aberdeen-music

Firefox prone to hackers as much as Internet Explorer


Snakebite

That's because hackers are attacking the majority, as soon as Firefox gains the majority over Internet Explorer they will attack it. The spyware/adware will be just as bad if not worse since Mozilla don't have as many software engineers as Microsoft to create patches quick enough every time it is hacked. They might manage just now because there is only a small quantity of attacks, give it a couple of years for the hackers to catch up.

I don't get it. Are you arguing about something being good now, because it might not be as good in the future? So if I have a Skoda, I shouldn't go buy a BMW, because it might break down in 10 years time? What is your point?


I don't get it. Are you arguing about something being good now, because it might not be as good in the future? So if I have a Skoda, I shouldn't go buy a BMW, because it might break down in 10 years time? What is your point?

I'm just making the point that at the moment Firefox appears to be safe from all of this spyware/adware just in the same manner that Internet Explorer was better than Netscape when it was created years ago because it was initially used by the minority.

Look at Internet Explorer now, that's how I see Firefox becoming in a couple of years if the majority of people start using it.

As long as it is just used by the minority it will be relatively safe from the majority of hacker attacks since most hackers will only concentrate their efforts on Internet Explorer.

Fair enough encourage people to start using it, however as soon as the majority start using it the hackers will start to attack Firefox more and I don't currently think Mozilla could handle patching Firefox as many times as Microsoft do to Internet Explorer every month since Microsoft has a larger pool of software engineers to handle it and even then they struggle.

The fact that it's open source too means that hackers can easily examine the code to find ways past the security measures.

As far as Firefox is at the moment there haven't been many hacker attacks, but out of all of them there have been at least 4 major ones already in such a short space of time since its official release. Which is a bit worrying.


I don't currently think Mozilla could handle patching Firefox as many times as Microsoft do to Internet Explorer every month since Microsoft has a larger pool of software engineers to handle it and even then they struggle.

The fact that it's open source too means that hackers can easily examine the code to find ways past the security measures.

I'm sorry, you're completely wrong. Because it's open source, Mozilla doesn't need more software engineers- anybody who wants to can patch it. That means Mozilla's pool of engineers is much, much larger than Microsoft's, especially because Microsoft is content to let IE sit on the back burner and hardly ever update it. Also, the fundamental premise of your argument is flawed; Firefox itself is not what is insecure, it's an extension for Firefox. That's like blaming Microsoft for a fault in the Google Toolbar; they're completely unrelated. The key difference between Greasemonkey and ActiveX is that Greasemonkey needs to be installed by the user, while ActiveX is on by default. As soon as anyone sees the security advisory they can easily turn it off or uninstall it, which is impossible with ActiveX. They're two completely different beasts and comparing them makes no sense whatsoever.

PS: A firewall prevents against spyware and virii the same way a raincoat prevents against drowning: not at all. The firewall only blocks remote access requests. Since spyware installs itself covertly because of the user's doing something legitimately, the firewall only sees your computer requesting to do something, and thus sees no issue with the spyware's being downloaded. Check the facts.


I'm sorry, you're completely wrong. Because it's open source, Mozilla doesn't need more software engineers- anybody who wants to can patch it. That means Mozilla's pool of engineers is much, much larger than Microsoft's, especially because Microsoft is content to let IE sit on the back burner and hardly ever update it. Also, the fundamental premise of your argument is flawed; Firefox itself is not what is insecure, it's an extension for Firefox. That's like blaming Microsoft for a fault in the Google Toolbar; they're completely unrelated. The key difference between Greasemonkey and ActiveX is that Greasemonkey needs to be installed by the user, while ActiveX is on by default. As soon as anyone sees the security advisory they can easily turn it off or uninstall it, which is impossible with ActiveX. They're two completely different beasts and comparing them makes no sense whatsoever.

