Mozilla Firefox

Fuzzy Logic

Automatic checks for updates of extensions and themes as well.


Given, however, that most users are naive about these issues, it is
essential to ensure that the naive user is protected right out of the
box.

Regardless of the browser they use there is nothing to protect the user
from doing stupid things except education. You can have the latest AV
software, patched operating system and Firefox and it's not going to stop
a user from downloading something with a harmful payload that your AV
software doesn't know about yet.

But if there are a lot of leaks because of manufacturer's defects, maybe
it's time for people to consider alternatives.

By all means consider alternatives. I'm simply saying that switching to
another browser doesn't mean the user is suddenly a lot safer. They still
must practice safe surfing and keep all their software up to date (not
just their browser). Things like Flash, Adobe Acrobat, Java and various
other pieces of software are also attack vectors. Ultimately if they want
to be secure they have to take responsibility. Software can only do so
much for the user.

Sigh. IE offers all sorts of hooks which make it easier for malware to
do damage. (Think of how many people who are complaining because their
home pages have been hijacked by malware like Cool Web Search which are
beyond the capabilities of ordinary users to uninstall.) FF simply does
not offer such hooks.

My experience is that malware is installed by the user. I can't believe
how many users want their clock synchronized to the internet and gladly
install Precision Time or other such products. This has nothing to do with
whether or not the browser has hooks to the OS. Running Firefox is not
going to stop this and possibly encourage more of it because the user no
longer has anything to worry about because they are running a 'safe'
browser.

Sun has to be pushed to do a better job here. They fought hard in court
to stop Microsoft from keeping its own JVM, so in fairness Sun should
offer automatic updates as well. It does not help much to offer a more
secure JVM, and then not to ensure that users keep up-to-date.


So you argue that it is better to sell unsafe cars, because safer cars
might encourage users to drive more dangerously? An interesting
viewpoint.

No, I'm arguing they need to understand how things work and take some
responsibility. Just because you have a very safe car doesn't mean you can
drive recklessly and not expect to get in an accident. Also a car is only
safe if it's properly maintained.

Simply switching to Firefox is no guarantee that you are safe from threats
on the Internet and MAY encourage you to do things you wouldn't normally
do if you weren't using a 'safer' browser.

I have nothing against Firefox or switching. My concern is that naive
users will be led to believe that by switching to Firefox they no longer
need to concern themselves with security and that's a dangerous place to
be.
 
BC

Bill said:
Ok, I'll bite. Better security how? Fundamentally more secure design
somehow, or just a question of who did the better coding?

Both. IE and its ActiveX controls have been nothing
but bad news for security since its introduction way
back when:
http://www.halcyon.com/mclain/ActiveX/Exploder/FAQ.htm

All these years and patches/updates since and IE is
even more insecure than ever since the virus writers
have been doing much better at improving their wares
than Microsoft. There is NO way to truly secure IE
without disabling a lot of its so-called features that
Microsoft disingenuously convinced a lot of naive
companies into requiring it for web access to their
services.

As far as coding goes, look at the size difference
between a full download of IE6 and Mozilla Firefox:
Approx 76.8 Mb versus 4.7 (or about 5.4 Mb if you
include Flashplayer, or about 11.2 Mb if you also
include Thunderbird.) And this for a product that
hasn't been fundamentally improved since the original
NCSA Mosaic and Netscape browsers:
http://www.greytower.net/help/browsers.html

If Microsoft was truly committed to improving security,
it would have at the very least phased out ActiveX
years ago.

I hope you find this food for thought and whatever.

-BC
 
Fuzzy Logic

Both. IE and its ActiveX controls have been nothing
but bad news for security since its introduction way
back when:
http://www.halcyon.com/mclain/ActiveX/Exploder/FAQ.htm

All these years and patches/updates since and IE is
even more insecure than ever since the virus writers
have been doing much better at improving their wares
than Microsoft. There is NO way to truly secure IE
without disabling a lot of its so-called features that
Microsoft disingenuously convinced a lot of naive
companies into requiring it for web access to their
services.

Many of the questionable features are disabled in XP SP2. There is nothing
to stop a user from disabling features that they don't want or need.

As far as coding goes, look at the size difference
between a full download of IE6 and Mozilla Firefox:
Approx 76.8 Mb versus 4.7 (or about 5.4 Mb if you
include Flashplayer, or about 11.2 Mb if you also
include Thunderbird.) And this for a product that
hasn't been fundamentally improved since the original
NCSA Mosaic and Netscape browsers:
http://www.greytower.net/help/browsers.html

A full download of IE contains Outlook Express, Windows Media Player,
Shockwave and assorted other components.

