Mozilla: The Honeymoon is over
IT-Observer.com
Reader comments

Just have a look at these stats from security professionals (they usually don't post such FUD-articles around):
http://secunia.com/product/4227/#statistics_criticality
http://secunia.com/product/11/#statistics_criticality
If there were any relation btw. market share and insecurity share, Apache webserver would be the most cracked server ever! Well, if memory serves me well, it's the IIS. Go figure!
- Cüneyt Yilmaz

"When Firefox’s Mozilla came onto the scene..." Correct me if I'm wrong, but shouldn't it be: When Mozilla's Firefox came... Mozilla is the group, and Firefox is the browser. Of course there is also a Mozilla browser, but I assume the article was targeted towards Firefox.
- Joe

Hey Paramoy the only good comment in your rant is "...while IE is a flaw itself." Developers and users who know better want a good browser with good features and good security. Years ago, IE stopped being the best alternative and for many people Firefox is. You sound like a M$ fanboy and if you cannot see the obvious advertisement that this "article" is then no wonder you think Firefox fans are "zealots". If demanding the best and using the best is what a zealot is, then I'm also one.
- Kiko Jones

One thing the author fails (voluntarily, I suspect) to mention, is that the vulnerabilities detected in Firefox are all (with one exception which has since been fixed) SHARED WITH IE. The majority (of this very small number) is in the "phishing" class (like enticing you to give full rights to a SIGNED java applet); the rest is due to flaws in WINDOWS (i.e. the JPEG exploits), not in firefox/mozilla. The simple fact of the matter is that I have yet to hear of a serious exploit in Firefox which doesn't already exist in IE... And there is a large number of exploits which only exist in IE (ActiveX, by itself, should really be considered an exploit by M$ employees at the expense of their customers, but I'm not even including that...)
- Denis Robert

Quote from article "We don’t expect our browsers to block viruses, spyware or malicious scripts so why should we have such high expectations for their security capabilities" But those *are* the security capabilities. That is *exactly* what we expect browsers to protect against. This guy's product must be pretty poor, he obviously has no idea what he's talking about.
- fed up with FUD

Glossing over the fact that this article is a pathetic excuse for advertising your product... The javascript "exploit" mentioned was only dangerous if users clicked past a warning that the installation could be dangerous - is that a flaw in the browser or the users? None of the security issues discovered in Firefox *so far* has led to actual exploits, unlike Internet Explorer. One day exploits will happen, of course, but it hasn't happened yet. No browser is perfect, and Firefox never promised to be. However the number and severity of issues, and the time to fix, remains hugely favourable to Firefox when compared with Internet Explorer.
- AN Other

One thing overlooked by people not involved in open source is open source developers are always willing to tell you about bugs, flaws, etc. They are also fast to fix the bugs. Microsoft will only admit to bugs that people "catch." And then they are sooo slow to fix them. It's like they are saying "oh, you caught me, I guess I'll have to get around to that." And then the MS drones say "ok," here's $300 bucks for crap software.
- Jeff

As with almost every review, of Firefox vs. IE these days, in terms of security, you missed the point. Firefox IS SAFER. It always will be safer. Now let me explain why. 95% of the security issues with IE, result from abuse of [JScript, VBScript, and/or ActiveX]. Mozilla Firefox does not support any of these, for exactly this reason... they are too dangerous to leave on, when connected to a network of millions of computers. So, we're left with 5%... a risk of simply being connected to Internet at large, and the "bad apples" out there... So, as soon as an issue comes up, the developers patch it up, and release it. It doesn't sound like that's much better than IE, until you realized the LEVEL of security holes we are talking about. In IE, most of the holes, give the user FULL ACCESS to the ENTIRE OPERATING SYSTEM, because IE is tied into the OS. So, will someone find a way to code something to mess Firefox up? sure... but will they be able to get into the users PC, and have free access to run whatever they want?... Not likely! and that's the difference. It's called SECURITY BY DESIGN.
- Steve

