Firefox Update Brings Security Fixes
By Nate Mook | Published May 12, 2005, 1:00 PM
The Mozilla Foundation has released what it calls a "security update" to its flagship Firefox Web browser, which resolves three critical vulnerabilities. The 1.0.4 update comes just three days after two exploitable flaws were uncovered by security firm Secunia that were deemed "extremely critical."
The two flaws reported Monday were given Secunia's highest rating due to exploit code that was already in the wild. The first vulnerability stemmed from a bug that enables IFRAME JavaScript URLs to be executed in the context of another URL in Firefox's history list.
The second flaw involved the update mechanism used by Mozilla. An attacker could use the first Firefox vulnerability to run arbitrary code using the second vulnerability, potentially gaining control of a user's system, Secunia said in its advisory.
Firefox 1.0.4 also fixes another issue related to a flaw that was patched in version 1.0.3. The issue enabled JavaScript and Script objects to be run with potentially higher privileges than when they were created.
The Mozilla Suite was updated to version 1.7.8 in conjunction with the new Firefox release. All users are urged to download the latest update in order.
In accordance with its security practices, bug and exploit details will be withheld until May 18.
The fact is that if they can correct the flaws so quickly, it must have been a "dummy" mistake, and I don't know if I trust my browsing with "Dummies"
A Regular Joe :)
Score: 0
|Updates are necessary and expected for all software.
I loaded Mandriva Linux 10.2 yesterday. It was released only in late April. When I went to the update link, it found 342MB of updates. No way can MS beat that one ;-)
A security update to Firefox every few weeks isn't a problem. Linux might be though!
Score: 0
|Bla Bla Bla... use the one that suits you best. IE is great, and FireFox falls in a close 3rd. I'll leave the #2 spot open for discussion. Keep the ball rollin folks... it's caught up on which browser is better when it's plain as night and day.
Score: 0
|Delete of double post
Score: 0
|Troll. If you don't have anything constructive to add to the conversation, why post at all?
Score: 0
|pffft. this was the most intelligent thing said in this entire article: "Bla Bla Bla... use the one that suits you best."
Score: 0
|Is Firefox still safer than IE?
By Brian Livingston
The popular Firefox browser received a security upgrade, known as version 1.0.4, when the Mozilla Foundation released the new code on May 11. This upgrade closes a security hole that could allow a hacker Web site to install software without a visitor's knowledge or approval.
This is the fourth minor update to Firefox since the open-source browser's 1.0 release on Nov. 9, 2004. That doesn't seem like very many patches to me, compared with Firefox's dominant competition, Microsoft's Internet Explorer (IE), which is included in every copy of Windows. But I've heard a surprising amount of comment that Firefox might no longer be as secure as IE.
At Microsoft's Windows Hardware Engineering Conference (WinHEC), held in Seattle April 25-27, for example, an IE product manager made this case explicitly. Firefox had had (at that time) "three major releases," she said, while Internet Explorer 6.0 had had none. This statement was presented as though a lack of upgrades to IE was a benefit.
In fact, Microsoft has released at least 20 major security patches for Windows or Internet Explorer since November 2004. Most of these patches were rated "Critical," Microsoft's most severe security alert level.
The evidence I've seen so far indicates that Firefox remains much more secure than IE. But it's worth our time to take a closer look.
IE users were exposed for 200 days in 2004
Some remarkable statistics comparing the major Web browsers have been developed by Scanit NV, an international security firm with headquarters in Brussels, Belgium, and Dubai, United Arab Emirates.
The company painstakingly researched the dates when vulnerabilities were first discovered in various browsers, and the dates when the holes were subsequently patched.
The firm found that IE was wide open for a total of 200 days in 2004, or 54% of the year, to exploits that were "in the wild" on the Internet.
The Firefox browser and its older sibling Mozilla had no periods in 2004 when a security flaw went unpatched before exploits started circulating on the Net. With the latest 1.0.4 upgrade, Firefox has retained its "patch-before-hackers-can-strike" record so far in 2005, as well.
