
January 7, 2005 11:30 AM PST

Firefox: When is a flaw not a flaw?

The news that the Firefox browser contains a flaw that could help cybercriminals to carry out phishing attacks stirred up plenty of reaction and discussion among readers.

Security firm F-Secure warned Wednesday that the vulnerability, which allows the URL in a Firefox download dialog box to be spoofed, could be exploited by online fraudsters.

Some ZDNet UK readers took issue with the experts, arguing that the flaw shouldn't be regarded as a security vulnerability, because a Firefox user would already have to have clicked on a phishing e-mail and been taken to a fake site to be at risk. "Where is the problem? I hardly think that a spoofed site would link you to a legit download area," commented Pete Molina, a PC and LAN administrator.

"As far as a 'security hole,' it should be more of a user vulnerability, as only a dumb person goes clicking links in e-mails from odd places," argued another reader who went by the name Killian. "Granted, it's nice to know, but come on. Most of these 'announcements' just give the phishermen a reason to try to exploit it."

Mozilla's Firefox browser is proving popular with surfers who want an alternative to Microsoft's Internet Explorer, which has been prone to many security problems. Some readers were adamant that Firefox is still a much safer product than IE.

"Firefox, without a doubt, is the best and most secure browser on the market today, and no matter what propaganda is spread throughout the Net regarding its security in a negative way, those who actually know will continue to use Firefox and wait until the patch is complete, not actually even thinking nor caring whether it is released or not while using it," wrote one Web developer.

Some members of the Firefox camp weren't happy about any criticism of their favorite browser. "Thanks but no thanks for the information. We still trust and love FireFox," said Abe, an engineer. He did not reveal his last name.

But other readers pointed out the importance of holding all software to the same standards. "Firefox is undoubtedly a better and more secure browser than IE, but any site that reports on flaws or possible flaws in IE--and gives Firefox coverage--should report on Firefox's flaws too," said "Seb," an artist based in London. "Essentially, Firefox is better, but it's not perfect, and anyone who thinks or claims it, is as bad as anyone who gets taken in by (Microsoft Chairman Bill) Gates' marketing spiel."

A software developer from London wrote: "If this vulnerability had been identified in IE, the anti-Microsoft community would no doubt be quick to criticize the product as insecure. Users are smart enough to make up their own minds about which Web browser to use--and the more information that is available about all products on the market, including open-source efforts, the better."

One reader even took issue with the claim that Firefox is inherently more secure than IE. "Firefox may offer some 'security through obscurity,' but once it gets to any sort of critical mass, then it will be targeted. Since the hackers have the source code, their lives will be that much easier, and when a patched version is released, it will be easy for them to see where the vulnerability is and target older versions," said one London-based IT worker.

Another reader suggested that Firefox may have an uphill task breaking IE's dominance. "Most users couldn't spell 'browser' without help. The only reason so many people use IE is because it is built into the operating system that was on the PC they bought," said "Philbert," a computer and electronics specialist.

Ingrid Marson of ZDNet UK reported from London.

IE *is* more dangerous
by friday04 January 7, 2005 12:18 PM PST
I am so tired of people saying that IE is only more dangerous because of the number of people using it. That's just wrong. Very wrong. IE is built into the operating system and ActiveX allows downloading, installation, and running of programs.

It's BUILT IN. It's at the core of Windows. Any hole or vulnerability reaches into the very system you're browsing on.

Give me a free-standing browser any day. I don't want any program connected to the internet to be intertwined with my operating system. That's just too risky.
You can TURN ACTIVEX OFF
by January 7, 2005 12:34 PM PST
And I, in turn, am SO SICK of people citing ActiveX as the root of all problems.

You can turn ActiveX off or limit what kinds of plug-ins get installed on your browser.

And Firefox, by the way, has the same kind of mechanism built into it as well - it's just not called ActiveX. How do you think Flash runs in Firefox?

This is just another example of how Microsoft gets held to a different standard than everyone else. You can be certain that if these flaws were reported for IE then the anti-MS people would be all over it, but when it happens to Firefox everyone says "well, these flaws will only affect stupid users who don't know what they're doing".
Advice to Firefox fans: Treat FF as your kid - Love it, but don't spoil it
by mingyiliu January 7, 2005 12:37 PM PST
Realize that it's not perfect, but still cherish it and try to make it better.

Denial gets you nowhere, or worse, gets you to where Netscape is - once the smartest and coolest kid on the block, now a juvenile delinquent.

Whoever argues that FF's vulnerability is no bug needs to take their head out of the sand and listen to just how biased and stupid they sound.

