Is the Firefox honeymoon over?
Summary: Firefox mostly managed to stay under the radar from hackers before April of 2005. Since that time, new exploits are being released almost on a monthly basis.
[Updated: 9/16/2005 7:22PM] Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week's premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Over the last seven months Firefox has not only logged more vulnerabilities than Internet Explorer, it has also surpassed Internet Explorer in the number of exploits available for public download in recent months.
Update: A lot of people have complained that I didn't list the number of actual "in-the-wild" attacks against the two browser platforms. The problem with this complaint is that they either didn't read the entire article or they don't understand what I meant by "published exploits" in the second chart in this blog. When I say published exploit, I mean a downloadable script or source code that can be used to attack real, live browsers in the wild. These are not simple advisories that talk about certain theoretical exploits. Published exploits are basically freebies for professional hackers and script kiddies to use in the wild. Unpublished exploits have to be bought in the underground Internet, and I don't list them here because I have no way of knowing how many there are. If anyone is wondering why I don't include any links to the exploit code, that isn't a mistake. It is our policy not to link to exploit code.
Here is a breakdown of recent vulnerabilities:
| Month | Firefox 1.x Vulnerabilities | IE 6.x Vulnerabilities |
|---|---|---|
| Sept 2005 | 1 | 0 |
| Aug 2005 | 0 | 4 |
| July 2005 | 10 | 1 |
| June 2005 | 2 | 1 |
| May 2005 | 3 | 1 |
| Apr 2005 | 9 | 3 |
| Mar 2005 | 15 | 0 |
| Total | 40 | 10 |
Note that this is not a count of the number of advisories because advisories can contain multiple vulnerabilities. This is a count of the actual number of vulnerabilities.
Here is a breakdown of recent published exploits:
| Month | Firefox Exploits | IE Exploits |
|---|---|---|
| Sept 2005 | 1 | 0 |
| Aug 2005 | 0 | 3 |
| July 2005 | 4 | 1 |
| June 2005 | 0 | 0 |
| May 2005 | 4 | 0 |
| April 2005 | 2 | 2 |
| Total | 11 | 6 |
Note that I won't publish the links to these exploits here.
As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005. Since that time, new exploits are being released almost on a monthly basis.
Talkback
Honeymoons aside...
To make this comparison fair, you should be talking about the nature of the exploits as well as the amount, and maybe account for frequency of exploits averaged over the age of each browser.
The exploits are designed to own your computer
Don't even tell me that Firefox wasn't marketed as the cure to IE because of "better" security. I guess Opera is still pretty clean, but it isn't free and it breaks formatting on my own webpages so I stay away from it.
Best thing to do is use DropMyRights on any Internet Browser.
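The comment above recommends DropMyRights, which launches a program under a reduced-privilege token so that a browser exploit lands in a process that cannot write to HKLM, Program Files or system32. The following is an added example, not the page's content and not DropMyRights' own code: it uses the built-in runas.exe "trust levels" (the same Safer token mechanism DropMyRights calls) to get the same effect. Assumptions: Windows XP or later with runas.exe and whoami.exe available; the Firefox path is a placeholder and the function name is this example's own.

```powershell
# Added example (not from the original page or from DropMyRights): run a program under a
# reduced-privilege token using the Safer "trust levels" exposed by runas.exe.
# Assumptions: Windows XP or later, runas.exe and whoami.exe present, placeholder browser path.

function Start-BasicUserProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,                   # full path of the executable to launch
        [string] $Arguments = '',         # optional command-line arguments for it
        [string] $TrustLevel = '0x20000'  # 0x20000 = "Basic User" (SAFER_LEVELID_NORMALUSER)
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Executable not found: $Path"
    }

    # runas takes the whole target command line as ONE argument. The path itself is
    # quoted (it may contain spaces) with backslash-escaped quotes, and the entire
    # command line is wrapped in quotes again for runas.
    $target = '\"' + $Path + '\"'
    if ($Arguments) { $target += ' ' + $Arguments }

    # /trustlevel does not prompt for a password: runas reuses the caller's logon session
    # and derives a restricted token in which BUILTIN\Administrators is marked
    # "deny only" and almost all privileges are removed.
    Start-Process -FilePath "$env:SystemRoot\System32\runas.exe" `
                  -ArgumentList "/trustlevel:$TrustLevel", ('"' + $target + '"')
}

# 1. See which levels this machine offers (typically 0x40000 Unrestricted and 0x20000 Basic User).
runas.exe /showtrustlevels

# 2. Inspect the restricted token before trusting it with a browser: the cmd window that
#    opens should list BUILTIN\Administrators as "Group used for deny only" and only a
#    handful of privileges compared with a plain "whoami /priv" in your normal shell.
Start-BasicUserProcess -Path "$env:SystemRoot\System32\cmd.exe" `
                       -Arguments '/k whoami /groups && whoami /priv'

# 3. Launch the browser itself under the same reduced-privilege token (placeholder path).
Start-BasicUserProcess -Path 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

The check in step 2 is the part worth keeping: a restricted token that still shows Administrators as an enabled group means the Safer level was not applied, and the browser is no better off than before. Note that this only limits what the process can write; it does nothing about the browser vulnerability itself, which still needs the vendor patch.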
Some exploits are easier to prevent than others
Are you suddenly so extreme about vulnerabilities to the point of saying that all are equally evil?
This comes as a surprise, considering how you think that "worms are good for security".
Since most....
Firefox doesn't use ActiveX. Just that simple.
One more thing....
Last I checked
No Mozilla ActiveX
http://www.iol.ie/~locka/mozilla/control.htm
Mozilla itself won't support ActiveX, but the users who use Mozilla as an ActiveX control are allowing themselves the inheritance of the flaws.
Running ActiveX w/ Mozilla or Firefox...
Ya, I see people rushing to get that one.
Yes, it was marketed as such...
What you should stop for a bit to think about is: if they marketed it on basis of better security, why did that message convince users?
Why don't you compare the amount of unpatched vulnerabilities of IE BEFORE FF came and AFTER? Maybe there's a very simple fact you chose to ignore in your "objective" analysis.
I don't think...
It's so much the marketing that convinced all users as much as the "features" and the fact it was something new.
Personally the reason I switched was I got tired of my IE and Windows Explorer being taken over by ActiveX controls coming from Spyware.
This solved that issue.
I have my entire family converted over to Firefox at present, and none of them see it as a security thing. Just a "Well, XXXX says it's better." Some have noticed the difference, others haven't. A matter of perception and day-to-day browsing.
I mean if you're just doing light browsing, IE is the perfect solution because why download something you hardly ever use?
All about practicality really.
Simple
You don't say... (NT)
Nope...
not to mention...
My Win2K sits unpatched behind 2 NAT firewalls (2 routers and a switch), as do my other computers on the LAN, and the only one I worry about is the one that the kids use on a limited account. It still gives me the heebie-jeebies, so I scan it regularly (weekly).
Not so simple
As opposed to heavy (or dark) "browsing"? If by "kill" you mean that the IE window "crashes" or "locks up", this occurs with FF as well.
It's not the "browsing". It's the poorly-written and inadequately tested code.
What he meant (he can correct me if I'm wrong)
I'm glad you asked. I work for an ISP and I get calls daily. I have, on my web server IP, the latest versions of Ad-Aware and Spybot to download. I keep a version of CWShredder there, but it should be updated as they change it so often. I have to have people open explorer.exe, or My Documents if you will, and browse to my IP. Then they see the page and download Ad-Aware and/or Spybot, and 90% of the time it solves the problem. The other 10% of the time it's a horked firewall (thanks, Norton).
I use both...
What? I'm just saying what everyone else is hinting at. And my GF uses IE exclusively, and when I have her do the scans once a month, she is always clean. Just tracking cookies, which are shist.