The number of recent documented Firefox vulnerabilities is higher than for Internet Explorer, Symantec says.

Full Story

I'm not surprised at all. I said long ago to the IE haters that it would happen. It will only continue to grow worse.

The most popular browsers will always be the biggest targets. That is a no brainer.

KTTD

Yeah KTTD and we used to get a lot of lip from some of them for even suggesting such a possibility...

Derek.W

The actual report is here in PDF. The specific sections are on pages 8 and 9. On p.45 the report says:

"So far, nearly all reports of vulnerabilities exploited in the wild against browsers are associated with Microsoft Internet Explorer. While there have been few, if any, credible reports of attacks against Mozilla, Mozilla Firefox, Opera, or Safari in the wild..."

The methodology for the study is on p.90, which states several things:

- only vulnerabilities confirmed by the vendor were included. I assume this isn't how their AV updates work?

- vulnerabilities need never be exploited to be included. I.e., it may be near impossible to actually exploit.

- A vulnerability could actually be defined as a string of conditions, each one counted seperately, though they may be interdependent. This might "distort" the numbers (their claim, not mine).

Finally, the actual vulnerabilities are not mentioned, nor if all of these have been patched.

Quick, run out of the woods and defend the browser.

I sit back and laugh.

IE is safe and secure as any other browser.

KTTD

Yeah KTTD and the last thing I had (using IE/OE) was really quite easy to remove and just produced a harmless firework display then passed it on. Happy99 it was called. I have been much more careful with attachments since year 2000 started tho.

Derek.W

Don't forget that they're comparing a browser which had been out for a long time with one that had just recently been released. Most of IE's holes were already found and known, so it only makes sense that the number of new ones would drop off over time.

Comparing the number of new holes found in IE to a browser just being put under the microscope is kind of meaningless. You can't assume from that that Firefox has just as many holes as IE and the only reason they're not found is because people haven't looked yet.

Quick, run out of the woods and defend the browser.

Not as quick as the first IE user to pounce on a negative Firefox article tho :).

IE is safe and secure as any other browser.

You said yourself it was a bigger target. Does that not make using it more risky? There are 'what if Firefox were more popular' scenarios and then there's the reality of what's out there right now. And while you may know enough to 'play safe', most users don't. For them, IE is a very bad choice.

you cant tell off mozilla for its holes in its program, it is only a new browser. For all we know ie has had the most holes in it. and firefox has never given me spyware or viruses yet.

Ratboy

The FireFox defenders run so quickly to the front line to amass the first assult and defend their beloved browser.

I will still be laughing in another year. I'm not going to repeat myself. Most know how I feel about it.

The end is near, chicken little is falling.

KTTD

I've always thought the most dangerous part of using Mozilla/Firefox is the implication that it's a fix-all for internet security.

It ain't and never has been.

As mentioned many times by Kevin and Derek, users of any browser had best get their act together and keep it together...

I like IE6 with MyIE2 and use it; one self inflicted BHO has been the only problem.

Skip

I think your gloating is a little ill placed. Firefox has just been released in version 1.0.2. It is now out of beta! One would expect that problems are identified during the beta testing.

On the otherhand, IE has been at version 6 SP1 for quite some time. Yet I still can't open it without immediately acquiring malware. This does not happen when I use the plain vanilla Mozilla.

Between the two browsers offered by the Mozilla organisation, they claim six percent market penetration. Hardly the widespread usage that attracts malicious hackers. Especially when you consider that the perentage is neglegible amongst the clueless majority of users.

Given that the open source community can repair a problem in half the time that it take Uncle Sir Bill, I'm seriously considering giving firefox a whirl.

Only time will tell if they are still a beta level programme when they enter version 6!

What a false sense of security I've had with Firefox. Back to the ole trusty IE for me. Hey, at least I have a backup. LOL

We're never safe ya know...

I actually started using Mozilla today because I have heard such good things about it, and have had a lot of random spyware issues lately. Then I come here and read this, haha, nice timing. So now I am sort of using both, which is probably the worst thing I could do. Still waiting for something to tip the scales for me one way or another.

