E
elaich
For those of you who keep harping about the recent Firefox updates to fix
security flaws, as if the browser is suddenly not to be trusted, here's a
read that hopefully will open your eyes.
I'm quoting it because the original page contains many stories. The
original page is here:
http://windowssecrets.com/comp/050512/#story1
"Is Firefox still safer than IE?
By Brian Livingston
The popular Firefox browser received a security upgrade, known as version
1.0.4, when the Mozilla Foundation released the new code on May 11. This
upgrade closes a security hole that could allow a hacker Web site to
install software without a visitors' knowledge or approval.
This is the fourth minor update to Firefox since the open-source
browser's 1.0 release on Nov. 9, 2004. That doesn't seem like very many
patches to me, compared with Firefox's dominant competition, Microsoft's
Internet Explorer (IE), which is included in every copy of Windows. But
I've heard a surprising amount of comment that Firefox might no longer be
as secure as IE.
At Microsoft's Windows Hardware Engineering Conference (WinHEC), held in
Seattle April 25-27, for example, an IE product manager made this case
explicitly. Firefox had had (at that time) "three major releases," she
said, while Internet Explorer 6.0 had had none. This statement was
presented as though a lack of upgrades to IE was a benefit.
In fact, Microsoft has released at least 20 major security patches for
Windows or Internet Explorer since November 2004. Most of these patches
were rated "Critical," Microsoft's most severe security alert level.
The evidence I've seen so far indicates that Firefox remains much more
secure than IE. But it's worth our time to take a closer look.
IE users were exposed for 200 days in 2004
Some remarkable statistics comparing the major Web browsers have been
developed by Scanit NV, an international security firm with headquarters
in Brussels, Belgium, and Dubai, United Arab Emirates.
The company painstakingly researched the dates when vulnerabilities were
first discovered in various browsers, and the dates when the holes were
subsequently patched.
The firm found that IE was wide open for a total of 200 days in 2004, or
54% of the year, to exploits that were "in the wild" on the Internet.
The Firefox browser and its older sibling Mozilla had no periods in 2004
when a security flaw went unpatched before exploits started circulating
on the Net. With the latest 1.0.4 upgrade, Firefox has retained its
"patch-before-hackers-can-strike" record so far in 2005, as well.
These statistics are so important to understanding the "attack surface"
of the major browsers that we should break down this study into its
individual findings:
• IE suffered from unpatched security holes for 359 days in 2004.
According to Scanit, there were only 7 days out of 366 in 2004 during
which IE had no unpatched security holes. This means IE had no official
patch available against well-publicized vulnerabilities for 98% of the
year.
• Attacks on IE weaknesses circulated "in the wild" for 200 of those
days. Scanit records the first sighting of actual working hacker code on
the Internet. In this way, the firm was able to determine how many days
an IE user was exposed to possible harm. When Microsoft released a patch
for an IE problem, Scanit "stopped the clock" on the period of
vulnerability.
• Mozilla and Firefox patched all vulnerabilities before hacker code
circulated. Scanit found that the Mozilla family of browsers, which share
the same code base, went only 26 days in 2004 during which a Windows user
was using a browser with a known security hole. Another 30 days involved
a weakness that was only in the Mac OS version. Scanit reports that each
vulnerability was patched before exploits were running on the Web. This
resulted in zero days when a Mozilla or Firefox user could have been
infected.
The Opera browser also experienced no days during which unpatched holes
faced actual exploits, but Scanit began keeping statistics on Opera only
since September 2004.
To see Scanit's visual timeline of these holes, exploits, and fixes,
visit the firm's Internet Explorer page. On that page, click "Next Page"
to see the timelines for Mozilla, Firefox, and Opera.
Firefox fixes take days, IE takes months
From the record to date, the Mozilla/Firefox team has shown that new
security discoveries typically result in a patch being released in only a
week or so.
