[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Firefox Remote Compromise Leaked

To: Mary Landesman <mlande@xxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Firefox Remote Compromise Leaked
From: bkfsec <bkfsec@xxxxxxxxxxxxxxxx>
Date: Tue, 10 May 2005 16:33:03 -0400

Mary Landesman wrote:

I find security in understanding how best to secure a browser, rather than
switching to whichever one advertises the least vulnerabilities regardless
of how open that interpretation might be.

My point is that crunching numbers reveals different results, depending
solely on the desired outcome. One could equally argue that Firefox had the
advantage of learning from IE's mistakes, hence comparing the first six
months of a browser three years later becomes a moot point. But, of course,
if one were to make that argument, one would expect Firefox to have done
better in the previous six months, which it clearly has not.

Of course, you could also make the argument that Microsoft could have learned from Netscape and Mosaic when it bought the mess which became IE from Spyglass.

So that door swings both ways.

Not to mention that you're not talking about the same kinds of mistakes in firefox versus those in IE in all instances. Many of the flaws in IE come from its poorly planned position within MS Windows as an Operating System component. (Before people jump on me - I'm referring to its place in the interface. I'm well aware that it is not part of the Windows Kernel and that you can, if you intend to break a large number of programs, remove IE completely with enough work.) What kind of lessons would Firefox learn from IE's zoning issues? It wouldn't... and any argument that it would is specious at best.

Listen, there are no perfect programs. All programs will have bugs. If you track the statistics, you can play games with the numbers until you're blue in the face. However, what we can say is this:

- Firefox has, at this moment, only 1 quasi-functional unpatched hole while IE has 3 completely unpatched holes. - Firefox is not part of the OS interface and, as such, does not implement poorly concieved zoning interfaces.

Mozilla/Firefox are designed the way that browsers should ideally be designed. Some of the holes found in Firefox rely on external programs (like Java) to do their dirty work and some of them are in the web standards and equally apply to IE.

Those are the facts, statistics be damned and firefox still wins.

            -Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Firefox Remote Compromise Leaked
  - From: tuytumadre
- Re: [Full-disclosure] Firefox Remote Compromise Leaked
  - From: Jason Coombs
- Re: [Full-disclosure] Firefox Remote Compromise Leaked
  - From: Vincent van Scherpenseel
- Re: [Full-disclosure] Firefox Remote Compromise Leaked
  - From: Bipin Gautam
- Re: [Full-disclosure] Firefox Remote Compromise Leaked
  - From: Eric Paynter
- Re: [Full-disclosure] Firefox Remote Compromise Leaked
  - From: Mary Landesman
- Re: [Full-disclosure] Firefox Remote Compromise Leaked
  - From: Eric Paynter
- Re: [Full-disclosure] Firefox Remote Compromise Leaked
  - From: Mary Landesman

Prev by Date: [Full-disclosure] [ GLSA 200505-08 ] HT Editor: Multiple buffer overflows
Next by Date: Re: [Full-disclosure] scanning through socks or proxy
Previous by thread: Re: [Full-disclosure] Firefox Remote Compromise Leaked
Next by thread: Re: [Full-disclosure] Firefox Remote Compromise Leaked
Index(es):
- Date
- Thread