PS: A firewall prevents against spyware and virii the same way a raincoat prevents against drowning: not at all. The firewall only blocks remote access requests. Since spyware installs itself covertly because of the user's doing something legitimately, the firewall only sees your computer requesting to do something, and thus sees no issue with the spyware's being downloaded. Check the facts.

But so can the hackers just because it's open source it makes it easy for them to exploit it. All that will happen is Firefox will eventually need to be patched more often than not which may end up meaning you have to download patches on a daily basis in an attempt to stop the hackers.

Okay the latest flaw was about due to an extension of Firefox but some of the other major attacks like phishing were directed at Firefox itself.


The fact that Microsoft are introducing tabbed browsing in Internet Explorer v7.0 and have just introduced pop-up blocking just goes to show how far Firefox is ahead of the game.

Opera has offered these features for YEARS!

Opera's offered a significant advantage over other browsers for ages now including popup blockers, tabbed browsing, on-the-fly scripting disable/enabling, even image blocking.

You're all living in the past! :p


Opera has offered these features for YEARS!

Opera's offered a significant advantage over other browsers for ages now including popup blockers, tabbed browsing, on-the-fly scripting disable/enabling, even image blocking.

You're all living in the past! :p

Yeah, but Opera is bloatware because of all these features - and it's not free. :p


But so can the hackers just because it's open source it makes it easy for them to exploit it. All that will happen is Firefox will eventually need to be patched more often than not which may end up meaning you have to download patches on a daily basis in an attempt to stop the hackers.

Okay the latest flaw was about due to an extension of Firefox but some of the other major attacks like phishing were directed at Firefox itself.

Linux is the most popular OS for web servers, is open source, and there hasn't been a single virus outbreak for Linux since, if I recall correctly, 2001. The vulnerabilities are being fixed before they become an issue. Also, phishing is not directed at browsers. Phishing is directed at idiots who think that Paypal needs their password to do system maintenance. Even if they had IE or Opera, they would still be idiots.


That's because hackers are attacking the majority, as soon as Firefox gains the majority over Internet Explorer they will attack it.

And as soon as everyone switches to IE again, they'll target that, putting you back to square one.

You and logic don't live on the same street, do you?

I'll stick with Firefox if you don't mind, at least the people fixing it are staying further ahead of the pack than the fat, bloated, corporate monster which is MS


And as soon as everyone switches to IE again, they'll target that, putting you back to square one.

You and logic don't live on the same street, do you?

I'll stick with Firefox if you don't mind, at least the people fixing it are staying further ahead of the pack than the fat, bloated, corporate monster which is MS

Obviously you didn't read the post, you have a bad habit of that. What I was saying is that as soon as Firefox becomes more popular it will get attacked more just like Internet Explorer. I never said they would stop attacking Internet Explorer, nor did I say Internet Explorer was any better.

The problems that Firefox has experienced since its release have however been on a greater scale than what Internet Explorer first experienced in its infancy. Yes there may be a lot of people that could help patch up Firefox due to it being open source since everyone can modify it. It can also however be just as easily manipulated by hackers because they can easily access the programming code.

Open source is fine if no one decides to attack it, but once they do, all that will happen is the need to patch the software non stop in an attempt to keep up with the hackers instead of having the time to use it properly since you will have to constantly update it.

Internet Explorer may not be any better but not everyone has access to the programming code. Only the really determined hackers once they manage to decompile it.


The problems that Firefox has experienced since its release have however been on a greater scale than what Internet Explorer first experienced in its infancy.

Bollocks. Care to justify that statement with some facts and figures? No, I thought not...

Yes there may be a lot of people that could help patch up Firefox due to it being open source since everyone can modify it. It can also however be just as easily manipulated by hackers because they can easily access the programming code.

But does the fact that it is open-source not make it inherently more secure? Because it is open-source the entire source code of the software is under scrutiny by many more people than would ever have access to the source code to Internet Explorer. Thus bugs not only usually get fixed quicker but they also get spotted quicker by the developer community.

