It's funny. Ed Bott writes well. I like him. He knows Windows reasonably well but puts out a 'contentious' article.
Naturally, the comments were the typical mix, but I have to say the Moderators have been doing a tap dance with football cleats again and tore through the blog with deletions left and right, mine included.
Anyhow, I think I am safe with my comments here.
Personally, I think it's Microsoft trying to do damage control and prop up the 'image' of their security in general by making a showing and taking a position against Chrome and Firefox.
That's understandable but it's sort of like Pot meets Kettle.
I have a job to do and I am working cooperatively with both camps.
As for browser security in general here is my take:
o Microsoft feathers their own nest by putting Office and IE in a sandbox
o Microsoft Windows does not offer third-party developers any form of sandbox facility
o Google Chrome offers a sandbox (for Windows, but cannot guarantee it will not be compromised)
o Google Chrome offers an SUID sandbox for Linux which is reasonably secure insofar as stopping zero-day and other vulnerabilities.
o Linux offers Linux Security Modules (LSM)
o Ubuntu Linux uses LSM AppArmor as its sandbox facility
o Linux Developers can trust that their App will be protected by LSM and so not need to bolster their code with security features as is needed in Windows, for example Adobe Reader.
Personally, I use Chrome less than I do Firefox and given there is a standard profile for Ubuntu (/etc/apparmor.d/usr.bin.firefox) I trust LSM to do its job regarding security.
The patches for *whatever* is reported on a daily basis will come along if/as/when they become available in Ubuntu daily updates. I pay no attention to the 'noise chatter' on Zero-Day when it comes to Linux.
But I have to focus on the Zero-Day stuff for Windows b/c it's pretty problematic as far as security is concerned.
Windows security is so problematic that a recent article shows that the 'Father of SSL' has been so outspoken as to say "Windows is a terrible operating system...":
h-t-t-p://www.networkworld.com/news/2011/101111-elgamal-251806.html?hpg1=bn
Now, if you took the time to read the above link, you'd plainly see, the issue is not so much SSL as it is Windows 'accomodating' malware to perpetrate a unique exploit.
Had Windows kept the Malware from attaching in the first place, there'd have been no SSL hack.
So, I really have to laugh about the Internet Explorer thing--safe?--nah.
Is Firefox going to have a zero-day exploit tomorrow?
Maybe, but with Linux and LSM, it doesn't matter.
Thanks Steve.
According to Microsoft, Chrome on Linux only gets a 2.5 for security!
Microsoft has always been fond of paying analysts to say that its products are best, or having partners release reports showing how their rivals’ products are second-rate, and, now, Web sites that “show” how Internet Explorer (IE) is better than Chrome and Firefox when it comes to security. Really? Didn’t Microsoft just release yet another major Internet Explorer patch?
I quote from the IE patch update (MS11-081), which apples to all currently supported versions of Microsoft Windows and Internet Explorer and IE 6 as well: “The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Yes, that includes IE 9, the best and most up-to-date IE which is only available on Windows 7. Isn’t it funny how Microsoft claims that IE 9 is the most secure of its browser family, but somehow it has to have the same problems fixed that exist in IE 6, 7, and 8? Could it be that it’s really not that different after all from the rest of its historically insecure family?
If you go to Microsoft’s Web browser security “test” site, Your Browser Matters though, it will tell you that IE 9, with a score of four, is the most secure browser of all. Funny, it told me that it was the most secure both before and after the patch.
As for the other browsers, it informs me that Firefox 7.01 only rates a 2, and Chrome 14 gets a 2.5. And, this I might add, were my scores on my Mint Linux desktop!
How can they produce such clearly nonsensical results? It’s because they’re setting the rules on what’s important and what’s not. So, for example, Microsoft give IE full credit for its SmartScreen malware detection software. With SmartScreen, software that signed with a digital certificate that Microsoft trusts is allowed to be saved or ran. Chrome, on the other hand, blocks known malware, but lets you save unknown, potentially dangerous programs.
On the other hand, if you do download malware with Chrome, the program is still stuck in a sandbox, where it has very limited abilities to actually attack your system.
Besides that, Chrome automatically upgrades browser extensions as security fixes come out. Since programs like Adobe Flash are often used for attacks these days, and in Flash’s case there have been 17 significant patches in the last 16 months, I think automatic security updates for Flash and other potential problem programs are a big deal. While Microsoft acknowledges that it doesn’t provide these important features, it doesn’t take away any points for lacking them from its perfect score.
Interesting judgement call there Microsoft.
Johnathan Nightingale, Mozilla’s director of Firefox engineering, also has trouble with what factors Microsoft considers important and what it doesn’t. “Mozilla is fiercely proud of our long track record of leadership on security. We believe that being safe on the Web means having a robust browser that defends against malware and phishing, includes new technologies to help sites and users secure themselves, and a responsive security team that gets security updates out quickly and reliably. Microsoft’s site is more notable for the things it fails to include: security technologies like HSTS [HTTP Strict Transport Security], privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered,” said Nightingale.
Exactly so. Firefox has long been a leader in browser security. True, Microsoft has gotten a lot better about security, but Firefox was doing it when the horribly unsafe IE 6 was still the best Microsoft could do. True, today. you can make Windows and IE relatively safe. No, really you can. All you have to do is constantly and regularly patch it.
Those of us who use other operating systems, like Linux and Mac OS X, and alternative browsers such as Chrome and Firefox, can sit back and relax more. Don’t get me wrong. We must patch our software as well. As security guru Bruce Schneier points out, “Security is a process, not a product.”
Security also isn’t something though that you measure by a Web site that, when you get down to it, simply checks to see what your browser you’re running is IE 9 or not. Deciding what’s a secure Web browser a lot more complicated than that. Personally, thanks to Chrome’s auto-updating and sandboxing, I feel a lot safer running Chrome on Windows than I ever will running IE.
Related Stories:
Internet Explorer 9 haunted by ‘critical’ security vulnerabilities
Microsoft calls out Firefox and Chrome for security weaknesses
If your PC picks up a virus, whose fault is it?
Firefox 7: Better Memory Management, Meh Performance (Review)
Chrome 14: The best Web browser keeps getting better (Review)
Thanks for sharing 