Jen

As posted elsewhere:

Unlike Microsoft, when Mozilla fixes a bug it doesn't release a patch for users. If you want to stick to release-level programs, your only option is to wait for the next general release; the upgrade to version 1.0.1 from 1.0 took about 3.5 months. You can install an interim build of the program, but these are not official release versions and you should expect them to have other bugs; to the extent that you get support for Firefox, it will be undermined by your use of an interim build.

Report Offensive Follow Up For Removal

Nothing of value to add to the debate. In almost 5 years of activity I have had only one virus and two items of spyware/adware that were easily removed. I use both Firefox and IE6. I like the tabbed feature of Firefox but obviously need IE for Windows Updates. Some secure sites play better with IE.
There is one little difference I notice when on this forum. When typing a response (Like this one) using IE I can move the cursor outside the textbox and scroll up/down the string using mousewheel without having to "Click". I can resume typing at any time as the Text part of the cursor remains in the textbox. In Firefox, pointing the arrow outside the box is not enough. I have to click outside in order to scroll the string and then click back in the box to resume typing. Annoying particularly if it's a long string like this one and I need to re-read the original post or an earlier response.
Anyway this has digressed somewhat from the topic of security vulnerabilities. Each to his own said the woman as she kissed her cow.

Give a man a fish and you feed him for a day.
Teach him to fish and his wife will never forgive you.

Well, I'm a Mozilla fan but I don't think I need to "race to its defence".

I'd just like to say that I deal with a lot of people who don't know much about computers. Let's face it, most users don't. They come to me with their computers totally crippled by spyware/adware etc. One user bought a brand new compaq laptop, had it for two days before he was no longer able to browse using IE or receive e-mails.

I take these computers, clean them up, place a folder called "tools" on their desktop and put ad-aware, spybot search and destroy and AVG in it. I also add shortcuts to "disk cleanup" and the cookies folder in there. Then I give them Mozilla Firefox and tell them to use that instead of IE and send them on their way.

Three months later their computers are still functioning well without advertising popping up in their faces or their computers slowing down to a crippling crawl.

I do this because too many people take their computers to be cleaned up at a computer shop and find their computers work famously well for a week and then it's buggered again.

Mozilla may have vulnerablities but for practical purposes experience is telling me that it seems to be doing a good job for basic users.

Personally I enjoy the popup free browsing and tabbed views.

Each to their own though - those that know how to protect and clean their computers can use IE but I feel better giving Mozilla to novices.

Windows 98SE
HP Pavillion
Celeron 533MHz
HDD 10GB + 4GB
64MB RAM
Antiquated & Poor Quality
Runs like a dream.

Who cares - The Internet is dull and boring. Used to be fun but the novelty wares off. What can it possibly do that couldn't be done without it's existence?

I say get rid of the Internet and computers and throw in mobile phones too. Email is rubbish and you get more done sat in a pub or office phone doing what we used to do.... TALK! As for me am i being hypocritical by being here online - not really I was just sat here opened up all browers, be it IE, Firefox, Opera and just got re-directed here. Not my choice just the will of the machine. I say throw your PC's out of the window - who needs them they were supposed to free man from stress and give us more free hours. (Not woman she still needs the stress and to work for the benefit of man!) Instead they've done the reverse. Well I don't want it. I don't want to pick up my email as I walk down the street or receive calls from people on their mobiles telling me they are 1 minute away. Who cares.. really. And stop sending me an email asking me if I received your previous email and then thanking me for the email I sent you enough. But I go on...

The truth is who cares. If you ensure you critical updates are done, antivirus is up to date and don't download rubbish programs or go to sites you shouldn't you wouldn't have to worry about the vulnerabilites or spyware. Use common sense with email attachments I mean honestly if Britney Spears ever does appear nude it will be in the tabloid newspapers first ! Trust me it will!. Oh and one more thing - NEVER EVER store your passwords in particular your financial / banking passwords on your PC store them in your head (unless your IQ is low this shouldn't be a major problem). And accountants in your company - make sure that they can only use the banking sites and have no installation rights to their PC's. Lock these PC's down BIG TIME - accountants have little else to do with their lives except look at numbers and browse for porn.

Take care

...accountants have little else to do with their lives except look at numbers and browse for porn.

