2007-08-02

El Reg Readers' Commentaries Rate "Op, FF & IE":
Numbers 1, 2 & 3 on Browser Security
Bootnotes: Thai FLOSSer TOSSFEST Returns?!? [7,12,13]
By AD Marshall, Saigon, Vietnam
Published ICT.12:03.Thu.02.Aug.2007.AD

Ever irreverent, The Register [1] has reveled in "Biting the hand that feeds IT" since 1998 [2]. "El Reg" readers, numbering some four million a month in Nov.2005 [3], tend to a feistier fare and their comments often reflect the incisive wit with which El Reg itself is written.

Commentaries on a 31.Jul El Reg piece [4] which noted a new Mozilla Firefox update, 2.0.0.6 [5], included several illuminating bytes on comparative browser security between Firefox (FF), Internet Explorer (IE) and Opera (Op).

One commentator provided references to consistent, comprehensive vulnerability statistics from Secunia that apparently give Op an edge over FF and IE on security. See below. Generally, commentators put Op, FF and IE in that order for security, based on lower numbers of vulnerabilities and faster, easier fixes over the last half-decade.

Microsoft IE championing opened the discussion but got swarmed and stomped by Op and FF supporters' stats and rationales.

One commentator notably reported ongoing joy with Mozilla's Minefield [6], a Mozilla.org repository providing nightly alpha releases of the upcoming Firefox 3.0, codenamed "Gran Paradiso" and expected to reach final release later this year. Another might have dubiously made passing reference to the upcoming Thai FLOSSers' TOSSFEST! [7,12,13]

Edutaining commentary extracts and bootnote links to this missive's sources follow below.

The FF 2.0.0.6 update fixes what is likely FF's biggest single batch of security bugs [8] since it first went beta in Sep.2002 as Mozilla's Phoenix browser [9].

Since FF 1.0's release in Nov.2004 [10], the share of global browser usage attributed to Mozilla browsers (Suite, Netscape, Firefox, Seamonkey) has grown from some 6 percent to almost 26 percent on 30.Jul.2007, depending on how usage is measured, according to what looks like a fairly well researched and reported article at Wikipedia [11]. Caveat Emptor.

Conservative estimates gave Firefox some 15 percent of the market early this year [10,11]. Downloads of FF reportedly rose from one million in Nov.2004 to 300 million in Feb.2007 [10].

On a personal note, before this submission could be completed, Ubuntu Desktop Linux 7.04 (Feisty Fawn) requested and received my permission to install updates for Firefox, Gnome [Desktop] Support for Firefox, the Netscape Portable Runtime Library (libnspr4) and the Netscape Security Service Libraries - runtime (libnss3) -- whatever those libraries do... -- all to version "firefox2.0.0.6+1-0ubuntu1".

Suddenly I was happy I'd not yet switched to using the "original" Firefox installers from Mozilla after all -- though it's likely all but academic on this Linux box anyway.

But the danged "Reg Headlines Thursday August 2" just hit the inbox, too. <next... />


Select El Reg Reader Commentaries on "Firefox update fixes bug brace - Booby trap link bug defused" [4]:

i.e.7

By Stu Reeves
Posted Tuesday 31st July 2007 11:31 GMT

Best get using i.e7. Seems a lot more secure these days...

And cue fanboy flames

Wow...

By Sean Nevin
Posted Tuesday 31st July 2007 12:38 GMT

I was just reading this article when Firefox popped up with a message about having been updated. There may be some issues with Firefox, but at least they have a quick and painless update system, unlike another widely used browser...

</fanboy flames>

Appearance isn't everything Stu Reeves

By Chris
Posted Tuesday 31st July 2007 12:54 GMT

If you compare the Secunia advisories for IE 7, Firefox and Opera you can quite plainly see which is the least secure (and it's not Firefox).

IE: http://secunia.com/product/12366/

Firefox: http://secunia.com/product/12434/

Opera: http://secunia.com/product/10615/

MS's ploy for announcing all their bad news in one go is working as people think their stuff is more secure now, when it plainly isn't.

Although it does seem that Opera is worth a go from a security perspective.

Firefox? I'm running Minefield!

By Greg
Posted Tuesday 31st July 2007 13:50 GMT

If you ever want a demonstration of how flawless Mozilla's update system is, use Minefield [6] for a while. Every single day the browser updates itself to the latest nightly build - not had a single crap-out yet and the whole update process takes around 20 seconds.

