Version: 2008

Comments on: Exploit turns up heat for Firefox flaw

Mozilla has patched the hole in the Web browser, but the public release of attack code means it's urgent that people apply the fix.

Showing 1 of 2 pages (89 Comments)
FF now anyone? lol
by Cuto February 8, 2006 11:32 AM PST
Ok, where's all the bashing now. Seems IE has exploit, a few suggested the unbreakable FF. Makes sense to suggest IE now? lol
Um
by February 8, 2006 11:50 AM PST
The patch for this problem is out buddy. All you have to do is when FF tells you there is an update, you just click to install it. Most people using FF click to apply the first time they got the prompt. Whereas with IE, the exploit is out before the patch, and half the people don't apply it or even know it's out.
HAHA
by FutureGuy February 8, 2006 12:49 PM PST
What's more funny, it seems that the exploit only works on the "unbreakable" Linux and Mac OSes.
Bash, Bash, Bash
by Seaspray0 February 8, 2006 1:02 PM PST
Firefox has a Flaw! A patch is available! Bash, Bash, Bash! Happy?

The fact it has seen a security exploit is both a negative and positive event. It's negative in that flaws are not good and it reflects on the security of the browser that was touted as built around security. It is positive that this newcomer browser has garnered so much attention in the short lifespan to be considered worthy of the attention of the scum hackers.

Welcome to the big time, Firefox, and take your place alongside Windows, IE, OSX, Linux and others that have made enough impact to be hacked at in this imperfect world of software written by humans.
Max OS X
by eBob1 February 8, 2006 12:19 PM PST
Take your Macintosh to the max! (I assume that this was supposed to be "Mac OS X".)
Patch Before, Not After
by Michael G. February 8, 2006 12:27 PM PST
That's one of the many reasons I prefer Firefox, compared to IE. They provide a patch before the malicious code strikes, not the other way around. Downloaded Firefox 1.5.0.1 a few days ago---so I have nothing to worry about with this exploit.
not always...
by FutureGuy February 8, 2006 12:58 PM PST
...FF bug list is pretty long, in this case they were just lucky. And moreover most virus writers are either spammers going after the bigger pot or overzealous Linux crusaders.
Here's a full bug list https://bugzilla.mozilla.org/buglist.cgi?&product=Firefox&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&resolution=WONTFIX&resolution=---
That's so silly...
by Hernys February 8, 2006 6:16 PM PST
So you have a buffer of only one bit in your brain?
There have been no zero day exploits for IE in the last year. There was the WMF flaw, but that was a Windows flaw, not IE, and it affected you even if you used Firefox.
OTOH, Firefox has had at least one Zero Day exploit. Not the case of this last one, but that doesn't magically make past incidents disappear.
So the argument goes actually the other way. If you count zero day exploits, IE has a big edge over FF.
Now, the whole point is moot. The interesting part of this is not that FF has an exploit. It's that all the MS bashers that have nothing else to do than to criticize anything Microsoft does now have to go on claiming what they always criticize MS fanboys for saying. All software has flaws. It's the ability to handle them effectively and quickly that matters. All other considerations are of little importance.
Firefox
by solarflair February 8, 2006 12:54 PM PST
Remember one thing--patches are available as soon as a problem is discovered. This is unlike ms windoze. The Mozilla team will always make updates and patches ready ASAP once a security issue surfaces its ugly head.
Linux
by directrix February 8, 2006 1:01 PM PST
How does this virus "commandeer" Linux? I thought you had to crack root.
Perhaps
by Seaspray0 February 8, 2006 1:11 PM PST
Perhaps it will if you are logged in as root and browsing the internet.

Not logging in with an administrative account is a big plus in security. I wish I could convince Windows users to follow the same practice that many Linux users do out of habit... log in with a generic user account unless you need administrative privileges. Remember, security is not just the responsibility of the OS.
Not another Flaw :-(
by February 8, 2006 1:26 PM PST
Another day, another patch. When will they ever get it right?
Never
by someguy389 February 8, 2006 8:02 PM PST
Software will always leave room for improvement. No product is ever entirely perfect and software inherently differs in many ways from physical products in ways that make it more difficult to get "just right".