This was certainly true in the case of Firefox version 1.0.4. The primary
security hole that was closed by that version was unexpectedly publicized
by the French Security Incident Response Team (FrSIRT) on May 5. The
Firefox patch was released only six days later. (The apparent discoverer
of the flaw, the Greyhats Security Group, had been working responsibly
with Firefox's development team and criticized the leak.)
Perhaps the responsiveness of the Mozilla development group will shame
Microsoft into fixing security holes much faster in the future. The
situation has become so bad that eEye Digital Security, a respected
consulting service, maintains an "upcoming advisories" page showing how
much time Microsoft is allowing critical problems that are reported to
the Redmond company to go uncorrected.
At present, eEye's count reveals that three critical unpatched issues
currently affect Microsoft's products. None of these have gone unpatched
longer than 60 days, the period after which eEye considers a patch to be
"overdue." But some critical, widely-known security holes went as long as
six months in 2003 and 2004 without an official fix being made available
by Microsoft.
Another security firm that tracks security holes in IE, Firefox, and many
other applications is Secunia, based in Copenhagen, Denmark. As of today,
Secunia reports that there are still 19 unpatched security flaws in IE,
the most severe of which is rated "highly critical." Firefox has only 4
unpatched flaws, all of which are rated "less critical" or "not
critical," the lowest severity rating. Opera has none.
Microsoft officials often excuse their tardiness in fixing security holes
in IE by saying that the code is so complex that any fix has a high
likelihood of breaking something else. Well, who integrated IE so tightly
into the operating system that the browser is so delicate? It's
Microsoft's own poor programming that causes much of the software giant's
very visible problems.
Microsoft employs some of the best software developers in the world. The
company enjoys a cash reserve of $35 billion and is highly profitable.
Yet a tiny company that builds open-source browser software is making the
Redmond giant look foolish and incompetent in securing its products.
I have no particular attachment to the Mozilla Foundation or its
products. If the foundation's browser software was a threat to Windows
users, I'd say so. At the present time, several serious unpatched holes
are known to exist in IE, while few or none plague Firefox. This isn't a
religious issue, it's just a fact.
The foundation announced two weeks ago that they'd surpassed 50 million
downloads of the free Firefox browser. The application is largely
responsible for knocking down IE from a 94% market share in May 2004 to
87% in April 2005, according to OneStat. That's a remarkable
accomplishment, considering that IE is free and comes preinstalled with
Windows. Sites with a base of expert Windows users report much higher
levels of Firefox usage.
How to keep Firefox upgraded
No matter how fast Firefox's developers update it, it doesn't do you any
good unless you've got the browser configured to notify you of updates.
This is a simple matter, but it's worth making sure you have it right:
• Enable update checking. In Firefox, click Tools, Options, Advanced.
Ensure that the selection for Periodically check for updates is on, both
for Firefox and for My Extensions and Themes. This is the default
setting, so most Firefox users will automatically get notices of updates.
• Check for upgrades manually, if desired. You should see a dialog box
informing you of new updates as the Mozilla Foundation releases them.
There's a random delay, however, so every user doesn't try to download a
new version on the same day. To check whether there's an update that
applies to you, click the red up-arrow that's in the upper-right toolbar
of the Firefox menu area.
• Download the latest version. If a dialog box tells you an update is
available, close the window, then open Firefox's download page. If you
want a version other than Windows U.S. English, click the Other Systems
and Languages link and select your preferred version. Download the
executable file to a temporary area of your hard disk, then close all
apps (including Firefox itself) and run the installer.
It's no longer necessary or recommended that you uninstall Firefox before
upgrading to a new version. A few glitches affected upgrades to versions
1.0.1 and 1.0.2, but this has been corrected since 1.0.3.
It's unfortunate that hackers are so attracted to browsers as a way to
take over users' computers. But that's where the money is, as bank robber
Willie Sutton once said. We have to accept a certain amount of upgrading
as the price of using complex Windows applications. But we can reduce the
threat to ourselves and others by using browsers that have a proven
record of rapid, responsible development."
security flaws, as if the browser is suddenly not to be trusted, here's a
read that hopefully will open your eyes.
