Internet Explorer 7 vs. Firefox 2.0: It's all about security (actually, lack thereof)



Barely a week has passed since Internet Explorer 7 and Firefox 2.0 were released to the public and already, the merits of one vs. the other are devolving into a discussion of which is less insecure (I chose those words very carefully). As it turns out, there are already vulnerabilities in both. In the case of Internet Explorer 7, the most recent of these vulnerabilities (ranked as moderately critical by security researcher Secunia) is, according to eWeek, an "old windows injection flaw" that "has haunted earlier versions of Internet Explorer since Dec 2004." Suggesting that the flaw may be too obscure to merit attention (I'll leave that to security whizzes like George Ou to discuss), eWeek noted that "The flaw remains unpatched in IE 6.0, suggesting that Microsoft may not consider it serious enough to warrant a patch."

Meanwhile, ZDNet readers are claiming that we're playing favorites by not giving Firefox's vulnerabilities equal airtime (headlines). According to a reader who goes by the handle of "PeterWeter," there may be other vulnerabilities in Firefox, albeit equally obscure ones. According to SecurityFocus's discussion of one:

Mozilla Firefox is prone to a remote memory-corruption vulnerability. This issue is due to a race condition that may result in double-free or other memory-corruption issues...attackers may likely exploit this issue to execute arbitrary machine code in the context of the vulnerable application, but this has not been confirmed. Failed exploit attempts will likely crash the application.

Another Firefox vulnerability is cited by the Department of Homeland Security's National Vulnerability Database as being of medium criticality. Says the post:

Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by redirecting the browser to another page, which leads to a concurrency failure that causes structures to be freed incorrectly...

My point isn't that either browser has vulnerabilities or that one is less insecure than the other. My point is how the conversation regarding these and other insecurities that you just know certain people are racing to find will very likely overshadow the conversation about why these browsers represent advancements over their predecessors. Instead of upgrading to them for their features, the first question will be, but are they secure? Answer: No software except for "Hello World" is 100 percent secure. Ever. Now, the conversation appears not to be about why I should upgrade to one of these. It's about why I shouldn't.

This will of course re-open the debate of what's more secure: commercially developed software or open source? So, there's no time like the present to get a head start.




Talkback

12 comments
  • Don't be so sure

    "No software except for "Hello World" is 100 percent secure. Ever."

    Actually, "hello world" is a lousy example, since it depends on a huge number of functions lower on the food chain that can be compromised.

    More seriously, your statement is also false in the sense that there *are* programs which can be verified by formal methods. Some are almost as complex as "hello, world," too.
    Yagotta B. Kidding
  • Open is more secure

    In the real world open-source standards rule the security world. SSH?? openPGP??
    mcritz
  • That flaw affects Firefox and IE

    "and "old windows injection flaw" that "has haunted earlier versions of Internet Explorer since Dec 2004.""

    It was actually originally found for Firefox. The flaw affects Firefox and IE7.
    http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840

    But we have to remember this is more of a behavior of web browsers in general that might be considered weak or potentially exploitable for social engineering attacks. Rating it "moderately critical" might be excessive considering the fact that this isn't as bad as the address bar spoofing weakness from last week which was ranked less critical.
    georgeou
  • Re: Internet Explorer 7 vs. Firefox 2.0: It’s all about security..

    So David,
    WHY are you not recommending another, more secure browser?
    You can argue which of IE vs FF2.0 is the LEAST SECURE until you are blue in the face, but nowhere in your article does it recommend an alternative.
    You and I both know that there is a better, faster, more secure option with a truly impressive feature list, but it needs some unbiased, non-political support from the tech media to get the message across.

    Surely your position within the tech community requires that you report ALL the options, good or bad, without bias? (or am I being a tad naive here?)

    Opera 9.02: http://www.opera.com
    Scrat
    • I've been having page rendering problems with Opera

      I've been having page rendering problems with Opera which is why I'm having a hard time recommending it.
      georgeou
      • OK, I wouldn't challenge that for a minute George...

        ...but please at least do some research as to WHY these pages are not being rendered properly.

        That is all I ask.
        Scrat
        • Easy...

          They conform to only one proprietary solution which is IE, and hence do not follow standards laid out by the W3C.

          They use products like Frontpage which are faulty.

          But I believe George actually had another valid point at one time. Can you change millions of people's habits, or change a browser to handle the "incompatibilities"?

          It's probably easier for the browser than it is for the people to be educated on proper CSS, XHTML implementation.
          ju1ce
      • I agree with you for once on browsers here....

        George actually has a valid point.
        ju1ce
  • Both the same thing, and now fixed (almost!)

    Both of these 'exploits' in Firefox 2.0 seem to be the same thing: a fixed flaw which leaves the browser open to a DoS attack which causes a crash:

    http://www.securityfocus.com/archive/1/archive/1/447840/100/200/threaded

    http://lcamtuf.coredump.cx/ffoxdie.html

    Both stories mention the ffoxdie.html test page which will crash Firefox 2.0.

    The story appeared in a BetaNews comment:

    http://www.betanews.com/article/Mozilla_Launches_Firefox_20_Browser/1161617884

    Unpatched flaw....exploit...Firefox 2.0 still vulnerable. In fact this flaw has been much commented upon. See here:

    http://blogs.zdnet.com/Ou/?p=352

    "The Firefox bug was considered critical and "fixed" last month but it seems strange that Mozilla would leave a crash condition in Firefox 2.0. Any kind of flaw that can cause an application to crash has to be alarming because it might be exploitable. It sounds like some modifications were made to make the exploit condition less exploitable but a crash condition still exists. When I spoke with Window Snyder last month on the phone, she made it very clear to me that Mozilla would not argue about what is a flaw and what isn't a flaw and that they would simply just fix it."

    By the way, the ffoxdie.html page and its mischievous JavaScript will also give Opera indigestion, but not actually crash it. (With Opera, I got 100% CPU usage for 247 seconds before the browser finally passed the page.)
    FreewheelinFrank
  • Trust is a bigger issue

    Which do you trust over the long term? Without competition Microsoft demonstrated a complete lack of interest in the customer and their needs; security, stability, reliability were of absolutely no interest to M$. When Linux, Firefox and Thunderbird etc. came out and were more secure, more stable and more reliable, and were taking away customers, then and only then did Microsoft start to improve. They have demonstrated that they do not care about the damage they do to their customers; only Microsoft's profits count to Microsoft. Open source forced Microsoft to at least pretend to care about the customers' problems, so why bother with Microsoft? You know that in the long term, should you be foolish enough to choose them, you will end up stuck yet again with unreliable POS products like Windows ME and Windows NT4. It is convenient for customers to have an OS monopoly because it simplifies all the purchases in IT hardware and software. Having a M$ monopoly proved disastrous, with acknowledged losses for everyone else in the billions (in total likely trillions), while M$ was laughing all the way to the bank.
    rtb
  • Security is NOT just about Browser Interface

    Performance, preference, and usability are also items to weigh in choosing a "default" browser. Firefox 2 is the definite winner in the "cool". It also does not have a native ActiveX issue that can still be enabled in IE7. Third party security software should be properly adapted from assorted vendors. This will lessen the likelihood of any one source of attack. Mix your browser, firewall, anti-virus defenses properly to prepare. Give yourself alternative methods to access online information (use multiple browsers, email, communications mediums). Don't place your security in the hands of ANY browser interface. Be prepared to change with the need.
    dmaster
  • This story contains errors!

    Slashdot fell for the same FUD and they were good enough to post a correction:

    http://it.slashdot.org/it/06/10/28/2115202.shtml
    FreewheelinFrank