Comments on: Exploit code chases two Firefox flaws

The two vulnerabilities, which have been rated "extremely critical," can be exploited when combined.

[bobby_brady]

I thought Firefox was secure?!!

Heck, I can get a unsecured browser by using IE. Now Firefox?

[quantum0726]

everything has its faults

Just because there is a listed exploit doesn't mean that the
product is less secure than others. Everything you use on your
computer can have some aspect of insecurity. Some are more
secure than others.

Even Mac, paraded for it's security, has had bugs and holes in
the past. What put Mac on top for security is the limited amount
of these and the quick turn around time for Apple to patch
them.

Just because a fault has been found doesn't mean Firefox is
more insecure than IE. In short time Mozilla will most likely put
out a patch for this problem.

[cupsdell]

Vulnerability leaked irresponsibly

Something not mentioned by the article is that the vulnerability was revealed irresponsibly: a bug report was filed with Mozilla on May 2, but some nitwit revealed the problem and an exploit on May 7, too early for Mozilla to release a fix, thereby seriously exacerbating the risk.

[Anonymous1234567890]

Firefox is still 99% more secure than IE

Get a life. Two flaws found which will be patched within a week, compared to IE which takes months, if at all, to get fixed.

[johnncyber]

Firefox is Secure

Firefox is still in its infancy stages for God's sake it is still ver. 1.0.4. There are countless coders across the world that work on Firefox and have new daily builds that come out everynight. They address these kinds of issues as they come out. How long has Internet Explorer been out?, and yet they are less secure than a browser first released 7 months ago.

[System Tyrant]

Just to be fair

I think we can all agree that Firefox has flaws. A flaw is a flaw regardless of whether or not it can/has been exploited.

I think the bigger picture here is how fast it is fixed excluding work arounds.

I suppose that the real questions are...

How critical is the flaw? How fast is a patched delivered? How complete is the patch? And how well is the patch delivered?

As far as comparing browsers goes I think you could compare them based on the following.

How well does it support standards or "recomendations"?
How much bloat does it have?
How user friendly is it?
How supported is it?
How does the company deal with flaws?
How fast does it render pages?
How well implamented is its security?
How many net related protocols does it support?

I'm sure others could add to this list.

In my opinion it comes down to how they all compare placed on an even field.

[hion2000]

Lots of points to make:

- Opera has had at least 1 critical security exploit before, while Internet Explorer clocks in at 11 extremely critical, and 24 highly critical, despite being the 6th major version. Firefox, being the new kid on the block, has

- Secunia (and other security companies of course) only lists PUBLICLY known exploits and is NOT a measure of product quality. For that reason Firefox may appear to have more vulnerabilities but that is more likely due to the source code being public and freely available to security firms.

- Mozilla has effectively disabled the remote system access exploit, as mentioned in the article within a few days of the exploit becoming publicly known. The worst of the exploits has ALREADY been mitigated.

- These exploits were known May 2nd, discovered by two guys: Paul of Greyhats Security Group and Michael Krax (who had received a Bug bounty of $2500 for discovering 5 other exploits). The exploits were restricted to security related people until the Mozilla group could come around to fixing it.

Here's the important part:

Some IDIOT released information on that exploit without Mozilla, Paul, or Michael's permission, thereby exposing 50 million users. Paul believes somebody hacked his server.

- Because of this, this is the ONLY reason why the flaw is even listed on Secunia as critical. Michael Krax himself found 5 security flaws, however they were silently fixed and they do not appear on Secunia.

- It's still safe to say that Firefox is secure because the whole system is excellent. Just because there's one critical flaw doesn't automatically make Firefox a bad browser. Mozilla will probably release a new version in a few days. Microsoft releases Internet Explorer patches on the second Tuesday of each month. Go figure. Mozilla also rewards people who find a security bug with $500. What an awesome incentive!

[Tex Murphy PI]

Generally correct...

Except that MS can, and has, released critical security fixes out of cycle.

What is interesting is how long it takes MS to release a patch. Sometimes, the patches come out relatively quickly (quicker than Firefox), and yet at other times, it takes them MONTHS to address the issue.

[alegr]

50 million downloads, not users

I hate to be a devil's advocate, but since you have to do a full download to update it, there is no way to reliably count real users. If an user went from 1.0.0 to 1.0.3, downloading all of them, this will be 4 (four) downloads.