In addition, because it is open-source then you have complete transparency of the bugs detected and how they are fixed. You don't have this with Internet Explorer and Microsoft take advantage of this fact when they refuse to acknowledge bugs, say they have fixed bugs when they haven't or fix bugs on the sly through other patches/hot-fixes/service packs.

I work in IT. And patching Microsoft related software and operating systems is an absolute nightmare at the best of times because of sheer volume of "critical" security patches that get released and have to be applied to desktops and servers.

I mean look at Windows 2003 server for example. In its default configuration you can't browse ANY web site within Internet Explorer aside from the Windows Update web site because it has been locked down so much. What does that tell you about Microsoft's confidence in Internet Explorer?


also - won't more hackers attack IE anyway simply because it belongs to Microsoft, never mind whether or not Firefox becomes more popular?

I'm no software engineer (and it'll show probably) but surely the fact that Firefox is a free program that nobody is making money off of will mean that it's more likely to be left alone? the corporate money beast that is Micro$oft persists in doing things the wrong way ergo will keep being attacked more.

just a thought.


Obviously you didn't read the post, you have a bad habit of that. What I was saying is that as soon as Firefox becomes more popular it will get attacked more just like Internet Explorer. I never said they would stop attacking Internet Explorer, nor did I say Internet Explorer was any better.

The problems that Firefox has experienced since its release have however been on a greater scale than what Internet Explorer first experienced in its infancy. Yes there may be a lot of people that could help patch up Firefox due to it being open source since everyone can modify it. It can also however be just as easily manipulated by hackers because they can easily access the programming code.

Open source is fine if no one decides to attack it, but once they do, all that will happen is the need to patch the software non stop in an attempt to keep up with the hackers instead of having the time to use it properly since you will have to constantly update it.

Internet Explorer may not be any better but not everyone has access to the programming code. Only the really determined hackers once they manage to decompile it.

An almost unbelievable number of spurious, ill-educated, misinformed arguments backed up with no facts whatsoever.

You ever heard the phrase "quit while you're ahead"? Well you're not ahead mate...in fact you're so far off the pace of this argument it's become staggering. Please stop before you make an even bigger eejit of yourself.


Bollocks. Care to justify that statement with some facts and figures? No, I thought not...?

It was a good couple of years before hackers started to fully exploit Internet Explorer's weaknesses, with Firefox it hasn't even been a year since its official release and hackers are managing to access files on people's PCs (okay it was an addon called Greasemonkey for Firefox that allowed this to happen, but it was still successful in getting access to files of Firefox users because they were installing the addons).

Maybe it's just the type of world we live in nowadays that everyone wants to hack into other people's PCs compared to when Internet Explorer came out. Some of it may be to do with the fact they want to attack Microsoft, but others just want to steal information from you period, irrespective of your browser choice.

Below is a list of problems that had to be fixed in this year alone - okay Internet Explorer may have a similar amount these days, but it didn't have this many problems when it first came out.

(Doesn't include the theft of users' personal information from the spreadfirefox.com website which also happened recently)

Fixed in Firefox 1.0.5/1.0.6 - 2 of which were critical that allowed unauthorised code to be run which could be used to access data

MFSA 2005-56 Code execution through shared function objects

MFSA 2005-55 XHTML node spoofing

MFSA 2005-54 Javascript prompt origin spoofing

MFSA 2005-53 Standalone applications can run arbitrary code through the browser

MFSA 2005-52 Same origin violation: frame calling top.focus()

MFSA 2005-51 The return of frame-injection spoofing

MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()

MFSA 2005-49 Script injection from Firefox sidebar panel using data:

MFSA 2005-48 Same-origin violation with InstallTrigger callback

MFSA 2005-47 Code execution via "Set as Wallpaper"

MFSA 2005-46 XBL scripts ran even when Javascript disabled

MFSA 2005-45 Content-generated event vulnerabilities

Fixed in Firefox 1.0.4 - All 3 were critical that allowed unauthorised code to be run which could be used to access data

