6-month period. It
doesn't mention which vendor had the most issues in the 6-month period
before, or the period before that. When we look long term at the number of
security issues that have been discovered, m$ is definitely first in class
with no competition...

There are several security holes that m$ has refused to acknowledge, so
they won't make the list from Symantec. Mozilla, OTOH, is open about bugs.
They have to be because their bug tracking is open for people to look at
and add to.

"resulting in a compromise of the entire system if exploited." I hope
people aren't running web browsers as root. Hmm, I guess that's really
just an issue on m$ boxen and the browser is irrelevant for that
particular security problem.

The real telling piece is that exploits now need less than 6 days to
appear. The report doesn't say anything about how long it takes m$ or
Mozilla to respond to security holes.

I would count on Mozilla having a fix out to at least block the problem
in less than 6 days. If the exploit is described at the beginning of the
month it'll be weeks before m$ has a fix out. If the exploit comes out at
the end of the month it'll likely be at least a month before any kind of
fix comes out.

Mozilla is designed to be secure. There are still security issues, but
overall Mozilla is doing a good job and the security issues get addressed
quickly.

eXploder wasn't designed to be secure. It still has many engineering
flaws, for example ActiveX. Having web sites install a bunch of software
into your browser is a really, really bad idea. Even worse, ActiveX isn't
in any type of sandbox, so they can fully exploit the client machine.

Mozilla is also better if there is an exploit, as you can stop using or
even remove its web browsers if you need to. m$ has bolted the OS onto
eXploder, so you can't remove it, and some security holes can be exploited
even if you stop using it.

The best thing we could do for Internet security is to ban m$ Internet
Explorer and Outlook products. They are designed to not be secure. They
are the most exploited programs.

Additionally, they do not follow standards. The Internet requires
standards to work.

A quick question for those who use m$ desktops but don't use eXploder and
LookOut: do you still have to run anti-spyware and anti-virus stuff all
the time? If you do run them, do you constantly find stuff that needs to
be removed?

Outlook and IE are so insecure that even my grandma knows how to run
anti-spyware and anti-virus programs!

ciao,

der.hans
-- 
#  https://www.LuftHans.com/
#  "I decry the current tendency to seek patents on algorithms.  There are
#  better ways to earn a living than to prevent other people from making use
#  of one's contributions to computer science."  -- Donald E. Knuth
