This is nice and all that but even with IE's ass hanging out *I* was less at risk using it during these periods because I had problem features turned off by default and only on for small list of sites.

Conversely, I am relying on FF's internal sense of when to disable features combined with the hope those features are not exploitable, and have been hit twice through Java plugin calls that IE blocks with my restricted setup. It would take a previously trusted site with Java enabled to do the same damage in IE as what FF let through on any random site.

All it takes is for FF to be the more popular browser and exploits will start coming in real time like they do for IE. To FF's defense, as long as the release patches/updates come before damage is done, all will be well I guess. Still, I would feel safer if I could find a plugin to do per-site settings for Java, JS, plugins, etc. with memory. If it's there, I'm not seeing it.

I have 1.04 loaded and am giving it a chance as I have with the previous versions.


Thane Sherrington wrote:
Is Firefox still safer than IE?

By Brian Livingston
<snip>
The firm found that IE was wide open for a total of 200 days in 2004, or 54% of the year, to exploits that were "in the wild" on the Internet.

The Firefox browser and its older sibling Mozilla had no periods in 2004 when a security flaw went unpatched before exploits started circulating on the Net. With the latest 1.0.4 upgrade, Firefox has retained its "patch-before-hackers-can-strike" record so far in 2005, as well.

These statistics are so important to understanding the "attack surface" of the major browsers that we should break down this study into its individual findings:

• IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means IE had no official patch available against well-publicized vulnerabilities for 98% of the year.

• Attacks on IE weaknesses circulated "in the wild" for 200 of those days. Scanit records the first sighting of actual working hacker code on the Internet. In this way, the firm was able to determine how many days an IE user was exposed to possible harm. When Microsoft released a patch for an IE problem, Scanit "stopped the clock" on the period of vulnerability.

• Mozilla and Firefox patched all vulnerabilities before hacker code circulated. Scanit found that the Mozilla family of browsers, which share the same code base, went only 26 days in 2004 during which a Windows user was using a browser with a known security hole. Another 30 days involved a weakness that was only in the Mac OS version. Scanit reports that each vulnerability was patched before exploits were running on the Web. This resulted in zero days when a Mozilla or Firefox user could have been infected.

The Opera browser also experienced no days during which unpatched holes faced actual exploits, but Scanit began keeping statistics on Opera only since September 2004.

To see Scanit's visual timeline of these holes, exploits, and fixes, visit the firm's <http://WindowsSecrets.com/links/194251h/?u=bcheck.scanit.be%2Fbcheck%2Fpage.php%3Fname%3DSTATS2004%26page%3D3>Internet Explorer page. On that page, click "Next Page" to see the timelines for Mozilla, Firefox, and Opera.

Firefox fixes take days, IE takes months

From the record to date, the Mozilla/Firefox team has shown that new security discoveries typically result in a patch being released in only a week or so.

This was certainly true in the case of Firefox version 1.0.4. The primary security hole that was closed by that version was unexpectedly publicized by the French Security Incident Response Team (FrSIRT) on <http://WindowsSecrets.com/links/084a1ch/?u=www.frsirt.com%2Fexploits%2F20050507.firefox0day.php>May 5. The Firefox patch was released only six days later. (The apparent discoverer of the flaw, the Greyhats Security Group, had been working responsibly with Firefox's development team and <http://WindowsSecrets.com/links/cd7ad0h/?u=www.greyhatsecurity.org%2Ffirefox.htm>criticized the leak.)

Perhaps the responsiveness of the Mozilla development group will shame Microsoft into fixing security holes much faster in the future. The situation has become so bad that eEye Digital Security, a respected consulting service, maintains an "<http://WindowsSecrets.com/links/9664c9h/?u=www.eeye.com%2Fhtml%2FResearch%2FUpcoming%2Findex.html>upcoming advisories" page showing how much time Microsoft is allowing critical problems that are reported to the Redmond company to go uncorrected.

At present, eEye's count reveals that three critical unpatched issues currently affect Microsoft's products. None of these have gone unpatched longer than 60 days, the period after which eEye considers a patch to be "overdue." But some critical, widely-known security holes went as long as <http://WindowsSecrets.com/links/ac66b1h/?u=searchsecurity.techtarget.com%2ForiginalContent%2F0%2C289142%2Csid14_gci950149%2C00.html>six months in 2003 and 2004 without an official fix being made available by Microsoft.

Another security firm that tracks security holes in IE, Firefox, and many other applications is Secunia, based in Copenhagen, Denmark. As of today, Secunia reports that there are still <http://WindowsSecrets.com/links/f32c2dh/?u=secunia.com%2Fproduct%2F11%2F>19 unpatched security flaws in IE, the most severe of which is rated "highly critical." Firefox has only <http://WindowsSecrets.com/links/adfc9fh/?u=secunia.com%2Fproduct%2F4227%2F>4 unpatched flaws, all of which are rated "less critical" or "not critical," the lowest severity rating. Opera has <http://WindowsSecrets.com/links/2a6f73h/?u=secunia.com%2Fproduct%2F4932%2F>none.


Microsoft officials often excuse their tardiness in fixing security holes in IE by saying that the code is so complex that any fix has a high likelihood of breaking something else. Well, who integrated IE so tightly into the operating system that the browser is so delicate? It's Microsoft's own poor programming that causes much of the software giant's very visible problems.


Microsoft employs some of the best software developers in the world. The company enjoys a cash reserve of <http://WindowsSecrets.com/links/e31755h/?u=www.computerworld.com%2Fmanagementtopics%2Fmanagement%2Fstory%2F0%2C10801%2C101349%2C00.html>$35 billion and is highly profitable. Yet a tiny company that builds open-source browser software is making the Redmond giant look foolish and incompetent in securing its products.

I have no particular attachment to the Mozilla Foundation or its products. If the foundation's browser software was a threat to Windows users, I'd say so. At the present time, several serious unpatched holes are known to exist in IE, while few or none plague Firefox. This isn't a religious issue, it's just a fact.

The foundation announced two weeks ago that they'd surpassed 50 million downloads of the free Firefox browser. The application is largely responsible for knocking down IE from a <http://WindowsSecrets.com/links/2c9a8eh/?u=www.onestat.com%2Fhtml%2Faboutus_pressbox30.html>94% market share in May 2004 to <http://WindowsSecrets.com/links/71bf9eh/?u=www.onestat.com%2Fhtml%2Faboutus_pressbox37.html>87% in April 2005, according to OneStat. That's a remarkable accomplishment, considering that IE is free and comes preinstalled with Windows. Sites with a base of expert Windows users report much higher levels of Firefox usage.
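The quoted article describes how Scanit arrives at its "days unpatched" and "days exposed to in-the-wild exploits" figures: the clock starts when a hole becomes public, a second clock starts when working exploit code is first sighted, and a vendor patch "stops the clock". What the prose does not spell out is that overlapping holes must not be double counted (two open bugs on the same day are one day of exposure) and that a hole still open at year end keeps counting to December 31. The following is an added example, not part of the original post and not Scanit's code or data; the four vulnerabilities in it are constructed to exercise the overlap, the still-unpatched case, and the Mozilla-style case where the patch lands before the exploit appears. Field names, the half-open interval convention, and the rule that an exploit sighted after the patch counts as zero exposure are this example's own assumptions.

```python
from datetime import date


def merge_days(intervals):
    """Count distinct days covered by the union of half-open [start, end)
    date intervals. Overlaps are merged so a day with two open holes is
    counted once; empty or inverted intervals are ignored."""
    total = 0
    cur_start = cur_end = None
    for start, end in sorted(intervals):
        if end <= start:
            continue
        if cur_end is None or start > cur_end:
            # Gap before this interval: close the current run and start a new one.
            if cur_end is not None:
                total += (cur_end - cur_start).days
            cur_start, cur_end = start, end
        else:
            # Overlapping or adjacent: extend the current run.
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += (cur_end - cur_start).days
    return total


def clip(start, end, lo, hi):
    """Restrict [start, end) to the window [lo, hi)."""
    return max(start, lo), min(end, hi)


def exposure_report(vulns, year):
    """Per-year day counts in the spirit of the quoted Scanit statistics.

    vulns: list of dicts with keys (assumed names):
      disclosed - date the hole became publicly known
      exploit   - date working exploit code was first seen, or None
      patched   - date an official patch shipped, or None (still open)
    A patch stops the clock; a hole with no patch runs to the end of the year.
    An exploit that appears only after the patch counts as zero exposure.
    """
    lo, hi = date(year, 1, 1), date(year + 1, 1, 1)
    unpatched, exposed = [], []
    for v in vulns:
        end = v["patched"] or hi
        unpatched.append(clip(v["disclosed"], end, lo, hi))
        if v["exploit"] is not None and v["exploit"] < end:
            exposed.append(clip(v["exploit"], end, lo, hi))
    year_days = (hi - lo).days
    return {
        "year_days": year_days,
        "unpatched_days": merge_days(unpatched),
        "exposed_days": merge_days(exposed),
        "exposed_pct": round(100.0 * merge_days(exposed) / year_days, 1),
    }


# Constructed sample data for 2004 (not real advisories):
SAMPLE_2004 = [
    # exploit seen 10 days after disclosure, patched 3 weeks later
    {"disclosed": date(2004, 1, 10), "exploit": date(2004, 1, 20), "patched": date(2004, 2, 10)},
    # overlaps the first hole's unpatched window; never exploited in the wild
    {"disclosed": date(2004, 2, 1), "exploit": None, "patched": date(2004, 2, 20)},
    # patched before exploit code appeared: unpatched days, but zero exposure
    {"disclosed": date(2004, 6, 1), "exploit": date(2004, 6, 15), "patched": date(2004, 6, 8)},
    # still unpatched at year end: the clock runs to December 31
    {"disclosed": date(2004, 12, 20), "exploit": date(2004, 12, 25), "patched": None},
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_2004, 2004))
```

The two overlapping February holes contribute 41 days of unpatched time rather than 50, and the June hole adds a week of unpatched time but nothing to the exposure count; the still-open December hole carries both counts to the end of the year. Swapping in real advisory dates from a tracker such as Secunia gives the same arithmetic Scanit describes.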