I was just parsing through the release notes for the new Firefox version, when I noticed Mozilla had built up quite a list of security vulnerabilities itself.

http://www.mozilla.org/projects/security/known-vulnerabilities.html

With the amount of people discarding IE in favor of Firefox as part of their security setup, I'm beginning to wonder how wise this really is, especially since I haven't heard of any new vulnerabilities for IE for quite a while now. With Automatic Updates turned on, it seems that IE7 provides comparable security to Firefox - many good ol' classic exploits that triggered the IE scare are long gone and don't work anymore - while guaranteeing website compatibility.

I use Opera myself while installing Firefox to my friends. I'm not particularly inclined to suggest they switch back to IE yet, but I'll have much more reservations about recommending Firefox from now on.

Thoughts?

No, Firefox isn't much safer than Internet Explorer (And it's slower.)

Isn't Firefox faster (while being as safe or probably safer) than IE while surfing on most sites?
That already is a big plus imo.

On my machines, ebay and Yahoo, MSN, are definitely slower to respond with IE.

-{ Quote: "Isn't Firefox faster (while being as safe or probably safer) than IE while surfing on most sites?
That already is a big plus imo." }-
No, Firefox has higher requirements. I think that says enough.

-{ Quote: "No, Firefox isn't much safer than Internet Explorer (And it's slower.)" }-

Not using Active-X is the primary "security benefit".

IE has never run faster than Firefox on any machine I've used it on, and most likely never will.

-{ Quote: "Not using Active-X is the primary "security benefit".

IE has never run faster than Firefox on any machine I've used it on, and most likely never will." }-
Firefox runs ActiveX too. The Mozilla people just call it "extensions".

-{ Quote: "Not using Active-X is the primary "security benefit".

IE has never run faster than Firefox on any machine I've used it on, and most likely never will." }-
Internet Explorer runs faster for me (I use Opera);
so I guess it varies?

-{ Quote: "Firefox runs ActiveX too. The Mozilla people just call it "extensions"." }-

Adding functionally with a plugin can't get much different than running ActiveX by default, which was my point in terms of security benefits.

-{ Quote: "Internet Explorer runs faster for me (I use Opera);
so I guess it varies?" }-

Opera definitely runs the fastest on my machines. :)

-{ Quote: "Adding functionally with a plugin can't get much different than running ActiveX by default, which was my point in terms of security benefits." }-
It must've been a while since you last used IE, because that's not how it works anymore since quite some time ago.

-{ Quote: "It must've been a while since you last used IE," }-

Trust me, I wish that were the case. ;)

-{ Quote: "because that's not how it works anymore since quite some time ago." }-

ActiveX is prevailent in IE7. Asking for permission on an unsigned control doesn't equate to "not running." When you handle clients who click on just about anything, you realize the annoyace options can cause.

-{ Quote: "Adding functionally with a plugin can't get much different than running ActiveX by default, which was my point in terms of security benefits.



Opera definitely runs the fastest on my machines. :)" }-
Same for me. 8)

-{ Quote: "ActiveX is prevailent in IE7. Asking for permission on an unsigned control doesn't equate to "not running." When you handle clients who click on just about anything, you realize the annoyace options can cause." }-
If you have clients, I trust you can easily configure system policies to block ActiveX. Not to mention that this behavior you describe is not fundamentally different from (and hence not any more dangerous than) Firefox's extensions.

Also, I'm talking about home users, if it helps...

-{ Quote: "If you have clients, I trust you can easily configure system policies to block ActiveX. " }-

As with most networks, it's not always that easy. Some require ActiveX, which is why they have permissions.

-{ Quote: "Not to mention that this behavior you describe is not fundamentally different from (and hence not any more dangerous than) Firefox's extensions." }-

Like I said, not supporting something at all and having to visit a website to install a plugin is quiet different than having the technology built in. Such a difference that Firefox is allowed nearly network-wide while IE7 requires different permissions as I mentioned.

ActiveX was my only point. Firefox has security vulnerabilities left and right and "safer", while a passable term, is sketchy.