In software we also struggle with the fact that it's a young industry, relative to other engineering disciplines. There is a growing movement in the industry, especially at the university level, to work towards remedying those issues with the introduction of formal engineering practices into software. It's slow going though because there is an existing mentality of corporate rebellion (if the term rebellion can really be applied to throngs of nerds) and informality already ingrained in the current crop of developers. We are already seeing more college grads that come from "Software Engineering" programs, rather than traditional computer science studies.
Firefox vs IE Security
by slim-1 February 8, 2006 1:35 PM PST
Where Firefox is most secure is as a spyware stopper. Since I switched I went from up to 12 a week per each of the 9 PCs in my network in a week to 1 or 2 every six months per unit.

So you can't go to a site that uses ActiveX, complain to the site and use Firefox.
So
by dragonbite February 8, 2006 2:09 PM PST
THAT was why Firefox popped up for upgrading?! Hmph, had the patch before I knew there was an exploit.

Pre-emptive fixing, gotta love it! :)
Just in time to have people switch back to IE7
by mcepat February 8, 2006 4:20 PM PST
Trying out the beta right now, it's pretty sweet, tab preview is sweet.

and I guess now you can say it's just about as secure as FF, but since FF has exploits and IE has exploits and they will all continue to have exploits then really who cares?

IE7 baby

It's great: http://www.microsoft.com/windows/ie/ie7/default.mspx
MS updates IE after 3 years
by pentium4forever February 8, 2006 5:41 PM PST
It's funny it took this long for Microsoft to update their browser, copycats of Mozilla and Opera with tabbed browsing.
IE7...what?
by solarflair February 8, 2006 5:42 PM PST
Tab browsing is nothing new for Opera, Mozilla and Firefox. windoze is an expert at stealing eye-candy from osx and nix systems. They have no choice because they are being left behind. However, eye-candy will not replace the armor protecting all nix and BSD platforms. I have been a Linux user since Jan. 2000 and my main server, router run Fedora Core. Nightly updates are performed via apt-get which keeps my system rock-solid. Gnome and KDE are GUIs with more eye-candy than most need. (TAR), tape archive files give much greater freedom to compile source MY-WAY...Even using the terminal with Lynx I can surf the web and have more than one window in view. Konqueror in KDE is a great web browser with tabbed windows.
Have a great day...
IE7
by JulesLt February 10, 2006 12:37 AM PST
I'm also running the Beta, and it's certainly an improvement, but
there are still plenty of OTHER reasons to use Firefox - the main
one being its commitment towards standards compliance.

MS users typically have a negative attitude towards this - 'it
works for me and 90% of the world, so who cares' - which is one
reason the other 10% of people get so annoyed. If MS would
make their browser standards compliant (breaking all those IE
only web pages in the process, so not likely) then a lot of that
anger would go away, because people would have a free choice
in what they use - at the moment, their choice is limited by the
action of others.

'Quit whining and use IE' seems to be the line, but that's holding
back innovation - I don't see IE on my PSP or PS2 or set-top box
or PDA or Phone - ALL of which can connect to the Internet.

There's also the fact that Firefox is massively extensible, and
rapidly changing, while it's taken years to get tabbed browsing
into IE. You get a similar thing happening with Apple's 'Safari'
browser - new features only come along with a new version of
the OS, while other browsers innovate around it.

