Firefox's security coming under scrutiny
SecurityFocus, 2005-05-12
Mozilla developers say that the browser had security built into the design, but that has not stopped flaw finders from pinpointing problems with Firefox.
"Mr. Lemos, you should be careful to avoid indicting Firefox as buggier than Internet Explorer."
Um, this article never made the assertion that "Firefox [is] buggier than Internet Explorer." It did say the following: "For the last six months of 2004, researchers found more vulnerabilities in ... Firefox than ... Internet Explorer, according to Symantec's ... Internet Security Threat Report. The report tallied 21 vulnerabilities for ... Firefox versus 13 for Internet Explorer." These are all statements of fact - like it or not.
"Paul is incorrect to state that SP2 reduced the vulnerability of IE to attacks. The truth is, Microsoft's "Local Machine Zone Lockdown" simply changed the methods that attackers must use to exploit the browser. Right now, no such methods have been found. At least, not by the interested community. They do exist."
This paragraph sounds like the jealous denial of reality by a rabid fan. The operative term being disputed is "REDUCE", not "ELIMINATE". While other methods of attack might be discovered (though the author acknowledges that none have been found yet), putting the Local Machine Zone Lockdown in place does, as a statement of hard fact, REDUCE the number of attack vectors for IE and, hence, its vulnerability. Saying otherwise would be like trying to argue that the Pope isn't Catholic.
"In much the same manner, Firefox will slowly begin reducing the level of access that software installs (the source of the "arbitrary code execution" vector of most of the attacks) have to the system."
So, after arguing that the Local Machine Lockdowns don't fix anything vulnerability-wise, the author now argues that Firefox will eventually, someday do the same thing? Why should they go down this road if it doesn't reduce vulnerability to attacks like the assertion made earlier stated?
"Also, Mozilla has Microsoft beat on one key point that isn't related much to design at all. The fact is, Mozilla is many times faster in plugging the same severity of flaw than Microsoft is. That's something that is very valuable when you have zero-day exploits like the one recently uncovered in Firefox."
That might sound all good and wonderful, but when a "zero-day exploit" actually takes place, how many working copies of Firefox will have ACTUALLY BEEN UPDATED? The key point is not just how soon the fix is made - it's how soon the fix is implemented within the user base. With that factored in, I think Firefox and IE have similar response times.
The author of this post made several legitimate points, but much of it got lost in emotional mischaracterizations of both IE and Firefox in terms of security. A simple acknowledgement that IE has made good strides security-wise (including SP2) and that Firefox does have security issues that, though expected, should be reported and discussed will go a long way. I don't expect Firefox (or any organization's product) to be perfect. I also don't expect a discussion of such flaws for a product whose use is as far-reaching and widespread as a web browser to be seen as an inherent attack on the organization. Articles detailing flaws in IE are seen as legitimate by all parties, so too should articles detailing flaws in Firefox.
-- Daryl Shockey
Link to this comment: http://www.securityfocus.com/comments/articles/11155/31883#31883