the fundamental security flaw in mozilla browsers
(updated 29/08/2004)
A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.
The problem is that Mozilla and Mozilla Firefox don't restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to "hijack" most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.
The Mozilla user interface is built using XUL files.
(Secunia Advisory)
The recommended fix is "Do not follow links from untrusted sites."
Of course, switching to another browser that does not allow XUL scripting (such as Internet Explorer) will close off this avenue of attack completely.
How long has this bug been around? 5 years. At time of writing it has still not been fixed. It was marked "confidential" in the Mozilla bug tracker until 7-21-2004. You can find out more, and view this flaw in action, at http://www.nd.edu/~jsmith30/xul/test/spoof.html
I have downloaded the latest version of Firefox (0.9.3, at time of writing) and the spoof page works to shocking effect.
What makes XUL spoofing more significant than javascript/image spoofing? Well, XUL is a whole new game. According to Mozilla:
"The goal of XUL is to build cross platform applications, in contrast to DHTML which is intended for developing web pages."
"XUL blurs the distinction between desktop application and Internet browser apps because it is firmly entrenched in both worlds"
XUL exposes the core components that make up the Firefox interface (which was itself written in XUL). This means that a spoof will preserve the user's "look and feel" right down to the currently selected theme. This isn't a hacky "cardboard cutout" browser mockup. In XUL a real address bar (with auto-complete etc.) can be created with a minimum of code, and any address value can be inserted into it. It's the spoofer's dream. At the end of the day, if XUL wasn't significantly more powerful than DHTML, why was it developed?
I just hope that the Mozilla community stops spouting Microsoft-bashing hype for a moment and does something about it. I'm glad to be using IE6.
12/08/04 12:44am
(8 years, 10 months ago)
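The post's point is that the spoof rides on the browser loading a XUL document from an arbitrary remote host, so the one place a defender can still see it is the network: a filtering proxy or a log review that notices XUL being served from somewhere it should not come from. The following is an added example, not code from the original post or from Mozilla. It classifies HTTP responses as XUL by declared media type, by the .xul extension, or by the XUL namespace declaration in the body (which catches XUL served with a misleading Content-Type), and flags any that do not come from an allowlisted host. The XUL media type and namespace URI are Mozilla's real identifiers; the host names, the allowlist and the sample responses are constructed for illustration.

```python
"""Flag HTTP responses that deliver XUL from hosts that are not allowlisted.

Added example (not part of the original post): a defender-side check for a
filtering proxy or a response-log reviewer. Host names, sample responses and
the allowlist are constructed; the media type and namespace URI are real.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional
from urllib.parse import urlparse

XUL_MIME = "application/vnd.mozilla.xul+xml"  # registered XUL media type
XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"  # XUL namespace URI


@dataclass
class Response:
    """Minimal view of an HTTP response as a proxy would see it."""
    url: str
    content_type: str
    body: bytes


def looks_like_xul(resp: Response) -> Optional[str]:
    """Return the reason a response appears to be XUL, or None if it does not.

    Checked in order: declared media type, the .xul path extension, and the
    XUL namespace in the first 4 KiB of the body (sniffing catches XUL that a
    server labels as text/html or similar)."""
    ctype = resp.content_type.split(";", 1)[0].strip().lower()
    if ctype == XUL_MIME:
        return "content-type"
    path = urlparse(resp.url).path.lower()
    if path.endswith(".xul"):
        return "extension"
    head = resp.body[:4096].decode("utf-8", errors="replace")
    if XUL_NS in head:
        return "namespace"
    return None


def classify(resp: Response, allowed_hosts: FrozenSet[str]) -> Dict[str, object]:
    """Decide whether a response should be blocked: XUL from a non-allowlisted host."""
    reason = looks_like_xul(resp)
    host = (urlparse(resp.url).hostname or "").lower()
    trusted = host in allowed_hosts
    return {
        "url": resp.url,
        "xul": reason,
        "trusted": trusted,
        "verdict": "block" if reason and not trusted else "allow",
    }


def review(responses: Iterable[Response], allowed_hosts: FrozenSet[str]) -> List[Dict[str, object]]:
    """Classify every response in a captured batch."""
    return [classify(r, allowed_hosts) for r in responses]


# Constructed sample traffic: an allowlisted intranet XUL app, a page whose body
# is XUL despite a text/html Content-Type, and an ordinary HTML page.
SAMPLE_RESPONSES = [
    Response("http://intranet.example/apps/dashboard.xul", XUL_MIME, b"<window/>"),
    Response(
        "http://untrusted.example/login",
        "text/html",
        b'<?xml version="1.0"?><window xmlns="' + XUL_NS.encode() + b'"/>',
    ),
    Response(
        "http://news.example/index.html",
        "text/html; charset=utf-8",
        b"<html><body>hello</body></html>",
    ),
]
ALLOWED_HOSTS = frozenset({"intranet.example"})  # constructed allowlist


def main() -> None:
    for result in review(SAMPLE_RESPONSES, ALLOWED_HOSTS):
        print(result)


if __name__ == "__main__":
    main()
```

The allowlist is the policy decision: the post's own workaround ("do not follow links from untrusted sites") becomes a rule the proxy enforces instead of one the user has to remember. A plain proxy only sees cleartext responses, so this check covers HTTPS only where TLS is inspected, and because the spoof reproduces the real theme, on-screen cues cannot substitute for a control like this.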
kinrowan:
"All of that said, I'm sure there are other known security holes in FireFox, and many more that haven't poked up yet. IE gets a bad security rap precisely because it is what most people use, so most of the shadier developers target it.
If FireFox ever got to be the 95% gorilla then I'm sure all kinds of holes would pop up."
Not so sure on this one.
The difference between IE's developer team and Mozilla's is that Mozilla's team DOES listen and actually fixes things.
I don't blame IE's dev team for not listening. They just can't change things or be as flexible as the open source community.
The fact that Gecko (Mozilla's browser engine) is open source does put YOU in charge.
Gecko is developed by the community. Everyone can join. The source is FREE.
Don't scream about bugs, FIX them or find someone able to fix them (the Mozilla dev team). You can do
Hell, they even pay you money for reporting bugs. Not worth exploiting them anymore.
4:33am
This sounds like zealotry.
I switched to FireFox after the Scob scare, and see no reason at all to go back. Both as a user and as a developer, FireFox makes my online life much more fun and easy. I've seen the new IE6 release, and there's little there to draw me back in. I live for the tabs (they really make web browsing much easier, to my mind), don't skin, and have about 20 extensions loaded and have never had any problems at all. It's a slick piece of work, and I have no problem using polished "Beta" code for a production app. If FireFox's popup-blocker is too stringent then I say great! If there are sites that I need to see the pop-ups in (and those are few, for me) then I load up IE for 3-5 minutes and close it right back down when I'm done.
All of that said, I'm sure there are other known security holes in FireFox, and many more that haven't poked up yet. IE gets a bad security rap precisely because it is what most people use, so most of the shadier developers target it. If FireFox ever got to be the 95% gorilla then I'm sure all kinds of holes would pop up. Does that make it less worthy to use? Not if it doesn't make IE less worthy to use. This particular security hole has a really simple solution: don't allow web sites to install software. Simple as that, and no worse a solution than the oft-suggested "Turn off JavaScript" idea. I only allow sites to load software when I'm particularly looking for something (like when I'm installing an extension).
When it comes right down to it, though, I'll switch back to IE if/when it shows that it's a better browser. I don't care, I'm not religious about it. But they have to convince me first....
kinrowan
7:07am
this "bug" exists in practically any browser that can display fake browser-like XUL buttons and such. you could even fake an AOL window or a windows update window. it's not just firefox.
"do not follow untrusted links" is really the only advice you can give - think of all of the people who use IE who get POPUPS of fake internet explorer images? SP2 fixes the popup problem, but not a lot of people have downloaded the update, and even so... IE is still way behind with tons of other things.
there is a VerifyURL extension that allows you to right-click and see the true URL of any website (even the ones with fake buttons or within frames). this does more than solve the problem, it gives you a new tool to check other seemingly fake sites.
taking away a great feature because it can be abused is no good. that'd be like assuming your entire userbase is dumb and won't know that they're using a fake browser window.
1:37am
I love the way they even spoof the padlock icon and the certification screen you get when double-clicking on it.
2:57am
Agreed with Andrew. What's the point of being able to do such things in JavaScript? It's only a feature, not really a flaw. And it requires a click to open the window. So it really depends on the user. If there is a flaw, it's the user.
But a nice thing is that it shows me how powerful Firefox is.
Still think Firefox's safe.
Etienne.
11:47am
I think it's very important for people to draw attention to security flaws that might compromise Firefox (so do they--they're offering a cash bounty to people who find new security related bugs).
But I'm afraid that "Chris Beach", deliberately or not, has misrepresented the facts. I get an XUL error on the test page--not a spoof at all. You can see what the error looks like at the bottom of "Chris Beach"'s page--mine's in English. I'm using today's very latest branch build, the new release candidate. So, sorry, I can't "try a more up-to-date version of Firefox".
"Chris Beach" is wise to worry about security problems with his browser, but perhaps if he worried about new ones that need fixing, rather than old ones that have already been fixed, he'd appear less loony and uptight. He'd be richer too--he could claim the Mozilla bounty.
2:48pm
I think it's laughable that you're pointing out a bug in Firefox that, incidentally, has been fixed, when there are much greater risks in Internet Explorer, such as the scrollbar exploit that can be found here: http://www.mikx.de/scrollbar/
Basically if you use the scrollbar on IE the site can install whatever file it wants to on your computer.
BTW if you use IE then don't go to that site!!! At least, definitely don't use the scrollbar. Though it doesn't hurt your computer, it does modify your registry and install a (blank) exe file on your system. Use Firefox instead :)
5:57am
I'm a web designer working for 5 years now, and it's now 1 year that I am using Firefox. Clearly, I only use IE now to check if my code is rendered well under it. Only.
Tab browsing and bookmarking, quick search text field (I have here 16 search engines just in a pulldown menu), password and download manager, popup killer, frame browsing by right click, skin support, W3C total compatibility (except for xHtml 2.0 where IE deals with those new things better), better special character rendering (Korean, Japanese, Russian and Chinese) ... and I don't talk about the availability of the browser under Win, OS X, Linux, BeOS, .... everywhere you can use the same (very user friendly) interface.
All my friends who have tried it (and they do dress designing, marketing, sciences, translation, teaching, .... for the most of them not geeks!) are totally in love with it. Especially because they don't have those "casino" or "playboy" popups (and no, they don't do warez or adult website browsing) and use tabs (even some do more than me). I'm sure even my grandma would love it.
If you are happy with IE, just use FF or Moz as your main browser for 1 week and then come tell me again that you still want to use only IE ;)
Even the French internet provider "Free.fr" told their customers at the hotline to install Mozilla ... if a commercial company tells its customers to use Moz instead of IE, it's not just for fun, it really means something ... nope?
5:27am
It's actually quite funny - considering the attitude of Mozilla supporters when a similar (but not nearly so bad) problem was discovered with IE (where you could put a certain character in links and anything after that would not be displayed in the address bar)
3:07am
2:52am
I just prefer the look of Internet Explorer
12:32pm
This problem also exists in Internet Explorer. It's called HTA. Using an HTA document, you could do the exact same thing in IE.
7:32pm
You can create a similar thing in HTML, and have it work for Internet Explorer. They have only addressed this in SP2: blogs.msdn
9:06pm
What's the difference between this and using javascript with bitmaps? Wouldn't it work in IE just as well, or better, since I can't middle-click on the link to open it in a new tab? That right there tells me it's not a web page, but a javascript window.
Can someone please inform me.
9:24am
"I feel sorry for the computer industry as a whole to suffer at the hands of such self-serving zealots" - this cracked me up! 'the computer industry as a whole' suffering! Like progress hasn't been stifled by Bill and the boys lately? Wake up.
9:49pm
(I enjoy the nature of argument, do not take anything personally, just that IE/Firefox makes one hell of an argument ... )
http://browsehappy.com/why/
especially this one from slate magazine owned by microsoft, quite incredibly !!!!
http://slate.msn.com/id/2103152/
9:20am
http://secunia.com/internet_explorer_command_execution_vulnerability_test/
"I just hope that the Mozilla community stops spouting Microsoft-bashing hype for a moment and does something about it. I'm glad to be using IE6."
Glad that I am using Firefox.
1:13pm
http://secunia.com/advisories/12889/
http://www.jmcardle.com/?postid=77
1:10pm
2:43am