Firefox a Growing Target for Hackers


ronjor
August 1st, 2006, 08:41 PM
-{ Quote: "While the Firefox browser has generally been considered a more secure alternative to Microsoft's Internet Explorer, its increased market share and corporate deployment have finally made it a worthwhile target for malware authors. Users are advised to start treating Firefox with the same level of security preparedness they used to reserve only for IE." }-
Article (http://www.technewsworld.com/rsstory/52152.html)

ThunderZ
August 1st, 2006, 08:53 PM
We knew it was bound to happen. As the popularity grows, so grows the bullseye on your back. Sad situation.

shek
August 1st, 2006, 09:05 PM
But we still have Opera. ;D

dog
August 1st, 2006, 09:13 PM
Almost amazing that this article like springs off of this one (http://www.wilderssecurity.com/showthread.php?t=140618) ... while no doubt as popularity increases, so too will the targeting of FF. But being realistic we haven't seen anything really yet (no direct attacks that I'm aware of), and FF will never have the market share IE enjoys, so it'll never represent as large a target as IE does. FF evolves fairly rapidly covering any holes (unlike the rather stagnant IE6/7) ... it also has the benefit of security type extensions that can fill voids in the meantime. While extensions are likely the easiest attack vector against FF ... anything unbecoming would be discovered rather quickly IMO. The issue remains M$'s OS, no matter the browser.

Tobe404
August 1st, 2006, 09:56 PM
-{ Quote: "But we still have Opera. ;D" }-

Opera will no doubt be next though.

Lamehand
August 2nd, 2006, 04:14 AM
It isn't even a vulnerability of Firefox, it's more an attempt to discredit Firefox by using a phony extension as a way in.
In fact it has nothing to do with Firefox but more with the way people treat an E-mail from an unknown source, clicking on attachments that's the trouble.
The real 'vulnerability' is sitting behind the keyboard doing stupid things without thinking twice what could happen.

Lamehand

sosaiso
August 2nd, 2006, 09:15 AM
PEBKAC. [Problem Exists Between Keyboard and Computer]

That is the biggest security vulnerability for all software.

But, isn't there a fundamental difference between "extension" and "activex" and how much access it has to one's computer?

Lamehand
August 2nd, 2006, 10:59 AM
The difference is that ActiveX can do an install without the intervention of the user, if not properly set up. An extension on the other hand can't do this, it must be the choice of the user to install it.
Once a trojan or other piece of malware is installed it can do anything it wants with the system, that has nothing to do with the way it got there in the first place.
This extension-malware needs 'social engineering' to entice the user to install it because it can't install automatically.

Lamehand

phasechange
August 2nd, 2006, 03:59 PM
-{ Quote: "PEBKAC. [Problem Exists Between Keyboard and Computer]

That is the biggest security vulnerability for all software.

But, isn't there a fundamental difference between "extension" and "activex" and how much access it has to one's computer?" }-

To be honest "PEBKAC" and similar statements are not an explanation but a design principle. Desktop PC software, especially software targeting residential users, has to be designed so that it can be safely driven by people who not only don't have Computer Science degrees but have grown up in an era before computers and never worked in an office environment (he says thinking of his father who worked in physical world security for the Government).

This is why the mass market security software tries to have simple, easy to follow user interfaces.

Operating systems and software cannot rely on the user as the main form of defence. Sure we are probably all the biggest obstacle (after our firewalls) to malware. However the non-computer literate user with no desire to become computer literate needs intelligent protection. The user needs software that is self healing, updates regularly, and makes intelligent decisions about protecting the PC's integrity. How often has a user struggled to know if they should let services.exe connect to the internet or not? There is a clear market need for software which doesn't confuse "the man on the Clapham omnibus" (Joe Public for Americans) with questions that they lack the knowledge to answer.

To return to the main point of the thread. This is but the beginning. The enemy will come in increasing numbers. The test for Firefox will be how it reacts and more importantly pre-empts the coming threats.

As for the timeframes, who knows. It may be sooner than we think. It may be a really slow burner like Mac Malware. I suspect it will ramp up faster as more malware authors are PC owners and there is a lot of sick kudos from exploiting FF.