I don't know how secure Firefox is Out Of the Box, but it has the advantage that you can add some extensions to increase it's security, like NoScript.
I saw this page on somebody's signature (www.firefoxmyths.com), where they say that Firefox isn't safer and isn't faster than IE.

I don't know if you can trust what is stated at that page, I still use Firefox because I like it better, and I like extensions.... as for security, NoScript+Linux+safeSurfing will do it for me.

If you're a malware write and want to get the most 'bang for your buck' you'll target IE. That doesn't mean FireFox is safer. Only that less people use FireFox than IE.

-{ Quote: "As with most networks, it's not always that easy. Some require ActiveX, which is why they have permissions." }-
You can't install the plugins you need and configure IE to block installation of new ones? That's news to me.

-{ Quote: "Like I said, not supporting something at all and having to visit a website to install a plugin is quiet different than having the technology built in. Such a difference that Firefox is allowed nearly network-wide while IE7 requires different permissions as I mentioned." }-
Extensions is "built in" into Firefox the same way ActiveX is "built in" into IE. From a practical viewpoint, there's no difference between the two, except for the malware author who has to sniff what browser you're using to correctly serve you an xpi extension or ActiveX plugin.

-{ Quote: "You can't install the plugins you need and configure IE to block installation of new ones? That's news to me." }-

With IE? Sure. This also has nothing to do with our network, as that wouldn't solve anything. Rest assured our network's security is doing well, with both IE7 and Firefox. ;)


-{ Quote: "Extensions is "built in" into Firefox the same way ActiveX is "built in" into IE. From a practical viewpoint, there's no difference between the two, except for the malware author who has to sniff what browser you're using to correctly serve you an xpi extension or ActiveX plugin." }-

ActiveX isn't built in to Firefox, nor officially supported. This is touted as one of the security benefits. Security vulnerabilities where a website or program attempts to load an ActiveX extension into Firefox and then execute it wasn't my point. Disagreeing with the inclusion of it or not wasn't my point either, nor was my network security. Just pointed out what Mozilla says. :)

http://support.mozilla.com/kb/ActiveX would be a great read.

-{ Quote: "ActiveX isn't built in to Firefox, nor officially supported. This is touted as one of the security benefits. Security vulnerabilities where a website or program attempts to load an ActiveX extension into Firefox and then execute it wasn't my point. Disagreeing with the inclusion of it or not wasn't my point either, nor was my network security. Just pointed out what Mozilla says. :)

http://support.mozilla.com/kb/ActiveX would be a great read." }-
Looks like we're not talking the same point. My point was that despite Firefox not supporting ActiveX, it supports extensions, which can be exploited just the same way as ActiveX.

-{ Quote: "Looks like we're not talking the same point. My point was that despite Firefox not supporting ActiveX, it supports extensions, which can be exploited just the same way as ActiveX." }-

NPAPI vs. ActiveX would be different than what I'm discussing. Pardon my apparent misunderstanding.

Mozilla's take on NPAPI is interesting and reliant on mozilla.org, which still has security vulnerabilities. As I said, Firefox has its own mess, only ActiveX isn't one of them and Mozilla likes to point it out. Firefox's usage of NPAPI would still be "safer" than IE's inherent ActiveX, although "safer" is again a gray shade.

Work and Roboform are the only things causing me to use Firefox in the first place. :)

-{ Quote: "I don't know how secure Firefox is Out Of the Box, but it has the advantage that you can add some extensions to increase it's security, like NoScript.
I saw this page on somebody's signature (www.firefoxmyths.com), where they say that Firefox isn't safer and isn't faster than IE." }-
Thanks for that page. I'm recommending Opera from now on.

Firefoxmyths.com and its "debunkers" (http://blog.thingoid.com/2006/01/the-myth-of-firefox-myths/, http://blog.matthewmiller.net/2007/09/debunking-firefox-myths-page.html) go back and forth, and both have points.

The best thing is to primarily not worry about either as both browsers have their issues, or just use Opera. Of course you could argue the same about Opera, at which point the only recommendation would be to not browse the net at all. *puppy*

If one has a sound security strategy and user policies in place, the choice of browser is irrelevant.


