Full Disclosure mailing list archives

Re: Firefox Remote Compromise Leaked
From: "Mary Landesman" <mlande () bellsouth net>
Date: Mon, 9 May 2005 22:54:52 -0400

I find security in understanding how best to secure a browser, rather than
switching to whichever one advertises the fewest vulnerabilities regardless
of how open that interpretation might be.

My point is that crunching numbers reveals different results, depending
solely on the desired outcome. One could equally argue that Firefox had the
advantage of learning from IE's mistakes, hence comparing the first six
months of a browser three years later becomes a moot point. But, of course,
if one were to make that argument, one would expect Firefox to have done
better in the previous six months, which it clearly has not.

Regards,
-- Mary

----- Original Message ----- 
From: "Eric Paynter" <eric () arcticbears com>
To: <full-disclosure () lists grok org uk>
Sent: Monday, May 09, 2005 8:24 PM
Subject: Re: [Full-disclosure] Firefox Remote Compromise Leaked


On Mon, May 9, 2005 4:46 pm, Mary Landesman said:
> Well, that's one way to crunch the numbers.
>
> Of course, IE 6 has been out since 2001, Firefox 1.x was released three
> years later. Looking at the advisories on a timeframe basis for 2005,
> Firefox 1.x has had 12 Secunia advisories compared to 6 for IE 6. In other
> words, the odds you're banking on shift quite a bit depending on how you
> look at it.

Ah, but new releases always have more bugs, which are supposed to get
ironed out over time. I guess for a more accurate look at the overall
quality of the release, compare IE in its first six months to Firefox in
its first six months... I get 12 advisories (2 highly critical) for
Firefox and 18 advisories (7 highly critical) for IE in that time period.
It still looks to me like the future is safer with Firefox.

OK, so next you'll say "but Firefox didn't have the same market share when
it first came out. Now that people are using it, the numbers of found
vulnerabilities will go up..."

Well, I guess it's just a game of numbers at this point. But the fact is,
I feel more secure with Firefox because they actively work with the
community to fix the problems. The team seems to really care and take
pride in the quality of their work. I somehow don't think we'll ever see
something like "Microsoft MCIWNDX.OCX ActiveX Plugin Buffer Overflow"
rated highly critical and still not patched almost two years after the
announcement, or "Windows Explorer / Internet Explorer Long Share Name
Buffer Overflow", also rated highly critical and over a year old with no
patch available. If we did have things like that start happening, I'd bail
off of Firefox pretty quickly. But for now, they've been very responsive,
and that makes me feel more secure.

To each his or her own...

-Eric

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