The key differentiator in security models between Firefox and IE is being ignored in this article: with IE, the tight integration with system services means that if IE's security model is violated, the system's security model is violated, and your entire OS is open for malicious business. With Firefox, if the browser's security model is violated, then the Gecko rendering engine and the XUL UI engine are violated, and only your browser window is open for malicious business. This means that while Firefox is still susceptible to phishing, popups, and social hacks like tricking people into installing trojans and spyware, it is still, at its core, a far more secure model than IE.
- Mike Beltzner

I am NOT a Microsoft Man and I am also sick of the frequency of occurrence of updates/patchings,.... but let's be fair: Imagine Hercules is being punched constantly here and there, 24/7, I am after a month, he will fall, then we would say, "What a weakling!" What have to ask is: even I do not have any good impression on Mr. Gates, as the Windows OS is such a complicated software, it is bound to have flaws. The most important thing is - HOW FASSSSST CAN THE MICROSOFT MEN TO REACT TO PATCH THE FLAWS, NEVER ON HOW MANY WINDOWS FLAWS HAVE BEEN CAUGHT OR DETECTED this week/month, craps like that? So, I never say like Mozilla is SAFER than IE, NONSENSE!
- AHL

Your article surely makes it sound as if Firefox was the only alternative to IE. Not true! You don't mention by a word any of the other competitors, such as Opera (www.opera.com) which has existed for ten years, innovating many of the features that have later been adapted to Firefox.
- Jere

Aren't there more subtle way of advertising your product? The fact that you're even able to discuss "Firefox's Mozilla" speaks for a lot of your knowledge... Well, at least you can spell the name of your product right...
- bemused

the only way to surf safe is not to use windows, very simple. mac os, linux or ANYTHING ELSE. just not this stupid slow buggy ugly os.
- post

Does the article writer have any courage to respond to any of the issues mentioned by the readers? This article feels nothing but like a cheap commercial. If you are planning to sell security solutions for Firefox, at least get the name straight, before you secure a "foundation" instead of a browser.
- Mircea

This article:
- Incorrectly refers to the Mozilla and the Firefox names (thanks for making me smile upon reading this, though). This should have been corrected easily if the writer had the time to go to the Mozilla website and read the facts.
- Did not mention how much time it takes for a bug to be fixed -- and fixed properly -- between the two browsers.
- Leaves a bad taste in the mouth by using the author's third-party product as its reference for measuring the security of the browsers -- looks more like a product advertisement to me rather than a more truthful evaluation.
- Used a single platform as a test bench, whereas one of the products can run on multiple platforms -- some of the bugs can be attributed to the security model of the underlying platform.
I think most of these are already mentioned in other comments. I just want to let the author know that writing such an article based on incomplete facts would not easily fool readers into concluding that one browser is better than the other. Readers are well-informed now compared to 20 years ago.
- Yeah

Jeez! Quite hilarious.
- bjornredemption

Am I the only one who is a little bit hesitant to take the word of a company that makes a third-party security solution (and off-handedly mentioned "the number of viruses targeting Mozilla stopped by Not to say that Firefox & Mozilla don't have security holes - that's why they offer a security bug bounty. What they do provide are faster security fixes in general, and overall a higher level of security (if for no other reason than the lack of direct ActiveX). Note also that some of these bugs mentioned are general Windows/IE issues that the application has to paper over (and the vulnerability was shared by IE for the same reason). Another was because registrars were "supposed" to weed out IDN homonyms according to the IETF/ICANN, but aren't.
- A skeptical reader

Notice the author line in the article: Roy Tuvey, Co-founder and president, ScanSafe. Now, anyone is surprised that a scanning company is recommending more scanning?
- More Auto-advertisement

Firefox's vulnerabilities will never be as severe as that of IE simply because Firefox will never be integrated into any of the OS's it runs on. This means even if Fx and IE share the same bug, Fx's rating will get a lower rating because it doesn't affect the whole system. Now, many of the bugs they are talking here are "social engineering" exploits (ie. phishing etc.), which are much less severe (has to be initiated by the user explicitly etc.) Also, the author seems to ignore the fact that Mozilla Foundation had never said that Fx will never have any exploits. In fact, they expected a rise in the # of exploits. However, they did promise that they will fix bugs (not just security ones) at a much faster pace compared to IE and that has been happening since the release of Fx 1.0 (1.0.1 and 1.0.2 are already out within weeks and 1.0.3 is coming up next week) BTW, Version 1.0.3 (Several RCs already released and probably coming next week) will fix a crucial JS engine bug which will stop a lot of "potential" exploits.
- IE vs. Firefox