FF developers/defenders sometimes also should swallow a little pride and treat some issues with a serious attitude. For example, when reports came out of IE being the browser that crashed the least when pure junk was fed to the major browsers to parse, FF fans easily dismissed the news as "developers of web pages should follow standards". Since when is "fault tolerance" not one of the highest priorities of ANY commercial software? How can good commercial software demand that users not make mistakes? Besides, HTML is not XML. Just an example of how some attitudes need to change in the FF camp.

BTW, I've been using FF since 0.7 and am still using it as my main browser, but that doesn't mean I don't realize that it crashes too, and it sometimes strangely consumes 100% CPU for a very long time, sometimes the find box captures your input even when you try to type into a form, sometimes ... and I'm talking about FF 1.0 too. FF bug reporting should also be more convenient and less daunting about duplicate-bug warnings.

Level-headed FF user
You said it best.
by System Tyrant January 7, 2005 8:51 PM PST
Period.
Clueless Admins Love Firefox
by rodtrent January 7, 2005 12:47 PM PST
If you're switching browsers because you think Firefox is more secure -- do a little reading about Internet and computer security. Code that is available to the public is less secure than any other application on Earth. The sooner folks get that, the sooner we'll take back the industry and make computing safe again. Any piece of software connected to the Internet is unsafe until users and admins realize that true security means not relying on unfounded media claims but doing due diligence to learn about security.
Irrelevant Argument
by January 7, 2005 1:17 PM PST
While Open Source software may seem to be more vulnerable to security holes since the code is available... I can't help but think about the number of security holes discovered (or at least publicized; I'm not going to research for 2 hours to post a comment) in Windows versus Red Hat. You hear a lot more about Windows holes than Red Hat holes.

Also, I believe that Firefox is coded a lot tighter than IE, which will be a reason it should see fewer vulnerabilities creep up. I firmly believe that the simple fact that IE is deeply ingrained into Windows makes it a riskier product to use.

At any rate, ultimately a browser is about as secure as the person using it. I'm sure there are a lot of us out there who would be able to use a completely unpatched IE6 for a long period of time and never become compromised. However, the fact of the matter is that people aren't as careful as they should be with browsing the Internet, and it's us admins who should set up the perimeter and tiered security levels in order to protect our users from such security threats.
Stop reading only Microsoft's website
by System Tyrant January 7, 2005 2:36 PM PST
From what I have read it's generally the other way around. Fewer code errors are found in open source than in proprietary.

The only place I have seen info to the opposite has been on Microsoft's website. But hey, they are always right.
I don't think so.
by hion2000 January 7, 2005 4:30 PM PST
True, the source code is available for anyone to find vulnerabilities IF they haven't been found already. Personally, I'd prefer Open Source software over closed source programs. For the latter, the source code may look completely fine to those who view it. Being a rather seasoned programmer, it always takes another programmer (or two) to fully realize any problems that may be present.

That's why I tend towards Open Source software. Even security companies such as Secunia have inspected Firefox's code. Not only that, but security in Firefox has been tightened, one contribution at a time, by many, many volunteers. In general, the more people who look at the source code, the more likely a vulnerability will be discovered before a maliciously inclined hacker finds it.
Clueless Admins Love Microsoft
by System Tyrant January 7, 2005 8:48 PM PST
Yeah I'm picking on the 800 pound gorilla.

Microsoft has never been shown to be more secure than open source. Microsoft has not proven that proprietary code makes for fewer attacks or potentially fewer attacks. Microsoft has shown how little they care about security. Microsoft has shown, repeatedly, how closed source is as vulnerable, if not more so, than open source.

If the clued-in admins don't believe me, go read Microsoft's own report about Linux and not the snippets they chose to show.

Hey, me personally, I hope people keep using IE. If by your accounts the only reason IE is attacked is its large user base, then Firefox has nothing to worry about with its small user base.
B.S.!
by TedInAK January 8, 2005 6:11 AM PST
You said:
"Code that is available to the public is less secure than any other application on Earth".

That is SOOO wrong!

Any code that is AVAILABLE TO ALL is at least a hundred-times more secure than proprietary software!

All software has vulnerabilities (at least all software comprising more than a couple hundred lines of code).

But software source code that is available to all has this advantage: a vast majority of programmers are benign and want to help out of the kindness of their hearts. The ratio of good programmers to malware makers has got to be 100-to-1, minimum. So, using my (hopefully) conservative odds, a flaw or vulnerability is likely to be spotted by a benign source 100 times before it is spotted by a hacker (malign usage).