If Microsoft was truly committed to improving security,
it would have at the very least phased out ActiveX
years ago.

I hope you find this food for thought and whatever.

Turn off ActiveX. It's not that hard. Even better, configure it to only run
on trusted sites.

Here are Microsoft's recommendations:

http://www.microsoft.com/security/incident/settings.mspx
 
BC

If you disable all those features, then you're going
to get a lot of complaints when you go to sites that
detect you're using IE, but have the security turned
up high. You also lose a reason to use IE at all
instead of downloading/installing Firefox.

But fundamentally there is no good reason to continue
using IE, given its history and the growing severity of
its exploits. Look at what Penn State recently decided
to do, and I suspect that it won't end here:
http://www.techweb.com/wire/security/55301051

And I would be more impressed to see a Microsoft link
urging developers to abandon ActiveX development.

-BC
 
Fuzzy Logic

If you disable all those features, then you're going
to get a lot of complaints when you go to sites that
detect you're using IE, but have the security turned
up high. You also lose a reason to use IE at all
instead of downloading/installing Firefox.

Strange that we haven't received any complaints. We roll out a preconfigured
version of IE that has the settings we think are a good compromise between
security and convenience. Many people have tried Firefox and don't like it
(I prefer Avant). I am not against Firefox, just people who tout it as the
panacea of browsers. It's about choice and I'm all for competition because I
think it will make all the major browsers better.

A Volvo may be a safer car but that doesn't mean we should all be driving one.
If you are an 'informed consumer' you can make the choice of the 'best
vehicle' that addresses your wants and needs. Having Volvos out there
raises the bar on safety and in the end results in safer cars for everyone.

But fundamentally there is no good reason to continue
using IE, given its history and the growing severity of
its exploits. Look at what Penn State recently decided
to do, and I suspect that it won't end here:
http://www.techweb.com/wire/security/55301051

Well it's working just fine for us and to date we have not had one security
incident related to Internet Explorer since we switched from Netscape many
years back.
 
BC

Sorry, but I don't buy that last statement at all. I personally
don't know of ANY organization that hasn't had problems
with malware coming in on IE, regardless of the security
measures they have in place. I've personally seen more
undetectable (except by being suspicious of flaky behavior
and sleuthing out the processes running) and unremovable
(except via hacking) in the past 6 months than in the past
6 years, and I think IE has been front and center as the
cause.

The only hope for IE is if enough people switch over to
Firefox or other genuine alternatives (Avant is just a front end
for IE), which would likely be the ONLY incentive for Microsoft
to actually fix and improve it finally.

-BC
 
Fuzzy Logic

Sorry, but I don't buy that last statement at all. I personally
don't know of ANY organization that hasn't had problems
with malware coming in on IE, regardless of the security
measures they have in place. I've personally seen more
undetectable (except by being suspicious of flaky behavior
and sleuthing out the processes running) and unremovable
(except via hacking) in the past 6 months than in the past
6 years, and I think IE has been front and center as the
cause.

The malware we get (aside from cookies which I don't even consider an issue)
has ALL been installed by the user. The most common one is Precision
Time/Gator. The user is prompted if they want their clock synchronized to the
net and they figure that's a good thing. Bingo they have it. Hardly an IE
issue.

The only hope for IE is if enough people switch over to
Firefox or other genuine alternatives (Avant is just a front end
for IE), which would likely be the ONLY incentive for Microsoft
to actually fix and improve it finally.

I am aware that Avant is a front end for IE. As I said in my previous post I
am all for competition as it raises the bar for all the browsers.
 
BC

My clients have been having more problems with spyware malware
than true viruses, and what makes me nervous is how very little coding
it would take to convert one of the newer difficult-to-detect/remove
spyware apps to a difficult-to-detect/remove worm:
http://www.spywareinfo.com/~merijn/cwschronicles.html

The bottom line, though, is that IE is just too exploitable to be used
as the default browser anymore and there's nothing to indicate that this
is a situation that's going to change for the better anytime soon:
http://tinyurl.com/59tly
http://tinyurl.com/4qpdq

-BC
 
Guest

Someone said "how does Firefox stop someone from downloading something that
contains malware" You can replace Firefox with IE in that sentence and it
still doesn't matter, no browser stops you from downloading something.

If you're going to complain about it, you could at least try it. Sorry if you're
hooked on Microsoft IE, but Microsoft has decided to not release another
version of IE for a year. Firefox has enough potential to be on 50% of
computers by next year, and shows no signs of slowing, Mozilla gets a quarter
million Firefox downloads a day.

If you don't like something about Firefox, you could ask them to put in that
feature you want, too.
 