Hmm, if Firefox's Mozilla is having all these problems, I sure am glad I'm using Mozilla's Firefox.
- rsnidjik

"Firefox’s Mozilla" Okay I stopped reading there. Get some facts before writing ANYTHING, please.
- th

@matthew The reason MS release on the first Tuesday of each month is because of Corporate pressure, Corp IT Depts wanted lead time and clean up time between patches from MS so MS agreed to once a month patch schedule to make their corp customers happy, Just wanted to correct you on that issue. As for FireFox, sorry to say but this article is a Troll as far as I can see, designed to get people to read only, all of the vulnerabilities discussed are either OS related, 3rd party vendor related or I/Net infrastructure related ( affecting everyone ), that my 2 pence worth
- DLM

This is the question that needs not to be asked - is FF the best browser in the world or not. For modern Mozilla/W3C Zealots the answer is "yes" and nothing will ever prove the contrary. As long as people type "Micro$oft" IE will be the browser that simply "sucks" and FF will be the only alternative that "rocks" (of course, some n00bz may use Opera and Safari and other useless browsers, it's better than the awful M$ IE), and all the flaws in FF will always be user flaws, while IE is a flaw itself. Even if one day there are more exploits in FF than there ever were in IE - FF will rule, that is the essence of being a real Mozilla/W3C Zealot.
- Paramoy

So... IT Observer... How much has Microsoft paid you? huh? This article is totally pointless...... ( I am not a Firefox fan boy, but the facts most info are wrong ......... )
- Anonymous

Well if you look carefully IE has some of the critical bugs not fixed for over several months. While firefox quickly release fixes to combat. And 1.1 alpha already has 14xx bugs fixed.
- Anonymous

The product is called Mozilla's Firefox, not the other way around. That would not have taken a moment's research to get right. Also, IE (and all other browsers that support Unicode domain names, to my knowledge) are vulnerable to the same URL spoof. This is a design flaw in the International DNS spec. Firefox now comes with International domain name support turned OFF for just this reason.
- jayKayEss

This text has many flaws. First of all, features like International domain names are not supported at all on Internet Explorer, and this is related to new technology, not related to web browser (and even this has been fixed in recent versions of Firefox). Other things like bugs in Sun's Java VM, or bugs in Windows's drag-and-drop are not related to Firefox at all, and it is damn wrong to stick them to this great browser.
- Goran Rakic

Firefox's Mozilla? After reading that I can wholeheartedly agree with the ``sloppy research'' angle :-). I think one of the key points here is that no software is perfect (though I would personally say FF is very good). Open Source does enjoy a lot of security by obscurity but I still believe that it is better designed and will weather better in the long run. When problems are found, fixes tend to come along very quickly, too, unlike fixes from a certain popular software house. I read an OSNews article recently that said M$ plan to release some critical patches on Tuesday. Why not release them _right now_??? I have never seen a F/OSS program sit on bugs until there is a politically acceptable time to fix them! Just my tuppence.
- matthew

The java applet vulnerability is in Sun's VM and occurs in Internet Explorer also. The drag and drop issue is in direct parity with IE. Since the remaining vulns are not listed, I can't address them individually, but so far this really looks like sloppy research. FF is not without its flaws, but I'm sure the public would appreciate a more accurate representation.
- A Concerned Reader

Most non-IE browser vulnerabilities are actually user behavior problems. They can be 'fixed', but only by rearranging the app to change behaviors. IE is the one that lets the particularly nasty ActiveX crap run wild.
- Anonymous Hero

Tuesday, May 10, 2005
Copyright © 2000 - 2005 eBCVG IT Security