Therefore, using my unscientific odds, the flaw will be found and fixed, more often than not, before it becomes an issue (at least with those who patch/update).
Clueless Users make IE more secure...
by January 8, 2005 10:07 AM PST
Your argument is a Microsoft argument that just doesn't hold any water.

Are any articles you have to read all on microsoft.com or some pure IE-based company?

The truth of the matter is that hidden code hides the vulnerabilities from all people other than the internal developers. Utilizing ignorance is how we make software safer?

When code is open and everybody can see it, the problems are found in the lab and made public before hackers can utilize them.

When code is closed, the first time you find out about them is when funny things are happening to your system, or when a virus is running rampant through the community.
Cognitively Challenged, Eh Rod?
by cecker January 25, 2005 1:15 PM PST
Oh, sorry, you're a developer ...

You are right on one point: doing due diligence and learning about Internet security are what Firefox and Open Source software are all about. The simple fact that anyone, anywhere can review the source code for Firefox makes it the quickest and safest browser available. Simple facts that might be difficult for the CC to grasp. Note that this exploit (well, not really an exploit, just a concern) is already patched for the next release of Firefox.

MSIE, on the other hand, has security holes that M$ knows about, either because they coded them there purposefully, or they've been notified of them by a security firm, that users and system admins don't see until they become widely used public exploits -- !TOO LATE! Even then the most important fixes for MSIE are only available in XPSP2 for WinXP users -- SHAMEFUL!

In the real world, Firefox proves much more secure than MSIE. Try it yourself and see. Set up one group of users with Firefox only, and leave another group with MSIE. This test always leaves MSIE users with virus/adware/spyware and PC problems, and Firefox users trouble-free.
FF CPU load
by January 7, 2005 1:31 PM PST
I have the same thing happen to me all of the time, but it occurs most frequently when FF is trying to open another program within the browser (such as Adobe or a Java client), and sometimes it won't come out of the CPU-intense period, so I have to force close it.
Open source = secure? Give me a break
by January 8, 2005 1:28 AM PST
Man oh man, I guess you folks are so sure that M$ is the bad guy and that Firefox (open source) is secure because all those folks are "looking" at the code.

I can go back to the Linux root hack (back door) which is/was in most Linux installs (put in by one "open sourcer"), and no one found it for YEARS... yet hackers were using it daily.

As a network admin for many years,
paid hacker so to speak...
I can tell you that I have gained access to over 90% of all the Linux / *nix systems I have "tested".
Now, is it because the OS is insecure or is it because of the network admin???
Some of both, but mostly the insecure OS gets them.

And I can tell you that the FF worries are about to increase; watch next week for a major hole to be exposed... so all you die-hard FF fans watch out, because it will be a big one.

No, I do not say that M$ is more secure than FF or that FF is less secure than M$. I am saying that just because the software is OPEN does not mean it is BETTER OR SAFER.

OH, all you M$ users out there, go grab the new M$ anti-spyware from the Microsoft.com site.

It is FREE and it works great.....
it does a much better job than AD-AWARE and SPYBOT
I'm not an MS basher, but...
by TedInAK January 8, 2005 6:28 AM PST
...simply because there was a "backdoor" doesn't condemn all open source! I'd be willing to bet my bottom dollar that a "significant amount" of software has backdoors, but, because they are proprietary, they will never be known except to the few who know about them or to the even fewer they tell. The backdoors that do get publicized are closed pretty quickly.

"A significant amount" describes whatever the reader wants (in the eye of the beer-holder). I personally have installed "backdoors" in computers that I've assembled (and had to deal with countless hours of phone support because of "user error"), and even though probably illegal, I justify this to myself in two ways: it would be nearly impossible to enter my backdoors unless armed with a supercomputer (if you knew which computer to look for in the first place!) and it saves my clients $$$ in on-site service charges.
P.S.
by TedInAK January 8, 2005 6:33 AM PST
I haven't tried MS's new anti-spyware program yet, but am a regular user of both of those programs you mentioned (Ad-aware & Spybot Search & Destroy). Were you being sarcastic, or does it really do a "much better job" than those? How so? Elaborate!
I'll be watching
by System Tyrant January 8, 2005 10:01 AM PST
Microsoft doesn't need backdoors. It only takes 13 seconds to crack through their security anyway. By the way, Microsoft is full of backdoors and they are well documented. Microsoft has closed a few and opened a few more. I have a friend, who helps me secure my systems, who can gain access to a Windows system in seconds even with software firewalls installed.