Fairy

ErikAlbert
August 2nd, 2006, 05:58 PM
-{ Quote: "Opera will no doubt be next though." }-
Yes, just like Linux. Once the bad guys put their claws in Linux, we can call it Winux.
Each OS and software is vulnerable and there is always a brilliant bad guy somewhere in the world, who will find a way to do it.

TNT
August 2nd, 2006, 06:03 PM
-{ Quote: "Yes, just like Linux. Once the bad guys put their claws in Linux, we can call it Winux.
Each OS and software is vulnerable and there is always a brilliant bad guy somewhere in the world, who will find a way to do it." }-

Some softwares are much more vulnerable than others, believe me.

JRCATES
August 2nd, 2006, 06:46 PM
-{ Quote: "Some softwares are much more vulnerable than others, believe me." }-

While this is true, just like I said in a couple of posts here about this time a year ago, vulnerabilities will be discovered, and then exploited through the creation of new malware targeted towards those vulnerabilities. This ultimately depends upon WHO the hackers target. And as Firefox's popularity has continued to rise, it was inevitable that this would be the result. Here are the two posts I made on this subject last year....primarily mentioning that marketshare and popularity/usage would dictate who the malware authors went after to exploit browser vulnerabilities:

http://www.wilderssecurity.com/showpost.php?p=511209&postcount=9

http://www.wilderssecurity.com/showpost.php?p=567351&postcount=23

Devinco
August 2nd, 2006, 06:59 PM
Vulnerability through popularity?

Sounds like the inverse of security through obscurity.

These have nothing to do with the reality of the actual number and severity of programming and design flaws.
One program can be designed with security in mind and still be extremely popular and secure.
Another program can be designed with all kinds of multimedia features in mind with no thought to security. This program can be so obscure that almost no one knows about it. It doesn't make this program any more secure.

Popularity does bring the attention of hackers which will help expose vulnerabilities. So far Mozilla has responded quickly to discovered flaws.
I would still pick FF over IE (both with default settings), all things considered, it is more secure in my opinion.

TNT
August 2nd, 2006, 07:01 PM
-{ Quote: "While this is true, just like I said in a couple of posts here about this time a year ago, vulnerabilities will be discovered, and then exploited through the creation of new malware targeted towards those vulnerabilities. This ultimately depends upon WHO the hackers target. And as Firefox's popularity has continued to rise, it was inevitable that this would be the result. Here are the two posts I made on this subject last year....primarily mentioning that marketshare and popularity/usage would dictate who the malware authors went after to exploit browser vulnerabilities:

http://www.wilderssecurity.com/showpost.php?p=511209&postcount=9

http://www.wilderssecurity.com/showpost.php?p=567351&postcount=23" }-

This is all good and fine, but my sentence wasn't really targeted at Firefox (though I definitely don't think security-wise it's as bad as the swiss cheese IE 6). And yes, popular softwares are more exposed (usually... but don't forget that high-security systems containing valuable often don't use "popular" software packages because these were not planned with security as the main concern).

Nevertheless, as I said before, there are softwares that were planned with security as the primary goal: possible security flaws were carefully analyzed, "features" that could have endangered the security were not implemented, hardening features were implemented. Very often the more secure a system is, the harder it is to use. So it's perfectly natural that a system aimed at newbies won't be as secure as a system that requires time and patience to set up. But really, to claim "every software is vulnerable", while true, doesn't say anything: the aim of security-conscious programmers is not to make an invulnerable system (which would be unusable), but to make the system the most secure possible while maintaining usability for the target "audience".

On the other hand, not every programmer (and especially not every marketing staff) thinks security is more important than "cool features", especially since most of the target audience of popular products will not be able to evaluate a system's security, but will be able to see cool features right away.

JRCATES
August 2nd, 2006, 07:07 PM
-{ Quote: "
These have nothing to do with the reality of the actual number and severity of programming and design flaws.
One program can be designed with security in mind and still be extremely popular and secure.
Another program can be designed with all kinds of multimedia features in mind with no thought to security. This program can be so obscure that almost no one knows about it. It doesn't make this program any more secure." }-

That's not what I was saying or meant to imply, Devinco.