Compare that to Microsoft!

Oh, and as has been said above, I would much rather have a browser be updated every week (or even every day) with the latest flaws patched, than one updated whenever the dev team (and end user, let's not forget*) can be arsed, leaving flaws exposed for much longer. The article should be praising Mozilla for getting patches out so quickly. Nicely done, lads and lasses.

*I say this bit because a lot of the XP users I know turn off Automatic Updates straight away. No-one really trusts MS to manage their PC, especially after they labeled "Genuine Advantage" anti-piracy software as a critical update.

So easy

By Stu Reeves
Posted Tuesday 31st July 2007 15:02 GMT

Gosh it's so easy to get the fanboys going...

I've used i.e for years, never got a virus, never been a victim of phising [sic], never downloaded anything dodgy....

but then again, I'm not a Toser.

Re: So easy

By Dillon Pyron
Posted Tuesday 31st July 2007 15:50 GMT

Well, I haven't been infected by any of the issues resolved in the latest update of Firefox.

But it updated automagically. Unlike IE, which needs to be started manually. And only once a month. Malware authors know this, and wait until Wednesday to release new attacks. Zero day attacks are common on both browsers, but Mo publishes fixes ASAP. Unless it's a tremendous hole, MS won't fix it until the next patch release in a month. Assuming they've gotten around to it. I know of two vulns that were sent to MS three months ago that haven't been patched. Sooner or later these are going to go from "protected info by white hats" to "exploited by black hats".

3 exploits in IE7 ?

Posted Tuesday 31st July 2007 21:50 GMT

There are some known exploits in IE7, but since they cannot be mentioned until Microsoft releases patches - hopefully this will occur on the next Patch Tuesday... if not, that'll be another 28 days of vulnerability. Trouble is, it's closed source; only MS can fix this - no one else can come up with fixes or better code handling... so you hope and pray that they can be bothered to address it. Mozilla/Firefox/Safari etc. all have a point to make - so they're addressing these issues very rapidly.

And hey, to patch FF all you need to do is get that little update and just restart the browser... not the whole machine.

@Stu Reeves

Posted Tuesday 31st July 2007 17:25 GMT

"but then again, I'm not a Toser"

No. You're a troll who can't spell "tosser".

[AD: TOSSFEST!!! - 7,12,13]


Sources' Links
  1. The Register, http://www.theregister.co.uk/
  2. The Register - Wikipedia [Caveat Emptor], http://en.wikipedia.org/wiki/The_Register
  3. The Reg reaches 4m people a month, http://www.theregister.co.uk/2006/01/16/the_register_november_traffic_figures/
  4. Firefox update fixes bug brace - Booby trap link bug defused, http://www.theregister.co.uk/2007/07/31/firefox_update/
  5. Firefox 2.0.0.6 Security Update, http://developer.mozilla.org/devnews/index.php/2007/07/30/firefox-2006-security-update/
  6. Mozilla Minefield Start Page, http://www.mozilla.org/projects/minefield/
  7. 7th Thailand Open Source Software Festival (TOSSFEST) 2007, http://www.ossfestival.in.th/
  8. Secunia's "Vulnerability Report: Mozilla Firefox 2.0.x", http://secunia.com/product/12434/?task=statistics
  9. Browser timeline, http://en.wikipedia.org/wiki/Browser_timeline
  10. Market adoption of Mozilla Firefox, http://en.wikipedia.org/wiki/Market_adoption_of_Mozilla_Firefox
  11. Usage share of web browsers, http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
  12. Tossfest 2007: are you a hardened open sourcer?, http://www.theregister.co.uk/2007/07/31/tossfest_2007/
  13. Urban Dictionary: toss, http://www.urbandictionary.com/define.php?term=toss

Copyright © 2007:
AD (Andi) Marshall
eMail: admarshall[at]gmail[dot]com
Zone: ICT (IndoChina Time, GMT/UTC+7)
Web: http://admarshall.googlepages.com/
Post: HoChiMinh City (ex/or SaiGon), VietNam
Quote: "Love all, trust a few. Do wrong to none..."
Source: Shakespeare, 1623, "All's Well That Ends Well"
Get it at Gutenberg: http://www.gutenberg.org/etext/2246
GPG/PGP Public Keys online: http://cryptonomicon.mit.edu/