[xpgeek11]

Cnet always gets at least one thing wrong

"Mozilla has changed its update Web service and advises people to temporarily disable JavaScript."

WRONG. Disabling JavaScript was Secunia's idea and Mozilla has suggested a better way. Quote from MozillaZine : "The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation eliminates the problem."

[hion2000]

Being picky there....

It's still the official word from Mozilla to disable Javascript. It may or may not have been their solution but they are still recommending that you turn off javascript.

[acarlos1000]

Firefox it's far better and secure than IE STILL

I totally agree with Bob Mckaren. Firefox is still more secure and a better browser tha IE. Another important issue is that Firefox has only 4.2MB while my last IE upgrade(from 5.5 to 6) had more than 90MB, and I've did several critical updates, each one with several MB.

Patchings the problem.

A lot of users have Automatic Updates turned on so at least their IE gets updated automatically when the patches appear. Is there an automatic way for Firefox. If there isn't you know that users are going to be running insecure versions no matter how fast the patches come out. Same for corporates. I have WUS turned on, on my network and can deploy patches to IE for 400 desktops with little effort. If they were all running Firefox I could still patch them with SMS but it's more work for the admin (and we don't like more work). For all it's shortcomings, IE on a secure network, regularly patched has never given us a problem in all the years we've been running Windows.
So for work I'll be sticking with IE and for home Opera (btw, for home I'm not saying Opera is better, it's just my preference).

OK. I'm ready for the evangelical replies.

Well. . .

Okay, MS has an automatic update service. True. This makes it easier for admins. I absolutely agree.

So, everyone's running the most updated version of IE because of it, and there are no insecure versions of it being run by users?

Hmmm. . .I didn't realize that automatic updates were a cure-all.

Evanginical enough a reply for you?

[Buzz_Friendly]

I get your point

I just don't agree. That said I would rather know. Your assuming people will patch when the fix has been found. If that were the case we would have far less problems across the board. But that?s not the case.

[System Tyrant]

Another opinion.

Firefox is not right for every enviroment. Some people don't like it for their own reasons. That's why it's called a choice. We should all be thankful that we have one (and we have more than IE and Firefox).

One thing that does amaze me is that it seams like those who cursed those security experts for releasing the vulnerabilities only after a month or two for IE are now over joyed that Firefox's flaws get publicized only day's after it is found.

I understand the need to get behind one side or the other, but we aren't really doing anybody any good. Debating computer has (or always has been) like debate religion. Everybody is always on the right side. That's just my opinion.

Another Myth ends

I strongly believe how secure a product is inversely proportional to number of feature it provides. Firefox started with a clean simple browser. But with time it included complex feature like plugin support, theme support that has ultimately made it too complicated to be 100% bug free.
This is nothing new. Internet explorer is the best example. It is one of the best browsers. However it stopped being just a browser after version 3.0.
With every component of its being reusable, and features that competes with operating systems, Internet explorer code-base has become too complex.
With complexity it has now involved into big security risk. I am sure Firefox if it goes high on its success; shall land up into same insecure browser category.

[Steven N]

just compare

Similar vulnerability, similar situation, only on IE this time. Sounds to me they are not making a lot of fuzz out of it... "you have to be tricked"... Yeah right... Don't hear the same tone in the firefox reporting...

http://news.com.com/Critical+flaws+in+IE+and+Outlook+discovered/2100-1002_3-5650238.html?tag=cd.hed

I am not making excuses for the flaw, however, giving their previous track record, you can be sure there will be an updated version shortly...

[amadensor]

Which will be fixed first?

IE for Win2K or Firefox? The Win2K IE flaw has been known and not fixed for quite a while, so MS has a head start. Who will finish first?

[onux16]

they're not noobs; they're human

I write simple console Java applications, and every so often I'll make a simple mistake and the next thing I know, I've got animations jumping on top of each other and moving in directions they aren't supposed to.

The point I'm reaching at is though the Firefox programmers aren't as newb as I am in programming, they are still human, and flaws are expected. It's just a matter of getting them fixed quick enough before something extreme occurs (mass infection of viruses, hacks, etc.).

[hion2000]

Release candidates available!

http://weblogs.mozillazine.org/asa/archives/008121.html

That, my friends is why we back Mozilla and not Microsoft. One exploit disabled within hours, both fixed in under two days.

Bravo :)