I'm quoting it because the original page contains many stories. The
original page is here:
http://windowssecrets.com/comp/050512/#story1
"Is Firefox still safer than IE?
By Brian Livingston
The popular Firefox browser received a security upgrade, known as version
1.0.4, when the Mozilla Foundation released the new code on May 11. This
upgrade closes a security hole that could allow a hacker Web site to
install software without a visitors' knowledge or approval.
This is the fourth minor update to Firefox since the open-source
browser's 1.0 release on Nov. 9, 2004. That doesn't seem like very many
patches to me, compared with Firefox's dominant competition, Microsoft's
Internet Explorer (IE), which is included in every copy of Windows. But
I've heard a surprising amount of comment that Firefox might no longer be
as secure as IE.
At Microsoft's Windows Hardware Engineering Conference (WinHEC), held in
Seattle April 25-27, for example, an IE product manager made this case
explicitly. Firefox had had (at that time) "three major releases," she
said, while Internet Explorer 6.0 had had none. This statement was
presented as though a lack of upgrades to IE was a benefit.
In fact, Microsoft has released at least 20 major security patches for
Windows or Internet Explorer since November 2004. Most of these patches
were rated "Critical," Microsoft's most severe security alert level.
The evidence I've seen so far indicates that Firefox remains much more
secure than IE. But it's worth our time to take a closer look.
IE users were exposed for 200 days in 2004
Some remarkable statistics comparing the major Web browsers have been
developed by Scanit NV, an international security firm with headquarters
in Brussels, Belgium, and Dubai, United Arab Emirates.
The company painstakingly researched the dates when vulnerabilities were
first discovered in various browsers, and the dates when the holes were
subsequently patched.
The firm found that IE was wide open for a total of 200 days in 2004, or
54% of the year, to exploits that were "in the wild" on the Internet.
The Firefox browser and its older sibling Mozilla had no periods in 2004
when a security flaw went unpatched before exploits started circulating
on the Net. With the latest 1.0.4 upgrade, Firefox has retained its
"patch-before-hackers-can-strike" record so far in 2005, as well.
These statistics are so important to understanding the "attack surface"
of the major browsers that we should break down this study into its
individual findings:
• IE suffered from unpatched security holes for 359 days in 2004.
According to Scanit, there were only 7 days out of 366 in 2004 during
which IE had no unpatched security holes. This means IE had no official
patch available against well-publicized vulnerabilities for 98% of the
year.
• Attacks on IE weaknesses circulated "in the wild" for 200 of those
days. Scanit records the first sighting of actual working hacker code on
the Internet. In this way, the firm was able to determine how many days
an IE user was exposed to possible harm. When Microsoft released a patch
for an IE problem, Scanit "stopped the clock" on the period of
vulnerability.
• Mozilla and Firefox patched all vulnerabilities before hacker code
circulated. Scanit found that the Mozilla family of browsers, which share
the same code base, went only 26 days in 2004 during which a Windows user
was using a browser with a known security hole. Another 30 days involved
a weakness that was only in the Mac OS version. Scanit reports that each
vulnerability was patched before exploits were running on the Web. This
resulted in zero days when a Mozilla or Firefox user could have been
infected.
The Opera browser also experienced no days during which unpatched holes
faced actual exploits, but Scanit began keeping statistics on Opera only
since September 2004.
To see Scanit's visual timeline of these holes, exploits, and fixes,
visit the firm's Internet Explorer page. On that page, click "Next Page"
to see the timelines for Mozilla, Firefox, and Opera.
Firefox fixes take days, IE takes months
From the record to date, the Mozilla/Firefox team has shown that new
security discoveries typically result in a patch being released in only a
week or so.