----
rich

I use Firefox, because I like it, not because it isn't safe or safe or safer.
I like my Forecastfox extension alot more than my NoScript extension.

DefenseWall HIPS or any other similar software (like Sandboxie) is supposed to stop anything bad, caused by Firefox. If DW fails to do so, my boot-to-restore will fix it.

I use Firefox coz i really like it.

Though i always thought Operqa was the most secure then Firefox and then IE.

I was always thought Firefox was more secure than IE.


Firefox is more up to date than IE.

-{ Quote: "I use Firefox coz i really like it.

Though i always thought Operqa was the most secure then Firefox and then IE.

I was always thought Firefox was more secure than IE.


Firefox is more up to date than IE." }-
One day Opera will look like a Swiss cheese and will need as many patches as Firefox does. Three years ago Firefox was the safest browser, nothing could touch it and now they have to patch Firefox regularly to close its holes.
History repeats itself, so Opera is the next target, than another browser and another browser. That's why I keep Firefox, because changing from one browser to another is useless.
Besides that, Firefox is a browser, not a security software.

Firefox with no script & add block beats opera in being the safest browser.
That what I think.

-{ Quote: "Firefox with no script & add block beats opera in being the safest browser.
That what I think." }-
You can disable script in Opera, with no add-ons.

But seriously, I think Opera is more secure because of its obscurity. As FF became more popular it became more of a focus of attacks, and the same would happen if Opera had 10-20% (doubt that'll happen) of the market.

-{ Quote: "...Firefox is a browser, not a security software." }-
Agree, but if the folks behind FF doesn´t patch its vulnerabilities then it will become a security riskware.

-{ Quote: "Firefox with no script & add block beats opera in being the safest browser..." }-
In Opera you can disable script, sound and .gif/.svg animation by default and then adapt and save the settings for each website you visit more often.

/C.

-{ Quote: "Firefox with no script & add block.....
That what I think." }-

I totally agree.;D

Hello,

Yes, it is safer.

How many people got owned by a drive-by while browsing through Firefox? The answer is: 0.

The number of security vulnerabilities - that were fixed, I might add - means nothing, for several reasons:

1. Open source, means more people will be hunting for problems and trying to fix them.
2. Fixed, means they were found and plugged.

In that regard, software with no found vulnerabilities is:
- either very very secure
- has some, but have not been found / published / fixed

What you should be looking at is how many vulnerabilities a program has that have not been fixed, their severity and the time to patch. And in THIS regard, the patches are pushed quickly, leaving no room to 0-day exploits and such.

Offtopic, Firefox is nicer, faster, and has 10E53 extensions to make it do all but shine your shoes. Let's not forget Noscript ...

I agree with Rmus that the choice is irrelevant if you know what you do, but since most people don't, the choice means very much.

Mrk

Quick note- Opera seems faster, then firefox, IE was never on this league on any criteria you choose. Go ahead and use it it's not my problem, just don't say it's better, never was.
That's not to say they're flawless (FF and Opera). Everything has its problems. And when it's open source/ free software (FF), problems are not hidden under the rug. To the extreme, in Debian social contract
-{ Quote: "We Won't Hide Problems

We will keep our entire bug-report database open for public view at all times. Reports that users file on-line will immediately become visible to others.
" }-
-{ Quote: "Thanks for that page. I'm recommending Opera from now on." }-
It's a great browser and a good choice (forgetting XSS), but don't do it based on that website, trust me.
-{ Quote: "If one has a sound security strategy and user policies in place, the choice of browser is irrelevant.
" }-
Agree. I don't base my security on any browser, although i try to secure it. Even if i still used IE, i think the chance of being hit would be pretty remote since i don't depend only on patches.

-{ Quote: "How many people got owned by a drive-by while browsing through Firefox? The answer is: 0..." }-
How do you know that? What´s the source for your statement?

Since security is the topic of this thread, I would say that Opera is to prefer before Firefox today in regard of:

1. Unpatched vulnerabilities
2. Severity of the vulnerabilities
3. Timeframe from publishing the vulnerabilities to patching it

If you are using a limited user approach or a sandbox HIPS (DW, GW etc), then it doesn´t matter so much which one to use.