I'm not sure why people believe proprietary software is so much more secure than open source. The studies I have read don't talk about code quality, only the fact that open source can be seen by anybody. So their basis for calling open source insecure doesn't rely on code quality, but rather on the fact that you can read it. Realistically, though, code quality is the concern, and this is why proprietary software makers don't want to fight that battle, because they won't win.

MS guys can bash Open Source and Open Source can bash MS all they want, but at the end of the day who produces better code?
I'm surprised at your comments...
by stevejobless January 10, 2005 2:36 AM PST
I'm surprised at your comment. From your description of your background (network admin - "paid hacker") I would have thought that you would have understood the ideas of security and software.

My understanding is that open source software is not to be trusted until AFTER the source code has been thoroughly checked by a trusted and skilled person. With closed source software it can NEVER be trusted, since the source code cannot be checked by YOUR source. From just this point, open source is potentially more secure.

Of course your average user isn't going to check the source code of a program and then compile it before using it, but the possibility of checking the code and changing it is available. So if code is popular, it will in most cases have been sanitised by sources other than the release team. So in the case of popular software like FF, it should be more secure than IE if you believe this argument.

Security through obscurity? Kind of like sticking your head in the sand, it leaves you bottom stuck up in the air ready to be taken advantage of...

Security on the whole is a moving target (the only static points are things like good practice). Pointing out vulnerabilities (especially malicious backdoors) from previous situations doesn't support closed source (or open source); remember, a closed source program could have a backdoor as well, but in the case of closed source how can it be checked? Remember, it is standard practice to put in back doors in the development phase of software.

Your point about a major FF security hole is unfounded, unless of course you have some inside info about a flaw that hasn't been published yet. As I pointed out earlier, security is a moving target: flaws are found and they are patched. The biggest difference so far between FF and IE, apart from the fact that IE doesn't conform to W3C standards, is that IE has had a huge flaw that has been unpatched for several months; of course the sensible and informed user can mitigate this by turning off ActiveX. FF is young, so its test by fire may be in the future, but IMHO they are doing a fine job in regards to secure browsing, especially when you consider that most other browsers take several months to release a new version of their browsers, not just a critical patch.

Installing the Giant anti-spyware app is a good idea if you use IE, but it is resource hungry, so why should more of my resources be used to bandage up a flaw that is caused by using IE?

Spyware installed by the user manually installing it? This is a whole new ballgame. Well if it is from free software which uses spyware components to generate their revenue, they mostly don't work if the spyware has been disabled. This comes back to users following safe practices and being well informed.
Still waiting...
by January 24, 2005 1:32 PM PST
Ok, so um, you said on the 8th that a major Firefox (or FF as you call it) hole will be released in one week. It's currently the 24th; where is it? I am waiting. Maybe they forgot... I don't know. I'll keep waiting...
Security through obscurity is BS
by January 8, 2005 1:53 AM PST
This has been debunked time and time again. The only exception is MS software, which is full of security flaws because they were poorly written, not because they are 'popular'. Why clueless MS apologists continue to cling to this fallacy is a better subject for an article.

There are enough non-MS products that hold the dominant position in their respective markets, and have a much larger potential for damage if they were insecure, but yet are very secure, and flaws are rare and difficult to exploit, to show that 'security through obscurity' is nonsense. If the Apache Foundation, for example, can do it, why can't the company with the deepest pockets even come close to that level of security?
I disagree
by TedInAK January 8, 2005 6:59 AM PST
Security through obscurity is NOT B.S. If you have 1,000,000 hackers attacking Microsoft products because of their widespread usage (100,000,000-plus people using MS products, or more, probably), compared to tens of thousands trying to find flaws in lesser used programs (such as Oracle's, Quicken's, Novell's, etc. - aggregate usage might be the same or more as MS's, but the publicity for exploits would be significantly less) the actual flaws found can't be extrapolated simply because of the dominance of a particular product.

I'm not "apologizing" for MS's many security flaws, but I AM trying to point out that simply because a particular program might hold dominance in a particular segment of the population, that does not correlate to the same percentage of flaws found for that program. I would be willing to bet that the amount of critical flaws existing in an application (per line of code, or per capita, if you will) would be comparable for many programs out there. I don't think that MS has that many more (or less) skilled programmers than other companies.

