
Full Disclosure mailing list archives

Re: Firefox Remote Compromise Leaked
From: "Eric Paynter" <eric () arcticbears com>
Date: Mon, 9 May 2005 17:24:26 -0700 (PDT)

On Mon, May 9, 2005 4:46 pm, Mary Landesman said:
> Well, that's one way to crunch the numbers.
>
> Of course, IE 6 has been out since 2001, Firefox 1.x was released three
> years later. Looking at the advisories on a timeframe basis for 2005,
> Firefox 1.x has had 12 Secunia advisories compared to 6 for IE 6. In other
> words, the odds you're banking on shift quite a bit depending on how you
> look at it.

Ah, but new releases always have more bugs, which are supposed to get
ironed out over time. I guess for a more accurate look at the overall
quality of the release, compare IE in its first six months to Firefox in
its first six months... I get 12 advisories (2 highly critical) for
Firefox and 18 advisories (7 highly critical) for IE in that time period.
It still looks to me like the future is safer with Firefox.

OK, so next you'll say "but Firefox didn't have the same market share when
it first came out. Now that people are using it, the numbers of found
vulnerabilities will go up..."

Well, I guess it's just a game of numbers at this point. But the fact is,
I feel more secure with Firefox because they actively work with the
community to fix the problems. The team seems to really care and take
pride in the quality of their work. I somehow don't think we'll ever see
something like "Microsoft MCIWNDX.OCX ActiveX Plugin Buffer Overflow"
rated highly critical and still not patched almost two years after the
announcement, or "Windows Explorer / Internet Explorer Long Share Name
Buffer Overflow", also rated highly critical and over a year old with no
patch available. If we did have things like that start happening, I'd bail
off of Firefox pretty quickly. But for now, they've been very responsive,
and that makes me feel more secure.

To each his or her own...


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