Hence the fall of WorldCom's accountant Arthur Andersen LLP.

i_XpUser

Be it IE, firefox or another browser running
on windoze, GNU/Linux or another OS....the
computer is only really as secure as the
people installing, maintaining and using it.
Even lynx had vulnerabilities! Admittedly
though some are softer targets than others,
but then again a lot could be avoided with
some common sense. So many computer problems
lie somewhere between the keyboard and the
chair.

I still reckon the most secure computer is
(a little along the lines of Quenchy) in a
safe locked in a room with the key thrown
away....and never turned on let alone
attached to a network!

Pssst guys and gals we must have upset Mozilla. Guess what? They've just released THIS new version of Firefox 1.0.2 less than a month after version 1.0.1....

i_XpUser

Firefox still is good to me. It has helped me many times at school (stuff ie and its hackers), pissed of the school adminstrator who cant put any blocks on it and other things.

Ratboy

"...pissed of the school adminstrator who
cant put any blocks on it and other
things..."
Then he isn't worth his salt as an
administrator!

""...pissed of the school adminstrator who
cant put any blocks on it and other
things...""

I agree Dave...that's a load of hooey.

Bottom line is that no "fix" exists by going to a different browser. It's all up to the user.

Ratboy,

What "blocks" and what "other things"?

Skip

It never ceases to amaze me how quickly the Mozilla team patches their holes. Can't say the same for some other companies *cough* Microsoft *cough*.

*anxiously awaits the zip version of Firefox 1.02*

Rkix with a mouthfull to say...

I have used Internet Explorer for ages, And I HATE it. Back in the Win98 days, whenever IE 5 crashed, my whole desktop either crashed and didn't restart, or I would get a BSOD error (either way, I would have to restart my machine). With XP, it's all those pop-ups and other BS which I don't need. I tried the Avant brower, and it worked fine for a long time. But as time went by, I got several block-ups, even with Avant (after about 3 months of use). I used FireFox for about 3 months now, and pop-ups are still rare (if they even occurr at all).

I 2 questions. Back when I had Windows 98 on my computer, I was manually replacing a DLL file in the Windows\System folder. I deleted it in DOS, restarted the computer into Windows, opened My Computer, and instead of showing the drives, it showed a "Web Page Not Found". Of course, I went back into DOS, replace the DLL (don't remember the name), restarted the machine, and everything was fine. I wonder if any ever got this error? Also, why does the browser (IE) have to be a OS component (Like WMP too), not a true browser? When you make the browser part of the OS, it hogs additional resources, virus can jump from the browser to the actual OS itself. It's unneccessary overhang. If IE6 (IE 7 has just been anounced) was a seperate program with it's own DLL's for displaying web-pages (and not using the combination IE/Win32 GDI in which a clever advertisers/hackers can use code to display pop-up IE windows, even when your not on the Internet), it could easily be unistalled or patched whenever everything gone to hell. Not really a issue now (plenty of RAM), but just an pet peeve.(Since then I cleaned up my machine, and I don't have any problems now =).

Other pet-peeves along with the Windows98/IE integration is:
1. Calling Windows 3.1 an operating system
2. People thinking that MS is this "high and mighty" corporation when there running scare from Mozilla and projects like Wine(even though they don't admit to it).
3. People thinking that the Microsoft programmers are all that. The programmers at Apple (and later QNX) were geniuses for getting an GUI to fit on an diskette, and the IBM devolepers far surpass MS.
4. People thinking that open-source is crap (even though from personal expirience, it's not).

Just glad I'm using FireFox for my internet surfing needs (if you can call it a need), except of using MS IE (I was half temped of using the $ for the S). Also, I use OpenOffice on my desktop now, and all that I can say is "Goodbye MS-Office". Open-Source GNU sollutions are just as good (if better) as there commercial counterpart.

Just my two cents(And too much spare time on my hands)...

rkix

Yep, I can see your point about the integration.
Having said that, see my #5.

I'll own up to the fact that W9x and IE needed some work to get high stability but it was definitely possible. Mine is still fine.

Maybe with systems like WinXP folk are losing the interest/knowledge in "computers themselves" and have become used to expecting everything on a plate. If this is the case then, sure, I can understand that view. After all, you don't need/want to be a car mechanic to drive a car.

Derek.W

some people, IE is good for people who want a browser to work in, check emails, read news etc. Firefox is the same thing. I dont know which one is more secure, but they are the same thing to me. Every browser has its supporters, and i am a supporter of firefox. Big deal, as long as it allows me to check my email, play games read news etc it is ok.

