Browser security

[ric449]

I was just thinking how people everywhere are telling each other to go with Firefox or other alternative browsers because of the many vulnerabilities of IE. But then it got me thinking, how long is it until the people who expose IE's problems notice people are using these other browsers? Won't that mean these people will find security holes in these alternative browsers instead?

[fudtone]

I don't think that would be anytime soon. I believe the hackers are actual after Microsoft not the users.

[mbossman2]

Quote:

Originally posted by ric449 Won't that mean these people will find security holes in these alternative browsers instead?

every product has security holes in some manner shape or form.

Lets look at it from a hacker's point of view:
where can i obtain the deepest penetration across the widest number of targets?
A) poke, prod & disassemble a product that is used by less than 2% of the computing population

B) poke, prod & disassemble a product that is used by 80% of the computing population.

People are people, they want to most bang for their buck (so to speak) and don't want to expend any more additional energy than is necessary.

Plus, in many ways, MS does a lot of their work for them: MS ID's a security hole, issues a patch, hackers reverse engineer the patch to create an attack and rely on the intrinsic laziness of people not to patch their systems as recommended by the manufacturer.

Patching is, unfortunately, basic maintenance for a PC, akin to chaning the oil, rotating the tires and getting tune ups for your car.

[mattg2k4]

http://www.w3schools.com/browsers/browsers_stats.asp

Mozilla's popularity for June is 11.4%, which is still significantly smaller than IE5/IE6's collective 81.4%, but still a good portion. In the next few years, depending on the success of the next IE, mozilla could well become a viable target.

But with IE, it's already connected to other parts of windows, whereas Mozilla is an application that stands much more on its own, which makes it more secure. Also, any security flaw found is likely to have a fix sooner, and in my personal opinion, people who use Mozilla are not as much the "set it and forget it" type, they would get the updated version sooner.

[ric449]

But what I'm saying is that with other browsers being recommended so much, it could soon become a much more viable candidate for attck, like mattg said. But I disagree where you say the security flaw will have a fix sooner, I seriously doubt the creators of these alternate browsers have the manpower of Microsoft's patch developers.

[aym]

Quote:

Originally posted by ric449 But what I'm saying is that with other browsers being recommended so much, it could soon become a much more viable candidate for attck, like mattg said. But I disagree where you say the security flaw will have a fix sooner, I seriously doubt the creators of these alternate browsers have the manpower of Microsoft's patch developers.

Check out these two articles.

Two vulnerabilities in IE have been around for 11 months now without any patches from MS, they allow attackers to to install malware when a web page is opened, nothing more.

OTOH, Firefox, being Open Source, has plenty of developers reviewing the code, so security holes get fixed in no time, even before that attackers discover them.

And IE is integrated into the OS, so vulnerabilities in IE allow attackers to do much more damage to the whole OS.

IE runs unsafe VB scripts and ActiveX controls, the source of like 99% of malware.

Firefox doesn't support any scripting language other than the sandboxed JavaScript, and its extensions aren't automatically installed, they are easy to uninstall, and the developers are working on a feature that makes Firefox refuse to install extensions from untrusted websites, by using a white list of trusted websites.

The latest version of Firefox makes it very easy to install updates, updates are small in size and can be installed automatically while using the browser. To patch IE you need to use Windows Update, download no-so-small files, and in many cases, reboot the computer.

I don't think that Firefox will be targeted when/if (hopefully when ) it becomes more popular. The Open Source Apache web server is more popular than MS IIS according to Netcraft, it runs 70% of the web, and still, IIS gets much more exploits and viruses than Apache, and Apache gets fixes faster.

MS products are usually less secure than alternatives, because of this, they are targeted.

[doctorgonzo]

Quote:

Originally posted by aym_7 IE runs unsafe VB scripts and ActiveX controls, the source of like 99% of malware.

That's the key issue. Could Firefox have some security issues like unknown buffer overruns somewhere? Sure. But only IE allows viruses to automatically download and install themselves while you are browsing. There may be problems with the implementations in Firefox, but it's security model is a whole lot more secure from the start because it doesn't allow viruses to install themselves.

[Hi Ho]

Quote:

IE runs unsafe VB scripts and ActiveX controls, the source of like 99% of malware.

Why don't they just get rid of them then? Other browsers seem to have no trouble without them. Why not eliminate the cause of so many problems?

[aym]

Quote:

Originally posted by Hi Ho Why don't they just get rid of them then? Other browsers seem to have no trouble without them. Why not eliminate the cause of so man problems?

Because of the brilliant idea of integrating the browser into the OS, IE's rendering engine is used every where in Windows and not just for web browsing.

For example, without ActiveX, Windows Update won't work any more.

[Hi Ho]

ZDnet - Microsoft posts work-around for IE flaw

Hmmm... Looks like they're already looking to change that.