Oh yes - as my other post says - schadenfreude is no basis for
a security policy.
Yep...
by Steven N February 10, 2006 4:53 AM PST
...and have your antivirus disabled. Cool feature, esp. now since MS comes out with their own antivirus junk.
FF
by pentium4forever February 8, 2006 5:39 PM PST
Firefox is still more secure than IE. It fixes flaws very quickly.
Myth?
by pentium4forever February 8, 2006 5:44 PM PST
FF being more secure than IE is not a myth, parts of it are true. No ActiveX for one thing which is a big difference. Futureguy's post is a myth.
I second your post!
by pentium4forever February 8, 2006 5:46 PM PST
Yeah, the funny thing is Microsoft hasn't had a major update to IE since 2002. Now that FF is gaining popularity, MS is getting a little scared and now chooses to take action. They are copying Mozilla for tabbed browsing but since they are behind, they have no choice.
Just good business
by someguy389 February 8, 2006 7:36 PM PST
This isn't funny, it's expected and smart business. MS didn't update IE because they had no reason to. It's not a sellable product, so there was no money to be made from new versions. Why invest money in significant improvements when no one is challenging you? Now that there is a significant challenger for market share, MS has a reason to improve their product. I'm more tempted to blame the rest of the industry for taking so long to create a product that can compete than I am to blame MS for being stagnant on this one. Development costs money and they have shareholders to satisfy. MS doesn't have an ethical obligation to provide us with new features and software, especially software we expect to be free. On the other hand, they do have an ethical obligation to their shareholders.
copying Mozilla??
by FutureGuy February 9, 2006 2:09 PM PST
Where have you been? Tabbed browsing has been around way before Mozilla came around. There were even plugins available for IE that allowed tabbed browsing.
Mozilla are downplaying vulnerabilities again!
by _smigol February 9, 2006 3:31 AM PST
They already did that in the past (see: http://aviv.raffon.net/2006/02/07/MoreMozillaSecurityAdvisoriesMoreVulnerabilitiesDownplay.aspx ).
Stealing reply
by pentium4forever February 9, 2006 9:41 AM PST
Well I suppose it isn't maybe stealing but it just cracks me up that now IE decides to upgrade their browser right when FF starts making a mark in the browser world. 3 years and now IE will finally get a major upgrade. The update for SP2 for XP wasn't a major update.
Guess I'll stick with IE, then
by February 9, 2006 12:42 PM PST
There's been a lot of FF security problems of late. I think I'll just stick with IE, which has never given me any problem in that area.

I figured once FF got some market share and thus started to become a target for hackers that this would start happening.
I still prefer FF
by Musmanno February 9, 2006 3:12 PM PST
I never had much security trouble with IE, but I don't with FF either, and I still get a lot less spyware and other crap with FF, so I'll stick with it for now.
Secunia
by bemenaker February 10, 2006 8:32 AM PST
Look up each and then decide for yourself which is safer. Which one has more outstanding issues?
Silly boy
by Classic Software February 10, 2006 11:30 AM PST
The main reason Firefox is more secure than IE is that IE uses Active-X. That is the most insecure part of the browser. This allows drive-by installation of spyware on your system.

Firefox, especially if you run the NOSCRIPT extension is pretty much impervious to these types of threats.

We will see what IE7 has to offer, but unless they drop active X they are going to remain vulnerable.

There is no question, for the average user, FireFox is safer than IE.
This has become ridiculous.
by System Tyrant February 9, 2006 2:11 PM PST
I went through reading all these posts bashing one side or the other and even commented on a few of them.

This has become ridiculous, not that I expected anything more, but what you have is one side hell bent on proving that IE is just as safe and secure as anything else out there and the other side hell bent on proving them wrong. The fact is IE can be just as secure as Firefox and Firefox can be just as insecure as IE. It does boil down to how each are used and updated. Firefox is updated faster generally than IE. Of course one could say that as long as IE has been out without any significant updates that it should be rock solid and bulletproof.

I have gone from looking so much at security and all the bells and whistles of a browser to looking at its usability, stability, and, as a web developer, codeability.

Here's my assessment. IE is a simple interface that most people are used to. It renders most pages as long as they are not too heavy into the W3C standards. Most people will be just as happy with IE as I am with Firefox. From a web developer's point of view, I hate IE for not even coming close to trying to be more standard compliant.

Firefox and Opera are both good browsers that are lightweight and full of power. I think they are both far more functional than IE, but that's just a matter of opinion. I like the way Firefox and Opera render pages and Opera has a lot of useful extras. From a web developer's point of view it's nice to create a w3c compliant page and have it actually render correctly (I do mean more than basic HTML and basic CSS 1).

I say use what you like. If you like IE use it. If you don't use something else.
Right ON!
by Sharkster February 9, 2006 7:25 PM PST
Good post.
I use IE - won't change.
I like German beer - won't change.
I like pretty women - won't change.
So, even though they all have pros/cons - I know what I like. Why does everyone want to talk others into changing? If you are truly happy with what you have, common behavior is to keep it for yourself!

LOL - later.
Techie's Boxing Ring
by Michael G. February 10, 2006 9:06 AM PST
For that comment you should be awarded the practical thinking award of the month. I'm also fascinated by how passionate people can get concerning their web browsers and/or their OS---almost as if they're married to them. Some people get almost as angry and insulted as if you've insulted their wife or girlfriend. I said it well once---"Everybody wants their 15 minutes of fame or flame". Everybody wants to be the "smart" person on the block, until the next "smart" person comes along and knocks 'em off their perch---it makes for fun and interesting reading, but as my comments are included above too...

