Is Firefox more secure than Internet Explorer?
(updated 11/09/2004)
In their FAQ, Mozilla answers with the following five points (annotated by me):
"Yes, Firefox and all other Mozilla-based products are more secure. Why? Here is a list of the most important reasons:"
"It is not integrated with Windows, which helps prevent viruses and hackers from causing damage if they somehow manage to compromise Firefox."
Firefox, like IE, has access to system files, the registry, the system environment and memory. This makes a Firefox vulnerability just as compromising as an IE vulnerability.
"There is no support for VBScript and ActiveX, two technologies which are the reasons for many IE security holes."
Instead there is support for XUL (the spoofer's dream), XPCOM/XPI (Mozilla's ActiveX), system-privileged JavaScript and 3rd party extensions, which leave the browser open to manipulation. It's worth noting that SP2 locks down concerns with scripting and ActiveX in IE.
"No spyware/adware software can automatically install in Firefox just by visiting a web site."
Interesting - it was only the other night that a clever bit of Java managed to break its sandbox in Firefox and almost wrote to my registry. Luckily, anti-virus software identified it just in time (it was the ByteVerify trojan).
"Firefox doesn't use Microsoft's Java VM, which has a history of more flaws than other Java VMs."
See above - I think I prefer MS's Java VM already... the ByteVerify trojan doesn't affect me at all in IE.
"You have complete control over cookies."
How curious to see this comparison when Internet Explorer actually has a more powerful cookie-management feature than Firefox. In particular it has privacy zones, compact privacy policies, algorithms to detect personal info being disclosed in cookies, per-site enabling/disabling, full cookie browsing and more.
So, again, Mozilla is responsible for disinformation about Internet Explorer in order to promote their own product. If they were a commercial entity, they would already be in court under libel litigation.
written by Chris Beach
05/09/04 4:56pm
(8 years, 9 months ago)


"However, unlike IE, it does not support the concept of security zones, so to Firefox, system access whilst online isn't treated differently from sites running from the local system / trusted intranet."
Correct. Firefox doesn't support security zones. It simply denies all access to the local machine from webpages, whereas IE's zones do. Please rethink which is the better option here.
"Instead there is support for XUL (the spoofer's dream) and 3rd party extensions, which leave the browser open to manipulation. It's worth noting that SP2 locks down concerns with scripting and ActiveX in IE."
XUL isn't a scripting language; in itself, it cannot "manipulate" the browser, nor can it do any of the things that ActiveX or VBS could ever do. XUL is a more advanced version of HTML crossed with XML. It's also worth noting that SP2 locks down ActiveX, but Firefox's only equivalent (Javascript and/or XPInstall) has been secured since conception.
"Interesting - it was only the other night that a clever bit of Java managed to break its sandbox in Firefox and almost wrote to my registry. Luckily, anti-virus software identified it just in time (it was the ByteVerify trojan)."
Sun's Java and its sandbox is unrelated to Firefox. Had you used MSIE with Sun's Java, you would have got the same results. This is just FUD... please aim it at the source of the problem (Sun) and not an unrelated product.
"See above - I think I prefer MS's Java VM already... the ByteVerify trojan doesn't affect me at all in IE "
Well that's tough, since Microsoft is no longer supporting it and is, in fact, working with people to push Sun's Java as the standard. Also, MS Java is no longer bundled with Windows as of Win Server 2003.
As for the cookie statement, I've never seen the benefit of either implementation over the other.
3:50pm
Really, if you don't know what you are talking about, just shut up and stop spreading rumours. IE does not have any algorithm to detect privacy issues of cookies, it is just using a standard (called P3P) where sites themselves can publish their privacy policy. Most sites do not even use this system, so there it is useless. Firefox also has P3P support if you have compiled it in.
Firefox extensions by default are blocked if they don't come from update.mozilla.org, so there is no risk there.
And last but not least, Firefox does not have tens of unresolved security holes for which exploits exist in the wild. Last weekend tens of thousands of Internet Explorer users, especially from the Netherlands, but also in the UK and Sweden, have fallen victim to trojan horses being spread via advertisements on popular sites, after the advertisement server was broken into. The crackers used an unresolved security hole, which has already been known for several weeks, to spread the trojan horses. How many weeks will MS still wait to actually create a patch? At least Firefox users do not have to wait weeks to have a new version when their system is vulnerable.
