In a report that will surely start internet fires all over the world, Secunia is reporting that Firefox is the most vulnerable web browser that is widely adopted on the market today. "This year, Secunia published advisories for the four most widely used web browsers: Internet Explorer (IE), Safari, Opera, and Mozilla Firefox. 31 vulnerabilities were reported for Internet Explorer (IE 5.x, 6.x, and 7), including those publicly disclosed prior to vendor patch as well as those included in Microsoft Security Bulletins. Safari and Opera each had 32 and 30 vulnerabilities, whereas 115 vulnerabilities were registered for Firefox in 2008."
(warning link is a PDF)
The vulnerability count measures areas of a browser that require a patch to fix a hole that could be exploited by a malicious user to take sensitive data from the end user.
It's an interesting contrast to the widely held assumption that Firefox was the most secure web browser. According to this review, Opera appears to be the safest, but Microsoft's and Apple's web browsers are not far behind.
Does this mean that you should switch your browser out of fear? Not so: the study leaves out the human element, that the best defense is an educated user. If you are aware of what you are doing online and don't download Bonzi Buddy, you are one step closer to a safer web experience.
Update: Mozilla have responded to the report and you can read their response here. Interestingly, it appears Mozilla discloses all security issues, whereas other vendors tend to keep them secret, which would explain the big number differences.
















Doesn't this completely refute the previous article where the guy that hacked Mac OS X via Safari point blank said it was easier to exploit???
Once again... I'm a firm believer that all statistics does is confirm what the user "wants" it to confirm.
Exactly my thoughts!
No. The thing about the Safari on OSX hack was that it was on OSX, not that it was Safari.
OSX doesn't properly implement any of the newer anti-exploit technologies that Windows and Linux do, and as such, if you have a vulnerability in any piece of software there, be it Firefox, Safari, whatever, it's easier to crack open and do something with.
I took an entire college course that studied slanted statistics....it's amazing, if you're looking for a result it's easy to set up a test to prove your results
It's also a hell of a lot easier when all parties involved are not represented fairly.
Seriously, this may not mean you'll end up getting a virus if you use Firefox, but the way you are ignoring the news presented is just too fanboyish.
If this is your original analysis of the report, you just participated in slanting!
Secunia is not "reporting that Firefox is the most vulnerable web browser that is widely adopted on the market today.", as stated in the opening paragraph of the article. The chart is the first chart in the report, and is just one metric that is looked at.
I posted this already in the forums, but will repost it here, since this is the same subject, just in a different location.
And a chart that shows how the vendors Microsoft and Mozilla have responded to 0-day exploits that were publicly announced without responsible disclosure to the vendor. IE's were more severe, yet were either unpatched, or took a lot longer to turn around a patch.
The remainder of the report focused on overall market, and did not separate browsers.
Wrong.
Besides, a hole is a hole, it's a capability of being breached whether or not it can be used or not.
I've been saying this for years, and I'll say it again, FireFox machines are the most infected machines that I get in to fix and remove spyware/viruses...
Firefox, it's not CamelCase.
What reasons do you see for Firefox getting infected more - I mean, is it the browser, the browsing habits, or the user being stupid?
It sure is
And you inspect each patch and know only one thing security vulnerability was fixed in each patch right?
Please show me where Microsoft/Opera/Apple disclose vulnerabilities that were found internally before release?
A combination of all three, I imagine. Think about the simple fact that users, educated or not, will use Firefox with an Apple Complex: "I'm perfectly safe, I'm not using Microsoft." If you market a product as being more secure, people will dump caution and click anything without thinking twice.
I mean, what do you expect? How should Firefox be marketed?
"Firefox! More secure, as long as you browse intelligently and don't click mysterious links and don't install software offered by pop-up ads..."
Really, the same 'safe habits' people need to use to make Firefox secure are the same habits that would make ANY browser (including IE) just as secure. In other words:
Browse safely, and use whatever the heck you feel like.
Actually, he would be right.
LOL
Haha, I love random 1 liners like that in serious discussion. They're always so unexpected (:
*giggle!*
http://www.microsoft.com/technet/security/bulletin
because every time I see someone use Opera
they switch back due to websites not working correctly in it...and their engine requires special code for sites like Gmail that work perfectly in other browsers
simple things like websites that receive right clicks Opera won't support..right clicking on menus they REFUSE to add, and without an easy built-in ad blocker like Fx and extensions I can't imagine Opera ever becoming popular
on a side note, i wonder what chrome will be on that chart next year
This is because those websites code around Firefox and IE, not Opera.