This was certainly true in the case of Firefox version 1.0.4. The primary
security hole that was closed by that version was unexpectedly publicized
by the French Security Incident Response Team (FrSIRT) on May 5. The
Firefox patch was released only six days later. (The apparent discoverer
of the flaw, the Greyhats Security Group, had been working responsibly
with Firefox's development team and criticized the leak.)
Perhaps the responsiveness of the Mozilla development group will shame
Microsoft into fixing security holes much faster in the future. The
situation has become so bad that eEye Digital Security, a respected
consulting service, maintains an "upcoming advisories" page showing how
much time Microsoft is allowing critical problems that are reported to
the Redmond company to go uncorrected.
At present, eEye's count reveals that three critical unpatched issues
currently affect Microsoft's products. None of these have gone unpatched
longer than 60 days, the period after which eEye considers a patch to be
"overdue." But some critical, widely-known security holes went as long as
six months in 2003 and 2004 without an official fix being made available
by Microsoft.
Another security firm that tracks security holes in IE, Firefox, and many
other applications is Secunia, based in Copenhagen, Denmark. As of today,
Secunia reports that there are still 19 unpatched security flaws in IE,
the most severe of which is rated "highly critical." Firefox has only 4
unpatched flaws, all of which are rated "less critical" or "not
critical," the lowest severity rating. Opera has none.
Microsoft officials often excuse their tardiness in fixing security holes
in IE by saying that the code is so complex that any fix has a high
likelihood of breaking something else. Well, who integrated IE so tightly
into the operating system that the browser is so delicate? It's
Microsoft's own poor programming that causes much of the software giant's
very visible problems.
Microsoft employs some of the best software developers in the world. The
company enjoys a cash reserve of $35 billion and is highly profitable.
Yet a tiny company that builds open-source browser software is making the
Redmond giant look foolish and incompetent in securing its products.
I have no particular attachment to the Mozilla Foundation or its
products. If the foundation's browser software was a threat to Windows
users, I'd say so. At the present time, several serious unpatched holes
are known to exist in IE, while few or none plague Firefox. This isn't a
religious issue, it's just a fact.
The foundation announced two weeks ago that they'd surpassed 50 million
downloads of the free Firefox browser. The application is largely
responsible for knocking down IE from a 94% market share in May 2004 to
87% in April 2005, according to OneStat. That's a remarkable
accomplishment, considering that IE is free and comes preinstalled with
Windows. Sites with a base of expert Windows users report much higher
levels of Firefox usage.
How to keep Firefox upgraded
No matter how fast Firefox's developers update it, it doesn't do you any
good unless you've got the browser configured to notify you of updates.
This is a simple matter, but it's worth making sure you have it right:
• Enable update checking. In Firefox, click Tools, Options, Advanced.
Ensure that the selection for Periodically check for updates is on, both
for Firefox and for My Extensions and Themes. This is the default
setting, so most Firefox users will automatically get notices of updates.
• Check for upgrades manually, if desired. You should see a dialog box
informing you of new updates as the Mozilla Foundation releases them.
There's a random delay, however, so every user doesn't try to download a
new version on the same day. To check whether there's an update that
applies to you, click the red up-arrow that's in the upper-right toolbar
of the Firefox menu area.
• Download the latest version. If a dialog box tells you an update is
available, close the window, then open Firefox's download page. If you
want a version other than Windows U.S. English, click the Other Systems
and Languages link and select your preferred version. Download the
executable file to a temporary area of your hard disk, then close all
apps (including Firefox itself) and run the installer.
It's no longer necessary or recommended that you uninstall Firefox before
upgrading to a new version. A few glitches affected upgrades to versions
1.0.1 and 1.0.2, but this has been corrected since 1.0.3.
It's unfortunate that hackers are so attracted to browsers as a way to
take over users' computers. But that's where the money is, as bank robber
Willie Sutton once said. We have to accept a certain amount of upgrading
as the price of using complex Windows applications. But we can reduce the
threat to ourselves and others by using browsers that have a proven
record of rapid, responsible development."