MFSA 2005-44 Privilege escalation via non-DOM property overrides

MFSA 2005-43 "Wrapped" javascript: urls bypass security checks

MFSA 2005-42 Code execution via javascript: IconURL

Fixed in Firefox 1.0.3 - 3 of which were critical that allowed unauthorised code to be run which could be used to access data

MFSA 2005-33 Javascript "lambda" replace exposes memory contents

MFSA 2005-34 javascript: PLUGINSPAGE code execution

MFSA 2005-35 Showing blocked javascript: popup uses wrong privilege context

MFSA 2005-36 Cross-site scripting through global scope pollution

MFSA 2005-37 Code execution through javascript: favicons

MFSA 2005-38 Search plugin cross-site scripting

MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II

MFSA 2005-40 Missing Install object instance checks

MFSA 2005-41 Privilege escalation via DOM property overrides

Fixed in Firefox 1.0.2 - 1 of which was critical that caused problems with operation of Firefox

MFSA 2005-32 Drag and drop loading of privileged XUL

MFSA 2005-31 Arbitrary code execution from Firefox sidebar panel

MFSA 2005-30 GIF heap overflow parsing Netscape extension 2

Fixed in Firefox 1.0.1 - 2 of which were critical that allowed access to data

MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing

MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files

MFSA 2005-27 Plugins can be used to load privileged content

MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab

MFSA 2005-25 Image drag and drop executable spoofing

MFSA 2005-24 HTTP auth prompt tab spoofing

MFSA 2005-23 Download dialog source spoofing

MFSA 2005-22 Download dialog spoofing using Content-Disposition header

MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice

MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts

MFSA 2005-19 Autocomplete data leak

MFSA 2005-18 Memory overwrite in string library

MFSA 2005-17 Install source spoofing with user:pass@host

MFSA 2005-16 Spoofing download and security dialogs with overlapping windows

MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion

MFSA 2005-14 SSL "secure site" indicator spoofing

MFSA 2005-13 Window Injection Spoofing

Fixed in Firefox 1.0 - 2 of which were critical that allowed access to data

MFSA 2005-12 javascript: Livefeed bookmarks can steal private data

MFSA 2005-09 Browser responds to proxy auth request from non-proxy ssl server

MFSA 2005-08 Synthetic middle-click event can steal clipboard contents

MFSA 2005-07 Script-generated event can download content without prompting

MFSA 2005-05 Input stealing from other tabs

MFSA 2005-04 Secure site lock can be spoofed using view-source:

MFSA 2005-03 Secure site lock can be spoofed by a binary download

MFSA 2005-02 Opened attachments are temporarily saved world-readable

MFSA 2005-01 Link opened in new tab can load local file

But does the fact that it is open-source not make it inherently more secure? Because it is open-source the entire source code of the software is under scrutiny by many more people than would ever have access to the source code to Internet Explorer. Thus bugs not only usually get fixed quicker but they also get spotted quicker by the developer community.

In addition, because it is open-source then you have complete transparency of the bugs detected and how they are fixed. You don't have this with Internet Explorer and Microsoft take advantage of this fact when they refuse to acknowledge bugs, say they have fixed bugs when they haven't or fix bugs on the sly through other patches/hot-fixes/service packs.

Mozilla haven't been fully transparent with details of some of the bug fixes that were carried out in the recent release, only some of them have been published on their website.

see link - http://news.zdnet.co.uk/software/applications/0,39020384,39208855,00.htm

So what does that mean for the normal end user, non stop patching of the software? How often will that be within the next year or so, weekly, daily, twice a day?

I work in IT. And patching Microsoft related software and operating systems is an absolute nightmare at the best of times because of sheer volume of "critical" security patches that get released and have to be applied to desktops and servers.

I mean look at Windows 2003 server for example. In its default configuration you can't browse ANY web site within Internet Explorer aside from the Windows Update web site because it has been locked down so much. What does that tell you about Microsoft's confidence in Internet Explorer?