It's not because Opera has flaws in its design, unless you count following the standards more strictly a flaw (which, you can, but not to a particularly great extent).
Last edited by Kirkburn on 15 Apr 2009 - 18:41
No offense, but that's incredibly vague.
Opera's big problem is that it tries to branch in all directions. It's got an e-mail client, BitTorrent client, widgets etc. but none of those are anywhere near as good as programs dedicated to just that one thing. That, combined with the very customizable but often quirky UI are the main things keeping me away. Opera Software is great at coming up with truly usable new features (often quickly adapted to other browsers) but they can't seem to mend all that into a coherent whole, there's little bugs and annoyances all around Opera 9. Hopefully they'll overhaul the UI for Opera 10.
I had no serious problems with page rendering with Opera 9. As for speed, haven't compared it to FF3.1/3.5 but Opera has always been very fast at actually rendering pages as well as starting up.
See that's what bugged me too about Opera: too much stuff. I'm not the sort of person to complain about bloat (it makes me feel like one of those anti-MS weirdos), but I never bothered with their email client--it had nothing to offer me--and I LOATHE the included torrent client and how irritating it is to disable it.
The best thing Opera could do for their browser is trim out the clients that are inferior to almost every other free option out there, make the GUI (Mozilla, pay attention here too) more in line with the OS on which it's installed, and stop suing people for crying out loud.
Oh and, uh, change the icon. It's time.
I don't disagree with you
but that excuse doesn't fly in the real world, or for the average user
telling a customer "the internet needs to change their ways because we're right and they're wrong"..that customer is gonna go with a browser that DOES work with everything
I really like Opera, but they aren't competitive and they constantly hide behind the web standards excuse..when they are in no position to encourage anyone to follow them
says who?
opera has up to 50% market share in some countries.
don't trust the liars at net applications.
actually, the email client is easily the best there is. and the convenience of having it built in is amazing.
nonsense. opera actually has a coherent whole, as opposed to bolted-on firefox extensions.
silly thing to say.
all that stuff is hidden or deactivated unless you actually start using it, so you won't even notice that it's there.
that's just a BLATANT LIE.
opera was designed from scratch with compatibility in mind.
they do NOT use web standards as an excuse.
opera's excellent standards support is NOT what's getting in the way of compatibility.
please STOP spreading the lie about opera hiding behind standards, because it's just untrue.
[citation needed]
35%: http://gs.statcounter.com/#browser-RU-dail...01-20090416-bar
49%: http://gs.statcounter.com/#browser-BY-dail...01-20090416-bar
really
every time I've posted a site that works in Fx and IE on the Opera forums, their reply has always been "That site is coded wrong, it's not standards compliant"
Yes they have compatibility in there, but not enough obviously
LOL, yeah, opera is like apple fan boys, if it's wrong, this is probably someone else issue
Actually previous versions of Opera (like 6, 7 and
really?
how about you show me these threads, eh?
also, show me that OPERA said that, and not just some random ignorant forum moron.
says who? do you even know the most common cause of compatibility problems? BROWSER SNIFFING! as in, the site sends different content to opera which doesn't work.
First, it covers 2008. Publishing date is meaningless.
Second, IE8 wasn't released in 2008.
They still have to patch them. While they could patch multiple issues at once every so often, it wouldn't reduce the number of patches by that much.
Well yeah but Mozilla has one bug report per problem and anyone can read them. How about IE? Who is to say that one of their patches actually patches just one security vulnerability and not 50? No one because Microsoft isn't open source and/or has their bug database publicly viewable by the world.
I hate the fact that people assume open source means it's somehow easier or more likely to discover security holes. F/OSS has mountains of security holes, as does closed source software. Did you not hear about the SSL certificate problem whereby if you generate an SSL cert on Debian you can guess the crypto key...
Neither closed nor open models are perfect and both have their security holes. I won't bother providing you a link to Secunia's list of holes in an open source app or platform of your choice.
My point was that the list combines both Mozilla's disclosed and 3rd-party-found vulnerabilities that were found in Firefox, unlike the other browsers where only the 3rd-party-found vulnerabilities were disclosed....very, very skewed numbers.
But you could take that to paranoid extremes so easily. It rules out any possibility of honesty from Microsoft. Even if MSIE went opensource and the numbers stayed consistent, you could simply say something like "NOW the low numbers are accurate. they were higher and kept secret before, but thanks to open source they can say they're low without lying".
The reality is, some people will flat out refuse to acknowledge the possibility--the *possibility*--that Firefox has more vulnerabilities than closed source. People who can't even be shown proof because they can twist it into somehow being a conspiracy. People for whom, as long as Firefox is open and alternatives are closed, Firefox will inherently remain a result of superior programming.
