 
Full Disclosure mailing list archives
Re: Firefox Remote Compromise Leaked
From: bkfsec <bkfsec () sdf lonestar org>
Date: Tue, 10 May 2005 16:33:03 -0400
Mary Landesman wrote:
I find security in understanding how best to secure a browser, rather than switching to whichever one advertises the least vulnerabilities regardless of how open that interpretation might be. My point is that crunching numbers reveals different results, depending solely on the desired outcome. One could equally argue that Firefox had the advantage of learning from IE's mistakes, hence comparing the first six months of a browser three years later becomes a moot point. But, of course, if one were to make that argument, one would expect Firefox to have done better in the previous six months, which it clearly has not.
Of course, you could also make the argument that Microsoft could have learned from Netscape and Mosaic when it bought the mess which became IE from Spyglass.
So that door swings both ways.

Not to mention that you're not talking about the same kinds of mistakes in Firefox versus those in IE in all instances. Many of the flaws in IE come from its poorly planned position within MS Windows as an Operating System component. (Before people jump on me - I'm referring to its place in the interface. I'm well aware that it is not part of the Windows Kernel and that you can, if you intend to break a large number of programs, remove IE completely with enough work.) What kind of lessons would Firefox learn from IE's zoning issues? It wouldn't... and any argument that it would is specious at best.
Listen, there are no perfect programs. All programs will have bugs. If you track the statistics, you can play games with the numbers until you're blue in the face. However, what we can say is this:
- Firefox has, at this moment, only 1 quasi-functional unpatched hole while IE has 3 completely unpatched holes.
- Firefox is not part of the OS interface and, as such, does not implement poorly conceived zoning interfaces. Mozilla/Firefox are designed the way that browsers should ideally be designed. Some of the holes found in Firefox rely on external programs (like Java) to do their dirty work and some of them are in the web standards and equally apply to IE.

Those are the facts, statistics be damned and Firefox still wins.
            -Barry