Fuzzy Logic

Someone said "how does Firefox stop someone from downloading something
that contains malware" You can replace Firefox with IE in that sentence
and it still doesn't matter, no browser stops you from downloading
something.

That was my point. Every 'security incident' we've had related to IE was the
user's fault. They either said yes to something they didn't understand or
installed some freeware that had the added bonus of including spyware.
Educating the user is a better security tactic than telling them to switch
to another browser. Switching to another browser will not stop them from
doing stupid things. It may in fact encourage them to do less secure things
since they are now running a 'safer' browser.

If you're going to complain about it, you could at least try it. Sorry if
you're hooked on Microsoft IE, but Microsoft has decided to not release
another version of IE for a year. Firefox has enough potential to be on
50% of computers by next year, and shows no signs of slowing, Mozilla
gets a quarter million Firefox downloads a day.

I have tried it (more than a few times). I prefer Avant which gets updated
on a regular basis. Yes I'm aware it's a shell for IE but it gives all the
functionality of Firefox and then some and I don't have to download a
single plugin.

PS simply disabling ActiveX in IE is enough to make IE essentially on par
with Mozilla/Firefox security wise.

If you don't like something about Firefox, you could ask them to put in
that feature you want, too.

I have a browser that I am very happy with and have better things to do with
my time than to offer suggestions for a browser I don't even use.
 
Guest

Fuzzy Logic said:
That was my point. Every 'security incident' we've had related to IE was the
user's fault. They either said yes to something they didn't understand or
installed some freeware that had the added bonus of including spyware.
Educating the user is a better security tactic than telling them to switch
to another browser. Switching to another browser will not stop them from
doing stupid things. It may in fact encourage them to do less secure things
since they are now running a 'safer' browser.

Not all problems are caused by installed software, I had to reinstall
Windows once, and know that the virus was caused by a default setting in IE,
the one that says automatically update stored pages. Along with the usual
bugs that allow hackers to gain control of the machine. (default install
Windows XP service pack 1 on DSL line lasts on average about 4 minutes) I don't
think it will matter that much as to how unsafe they are especially since the
malware that already exists mainly affects IE. I'm also sure that people won't
just forget what they should and should not do on the web when it comes to
downloads.
 
Guest

Fuzzy Logic said:
"Fuzzy Logic" <[email protected]> wrote in message [email protected]...
[...]
... and uses the IE rendering engine.

Oh, my! Better consider a true browser - i.e. rendering engine - that
actually complies to the standards then. I'd try Mozilla-based
rendering.

Why should I when I am quite content with what I have?

If IE is compromised, your entire system could be compromised (you have no
control over it at all) and if you have both and one doesn't work you can use
the other one as a backup.
 
Guest

Three Firefox features you might like are: (a) a great popup blocker (with
IE this is available only to those with XP SP2), (b) tabbed browsing (for
many who use it, it is a godsend); (c) better security (really).

Note that people uninstall service pack 2 because it slows down their computer.
 
Fuzzy Logic

Fuzzy Logic said:
"Fuzzy Logic" <[email protected]> wrote in message
[email protected]...
[...]
... and uses the IE rendering engine.

Oh, my! Better consider a true browser - i.e. rendering engine - that
actually complies to the standards then. I'd try Mozilla-based
rendering.

Why should I when I am quite content with what I have?

If IE is compromised, your entire system could be compromised (you have
no control over it at all) and if you have both and one doesn't work you
can use the other one as a backup.

If, could, this is all speculation. To date this hasn't happened to me and I
do a LOT of surfing.

If you don't patch Java in Firefox the same thing could happen to you.
Reference:

http://www.infoworld.com/article/04/11/24/HNsunhot_1.html

Pick a major browser YOU like and keep it patched, learn its security
features and use them. If you use IE turn off ActiveX except for trusted
sites that require it. Practice safe surfing and you will be about as safe
as you can be. What's apparently 'safe' today may be totally vulnerable
tomorrow when a new flaw is discovered (and it will). Security is a process
not a piece of hardware or software.
 
jeffrey

Hi,

I have SP2 on over 200 plus systems, it hasn't slowed down their computers.
They actually noticed a speed increase. Those that reported their system
was slower, was from poorly maintained computers.
 
CCrusher

Fuzzy said:
That was my point. Every 'security incident' we've had related to IE was the
user's fault. They either said yes to something they didn't understand or
installed some freeware that had the added bonus of including spyware.
Educating the user is a better security tactic than telling them to switch
to another browser. Switching to another browser will not stop them from
doing stupid things. It may in fact encourage them to do less secure things
since they are now running a 'safer' browser.