Bottom Line: Microsoft is the main target because Microsoft is THE dominant player in the software industry. I personally could write an application that was COMPLETELY full of holes, but you would never hear about them because you would never hear of my application in the first place!
An excellent substitute for Internet Explorer or Firefox
by TedInAK January 8, 2005 5:11 AM PST
I agree, when people go out of their way to create/improve something, it is undeniably a great thing. Maxthon (http://www.maxthon.com) is an awesome browser, and it is something that is frequently updated with users' ideas (by its author, bloodchen) but also continually expanded upon (via plugins) by a huge number of users at its forums (http://www.forum.maxthon.com). Technically, it is a "shell", using IE's underlying engine, but it is SO MUCH MORE!

It features tabbed browsing, skins, a TON of useful plugins, and it even fixes some IE vulnerabilities before Microsoft does! In my not-so-humble opinion, Maxthon is the best browser out there.

I personally think that it is better than Firefox because so many webpages out there are created by people who only test them on IE (or don't give a flying @#$%), and when you try to access them on other browsers like Opera or Firefox, they either look completely wrong, or worse, they don't open at all! Eventually web programmers will create pages that render perfectly on ALL major browsers, but until then IE and programs that use IE's rendering engine will rule the internet.
Just another side to this
by System Tyrant January 8, 2005 9:42 AM PST
I have heard a lot about that browser, nothing bad either.

Here is what I have seen using both IE and Firefox. I have been to Microsoft's webpage and had their pages not load right in IE, but load correctly in Firefox. I have also seen pages load incorrectly in Firefox that load correctly in IE.
Once more
by January 8, 2005 11:32 AM PST
Maxthon is not a browser. It is nothing more than a covering for a very flawed product. Please educate yourself.
Fire Fox or IE... Who cares.
by January 8, 2005 9:56 AM PST
As a web developer, both at my job (dotNET) and at home (LAMP), I use Firefox almost exclusively. The web developer and JavaScript debugging tools with Firefox are awesome.

But when I first started using and testing my apps with Firefox, many of my apps had bugs in them, both in the Cascading Style Sheets and in general HTML code. At first I thought it was a flaw in Firefox, until I researched and found that Firefox follows the W3 Consortium standards without any variance. IE takes liberty with the standards and allows mistakes by the web developer to be processed in some assumed manner by the coders of IE.

This can be good if every developer of a browser product made the same assumptions. But then again, they would be called standards.

Because of making sure that all my web pages work both on IE and Firefox.

IE and Firefox to me are just two tools in my toolbox that I use to do my job. But I like the tab browsing, the extensions (web developer stuff especially) and the pop-up restrictions.

I've found that running Spybot and Ad-aware on my home machine doesn't find any malicious software since I've been using Firefox, and that's reason enough for me.

Oh, and it's also helped that I've also converted to Thunderbird (as of rel 1.0) to replace Outlook Express.

I've been in the industry 35 years and I don't get so emotional about one product being better than another. I try to use the best product, and unfortunately, with marketing, the best product sometimes doesn't win. (Just ask the boys at WordPerfect.) So I stay flexible, just in case.
Microsoft becomes open source
by System Tyrant January 8, 2005 10:14 AM PST
I wonder what everyone would say if Microsoft became open source?
Not a complete stretch
by January 8, 2005 11:36 AM PST
MS is moving somewhat closer to open source each year. I doubt they will ever go the whole way towards OS, but they are reacting to it, and loosening their silly stance towards hiding code. Of course, if I were running MS, I would want to hide it out of embarrassment.
Get a Warrant
by kakman1 January 9, 2005 3:28 PM PST
"Good golly, somebody call the housing commission and demolish this place, nothing holding it together but spackle, bubble gum, spitwads and glossy paint"
What's the problem?
by Foggy January 10, 2005 10:36 AM PST
Any intelligent person on the web is going to have more than one browser on their computer. If IE is currently filled with flaws you avoid using it and instead use Firefox, Navigator(Netscape for the uninformed) or Opera or one of the other new browsers. As long as there are hackers and virus creators there are always going to be flaws detected in almost every browser.

You'd think with the billions that Bill Gates and his company Microsoft are now worth because of their monopoly on their OSs and forcing down the throats of the common man the inferior cloned office software they sell, that by now they could afford to have developed a corporate and personal conscience, and with that conscience spend a billion or two and fix all their products before they force them on the general public. A lot of companies have whole departments dedicated to Quality Control; Gates and company figure the after-market is the best solution: sell flawed, unproven product with a limited guarantee and then sell them a solution after a flaw, or lately multiple flaws, are detected.

So there you have it, keep at least two browsers on your desktop other than IE, make any other browser and email program your default(in my case it's Netscape, I can't remember when a Netscape flaw was detected) and use Microsoft products only if you absolutely have to.