/C.

Hello,

The source of my statement is 2.5-3 years of watching hijack logs in a variety of forums, helping people I know. That's my source. You may disbelieve it or discredit it - or not.

Try it yourself. Download any hosts list, choose 100 sites at random. Go there with default IE6/7, then Firefox - on two different systems / images. Then, google for hack, crack, pron etc, try another 100 random sites. See what happens. After that, scan with whatever if you need. You'll get your answers.

Mrk

Some points:

- As Firefox gets increasingly popular, more vulnerabilities will be found, as it will be targeted more often. Only natural. But it is naïve to think that this argument is the only one and that Firefox will become like IE and full of holes. The open-source nature of the browser makes - in theory, at least - for more extensive testing, better coding, faster detection of bugs/breaches and faster correction of those flaws.
So far, Firefox staff has been faster than M$ at fixing bugs/flaws. And there have been less vulnerabilities found than in IE.

- Firefox has the advantage of having several extensions that can significantly increase browser security and privacy. For example: NoScript, AdblockPlus, the several cookie control extensions, the Dr.Web link scanner extension, etc... No equivalent exists in IE for this.
Firefox also has the big advantage of not being embeded in the OS. Many systems have been screwed up by this feature of IE.

- Security aside, and although there are a ton of worthless, redundant extensions, there are also some that allow things like download of embeded videos (these are in fact not needed, as there are webpages specializing in that), integration with anonymizing proxys and many more things... IE does not have this range of possibilities.

- Rmus makes a good point, of course. If a user has a properly configured system and knows what he/she is doing and where he/she is going (which seldom happens), choice of browser will be less important.

- A Sandbox HIPS like Defensewall is becoming an important consideration, for whichever browser you choose.

- With that said, IE has seen improvements in version 7, and one of the reasons is surely the pressure caused by the increasing popularity of Opera, Firefox, and other browsers.

Just some ideas.

-{ Quote: "The source of my statement is 2.5-3 years of watching hijack logs in a variety of forums, helping people I know. That's my source. You may disbelieve it or discredit it - or not.

Try it yourself. Download any hosts list, choose 100 sites at random. Go there with default IE6/7, then Firefox - on two different systems / images. Then, google for hack, crack, pron etc, try another 100 random sites. See what happens. After that, scan with whatever if you need. You'll get your answers." }-
With all respect, but that doesn´t say anything that Firefox, in its default setup, is invulnerable to drive-by infections of malware binaries. You can harden IE as well as FF by disabling script functionality for both, and what you have left are the vulnerabilities of "poor" design/coding. In that respect there´s no difference between any browser/software, and the only reliable sources are those that intentionally measure these issues scientifically.

/C.

Hello,

I claimed something. And I even bothered to suggest a methodology of testing / disproving my claim. If after visiting 200 random sites - expected and known to contain all sorts of thingies - you get drive-by hit in IE and you don't get drive-by in Firefox, then it kind of proves my point, doesn't it?

Besides, let's put the hardening aside. 99% of all users worldwide run on default settings on everything. This is the real test. Let's take the Wilders geeks out of equation here.

What happens when Joe Averagowsky takes onto the net, using Firefox 2.0.0.10 default versus IE6/7 default?

It is up to you whether to run the above test or not.

Mrk

-{ Quote: "
How many people got owned by a drive-by while browsing through Firefox? The answer is: 0." }-

I mean no disrespect whatsoever, but this is the mentality that black (and some grey) hats love! Zero? Try thousands and maybe millions. It doesn't matter what browser you use.

This thread reminds me of all the M$ vs. *nix, M$ vs. Novell, M$ vs. Apple, Symantec vs. McAfee, etc. etc. debates that have raged on for years. The problem is not the browser, operating system, firewall, anti-virus, etc. The problem is the person.