It's childish, really.
Yes because there are oh so many people who I always hear say "WOW Firefox is great because I get to see code I know nothing about!"
Which was easily tracked down to a patch from a Debian dev.
Now try finding out that kind of stuff on closed source.
You would be incorrect, sir. There are plenty of very knowledgeable Internet Explorer users out there. Like the developers, for one.
Please, attack the arguments, not the people.
Number of vulnerabilities by browser plug-in, 2008
Figure 4: Number of vulnerabilities in various browser plug-ins and add-ons.
Firefox Extension: 1
Opera Widget: 0
ActiveX: 366
Java: 54
Flash: 19
QuickTime: 30
Page 11.
How could that be!?
IMO, IE 6 wasn't any good, IE 7 only marginally better, and IE 8 caught up to others in some respects, and actually surpassing them in others.
You also need an internet connection
j/k
Brad, how about also linking to Mozilla's response instead of just creating a crap storm without all the facts.
Use the "report a problem" link at the top, it's what it's there for. (And I have done so).
yeah, all the firefox fanboys are scrambling to come up with excuses.
Bottom line. Viruses and spyware is a user problem. You don't have to install the XXXviewerTool to watch free porn videos. You didn't receive an e-card from a friend. You didn't miss a shipment and the details aren't in that attachment. You didn't win the lottery in Australia. You don't have to look at a bunch of cat pictures in the attached powerpoint file. You don't need the weather on your desktop (look outside). You don't need to change your screensaver for xmas.
Hell, you don't even need winzip to view and create zip files.
People just don't know any better.
It doesn't matter what browser you are using!
If you don't have protection, how would you know if you've got infected.
No, I don't believe running web detection routines every couple of months counts.
I fix spyware and virus problems as part of my living, so I am pretty keen on spotting them and their symptoms.
Not every virus or worm gives you "weird popups" or slows down your system. Some just hijack your machine and sit there as part of a bot network. Others sift through your online banking and online shopping history looking for credit card numbers and private financial information, turning your PC into a datamine for identity thieves. And others just **** with you for the fun of it. (and that's just the snowflake on the tip of the proverbial iceberg). Good luck trying to protect yourself from all those threats by yourself.
Every day I curse my work PC (running XP) for how slow it is for a Core2Duo machine w/ 3GB RAM and all I can think of is that it must be because of the F-Secure crap running on it.
The biggest "hole" with any software is the user itself. I've run into lots of people who will click just about anything without any common sense at all. I was relieved when some of them bought a Mac, mainly because at least then they just can't run all that Windows malware. Since IE is the default browser for Windows, it's no surprise that there's a bigger share of idiots using those browsers than there's in the group running Firefox, Opera, Chrome or Safari.
Tell you what. I will install the Nod32 that I install on the computers at work and if I find something I will give you $100. If it doesn't you give me $200.
Deal?
Because - obviously - everyone knows as much about computers and online safety as you do.
But, let's just assume that people don't - that's where having a browser like Firefox would come in handy. I'm far from being all over the Mozilla 'bandwagon' so to speak, but it's statements like the above that just irritate me. Firefox IS more secure than say IE, even IE 8 which I know has made strides in that category as well as others.
You are a minority in the online world. The majority does not conform to the minority.
My point is that it doesn't matter the browser. The "majority" will still open attachments in email. The "majority" will still install Limewire or stupid little programs that do cute things. The "majority" will still install pirated software increasing their risk for infection.
None of those things have to do with the browser.
And currently most infections don't even come from browser exploits. They come from USER EXPLOITS. If a user sees a flash popup described as a windows dialog box and they get tricked into installing something it is still not a browser problem. If a user is looking at porn and the site tells them they must download this viewer or app to look at the content and the user installs it... it is still not a browser problem.
If I had to guess, based on my direct experience with customers that were infected, 99% of the infections were caused by something the user did, or was tricked into doing.
The "majority" will still open attachments in email. The "majority" will still install Limewire or stupid little programs that do cute things. The "majority" will still install pirated software increasing their risk for infection.
Wow man, you hit it spot on. Hope you don't mind me quoting you on that in the future.
Despite the stupidity of the majority, I must say they do a wonderful job in giving us work to do.
Don't get me wrong, I understand why some people use virus protection. They want to be safe and secure. What I can't understand is why my computer-expert friends always say it's totally crazy and tell me my computer must be full of some really scary stuff. It's totally my own choice and not the worst one you could make! I mean, seriously, the worst thing that could happen is somebody hacking into my bank account, but that's just not that easy if you always log out and you have a changing password every time you log in. Oh, and I use Firefox because I like it.