These statistics are so important to understanding the "attack surface" of the major browsers that we should break down this study into its individual findings:
• IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means IE had no official patch available against well-publicized vulnerabilities for 98% of the year.
• Attacks on IE weaknesses circulated "in the wild" for 200 of those days. Scanit records the first sighting of actual working hacker code on the Internet. In this way, the firm was able to determine how many days an IE user was exposed to possible harm. When Microsoft released a patch for an IE problem, Scanit "stopped the clock" on the period of vulnerability.
• Mozilla and Firefox patched all vulnerabilities before hacker code circulated. Scanit found that the Mozilla family of browsers, which share the same code base, went only 26 days in 2004 during which a Windows user was using a browser with a known security hole. Another 30 days involved a weakness that was only in the Mac OS version. Scanit reports that each vulnerability was patched before exploits were running on the Web. This resulted in zero days when a Mozilla or Firefox user could have been infected.
The Opera browser also experienced no days during which unpatched holes faced actual exploits, but Scanit began keeping statistics on Opera only since September 2004.
To see Scanit's visual timeline of these holes, exploits, and fixes, visit the firm's Internet Explorer page. On that page, click "Next Page" to see the timelines for Mozilla, Firefox, and Opera.
Firefox fixes take days, IE takes months
From the record to date, the Mozilla/Firefox team has shown that new security discoveries typically result in a patch being released in only a week or so.
This was certainly true in the case of Firefox version 1.0.4. The primary security hole that was closed by that version was unexpectedly publicized by the French Security Incident Response Team (FrSIRT) on May 5. The Firefox patch was released only six days later. (The apparent discoverer of the flaw, the Greyhats Security Group, had been working responsibly with Firefox's development team and criticized the leak.)
Perhaps the responsiveness of the Mozilla development group will shame Microsoft into fixing security holes much faster in the future. The situation has become so bad that eEye Digital Security, a respected consulting service, maintains an "upcoming advisories" page showing how much time Microsoft is allowing critical problems that are reported to the Redmond company to go uncorrected.
At present, eEye's count reveals that three critical unpatched issues currently affect Microsoft's products. None of these have gone unpatched longer than 60 days, the period after which eEye considers a patch to be "overdue." But some critical, widely-known security holes went as long as six months in 2003 and 2004 without an official fix being made available by Microsoft.
Another security firm that tracks security holes in IE, Firefox, and many other applications is Secunia, based in Copenhagen, Denmark. As of today, Secunia reports that there are still 19 unpatched security flaws in IE, the most severe of which is rated "highly critical." Firefox has only 4 unpatched flaws, all of which are rated "less critical" or "not critical," the lowest severity rating. Opera has none.
Microsoft officials often excuse their tardiness in fixing security holes in IE by saying that the code is so complex that any fix has a high likelihood of breaking something else. Well, who integrated IE so tightly into the operating system that the browser is so delicate? It's Microsoft's own poor programming that causes much of the software giant's very visible problems.
Microsoft employs some of the best software developers in the world. The company enjoys a cash reserve of $35 billion and is highly profitable. Yet a tiny company that builds open-source browser software is making the Redmond giant look foolish and incompetent in securing its products.
I have no particular attachment to the Mozilla Foundation or its products. If the foundation's browser software was a threat to Windows users, I'd say so. At the present time, several serious unpatched holes are known to exist in IE, while few or none plague Firefox. This isn't a religious issue, it's just a fact.
The foundation announced two weeks ago that they'd surpassed 50 million downloads of the free Firefox browser. The application is largely responsible for knocking down IE from a 94% market share in May 2004 to 87% in April 2005, according to OneStat. That's a remarkable accomplishment, considering that IE is free and comes preinstalled with Windows. Sites with a base of expert Windows users report much higher levels of Firefox usage.
How to keep Firefox upgraded
No matter how fast Firefox's developers update it, it doesn't do you any good unless you've got the browser configured to notify you of updates. This is a simple matter, but it's worth making sure you have it right:
• Enable update checking. In Firefox, click Tools, Options, Advanced. Ensure that the selection for Periodically check for updates is on, both for Firefox and for My Extensions and Themes. This is the default setting, so most Firefox users will automatically get notices of updates.
