09/21/2005: In re Firefox: facts or FUD?
I subscribe to a number of techie mailing lists. One of the headlines in this afternoon's list (linked to one of ZDNet's blogs) immediately caught my eye: Is the Firefox honeymoon over?
Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week's premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.
This paragraph is followed by a number of graphs purporting to show how Firefox is being attacked more and more every month.
My first reaction when I see one of those pieces is to ask myself how much Micro$oft paid that particular shill to write that. Once I got past that, I started mentally to compose my defense of Firefox (more as an exercise), when I began reading some of the comments to that post, and I realized that (of course), someone else had said it better than I could, and pointed me to some data I didn't know (or, if I knew it, didn't know where to back it up).
Before one runs screaming in horror to Internet Exploder as one's default web browser, let's examine two webpages from Secunia, the software security firm.
First, Vulnerability Report--Microsoft Internet Explorer 6.x:
Vendor: Microsoft
Product Link: View here
Product Affected By: 85 Secunia Advisories
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 19 out of 85 Secunia advisories are marked as "Unpatched" in the Secunia database.
Now, let's look at Vulnerability Report--Mozilla Firefox 1.x:
Vendor: Mozilla Organization
Product Link: View here
Product Affected By: 23 Secunia Advisories
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 3 out of 23 Secunia advisories are marked as "Unpatched" in the Secunia database.
So... Let me see here.
Internet Explorer: 85 known vulnerabilities. 19 of them are still unpatched. And the worst of those unpatched vulnerabilities is considered "highly critical" by Secunia.
Firefox: 23 known vulnerabilities. 3 of them are still unpatched. And the worst of those unpatched vulnerabilities is considered "less critical" by Secunia.
Well, I don't know about you, but I know which of those two browsers I think is more secure. HINT: it's most certainly not the one you'd associate with Bill Gates.
Below the fold, a few pertinent comments from a ZDNet commenter:
IE 6 was released on October 25, 2001. Firefox 1.0 was released November 9, 2004. Firefox is LESS THAN 1 YEAR OLD! Internet Explorer 6 has been floating around for 4 years and hasn't been actively developed in over a year and a half. It's a 1.0 version, people! Security patching near the beginning will spike, then trail off, naturally, as the browser has a chance to steep. Firefox is in that spike period. IE 6.0 is in coast mode of near zero development.
==================
IE 6 - 222 security patches since release
Firefox - 52 patches since release, only 13 critical
==================
As of this month [September, 2005], SecurityFocus reports 2 unpatched vulnerabilities in Firefox 1.0.6, versus 56 unpatched vulnerabilities in Internet Explorer 6 on Microsoft Windows XP SP2.
I'd say the IE 7 team has their work cut out for them. It's also clear that the Mozilla team patches the holes immediately. The IE team has left known critical vulnerabilities lie for over a year. Unacceptable!
I also see conflicting reports of IE's exact number of patched and unpatched vulnerabilities. That's because MS buries their bug list. At least, with Firefox, they are made publicly available. There is nothing to hide. We can log on at any time and see all outstanding bugs. What a fantastic way to develop software! Who can actually say, with all certainty, that IE's unpatched vulnerabilities lie at any given number? That's only the number the public knows about.
Len on 09.21.05 @ 09:45 PM CST