Is the Firefox honeymoon over?

Summary: Firefox mostly managed to stay under the radar from hackers before April of 2005. Since that time, new exploits are being released almost on a monthly basis.

TOPICS: Browser

[Updated: 9/16/2005 7:22PM] Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week's premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has had more vulnerabilities per month than Internet Explorer; in recent months it has also surpassed Internet Explorer in the number of exploits available for public download.

Update: A lot of people have complained that I didn't list the number of actual "in-the-wild" attacks against the two browser platforms. The problem with this complaint is that they either didn't read the entire article or didn't understand what I meant by "published exploits" in the second chart in this blog. By "published exploit" I mean a downloadable script or source code that can be used to attack real, live browsers in the wild; these are not advisories that merely describe theoretical exploits. Published exploits are basically freebies for professional hackers and script kiddies to use in the wild. Unpublished exploits have to be bought in the underground, and I don't list them here because I have no way of knowing how many there are. If anyone is wondering why I don't include any links to the exploit code, that isn't a mistake: it is our policy not to link to exploit code.

Here is a breakdown of recent vulnerabilities:

Month        Firefox 1.x Vulnerabilities   IE 6.x Vulnerabilities
Sept 2005     1                             0
Aug 2005      0                             4
July 2005    10                             1
June 2005     2                             1
May 2005      3                             1
Apr 2005      9                             3
Mar 2005     15                             0
Total        40                            10

Note that this is not a count of the number of advisories, because advisories can contain multiple vulnerabilities. This is a count of the actual number of vulnerabilities.

Here is a breakdown of recent published exploits:

Month        Firefox Exploits   IE Exploits
Sept 2005     1                  0
Aug 2005      0                  3
July 2005     4                  1
June 2005     0                  0
May 2005      4                  0
April 2005    2                  2
Total        11                  6

Note that I won't publish the links to these exploits here.

As you can see, the facade that Firefox is the cure for the Internet Explorer security blues is quickly fading. It goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live, working exploits. Firefox mostly managed to stay under the radar of hackers before April 2005; since then, new exploits have been released almost monthly.

Talkback

364 comments
  • Honeymoons aside...

    Everybody already knows that Firefox is not as mature as IE, certainly not in a commercial point of view, and it's not likely to take over the enterprise scenario that soon either. So don't worry, OK? ;)

    To make this comparison fair, you should be talking about the nature of the exploits as well as the amount, and maybe account for frequency of exploits averaged over the age of each browser.
    Anti_Zealot
    • The exploits are designed to own your computer

      What else is there to do other than take over your PC with any of these exploits?

      Don't even tell me that Firefox wasn't marketed as the cure to IE because of "better" security. I guess Opera is still pretty clean, but it isn't free and it breaks formatting on my own webpages so I stay away from it.

      Best thing to do is use DropMyRights on any Internet Browser.
      george_ou
      • Some exploits are easier to prevent than others

        Which is why some are flagged as critical and others as moderately critical, etc.

        Are you suddenly so extreme about vulnerabilities to the point of saying that all are equally evil?

        This comes as a surprise, considering how you think that "worms are good for security".
        Anti_Zealot
      • Since most....

        "Don't even tell me that Firefox wasn't marketed as the cure to IE because of "better" security."

        Firefox doesn't use ActiveX.. Just that simple.
        ju1ce
        • One more thing....

          Wait until the Mozilla ActiveX control gets more widespread.. Watch how many more exploits there will be on the products using it.
          ju1ce
          • Last I checked

            Mozilla doesn't and probably never will support ActiveX because of its inherent security issues.
            Linux Guy 1000
          • No Mozilla ActiveX

            It's a control developers can use in their applications to use the Mozilla HTTP Engine over IE's.

            http://www.iol.ie/~locka/mozilla/control.htm

            Mozilla itself won't support ActiveX.. but the users who use Mozilla as an ActiveX control are allowing themselves the inheritance of the flaws.
            ju1ce
          • Running ActiveX w/ Mozilla or Firefox...

            ...is sort of like taking all the locks off the doors of your house and hanging a sign outside saying, "There's $1,000,000 on my kitchen table! Come rob me!!"
            bhartman36
          • ya I see people rushing to get that one

            NOT
            IceTheNet9
      • Yes, it was marketed as such...

        "Don't even tell me that Firefox wasn't marketed as the cure to IE because of "better" security."

        What you should stop for a bit to think about is: if they marketed it on basis of better security, why did that message convince users?

        Why don't you compare the amount of unpatched vulnerabilities of IE BEFORE FF came and AFTER? Maybe there's a very simple fact you chose to ignore in your "objective" analysis.
        Anti_Zealot
        • I don't think...

          "What you should stop for a bit to think about is: if they marketed it on basis of better security, why did that message convince users?"

          It's so much the marketing that convinced all users as much as the "features" and the fact it was something new.

          Personally the reason I switched was I got tired of my IE and Windows Explorer being taken over by ActiveX controls coming from Spyware.

          This solved that issue.

          I have my entire family converted over to Firefox at the present, and none of them see it as a security thing.. Just a "Well XXXX says it's better"... Some have noticed the difference.. Others haven't noticed... A matter of perception and day to day browsing..

          I mean if you're just doing light browsing, IE is the perfect solution because why download something you hardly ever use?

          All about practicality really.
          ju1ce
          • Simple

            Light browing can kill a Windows box...
            Linux Guy 1000
          • You don't say... (NT)

            (NT)
            ju1ce
          • Nope...

            proof is in the machines I have cleaned... but hey I will admit that if you stop using IE and install a NAT firewall, use some good ol' fashioned common sense and Spy-Bot, AdWare SE and AVG along with Firefox, a Microsoft Windows box can exist on the internet in relative safety.
            Linux Guy 1000
          • not to mention...

            so im mentioning it anyway :P

            my win2k sits unpatched behind 2 nat firewalls (2 routers and a switch), as do my other computers on the lan, and the only one i worry about is the one that the kids use on a limited account. it still gives me the heebie jeebies. so i scan it regularly (weekly).
            linuxoverwindows
          • Not so simple

            >Light browing [sic] can kill a Windows box...

            As opposite to heavy (or dark) "browing"? If by "kill" you mean that the IE window "crashes" or "locks up", this occurs with FF as well.

            It's not the "browing". It's the poorly-written and inadequately tested code.
            cdgoldin
          • what he meant (he can correct me if im wrong)

            is that light browsing can kill a windows box by installing so much spyware on your system without your knowledge and/or consent to the point where you have to open windows explorer (my documents) and browse by ip address and dl adaware and spybot. ask me how i know...

            im glad you asked. i work for an isp and i get calls daily. i have, on my webserver ip, the latest versions to dl of adaware and spybot. i keep a version of cwshredder there but it should be updated as they change it so often. i have to have people open explorer.exe or my documents, if you will, and browse to my ip. then they see the page and dl adaware and/or spybot and 90% of the time it solves the problem. the other 10% of the time its a horked firewall (thanks norton).
            linuxoverwindows
          • i use both...

            i use ie and ff. ff i use to surf pr0n because there are way too many pop-ups and drive by installs that have gone away since i started using ff for it. oh, and i test my pages with ff because some features dont work in ie.

            what? im just saying what everyone else is hinting to. and my gf uses ie exclusively, and when i have her do the scans once a month, she is always clean. just tracking cookies which are shist.
            linuxoverwindows