See:
http://isc.sans.org/diary.php?date=2004-11-20
http://www.tweakers.net/nieuws/35137
http://secunia.com/advisories/12959/
8:54pm
Are you more *AT RISK* from using Internet Explorer than you are from using Mozilla? You clearly believe that the latter puts you more at risk, despite Internet Explorer actually having viruses that are actually in existence for it. Point me to a site that installs software on Mozilla without the user's permission... this has actually happened for IE users.
I could probably write a webpage that COMPLETELY spoofs how IE looks by hiding borders of a popup window and using javascript etc. How is that any different from XUL spoofing, please tell me.
Are you seriously comparing the running of what are essentially .exe files as part of the browser is comparable to being able to create spoofed UI? You should note that XAML (copy of XUL for Longhorn) will almost certainly have the same problem!
Which site? What Java VM were you running? If you had managed to install Java on your machine this problem would have affected IE as well - unless you are using the Microsoft JVM which makes me want to cry with laughter! In the end Java is not a Firefox issue whichever way it's looked at.
OMG - you are saying you installed Java for firefox but didn't install it for IE? You are seriously FUCKING STUPID!
Look man a site full'o flamebait - you are wrong wrong wrong!
9:35pm
IE
http://secunia.com/search/?search=internet+explorer
67 advisories, 17 still unpatched !!!
(5 unpatched ones are critical. and 28 critical overall - awesome number)
Firefox
http://secunia.com/product/3256/
17 advisories, 2 unpatched - this was for before version 1 !!!
(none unpatched on the critical list, overall only 2 advisories were critical)
4:31pm
Seriously man, what's the point?
Firefox happens to be the best browser in almost every way these days, and that's fact.
Why such love for IE?
Have a read on http://www.stopie.com
3:26pm
I am no computer expert, but after struggling for 2 solid weeks trying to remove a persistent browser hijacker - that just kept on popping advertisements to secure my system, even when I wasn’t on the internet, and after trying to remove this with countless products and failing in the process – I gave up the ghost and decided enough was enough – I removed IE from my Windows (more like disabled it).
I switched to FireFox and never looked back since. I’m sure IE is more advanced than FireFox, but that doesn’t make it any better….
It’s been over a year now, and I still have not had a single infection or a problem directly relating to the use or misuse of my FireFox….
12:18pm
http://secunia.com/product/11/
you've got it all so wrong. check the firefox patches. they've got it better than IE. and MSIE is a fucking huge corporation with armies of programmers, sitting idle, and people pay through their noses, costs them an arm and a leg, and they get screwed with bad code. the point here is they need not have muddled it so badly. if they wanted to integrate it with the OS they'd better make that secure. no bill just wanted to hump netscape, he did it successfully, but he screwed up his OS too. so much for his triumph over netscape. u know what, the best solution for people tired of IE problems ? opera, firefox !!!!
12:27pm
Mate if you want to generate discussion on your site, do it without lying about software written by, and which can genuinely benefit, the community.
3:30pm
You keep on believing the M$ marketing drivel buddy,... with people like you around there will always be easy targets sitting on the web. The simple fact is all software has vulnerabilities. The difference is that a lot of open source software developers are interested in fixing as many of these as possible (generally by good initial design not patches, BTW). M$ realise that fundamental poor design limits what they can do and so they pump out cynical marketing BS to make people like you feel calm and happy. With you out there no one will ever need to spend the time required to take over my machines because you will always be the "low hanging fruit". Thanks champ you are saving the rest of us from harm
4:13am
Are you joking? You actually trust IE's cookie manager to determine what's safe or not? With Firefox you can (as I have) set up so that cookies only from the originating website get set or that all cookies except ones you've explicitly set as "exceptions" are deleted every time you close the browser. How can you speak so authoritatively about something you know so little about? By the way, with Firefox, there are two simple checkboxes in the preferences that you can uncheck:
"Allow websites to install software"
"Enable Java"
I usually leave these unchecked; maybe you should, too.
7:09am