Security: browsers and OS's


tommy
04-19-2005, 07:24 AM
Here is an interesting excerpt from Fred Langa's most recent LangaList publication:

The LangaList
Standard Edition
2005-04-18


1) FireFox Pros And Cons

For an industry built on logic--- at their deepest level, computers are
logic circuits--- blatant illogic somehow manages to cloud many issues.

Take FireFox http://www.mozilla.org/products/firefox/ , for example, a
very nice browser from Mozilla.Org http://www.mozilla.org/ . It's free,
Open Source, and the result of literally years of development. It's also a
cross-platform application, available for Windows, Mac, and Linux--- a
huge plus in computationally diverse environments because the
configuration and training/learning curve is basically the same, no matter
what platform the browser's installed on. Its human language support also
is extensive, with versions in everything from Afrikaans to Welsh. No
question: it's impressive software.

Some also like it simply because it's not from Microsoft. I think this
approach has some merit: Whenever Microsoft loses serious competition in
any software category, it grows complacent, and the pace of innovation
slackens. IE6, for example, came out in 2001; an eternity ago, in
computing terms. Except for a boatload of security updates and patches,
it's still basically the same browser it was then.

But, US-CERT (United States Computer Emergency Readiness Team), a
partnership between the Department of Homeland Security and the public and
private sectors that impartially tracks all manner of security issues in
operating systems and major applications, shows that the list of IE's
current vulnerabilities is shorter than those for FireFox, Mozilla, and
the other alternate browsers. Likewise, it also lists fewer Windows'
vulnerabilities than for the other OSes.

The last time I mentioned a similar US-CERT finding, by the way, Linux
partisans leapt up to tell me that US-CERT didn't know what it was doing.
Linux *couldn't* have more security flaws than Windows! Everyone *knows*
that Open Source software is so much better than anything from Microsoft---
right?

Well, to the dismay of the more rabid anti-Microsoft partisans, reports from
other independent observers corroborated CERT's findings.
For example, between July 1 and December 31, 2004, Symantec documented 13
serious vulnerabilities affecting Microsoft Internet Explorer, but found
21 vulnerabilities affecting each of the Mozilla-based browsers.
But don't take my word for it--- read the reports for yourself, see the
methodologies for yourself, and decide for yourself: The article posted
now (free!) at
http://www.informationweek.com/story/showArticle.jhtml?articleID=160900911
has all the details and links you'll need.

I wrote that article to try to help readers interested in FireFox in
particular and Open Source in general to make an informed decision. There
are many, many excellent, proven, objective benefits to switching to Open
Source software--- but there's also a lot of misinformation, and some
very, very *bad* reasons to switch.

For example, the "common knowledge" that FireFox is "more secure than IE"
simply is false. Switching to FireFox for that particular reason--- in the
belief that you'll magically and automatically be more secure--- is just
plain wrong.

But again, don't trust me, or any third party: Come see the source
material for yourself, and make up your own mind. It'll only take a few
minutes, and one way or the other--- whether you agree or disagree with
me--- you'll have the facts at hand, and so can make an informed judgment,
rather than one based on "common knowledge."

Click on over to
http://www.informationweek.com/story/showArticle.jhtml?articleID=160900911 !

classicsoftware
04-19-2005, 07:49 AM
Well, it's a nice article, but the conclusions are all wrong. Firefox IS safer than IE for a number of reasons:


Firefox DOES NOT use ActiveX. This is the main reason IE is more vulnerable.
IE has a larger installed base and malware writers go where the numbers are.
Firefox is more nimble than IE. The security patches come out much faster from Mozilla than they do from Microsoft.
Finally, while there are potential vulnerabilities in Firefox, there are REAL problems with IE.


I have yet to encounter one browser hijacking with FF and I read just about every HijackThis log on this forum. While in theory this story is true, in reality, at least for now, FireFox is safer than Internet Explorer.

PrntRhd
04-19-2005, 01:21 PM
Langa writes these articles but you must force yourself to read the reality between the lines. He is poking at the attitude that if it is open source then it is better by default, and software is still just software whether it is open source or proprietary.
Firefox is not a total answer to security, no browser is completely secured. That being said, Firefox does help with security, particularly adware/malware/spyware. It took them less than 3 weeks to fix recent critical security holes from the discovery to the fix.
The reality is that CERT suggested it wise to use alternative browsers other than IE due to ongoing unfixed security holes, and the dominance of IE is not healthy for what would happen to the Internet if a major outbreak of worms/viruses occurs.
Alternate browsers (non IE based):
Opera
Firefox
Netscape
Mozilla suite

tommy
04-20-2005, 04:17 AM
Thanks for your comments.

pop pop
04-20-2005, 11:08 AM
I love semantics and statistics, you can prove anything on any side of an argument with proper use of them. The reasons stated by Classic and PrntRhd that FireFox stands above Internet Exploder in terms of security are spot on. Besides the ActiveX issue, I think the vulnerability-to-fix response time is the most differentiating factor. I read an article recently, I think it was by Securina, that put it into perspective. I wish I had the exact words; I don't, so I'll try to paraphrase. If you used IE only in 2004, you were vulnerable about 60% of the time or 219 days out of the year. If you used FireFox only in 2004, you were vulnerable about 2% of the time or just 7 days. That is a staggering difference. They based their statements on the number of days between when a vulnerability was publicly identified and when M$ or Mozilla released a fix to the public. The recent release of Firefox 1.03 is a beautiful example.

Clearly, FireFox is currently more secure than IE based on this type of analysis. It might be possible that M$ could become more nimble and respond to vulnerabilities faster--and it's possible that pigs will fly.
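
The measure described in the post above (days on which at least one publicly known vulnerability had no released fix) can be computed as below. This is an added example, not part of the original thread: the function name is hypothetical, and the two products and all dates are constructed sample data, not figures for any real browser. It shows how a product with more reported flaws can still have far fewer exposed days.

```python
from datetime import date

def exposure_days(windows, year):
    """Days in `year` on which at least one disclosed flaw had no fix.

    windows: list of (disclosed, patched) dates; patched=None means the
    flaw was still unpatched at the end of the year. A flaw counts as open
    from its disclosure day up to, but not including, its patch day.
    """
    start, end = date(year, 1, 1), date(year + 1, 1, 1)  # half-open range
    clipped = []
    for disclosed, patched in windows:
        lo = max(disclosed, start)
        hi = min(patched or end, end)
        if lo < hi:
            clipped.append((lo, hi))
    clipped.sort()

    # Merge overlapping windows so a day with two open flaws counts once.
    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in clipped:
        if cur_hi is None or lo > cur_hi:
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total

# Constructed sample data: product A has fewer flaws but slow fixes,
# product B has more flaws but fixes each within days.
PRODUCT_A = [
    (date(2004, 1, 10), date(2004, 4, 10)),
    (date(2004, 3, 1), date(2004, 5, 1)),    # overlaps the first window
    (date(2004, 10, 1), None),               # never fixed during the year
]
PRODUCT_B = [
    (date(2004, 2, 1), date(2004, 2, 3)),
    (date(2004, 2, 2), date(2004, 2, 4)),    # overlaps the first window
    (date(2004, 6, 10), date(2004, 6, 15)),
    (date(2004, 9, 20), date(2004, 9, 21)),
    (date(2004, 12, 31), date(2005, 1, 5)),  # clipped at year end
]

if __name__ == "__main__":
    for name, data in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        print(name, len(data), "flaws,", exposure_days(data, 2004), "days exposed")
```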

FastLearner
04-20-2005, 01:16 PM
First I must say that I don't like the pro Fx (Fx is the suggested abbreviation for Firefox as per Mozilla) argument that just because IE has a larger user base, it is less secure. I don't think that argument holds any merit whatsoever, and I regard it as a myth. If the roles were reversed and Fx had a 90% user base and IE had 10%, I don't think we would be seeing too much of a difference, since the problems for IE lie more in design issues than anything else...

While it is true that there has not been one reported hijacking involving a Fx browser, it would also, IMO, be unrealistic to believe that if you surf with Firefox you are completely safe from the Internet's most feared predators. Clever malware authors will eventually find a way to break the Fx brick wall, and the unwritten rules of "safe surfing" should be adhered to whether you use IE, Fx, or any other browser. Also along these lines, none of my Fx homepage statistics even show up in a HJT scan, so how would I know for sure?

I think the argument here is design and the intent of the designers. Firefox is more secure, but for the simple reasons of simplicity in design and the fact that it puts the security of the users first. Not supporting ActiveX is a HUGE factor in my reasoning that Firefox is, in fact, safer. The problem is that many websites still don't support Firefox (notice I didn't say that the other way around), and this is certainly one of the main reasons I hear of people who have not yet "switched" for good. And rightfully so. I am also forced to use IE once in a while against my will, simply because there is as of yet no true alternative to ActiveX (except maybe arguably Java applets, but that's another topic for a different thread).

I am loving the fact that Firefox is giving Microsoft a run for its money (if you call taking 10% share away a damaging blow) but not because I dislike Microsoft or because I am an Open Source advocate either. I like this because it is good for the users (us). Anyone else find it funny that MS announced the release of IE 7 once it looked like Firefox was going to hold their own and Mozilla dropped support of the Mozilla browser in order to put all of its resources into Firefox and Thunderbird? This was no coincidence.

I think this sort of competition is great for the consumers and if IE 7 can prove itself to be more secure than Fx, then I will have no reservations about switching back. I am not tied to any one particular company or browser, and that leaves me with the freedom to choose the best product, whether it comes from Microsoft or another company.

But for now I am a proud Firefox advocate and user...:D

PrntRhd
04-20-2005, 03:26 PM
And of course MS would not be behind spreading FUD to blunt the advances either.
:rolleyes:

FUD= Fear, Uncertainty, Doubt

pop pop
04-20-2005, 06:02 PM
Classic can and will speak for himself but let me give you my take on the "larger user base=less secure" scenario. Being former military, let me put it in tactical terms (this is a war, after all): larger user base=more targets of opportunity; larger user base with vulnerabilities=more successful attacks on more targets of opportunity. And of course, the reverse is true. Taken in the aggregate, an IE user base IS less secure than the FireFox user base.

Now, speaking as an engineer, purely on a design level, comparing one browser side-by-side with another, IE is also more vulnerable than FireFox over time. Only if you could freeze IE and FireFox at a single point in time, and compare them one-on-one (not the total), could you find a solid case to argue that IE is or ever was more secure than FireFox. And as of today, you would have to find the perfect point in time to do that.

jlreich
04-20-2005, 07:51 PM
First, 15 vulnerabilities for IE, and 21 for Firefox is a rare thing. Second, the vulnerabilities in Firefox are most likely much less severe than those in IE. And as said before, Firefox is patched much quicker than IE. If I remember right, there are still security holes in IE that have been known for months, and still are without a fix.

Firefox all the way. :D

pop pop
04-20-2005, 08:53 PM
Just to finalize my thoughts on the "user base" points. One thing you have to keep in mind is the "motive" behind the spread of malware, in particular spyware, hijackers, and certain types of trojans. The motive is profit. These people are not 14-year-old hackers out to destroy your PC for kicks, they're people out to make money. So if you were out to make money using the world's personal computers and you had two choices: 90% of the world's PCs running IE that should be easy for you to take over, or 10% of the world's PCs running FireFox, which would you do?

You would go after the easy money.

Steve
04-20-2005, 09:01 PM
Firefox is safer because scumbags don't see it as a profitable target...yet. As Firefox gains more of a market share, it will become more of a target. Then we will be trumpeting the virtues of the next "new", "safer" browser. The time will come when IE will be the safe browser because no one will be paying any attention to it any more.

And such is the way of the internet...

IMHO, of course...