• Check for upgrades manually, if desired. You should see a dialog box informing you of new updates as the Mozilla Foundation releases them. There's a random delay, however, so every user doesn't try to download a new version on the same day. To check whether there's an update that applies to you, click the red up-arrow that's in the upper-right toolbar of the Firefox menu area.
• Download the latest version. If a dialog box tells you an update is available, close the window, then open Firefox's download page. If you want a version other than Windows U.S. English, click the Other Systems and Languages link and select your preferred version. Download the executable file to a temporary area of your hard disk, then close all apps (including Firefox itself) and run the installer.
It's no longer necessary or recommended that you uninstall Firefox before upgrading to a new version. A few glitches affected upgrades to versions 1.0.1 and 1.0.2, but this has been corrected since 1.0.3.
It's unfortunate that hackers are so attracted to browsers as a way to take over users' computers. But that's where the money is, as bank robber Willie Sutton once said. We have to accept a certain amount of upgrading as the price of using complex Windows applications. But we can reduce the threat to ourselves and others by using browsers that have a proven record of rapid, responsible development.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Score: 0
|well said. and usually I just totally ignore such a long post because it is usually full of drivel or some such. You presented the unskewed facts with your perspective on those facts and kept the whole thing entirely interesting and unboring.
BRAVO!
Score: 0
|Actually, there are thousands of security holes in Firefox and Mozilla. But they are kept secret.
"The public warning of the security vulnerabilities is evidence that the Mozilla Foundation's products give a false sense of security, says Thor Larholm, a senior security researcher with PivX Solutions in Newport Beach, California.
"The only reason Mozilla and Firefox have a good track record in security with a low number of security vulnerabilities is simply because they don't tell anyone about them," Larholm says via e-mail.
"The Mozilla Foundation has fixed hundreds if not thousands of security vulnerabilities over the last few years without notifying the world and without providing security patches, instead they have simply just told their users to upgrade," he says.
"We have to remember that all software has security vulnerabilities, the only difference is in how we anticipate them and inform the world about their existence.""
Score: 0
|I am not of the computer generation so many of the other comments about Firefox 1.0.4, although interesting + relevant, have no impact on me. All I know is that Firefox outperforms IE6 SP1 in every way: faster, more secure, fewer errors, extensions to make my browsing experience very specific to "me". In my non-technical opinion, Firefox just keeps getting better.
Score: 0
|I hope this thing fixes the problem I've been having the past few weeks... For some reason the Java extensions that I had to install a long time ago keep becoming infected randomly. I have everything updated, but I've found viruses in the zip files 3 times now, and the only way it could have gotten there is an unknown vulnerability that nobody knew about yet.
For those of you wondering it was a Trojan of some kind. I could look up what it was, but it's in my anti-virus vault as of right now.
Score: 0
|Firefox will have most of the problems IE has had. This is only the beginning.
Score: 0
|I don't think so...
Maybe this is the beginning of problems in bugs, but a lot of the problems with IE is that it allows or did allow any website to install an ActiveX application.
Firefox doesn't have ActiveX, but it does have Extensions, and by default, only Mozilla's site is allowed to install these apps. You must go in and add sites to the white list to be able to install.
Score: 0
|Firefox isn't IE. Why would it have the same problems as IE?
For the record, IE is (integrated) s***e.
Score: 0
|Agree, there is no difference between Firefox and IE. More and more security holes will be revealed.
james
http://www.7008000.com
Score: 0
|So IE users are saying that vulnerabilities can be found in FireFox
FF users are saying it's not the vulns that count, it's how quickly they get fixed.
You know what I say? I say I'm glad I use Opera.
Congrats on 1.0.4, looking good.
Score: 0
|If you think Opera has never had any security issues, I've got news for you. It does, it just isn't front-page news.
The fact is that browsers, especially nowadays, are so complex that there's bound to be something somewhere. I'm just glad it's fixed in a timely matter and that no one has ever "gotten hurt." This is true for both Firefox and Opera, both of which are great browsers, especially if you compare them to a certain other competitor.
