Thane:
> as a programmer I know that when a program reaches that point, two things are true: 1) it's my fault, and 2) I have to rewrite it to make it easier.

Is 1) absolutely true even in cases where you have warned the powers that be? But they insisted on the fast "patch" anyway?

On 5/13/05, Thane Sherrington <[EMAIL PROTECTED]> wrote:
> Since this has been a discussion recently, I think people will find this interesting. I think he has the issue nailed: Yes, FF could be more secure, but since it's better than anything other than Opera (who isn't going to make it in a free browser world when they charge), it doesn't matter. Of real interest is MS's admission that IE is effectively "too complex to maintain" - as a programmer I know that when a program reaches that point, two things are true: 1) it's my fault, and 2) I have to rewrite it to make it easier.
>
> T
>
> Is Firefox still safer than IE?
>
> By Brian Livingston
>
> The popular Firefox browser received a security upgrade, known as version 1.0.4, when the Mozilla Foundation released the new code on May 11. This upgrade closes a security hole that could allow a hacker Web site to install software without a visitor's knowledge or approval.
>
> This is the fourth minor update to Firefox since the open-source browser's 1.0 release on Nov. 9, 2004. That doesn't seem like very many patches to me, compared with Firefox's dominant competition, Microsoft's Internet Explorer (IE), which is included in every copy of Windows. But I've heard a surprising amount of comment that Firefox might no longer be as secure as IE.
>
> At Microsoft's Windows Hardware Engineering Conference (WinHEC), held in Seattle April 25-27, for example, an IE product manager made this case explicitly. Firefox had had (at that time) "three major releases," she said, while Internet Explorer 6.0 had had none. This statement was presented as though a lack of upgrades to IE was a benefit.
>
> In fact, Microsoft has released at least <http://WindowsSecrets.com/links/edc2a8h/?u=www.microsoft.com%2Fsecurity%2Fbulletins%2Fdefault.mspx>20 major security patches for Windows or Internet Explorer since November 2004. Most of these patches were rated "Critical," Microsoft's most severe security alert level.
>
> The evidence I've seen so far indicates that Firefox remains much more secure than IE. But it's worth our time to take a closer look.
>
> IE users were exposed for 200 days in 2004
>
> Some remarkable statistics comparing the major Web browsers have been developed by Scanit NV, an international security firm with headquarters in Brussels, Belgium, and Dubai, United Arab Emirates.
>
> The company painstakingly researched the dates when vulnerabilities were first discovered in various browsers, and the dates when the holes were subsequently patched.
>
> The firm found that IE was wide open for a total of 200 days in 2004, or 54% of the year, to exploits that were "in the wild" on the Internet.
>
> The Firefox browser and its older sibling Mozilla had no periods in 2004 when a security flaw went unpatched before exploits started circulating on the Net. With the latest 1.0.4 upgrade, Firefox has retained its "patch-before-hackers-can-strike" record so far in 2005, as well.
>
> These statistics are so important to understanding the "attack surface" of the major browsers that we should break down this study into its individual findings:
>
> • IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means IE had no official patch available against well-publicized vulnerabilities for 98% of the year.
>
> • Attacks on IE weaknesses circulated "in the wild" for 200 of those days. Scanit records the first sighting of actual working hacker code on the Internet. In this way, the firm was able to determine how many days an IE user was exposed to possible harm. When Microsoft released a patch for an IE problem, Scanit "stopped the clock" on the period of vulnerability.
>
> • Mozilla and Firefox patched all vulnerabilities before hacker code circulated. Scanit found that the Mozilla family of browsers, which share the same code base, went only 26 days in 2004 during which a Windows user was using a browser with a known security hole. Another 30 days involved a weakness that was only in the Mac OS version. Scanit reports that each vulnerability was patched before exploits were running on the Web. This resulted in zero days when a Mozilla or Firefox user could have been infected.
>
> The Opera browser also experienced no days during which unpatched holes faced actual exploits, but Scanit began keeping statistics on Opera only since September 2004.
>
> To see Scanit's visual timeline of these holes, exploits, and fixes, visit the firm's <http://WindowsSecrets.com/links/194251h/?u=bcheck.scanit.be%2Fbcheck%2Fpage.php%3Fname%3DSTATS2004%26page%3D3>Internet Explorer page. On that page, click "Next Page" to see the timelines for Mozilla, Firefox, and Opera.
>
> Firefox fixes take days, IE takes months
>
> From the record to date, the Mozilla/Firefox team has shown that new security discoveries typically result in a patch being released in only a week or so.
>
> This was certainly true in the case of Firefox version 1.0.4. The primary security hole that was closed by that version was unexpectedly publicized by the French Security Incident Response Team (FrSIRT) on <http://WindowsSecrets.com/links/084a1ch/?u=www.frsirt.com%2Fexploits%2F20050507.firefox0day.php>May 5. The Firefox patch was released only six days later. (The apparent discoverer of the flaw, the Greyhats Security Group, had been working responsibly with Firefox's development team and <http://WindowsSecrets.com/links/cd7ad0h/?u=www.greyhatsecurity.org%2Ffirefox.htm>criticized the leak.)
>
> Perhaps the responsiveness of the Mozilla development group will shame Microsoft into fixing security holes much faster in the future. The situation has become so bad that eEye Digital Security, a respected consulting service, maintains an "<http://WindowsSecrets.com/links/9664c9h/?u=www.eeye.com%2Fhtml%2FResearch%2FUpcoming%2Findex.html>upcoming advisories" page showing how much time Microsoft is allowing critical problems that are reported to the Redmond company to go uncorrected.
>
> At present, eEye's count reveals that three critical unpatched issues currently affect Microsoft's products. None of these have gone unpatched longer than 60 days, the period after which eEye considers a patch to be "overdue." But some critical, widely-known security holes went as long as <http://WindowsSecrets.com/links/ac66b1h/?u=searchsecurity.techtarget.com%2ForiginalContent%2F0%2C289142%2Csid14_gci950149%2C00.html>six months in 2003 and 2004 without an official fix being made available by Microsoft.
>
> Another security firm that tracks security holes in IE, Firefox, and many other applications is Secunia, based in Copenhagen, Denmark. As of today, Secunia reports that there are still <http://WindowsSecrets.com/links/f32c2dh/?u=secunia.com%2Fproduct%2F11%2F>19 unpatched security flaws in IE, the most severe of which is rated "highly critical." Firefox has only <http://WindowsSecrets.com/links/adfc9fh/?u=secunia.com%2Fproduct%2F4227%2F>4 unpatched flaws, all of which are rated "less critical" or "not critical," the lowest severity rating. Opera has <http://WindowsSecrets.com/links/2a6f73h/?u=secunia.com%2Fproduct%2F4932%2F>none.
>
> Microsoft officials often excuse their tardiness in fixing security holes in IE by saying that the code is so complex that any fix has a high likelihood of breaking something else. Well, who integrated IE so tightly into the operating system that the browser is so delicate? It's Microsoft's own poor programming that causes much of the software giant's very visible problems.
>
> Microsoft employs some of the best software developers in the world. The company enjoys a cash reserve of <http://WindowsSecrets.com/links/e31755h/?u=www.computerworld.com%2Fmanagementtopics%2Fmanagement%2Fstory%2F0%2C10801%2C101349%2C00.html>$35 billion and is highly profitable. Yet a tiny company that builds open-source browser software is making the Redmond giant look foolish and incompetent in securing its products.
>
> I have no particular attachment to the Mozilla Foundation or its products. If the foundation's browser software was a threat to Windows users, I'd say so. At the present time, several serious unpatched holes are known to exist in IE, while few or none plague Firefox. This isn't a religious issue, it's just a fact.
>
> The foundation announced two weeks ago that they'd surpassed 50 million downloads of the free Firefox browser. The application is largely responsible for knocking down IE from a <http://WindowsSecrets.com/links/2c9a8eh/?u=www.onestat.com%2Fhtml%2Faboutus_pressbox30.html>94% market share in May 2004 to <http://WindowsSecrets.com/links/71bf9eh/?u=www.onestat.com%2Fhtml%2Faboutus_pressbox37.html>87% in April 2005, according to OneStat. That's a remarkable accomplishment, considering that IE is free and comes preinstalled with Windows. Sites with a base of expert Windows users report much higher levels of Firefox usage.

-- 
G. Waleed Kavalec
-------------------------------
Copyright: G. Waleed Kavalec 2005
This message may be resent and/or republished provided the content and this notice are kept intact.
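Added example (my code, not Scanit's, the article's, or anyone on this thread): the exposure-window metric the quoted article describes, computed over a constructed set of vulnerability records. The "clock" starts at disclosure (for the "unpatched holes" count) or at the first sighting of working exploit code (for the "in the wild" count) and stops at the vendor patch; overlapping holes are unioned so a day is never counted twice. Record names and dates are constructed, not real advisories.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional


class Vuln(NamedTuple):
    name: str                      # constructed label, not a real advisory id
    disclosed: date                # first public description of the hole
    exploit_seen: Optional[date]   # first sighting of working attack code, if any
    patched: Optional[date]        # vendor fix released, if any (None = still open)


def exposure_days(vulns, year, require_exploit=False):
    """Count distinct days in `year` on which at least one hole was open.

    With require_exploit=True a day counts only once working exploit code
    had been seen for a still-unpatched hole (the article's 'in the wild' clock).
    Days are collected in a set, so overlapping holes are not double-counted.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    exposed = set()
    for v in vulns:
        clock_start = v.exploit_seen if require_exploit else v.disclosed
        if clock_start is None:
            continue                                # no exploit ever seen: never 'in the wild'
        clock_stop = v.patched or (end + timedelta(days=1))   # unpatched: open to year end
        d = max(clock_start, start)
        while d < clock_stop and d <= end:          # patch day itself is no longer exposed
            exposed.add(d)
            d += timedelta(days=1)
    return len(exposed)


def fix_times(vulns):
    """Days from disclosure to patch per vulnerability (None while still open)."""
    return {v.name: (v.patched - v.disclosed).days if v.patched else None for v in vulns}


# Constructed sample: A and C had exploits circulating before a fix; B never had one;
# D was patched before exploit code appeared (the 'patch-before-hackers-can-strike' case).
SAMPLE = [
    Vuln("hole-A", date(2004, 1, 10), date(2004, 1, 20), date(2004, 2, 9)),
    Vuln("hole-B", date(2004, 2, 1), None, date(2004, 2, 15)),
    Vuln("hole-C", date(2004, 6, 1), date(2004, 7, 1), None),
    Vuln("hole-D", date(2004, 3, 1), date(2004, 3, 12), date(2004, 3, 8)),
]

if __name__ == "__main__":
    print("days with any unpatched hole:", exposure_days(SAMPLE, 2004))            # 257
    print("days exposed to in-the-wild exploits:", exposure_days(SAMPLE, 2004, True))  # 204
    print("disclosure-to-patch days:", fix_times(SAMPLE))
```

The same function can be run with require_exploit=False and True over a real advisory timeline to reproduce both of the article's figures (359 vs. 200 days) for whatever product you track.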