-{ Quote: "What happens when Joe Averagowsky takes onto the net, using Firefox 2.0.0.10 default versus IE6/7 default?...It is up to you whether to run the above test or not." }-
Well it´s not hard to figure out what will happen when browsing on compromised sites in default mode with script, java etc. enabled...
Besides, I don´t know why you challenge me to do your random surfing test, since it was you yourself that proclaimed the following:

-{ Quote: "How many people got owned by a drive-by while browsing through Firefox? The answer is: 0..." }-
I suggest you do your test yourself.

/C.

Hello,
I know the answer.
Comfy, mentality of gray / black / purple hats ... please.
It does matter what browser you use and it does matter what OS you use. But if you believe in the uber-fatalistic approach "it doesn't matter, the system / matrix / bad guys will pwn us" then you need to reassess the overall concept of computing. NIX is not Windows.
Mrk

-{ Quote: "...NIX is not Windows." }-
No it´s not, but this thread deal with security issues regarding different browsers used on a Windows platform, thence the impact of malware binaries designed for Windows, not *nix.

/C.

-{ Quote: "I agree with Rmus that the choice is irrelevant if you know what you do, but since most people don't, the choice means very much." }-No quibble here with this observation, and another opportunity to encourage everyone to "Adopt a user."

We all know of family relations, neighbors, acquaintances, who can "use some help" in learning safe computing.

Why not, during this holiday season, instead of purchasing a gift for such a person, volunteer to help her/him in developing a safe computer strategy?


----
rich

Hello,

I'm doing that all the time, helping people. Already converted 7 people I know to Firefox just the last month, plus 2 personal Linux converts ... May not be what you had in mind, but it's a way.

Cerxes, the reply regarding OS was to Comfy's post. PS, I believe I have visited more than 10,000 different adult sites in my life, and they all assuaged my eyes without hurting il mio compo.

Mrk

My browser security is layered, so I'm not worried :
1. Firefox fails, then security extensions will save me.
2. Security extensions fail, then DefenseWall will save me.
3. DefenseWall fails, then boot-to-restore will save me.
4. Boot-to-restore fails, then a clean archive will save me.
5. Clean archive fails, then a clean image will save me.
6. Clean image fails, then a Zero Tool + clean image will save me.
Most users don't even have 6 layers and I didn't even use my brain ::) yet. ;)

Hello,
What about earthquake, power outages, water spilled onto the comp, dog kicking the comp off the table?
Mrk

-{ Quote: "Hello,
What about earthquake, power outages, water spilled onto the comp, dog kicking the comp off the table?
Mrk" }-
Thanks. I knew I forgot something.

-{ Quote: "
Try it yourself. Download any hosts list, choose 100 sites at random. Go there with default IE6/7, then Firefox - on two different systems / images. Then, google for hack, crack, pron etc, try another 100 random sites. See what happens. After that, scan with whatever if you need. You'll get your answers.
" }-

That's because a majority of these exploits specifically target Internet Explorer.

In another 2 years when everyone is using Firefox, the tables will slowly turn.

Hardening the Internet and Local Machine zone will make any IE setup rock solid.

On one of the forums I admin on there is a scrolling script that shows the last ten post's. No matter the settings Firefox allows the script. Opera stops it. I have noticed several instances where FF allows things that Opera stops by default. I will stick with Opera and just have FF as a back up.

-{ Quote: "I was just parsing through the release notes for the new Firefox version, when I noticed Mozilla had built up quite a list of security vulnerabilities itself.

http://www.mozilla.org/projects/security/known-vulnerabilities.html

With the amount of people discarding IE in favor of Firefox as part of their security setup, I'm beginning to wonder how wise this really is, especially since I haven't heard of any new vulnerabilities for IE for quite a while now. With Automatic Updates turned on, it seems that IE7 provides comparable security to Firefox - many good ol' classic exploits that triggered the IE scare are long gone and don't work anymore - while guaranteeing website compatibility.

I use Opera myself while installing Firefox to my friends. I'm not particularly inclined to suggest they switch back to IE yet, but I'll have much more reservations about recommending Firefox from now on.

Thoughts?" }-

Running under vista 64 with IE in protected mode (and HautseSecure) lookes like a safer solution.