I have tried it (more than a few times). I prefer Avant which gets updated
on a regular basis. Yes I'm aware it's a shell for IE but it gives all the
functionality of Firefox and then some and I don't have to download a
single plugin.

PS simply disabling ActiveX in IE is enough to make IE essentially on par
with Mozilla/Firefox security wise.

I have a browser that I am very happy with and have better things to do with
my time than to offer suggestions for a browser I don't even use.

disabling ActiveX in IE affects many programs besides IE... but
Microsoft was hoping software developers would use the easy hook into
Explorer......the browser should not be hooked into the system.... once a
program can do that ... it is a file on your computer with all access
 
Guest

""Dear IE, I'm leaving you for good

By Robert Vamosi
Senior editor, CNET Reviews
November 12, 2004


Dear Internet Explorer:

It's over. Our relationship just hasn't been working for a while, and now,
this is it. I'm leaving you for another browser.

I know this isn't a good time--you're down with yet another virus. I do hope
you feel better soon--really, I do--but I, too, have to move on with my life.
Fact is, in the entire time I've known you, you seem to always have a virus
or an occasional worm. You should really see a doctor.

That said, I just can't continue with this relationship any longer. I know
you say you'll fix things, that next time it'll go better--but that's what
you said the last time--and the time before that. Each time I believed you.

Well, not any longer.

You cheater!
The truth is there's nothing more you can say to make things better. I know
about your secret marriage to Windows. You say you two are not seeing each
other anymore, but I just don't believe it. You say you can live without
Windows, and I've heard that Windows can live without you, but I know that's
simply not true.

What about HTML e-mail in Outlook? Every time there's a new letter in the
Inbox, you rush over to help Windows render it. And what about HTML within
Word? There you go again. And don't get me started with those late nights
you've spent rendering thumbnail images in Windows Explorer. You're all over
Windows and, what, you just expect me to turn a blind eye?

You're no longer fit
For another thing, you've gone and gotten all lazy and out of shape on me.
When was the last time you picked up a new feature? Two years ago? Three?
While you rest on your laurels, while you spend your days slapping patches on
the various flaws that seem to pour out as though your source code were a
colander, the Internet has changed. A lot.

Last Christmas, I gave you a free RSS reader, Pluck, and you seemed to like
it, with new feeds popping up from time to time keeping you fun and relevant.
It gave me reason to think maybe you and I could work things out. But, in the
end, it just wasn't a true fit; it wasn't really a part of you.

When I mentioned wanting to view more than one Web page at a time, you just
laughed, said it couldn't be done. Well, I knew that wasn't true. Opera,
Netscape, and now Firefox, they can all do it. You simply don't want to
discuss change.

And when you do, it's only because of someone else. A certain someone else:
Windows. Don't deny it. You didn't think twice when Windows XP SP2 offered
you its shiny new pop-up blocker. Or gave you new firewall protection. I know
Windows has promised to block buffer overflows, too--but I'll believe it when
I see it.

Yet what have you done for me lately? I don't want to keep upgrading my
operating system just to keep you around. Talk about baggage.

This is it
I know, I've tried breaking up before, and I've always come back, but that's
because I couldn't find the right browser to move on with. I want an
independent browser, one that stands on its own without a codependent
operating system. What I want is a browser that's strong and secure, one that
handles the latest content and won't crash. I want transparency. I want code
that actually means something.

I have found just that.

With Mozilla Firefox, at least I know where I stand. The code is open
source, built from the ground up, clean--not recycled. No more hidden
agendas. At least when there's a flaw in Firefox, this browser alerts me on
its toolbar. It doesn't try to hide its mistakes, waiting until the second
Tuesday of the month to offer me a patch for some flaw that's been out there
for six months already.

I can take my Firefox to my Mac and Linux friends, and everyone gets along
just fine. You barely even talk to Macs anymore, and you always seem to walk
out of the room whenever Linux stops by. Why? What are you afraid of?
Honestly, a grown browser like you afraid of a little operating system? I
think this snobby behavior speaks volumes about what's wrong with this
relationship.

So this is it: Good-bye. I know you'll do fine without me; you always have.
I'm sure there'll be someone who'll find you to be cute and interesting. It
just won't be me.""
 
C A Upsdell

dark said:

That article has nothing about Firefox, you can't just guess it affects
something. What it actually means is every browser that runs Sun's version of
Java could be hacked.

The Java problem could affect anything using an older Sun JVM. This
certainly includes old betas of Firefox: as for Firefox 1.0, I suspect
it uses the updated JVM, as the updated JVM became available before 1.0
was released.
 
