Firefox's security coming under scrutiny
Robert Lemos, SecurityFocus 2005-05-12

Mozilla developers say that the browser had security built into the design, but that has not stopped flaw finders from pinpointing problems with Firefox.

Firefox's security coming under scrutiny 2005-05-12
Matthew Murphy (3 replies)
Mr. Lemos, you should be careful to avoid indicting Firefox as buggier than Internet Explorer. It most certainly is not. Yes, vulnerabilities have been found in Firefox, but that was to be expected, was it not?

Given the fact that no major software product (open or closed source) on today's market has completely avoided vulnerability, flaws in Firefox were to be expected. While Mozilla cannot claim Firefox to be immune to threat (and they never have), they should sleep easy with their claim that it is more secure than IE.

Many of the vulnerabilities uncovered in Firefox were found as a result of detailed code analysis -- something not possible with IE's closed-source development model. Also, the vulnerabilities of Firefox are inherently less risky than those of Internet Explorer because IE is tightly integrated into the OS. Because of all the different ways IE has been embedded into common applications, its vulnerabilities pose more risk. Firefox, as a standalone component, is more easily isolated from the rest of the system (e.g., by running it under different user accounts).

So even if one is to assume that IE 6.0 is just as secure in terms of pure vulnerability discovery as Firefox (a laughable assertion), IE is inherently less secure.

Paul is incorrect to state that SP2 reduced the vulnerability of IE to attacks. The truth is, Microsoft's "Local Machine Zone Lockdown" simply changed the methods that attackers must use to exploit the browser. Right now, no such methods have been found. At least, not by the interested community. They do exist.

In much the same manner, Firefox will slowly begin reducing the level of access that software installs (the source of the "arbitrary code execution" vector of most of the attacks) have to the system. This is far more easily done in Firefox than in IE, where different environments (the Shell, HTAs, the browser, just to name a few) need different privileges.

Also, Mozilla has Microsoft beat on one key point that isn't related much to design at all. The fact is, Mozilla is many times faster in plugging the same severity of flaw than Microsoft is. That's something that is very valuable when you have zero-day exploits like the one recently uncovered in Firefox. The Mozilla Foundation doesn't need to wait until attackers are trojaning legitimate sites to exploit their browser's vulnerabilities before they act. As Microsoft have demonstrated time and time again with IE, it's all fun and games until someone gets hurt.

Firefox's security coming under scrutiny 2005-05-13
Anonymous (1 reply)
doesn't surprise me 2005-05-13
mmm
Firefox's security coming under scrutiny 2005-05-13
Paul (Greyhats)
Copyright 2009, SecurityFocus