Hello,
bigc, please pm me that ...?
Mrk

-{ Quote: "If one has a sound security strategy and user policies in place, the choice of browser is irrelevant" }-
Right, but it's nice to know that your browser isn't a piece of Swiss cheese. If I whitelist content with NoScript, I know that my security setup won't be triggered.
-{ Quote: "In Opera you can disable script, sound and .gif/.svg animation by default and then adapt and save the settings for each website you visit more often." }-
NoScript does this much more elegantly and you also get protection against XSS.

I think it is apparent that most if not all big softwares have bugs and security holes in them. Personally I think that vulnerabilities are patched more frequently in Firefox than in IE. I am basing my opinion on the official numbers and frequencies of patches that come out for both of them. So in this regard, Firefox is safer (not to mention that IE is targeted more too).

-{ Quote: "
NoScript does this much more elegantly and you also get protection against XSS." }-
In the end, that's what matters to me also.
-{ Quote: "
I think it is apparent that most if not all big softwares have bugs and security holes in them. Personally I think that vulnerabilities are patched more frequently in Firefox than in IE. I am basing my opinion on the official numbers and frequencies of patches that come out for both of them. So in this regard, Firefox is safer (not to mention that IE is targeted more too)." }-
Of course, that and the fact that Firefox is not part of the OS core.

-{ Quote: "NoScript does this much more elegantly and you also get protection against XSS." }-
Havn´t used Firefox for awhile so I don´t know how the latest version of NoScript works today. But when I used it before, the only way of really be secured against XSS was to only temp. allowing the scripts, even for trusted sites. If you allowed scripts for trusted sites permanently, then the protection only lasted until one of the whitelisted sites was compromised.

But I agree that the NoScript solution is more elegant compared to how Opera is handling it ;).

/C.

-{ Quote: "I think it is apparent that most if not all big softwares have bugs and security holes in them. Personally I think that vulnerabilities are patched more frequently in Firefox than in IE. I am basing my opinion on the official numbers and frequencies of patches that come out for both of them. So in this regard, Firefox is safer (not to mention that IE is targeted more too)." }-

More targeted = more tested = more fixed.

I personally prefer Opera on XP, but on Vista IE in protected mode is my choice.

Reading: http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

-{ Quote: "NoScript does this much more elegantly" }-Fascinated by this choice of phrase, so I cannot resist asking, please define elegant in this context. Thanx

-{ Quote: "Fascinated by this choice of phrase, so I cannot resist asking, please define elegant in this context. Thanx" }-
It's not on or off permanently for all sites, and in 2 clicks you change a site's permissions ;)
Doesn't ask questions, prompt you for anything (at least how i configured it).
Effective anti-XSS measure against untrusted sites, Opera afaik isn't (i would be happy to find out the contrary).
-{ Quote: "If you allowed scripts for trusted sites permanently, then the protection only lasted until one of the whitelisted sites was compromised.
" }-
Yes. It can only protect you from non whitelisted sites.

-{ Quote: "Fascinated by this choice of phrase, so I cannot resist asking, please define elegant in this context. Thanx" }-
As Pedro says, with NoScript you don't need to disable JS globally. Per-site options is what makes NoScript a more elegant solution than Opera's way of dealing with JS.

Anti-XSS protection (http://noscript.net/features#xss)
-{ Quote: "NoScript features unique Anti-XSS counter-measures, even against XSS Type 1 attacks targeted to whitelisted sites.

Whenever a non-trusted site tries to inject JavaScript code inside a trusted (whitelisted and JavaScript enabled) site, NoScript filters the malicious request neutralizing its dangerous load.
" }-

Joanna Rutkowska:
-{ Quote: "... I use IE to do all my sensitive browsing (e.g. online banking, blogger access, etc), while Firefox to do all the casual browsing, which includes morning press reading, google searching, etc. The reason I use Firefox for non-sensitive browsing doesn’t come from the fact that I think it’s more secure (or better written) then IE, but because I like using NoScript and there is no similar plugin for IE..." }-
(invisiblethings, 17 Oct 2007)

I only use it for the extensions.
If Opera had something like that I'd use it instead.