A colleague in the office doesn't use one either. He also turned off scanning on his business laptop which annoyed me. Of course he ended up with a virus on it.
Run a HouseCall scan and see what it finds? http://housecall.trendmicro.com
How can I do this without WinZip? Can you please help me learn it or let me know where I can learn it?
I hope you would like to make others as educated as you, too.
http://lmgtfy.com/?q=create+zip+files+with+windows
I'm guessing that adicted was laying the sarcasm on REAL thick, but you seem to have missed it entirely.
Not very many people use Windows 98 anymore. XP, 2000, Vista etc. wouldn't allow an actual virus infection. 99% of the "viruses" out there today aren't viruses, but trojan horses. Which are not nearly so destructive.
I have found NoScript a hindrance sometimes, and hate having yet another application on my system.
Don't use NoScript? It's not required by any means.
Unless Chrome, Opera, and Safari (for windows) start installing themselves by default onto OEM machines, the road to catch firefox will be tough.
So for as long as I can get those only on Firefox I'm sticking with it. I'd love to use Chrome or IE8 but I just cannot part with NoScript and ESPECIALLY AdBlock.
Perhaps because Google Chrome runs on an outdated version of WebKit? And WebKit falls under the same umbrella as Safari?
As for the article at hand, it's easy to grab some statistics and use them to slant the article in one direction.
Seems those that didn't look at the PDF may have missed this bit of information as well.
For browser plug-ins, the number of vulnerabilities in ActiveX controls in 2008 remains by far the most significant, at 366.
Or what about this?
This table considers only those vulnerabilities publicly disclosed without or prior to vendor notification. The number of days unpatched are in red for those vulnerabilities that are still unpatched as of 31 December 2008.
I don't know about you guys, but that doesn't look good on Microsoft's behalf at all. But hey, instead of talking sh-- to each other, why don't we sit back and realize what I believe to be the overall truth despite whatever operating system or browser we use: stupid people will always do stupid sh-- and simply find ways to screw up their computer. It NEVER fails. And if it did, I suppose many of us would be out of a job, eh?
1) Scare people into thinking that Firefox is full of holes
2) Sell them software they don't need to patch holes that don't exist.
3) Profit!
YIKES
They have a free evaluation tool as well - that tends to call everything installed on your system a security threat. Even worse than AVG in creating panic-like symptoms to get you to buy their paid version. And here's one from their EULA:
3.3 We reserve the right to monitor your usage of the Software and the Website Service in order to verify that your usage comply with these terms and conditions.
Sounds like spyware to me. So, before putting any type of weight behind a report like this, make sure to look at the company and reasons for their report.
http://blog.mozilla.com/security/2009/03/0...ecurity-metric/
I stopped taking secunia seriously a long time ago.
If there are more holes there are more to exploit and I am sure this won't come as welcome news to a browser company that basically lauds their browser as one all encompassing piece of spyware, and virus protection
the best defense is an educated user
Of course this is true but it sure is nice to have something like this to throw in Mozilla's face as it spews out utter garbage about being the "safest" or "most secure" browser. Maybe they could consider spending less time on their high horse and more time fixing problems in their software?
True, they should indeed spend more time fixing all those unfixed vulnerabilities from the report.
Oh wait, they are all fixed already!
I don't know about these so-called vulnerabilities they counted, but I haven't had any security problems with Firefox in all the years of using it. Firefox makes it much more difficult than IE to accidentally download malware or be phished. IE7 improved, but IE8 turned out to have a bunch of new issues with rendering and other bugs, so why even bother?
Just curious and think clearly before you read it on digg or Neowin or other news site about this little question.
Before today Has anyone else heard of "Secunia?" when they released this report?
or the other one that stated last year that firefox was the top of the Vulnerable list (Bit-9)
see this post
http://www.neowin.net/forum/index.php?show...amp;p=590344574
Just curious.
And I use Linux which does not have Active X so they didn't even bother testing before releasing this news. Now don't get me wrong it may have some issues with flash or even some with java. But they didn't bother even testing it on OSX either.
Yes anyone who keeps himself up2date on software security has certainly heard of them. They got a big vulnerability database.
They released some good scanning and update software too.
This shows that even some of the coolest browsers aren't always as secure as you think...
Obviously, MS has really improved IE security.
No browser is inherently secure or flawless; it's the browsing habits that determine security.
You'd think people were talking about each other's mothers.
Got me for a minute there.
Who didn't know this already?
Apparently it is easier to pay Secunia instead of fixing the mess.
Firefox named most vulnerable Windows application
Which was another flawed article that was debunked back then.
That one went to rate how vulnerable an application was just counting released patches, remember?