I've come to the conclusion that this is a form of techie's boxing ring. Nobody here is (probably) a real in-the-ring boxer like Mike Tyson, so it relieves the stress to believe we're "fighting" about something that is cerebrally important...and maybe it is. The question I've had is how much of a difference does it make? Is anyone here going to switch from IE to Firefox, or vice-versa? When it's all said and done, and CNET's article goes in the pile three days later, will anything have been accomplished?

Pass around the peace pipe, folks---be satisfied and celebrate the technology you have.
WRONG
by Classic Software February 10, 2006 11:33 AM PST
Please read my earlier comment. As long as IE has active-x, it will remain less secure than FireFox.

As someone who removes Spyware from other people's PCs, IE remains more vulnerable to Spyware.
Just for fun.
by System Tyrant February 9, 2006 2:28 PM PST
Firefox 1.x vulnerabilities
http://secunia.com/product/4227/

Internet Explorer 6.x vulnerabilities
http://secunia.com/product/11/

An interesting read for those of you who like statistics.
That is Fun
by random-rambler February 9, 2006 5:36 PM PST
Thanks!
Very Fun...
by Michael G. February 10, 2006 9:28 AM PST
I liked the pie graphs the best.
schadenfreude
by JulesLt February 9, 2006 11:58 PM PST
Schadenfreude is not a great security policy. I don't really
understand the attitude of Microsoft fans in delighting in seeing
flaws in other people's products.

It doesn't help improve the situation for them one bit to know
that BOTH major browsers on the Windows platform are flawed -
especially when they are probably less protected than other
systems once someone compromises the browser. (I say
probably, because people running a well-configured XP Pro
installation will be safer).
Especially if they run XP Pro ...
by Earl Benser February 11, 2006 4:41 AM PST
... disconnected from the Internet. IF Windows and IE aren't the
problem, then the Internet must be.
W3C
by JulesLt February 10, 2006 12:18 AM PST
Thanks Matthew - this is something many people are so
ignorant of, and for some strange reason hostile to - that the
biggest problem with IE is that it doesn't comply with standards.

It might seem a stupid thing to be concerned about, when
'everyone has IE' but it becomes a vicious circle. New devices like
the Sony PSP have wireless connection and a web browser, but
cannot access many badly written pages. As the screens on
mobile phones grow, this will only become more of an issue.

Equally, browser development has also been held back - the
other browsers support standards like SVG and the 'canvas' tag,
which could really improve the graphical experience of the web,
but instead the only way to achieve these things is through
using the Flash plugin. Again, your typical user will say 'well,
that's not a problem, more people have Flash than IE' - except
your PSP users and a lot of phone users.

The point is that ANYONE could write a browser that works to
standards. (It is up to them how good a job they do of it). If you
want a Flash player or IE, you need to wait for Macromedia or
Microsoft to write it for you - and they may decide at any point
to cease support.

If you can't see how this hurts innovation, then I'm afraid you're
lacking in imagination.
Standards...not always best
by robertcampbell2 February 10, 2006 7:30 AM PST
The problem with standards often ends up being whether they're strict or loose. Strict standards tend to defeat innovation in technology because you often have to "develop" by committee. In the case of net technologies, innovation by the market has been extremely successful. And when combined with a loose coupling to the W3C standards, the web has, for the most part worked fine.

Companies like Adobe/Macromedia (Flash) Apple (QuickTime) and others have every right to develop products for the browser. This should not interfere with the W3C developing standards for other technologies like SVG. As a matter of fact, SVG development was driven by the introduction of other graphic formats by Microsoft, Adobe, Macromedia and Sun.

The above points out that many standards derive from non-standard ideas and successes. You could argue that, in many cases, it is non-standard code that drives the innovation that leads to standard technology.

One recent example is AJAX. Javascript was not a standard when it began and it took a while to become a standard. XMLHTTPREQUEST was a non-standard success invented by Microsoft and that too took a while to become part of the standard. In the case of IE7, MS has moved closer to the W3C standards for CSS, and according to the IE team, will keep working to meet those standards.

But I hope it doesn't stop MS or any other company from introducing technology that is worthwhile but doesn't meet the standards du jour.
FF Patched in a day, IE in months
by likes2comment February 10, 2006 6:51 AM PST
If IE even gets patched or acknowledged that it has bugs...... I'll stick with FF.