Ratboy

Regardles of what operating system or browser you use NO system is EVER going to be 100% secure.

We are just going to have to live with it.

Of course it would be nice if an O/S came on ROM with a manual hardware switch on the case so it can`t be flashed without the switch being on that would kill a great deal of the crap.

As for browser I use IE, fully patched and I try not to go to places where i`m likely to get virii etc. I`m reasonably careful, security setting pretty high, active x and java set to prompt etc. Of course i wiwsh I didn`t have to run loads of security software etc but its the price i guess we have to pay for peace of mind.

"The price of freedom is eternal vigilance"
I forget who said that, History was never my forte! but it was someone famous.

Woof

Curiosity may have killed the cat but at least the cat wasn`t bored

wof you are so true!. No browser will ever be secure (maybe one day, maybe?). not even firefox is fully secure, it is secure but not fully.

Ratboy

Complacency is Microsoft's problem. They've been the leader for so long that they didn't bother looking over their shoulders.
I am now a proud (and very happy) user of Firefox, OpenOffice.org and ZoneAlarm.

Yes, ZoneAlarm. Even the writers of that report, Symantec have become complacent. ZoneAlarm long ago surpassed Norton as the best PC protection suite.

My $.02 on a topic probably long abandoned...

"Quick, run out of the woods and defend the browser. I sit back and laugh."

I agree with you in spirit, but I think this comment was out of place if it was in response to anonproxy's clarifications. His points were perfectly valid and brought to light several glaring omissions in the originally posted article. The story (and many of the pro-IE posts in this thread) takes Symantec's research out of context, indicating that attackers are targeting firefox, when the research only shows an increase in known vulnerabilities. A vulnerability is not an exploit. (Just ask the Microsoft GDI team :-)

From the posted research: "While there have been few, if any credible reports of attacks against Mozilla, Mozilla Firefox, Opera, or Safari in the wild, it remains to be seen whether these browsers will live up to the expectations that many have for them."

I don't believe any valid security comparison exists between IE & Firefox, with the possible exception of ActiveX being absent in Firefox...It's a favorite way to get spyware on novice IE users' machines. But is that a security issue or a training issue?

Personally, I prefer IE for its speed and ActiveX functionality on sites (mostly intranet) that require it. I prefer Firefox for its functionality, adherence to w3 standards, and wonderful array of developer plugins that IE may never have (DOM inspector, Venkman's javascript debugger, validators, etc.)

Sit back and laugh all you want...But arbitrarily dismissing good points only makes you look like you're laughing because you don't have anything intelligent to say.

-SN

ok just to say something that was happening as i was reading this post.

my ebay virus post got deleted but the whole story is on another forum
http://www.dslreports.com/forum/remark,13208858

now the is an exe hidden as a gif image that nod32 detects as a new virus. (already submitted it)

if i load the page (taken out to stop you going to it)/images/e_logos.gif

through Ie6 i get nod32 popping up talling me virus see the screenies on the ohter forum.

however if i load the same page through firefox it get just a red x and image could not be loaded due to errors.

not saying mozzila is overall more secure but in this case it stopped the exe hidden as a gif even running unlike Ie6 that happily let my pc get infected luckily i got nod lol

Athlon xp 2500+ @2.17
pc 3200 512mb ram
radeon 9200se
win xp home oem

Simon

Not taking any side on this browser debacle, but I suppose it is possible that this nasty was (as often) "designed" for IE.

Obviously makes Mozzila safer than the IE security update version you are running, how long for who knows.

Derek.W

you have a point however if i right click the image in mozilla and save it then i get a virus warning. just mozzila doesnt show all the code like ie does

Athlon xp 2500+ @2.17
pc 3200 512mb ram
radeon 9200se
win xp home oem

Thx for additional info Simon.

Derek.W

I have got win 3.1 (new additiono- a new comp for it) and i must say netscape( mozilla's and firefox'es big brother), is fastest. Ie4 makes a right mess out of my win 3.1. The same thing i see on my win 98 comp and my win xp comp, firefox may take a while to start up but when it does it works better than ie. Sorry ppls but that is the truith. (or it might not - aaaaaaaargh!)

Ratboy