Score: 0
|Was trying to be sarcastic there, but ok. Look, of course browsers are going to have vulns. Everything does. What's impressive is how quickly most browsers patch these flaws. Except for "that one".
And believe me, when Opera has a security issue, it may not be front page news for you, but it is for me.
Score: 0
|Impressive! I applaud their efforts to keep things up to date in a timely manner... hopefully they can keep up with it over the long-term.
On the other hand, for sake of hassle more than time, I don't like having to download the entire browser again... a patching method would be more efficient -- and it would be possible if they didn't put everything in a big, honkin EXE file instead of using smaller modular code like DLL's... a move that would also improve performance, I suspect.
Note: I can't wait to see how many people reply to me as if I'm trying to bash a product that I use daily and like very much, lol.
Score: 0
|sounds like patching is gonna come around 1.1.
Score: 0
|I too applaud their efforts on getting this fixed fast.
Although, I cannot understand the logic behind the security groups (Secunia in this example) that are publicly giving out the exploits in news groups/media. I commend MS for trying to take steps in developing a procedure to keep it limited to need to know. This was a "wild" rating and I commend that they (FF) had a work around almost instantly, I just don't like the way in which Secunia is releasing information.
Score: 0
|Indeed! Secunia's credibility was ruined a long time ago... their inability to handle security in a responsible manner is pathetic.
Score: 0
|Firefox 1.1 will have binary patching (aka sweet, simple, small, efficient updates).
Score: 0
|I am VERY impressed at the speed with which they fixed the holes. They saw a problem, fixed it and released the fix... unlike some companies which I will not name that see the hole and take their time fixing it because they only release fixes once a month or so LOL
I am bummed tho :( apparently something is missing in my new install of Icepack Linux. I downloaded the Firefox, properly extracted it and it won't install :( grrrr
Score: 0
|why would you need to redownload the whole program? can't ya just use the update? i am new to the pc world and hopefully don't sound as a dumb ass
Score: 0
|I use both IE and FF as both have their good points and bad. I too have been plagued by the trojans that all of a sudden show up in the JAVA file. I had this problem with both IE and FF but when I got rid of it IE still worked fine and FF seems to be crippled a bit.
Not sure what else FF has to support except for FF but MS, I am sure, has a lot more to support. So of course FF is going to come out with fixes faster.
Questions arise though, did FF fix this in 2 days and not test it before sending it out to the public or did they fix it in 1 day and test it for 1 day and then send it out?
If no testing was done what other holes did this patch open? Even if 1 day of testing was performed is that enough?
Remember FF will do anything they can to show up MS, this is not necessarily a bad thing, unless testing suffers.
No matter what, this is good for us, the consumer, as competition drives prices down and in this case drives quality up, since we don't pay for it.
So keep up the good work FF, make sure you test them patches though, and MS, well you better hurry up and get the next version of IE out because being stagnant will only be a negative.
Score: 0
|1 day, 2 days or 2 weeks, the length of test time really doesn't matter because no amount of testing prior to release will cover every possible problem that could arise because of an update patch.
Look at most major applications. They go through months to years of beta testing before releasing a product for sale to the general public. They take all that time not because they are dragging their feet, but because it allows testers as well as themselves time to discover how the program will act on as wide a variety of systems as possible - to see where problems arise in the areas of stability and security as well as to test out features.
I say if they tested the patch in house for a day and were satisfied it performed as they expected and desired then that is enough for me
Score: 0
|Firefox isn't one huge EXE. I see no fewer than *ten* DLLs (a little over 2 MB) in its root folder alone, plus many more in subdirectories.
IIRC, they changed what's separated into DLLs and what isn't between Mozilla and Firefox by "restructuring" a bit, and so I'm sure they're doing the best they can.
And it's still possible to patch an EXE; a patch doesn't need separate files to do its magic. That's why it's called a patch, because it's not a whole new file, it's a list of changes to a file (or several files).
Edit: I forgot to mention that, like others have said, they're working on patching for 1.1.
Score: 0