The latest Firefox bug - flagged 'extremely critical'
I once had a lengthy debate with several experts editing the Wikipedia article on Internet Explorer. These guys were convinced that Firefox was more secure than Internet Explorer by design. They criticised the security of IE whilst extolling the virtues of Firefox. The two corresponding Wikipedia articles soon turned into a biased, popularist mess that was practically unsalvageable. I tried to balance the articles but my writing was erased or twisted by the other editors. Aren't collaborative encyclopedias great?

The hunt begins: and it ain't gonna be pretty
Among other things, I stated that the system-access privileges in Mozilla's JavaScript interpreter made the browser potentially just as vulnerable as Internet Explorer, which has similar sandboxed features. The editors responded that Firefox's protection of privileged JavaScript was robust. Apparently the 'chrome' directory lockdown was infallible.
Today proves otherwise:
Secunia reports a vulnerability marked 'extremely critical' in Firefox that gives even the most talentless hacker complete access to a Firefox user's system. Using a snippet of HTML and JavaScript, which has already been published here, one can run any executable file on a Firefox user's PC without them knowing.
As yet, the flaw is unpatched, and even when it is patched, Firefox's unreliable update mechanism will leave many users unprotected. I've never been prompted to upgrade to the latest version of Firefox when necessary on my PC or my Mac, and have always upgraded manually. Not all users will be as careful.
Reading the comments in response to this journal you'll see people convinced that Firefox is, and will always be, more secure than Internet Explorer. Well guys, let's take a look at the stats:
Internet Explorer - 6 vulnerabilities reported so far in 2005
Firefox - 12 vulnerabilities reported so far in 2005
(courtesy of Secunia)
09/05/05 12:17am
Pick your numbers. If you look at bugs found in the last 5 months, then sure, the new kid on the block has more. If you look at the number of still-unpatched bugs, the figures tilt the other way.
Note: all these numbers are from Secunia, the same source you used.
Firefox 1.x: 5 bugs unpatched
Internet Explorer 6.x: 19 bugs unpatched
I could have stopped here, like you did, with one pair of convenient numbers, but I'd prefer to be honest about it and admit that, since IE has been around longer and people have found more bugs in it, the percentages work out the same. Of course, some of those 19 unpatched IE bugs have been around for a year or more....
But let's look at some other information and see how these trends hold up.
How about criticality?
Firefox: 6% extremely critical, 13% highly critical, 31% moderately critical - altogether 50%
Internet Explorer: 14% extremely critical, 28% highly critical, 22% moderately critical - altogether 64%
Type of vulnerabilities?
The largest category of Firefox vulnerabilities (30%) is spoofing -- allowing one website to impersonate another. The largest category of IE vulnerabilities (again, 30%) is system access.
So sure, you can find one pair of numbers that make Firefox look less secure than IE. But across the board, it's the other way around.
10:46pm
I think there will be 1.0.4 soon. So I'm not worried.

Like "extremely critical" bugs? 14% of IE bugs are "extremely critical", compared to 6% in Firefox. Some are fixed of course, but it still shows you how insecure IE is by design.
Also, 19 out of 80 Secunia advisories for IE are unpatched. As 6 were reported in 2005, you can see how many bugs from 2004 (or earlier) are still not fixed.
08:03am
It's good to have critics. MS is now here because of OSS (much safer and better because of competition, care to admit it or not). MS couldn't fix a serious bug in such a short time - Firefox is already patched. I do not know of MS patching anything so soon. Hey wait, they have 57,000 employees on their rolls. What about them?
05:29pm
In addition to the other comments, please note that there is a $500 US (~£275; enough to pay for your broken projector bulb) "Bug Bounty" for reporting security vulnerabilities in Firefox, Mozilla Suite or Thunderbird: http://www.mozilla.org/security/bug-bounty-faq.html
07:07am
Chris, the fact that Firefox has had more security issues identified in a given timeframe does NOT prove that it's less secure. It may be, it may not be, but this piece of information doesn't help us know. What it DOES tell us, though, is that Firefox is tending to improve faster than IE - every bug spotted is a win.
01:14am
All Systems have bugs. Period.
The more users of a system you have, the more interest there will be in that system. Before going into any debates, go and fetch statistics on the number of people HACKING Internet Explorer, and the number of people HACKING Firefox. Think about it.
If you want a browser with fewer vulnerabilities, use one that no one is going to care about: Konqueror and Opera for example.
09:33am
Using IE for quite a time I got so much spyware and so many trojans that... well, I don't even understand how some people here try even to compare those two products; moreover Fox is much more functional with all its plugins and extensions, and it works much faster.
11:29am
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
09:43pm
:D
08:08pm
behind you:
'...You're all forgetting one major thing with bugs. How long they take to patch is another vital thing to look at. Let's see, Firefox had 2 vulnerabilities which were made public at the beginning of May. Less than a week later it was patched. Have you ever seen Microsoft work that fast?'
What you're forgetting is FF has exactly what to fix? A browser.
MS, OTOH, has an OS to check too, plus they have a huge legacy and a huge user base situated in hundreds of different jurisdictions, climates, languages and thousands - if not millions - of different operational uses.
Now let's get real; no human(s) can possibly foresee all the consequences of each permutation of use before it happens - especially on such a general, but frequently used application - anyone that ships software knows that...
... and why is, "... How long they take to patch, another vital thing to look at..."? Clearly, there have been a lot more "bugs" than there have been exploits of those "bugs"... even when reported and left to stand for a while.
(... and the word "critical" is too often used for its "panic" (and marketing) appeal IMHO.)
Thinking laterally, the more "hits" that M$ products take, the more they gain a competitive advantage - Arthur C Clarke, in his last sequel novel (to "2001: A Space Odyssey"), "2030", posits that viruses will constitute the future "weapon of mass destruction"... wouldn't you prefer an organisation with a history of attacks to draw experience from to deal with it?
02:46am
You're all forgetting one major thing with bugs. How long they take to patch is another vital thing to look at. Let's see, Firefox had 2 vulnerabilities which were made public at the beginning of May. Less than a week later it was patched. Have you ever seen Microsoft work that fast?
01:35am