-{ Quote: "
Popularity does bring the attention of hackers which will help expose vulnerabilities. So far Mozilla has responded quickly to discovered flaws.
I would still pick FF over IE (both with default settings), all things considered, it is more secure in my opinion." }-

Now THAT is what I was saying! That marketshare would ultimately dictate which browser the malware authors went after...not which browser would be more "secure"...just more "under attack"....:)

Devinco
August 2nd, 2006, 07:20 PM
-{ Quote: "That's not what I was saying or meant to imply, Devinco." }-
Actually, I wasn't replying to what you wrote. In fact, at the time I was writing it I didn't see your post. It was just an observation not directed at you or anyone in particular.

dog
August 2nd, 2006, 08:14 PM
@JR

Firefox will never enjoy the marketshare IE has. Honestly the majority of Windows users don't know any alternatives exist - IE is just there and they use it. They aren't securing their systems or browsers, many run with outdated AVs if they're running one at all, most don't run a firewall - they're just easy targets - no matter the changes in any future M$ OS or IE 7 ... they will continue to be the easiest target because security isn't even a passing thought to them. I'm not saying firefox won't ever be targeted, but it'll never be the first option in the foreseeable future ... the ends just don't justify the means.

JRCATES
August 2nd, 2006, 08:52 PM
-{ Quote: "@JR

Firefox will never enjoy the marketshare IE has. Honestly the majority of Windows users don't know any alternatives exist - IE is just there and they use it. They aren't securing their systems or browsers, many run with outdated AVs if they're running one at all, most don't run a firewall - they're just easy targets - no matter the changes in any future M$ OS or IE 7 ... they will continue to be the easiest target because security isn't even a passing thought to them. I'm not saying firefox won't ever be targeted, but it'll never be the first option in the foreseeable future ... the ends just don't justify the means." }-

Hey Steve,

Oh, don't get me wrong.....I completely agree with that premise, and have my reservations about Firefox ever being on par with IE as far as the number of users goes.....but in just 2 years, Firefox has made one incredible dent in IE's numbers!

I saw this today, and thought it was pretty interesting:

http://www.w3schools.com/browsers/browsers_stats.asp

I don't know how accurate it is....but I have no reason not to believe it. That is roughly what I would have estimated or guessed anyway. According to this link, IE now has a little over a 2 to 1 margin over Firefox. Pretty substantial....until one considers that IE "USED TO" have about a 17 to 1 advantage! At the beginning of January of '04, IE had 85% (84.7) of the marketshare (when you combine IE5 and IE6) to Firefox's 5.5%. As of July of '06, IE now has 64% (63.9) of the market (when you combine IE5, IE6, and IE7) whereas Firefox now has 25%. So IE went from 85% in Jan. of '04 to 64% in July of '06 (21% loss).....and during that same time, Firefox jumped from 5.5% to 25% (20% gain)! So it's really no wonder why malware authors would target Firefox more frequently these days.....that was really my main point. ;D

dog
August 2nd, 2006, 09:09 PM
Did you notice this comment on that page ... -{ Quote: "W3Schools is a website for people with an interest for web technologies. These people are more interested in using alternative browsers than the average user. The average user tends to use Internet Explorer, since it comes preinstalled with Windows. Most do not seek out other browsers.

These facts indicate that the browser figures below are not 100% realistic. Other web sites have statistics showing that Internet Explorer is used by at least 80% of the users." }- I doubt FF has made such inroads with the average user. :-\

JRCATES
August 2nd, 2006, 09:15 PM
-{ Quote: "Did you notice this comment on that page ... I doubt FF has made such inroads with the average user. :-\" }-

Yeah, probably so. I know I saw on the world news about a year ago that Firefox had increased to 15% of the marketshare.....so I was just assuming that the growth had continued. I guess that it's probably more likely that it's leveled out somewhere in the mid teen range, though...