All that means is that they've adopted a maximum security approach for initial installs, that's why Windows firewall in service pack 2 amongst other security features are now automatically switched ON. It is up to the installer to reduce the security settings down to a level to suit their required usage.


also - won't more hackers attack IE anyway simply because it belongs to Microsoft, never mind whether or not Firefox becomes more popular?

I'm no software engineer (and it'll show probably) but surely the fact that Firefox is a free program that nobody is making money off of will mean that it's more likely to be left alone? the corporate money beast that is Micro$oft persists in doing things the wrong way ergo will keep being attacked more.

just a thought.

Bollocks, if people want to steal your information they won't not do it because you use Firefox. All they want is to see if there is any valuable information on your PC that they can steal irrespective of what browser you use.


a patch should be available as quickly as possible after an exploit is discovered, if that's twice a day then YES patching twice a day is what should happen. Having exploits reported and then waiting until the next "patch day" to fix them leaves your browser insecure for longer, that's of course if Microsoft ever gets round to patching them at all.


a patch should be available as quickly as possible after an exploit is discovered, if that's twice a day then YES patching twice a day is what should happen. Having exploits reported and then waiting until the next "patch day" to fix them leaves your browser insecure for longer, that's of course if Microsoft ever gets round to patching them at all.

So what do you do whilst you're waiting for all these patches to be downloaded & installed, use another browser?

Who is going to have the time to write, test and issue patches twice a day? Are there enough computer programmers with nothing better to do but develop patches for Firefox all day long every day?


I'm confused as to what your point is....you need to download patches for Internet Explorer and Firefox except you have to wait until the next patch day to get them for IE. whereas they are available quickly for Firefox.

There has been a large frequency of patches for Firefox already within its first year and is almost on par with the amount of patches released every month for Internet Explorer which has been around for more than 10 years. What happens in the next few years, can Mozilla keep up with an exponentially increasing rate of bug fixes?


What should we do, then?

Improve the security of any important information held on your PC (or take it off of your PC) to minimise the chance of its theft when someone does break into your PC via your browser which will happen irrespective of which one you use.

Hackers will always be one step ahead of the software companies, the open source approach just gives them a bit of an advantage since they can easily see the programming code too.

Open source may be patched quicker, but it only takes a few minutes for hackers to take what they want once they've got into someone's PC.


security through obscurity is NOT a good policy.

and yes, you should take responsibility for securing sensitive information on your computer.

however Firefox is patched more quickly and it may be easier to find possible exploits, but since they are fixed more quickly there is less time for someone to exploit them. There have been less exploits found and they have been patched more quickly. I don't see your point. You say that being open source makes it easier to find problems, but there have been less problems found in Firefox than in IE.


at the end of the day, doesn't it just come down to user experience? who can actually say with personal experience that they've been a victim of ANY of Firefox's vulnerabilities? the only one i've even experienced a proof of concept exploit for was the address bungling one... compare that to Internet Explorer - the problems that affect Internet Explorer are actually affecting people's usage of the program.

i don't get the point about Mozilla not being transparent about bug fixes - at any point you can download the latest code from CVS, so it's not like they are restricting access to what Mozilla actually is compiled from. if Mozilla hasn't disclosed a critical bug, it's probably for good reason, i.e. they fix it as soon as they can and hope as many people upgrade before the bug is otherwise found. that makes good sense to me... it doesn't mean they are being secretive.

the whole debate between closed source and open source developments has been a raging flaming discussion for years, and both sides have some valid points. but to say that closed source is better because people can't see the problems is crazy: this type of practice is labelled "security by obscurity" and is no security at all. i bet that no more than 10 full time developers work on Internet Explorer (the web browsing component) at any time - for the simple reason that software development works better in smaller teams. taking into consideration that Internet Explorer seems to have lain dormant for about 3 years as well, it's probably safe to say that the Gecko codebase is far more audited than Internet Explorer's.
