Even though Internet Explorer is by far the most widely used browser, since 2004 it slowly began losing popularity to other browsers mainly due to security issues. Is Firefox more secure than Internet Explorer? What will the future bring? Read more in this article.
Maybe it is, maybe it isn’t more secure. But alteast we know when known bugs are sitting in there unfixed. Thats what gets me mad most of all. Microsoft doesn’t want to admit a problem unless it has no other choice. Just aknowledge the darn thing and fix it, so what if you look bad for a day.
When was the last time it took M$ less than a week to fix a security hole in IE? When was the last time FireFox did it?
A: About 3 weeks ago with 1.04
Cheers
1. Many times Internet Explorer has actually been exploited costing people money and hassle, but Firefox hasn’t. “The proof is in the pudding.”
2. Firefox doesn’t have ActiveX.
3. Firefox is not close to the operating system.
4. Diversity is good for security. One exploit affects fewer people.
5. Firefox is interchangeable. Say there is a problem with it: because Firefox supports standards, a user can move to another browser without much hassle. In an Internet-Explorer world, users must use IE even if there is a fault in it because sites require IE.
6. Firefox encourages webmasters to design sites for standards and makes point 5 more practical.
7. The latest Firefox runs on obsolete systems such as Windows 95. We have no choice but to use Windows 95 on a dozen stations where Microsoft stopped supplying browser security updates long ago. Firefox makes these computers practically safe to use.
An interesting alternative is SecureIE which costs 30$ and seems to outperform Firefox and IE in the security field.
Problem is SecureIE may have flaws inherited from IE and very few people is willing to spend money on a browser.
ActiveX was called a security nightmare in 1999. people questioned the security model, and the system from day one.
IE isn’t exploited all that often by bad images or webpages that create buffer overflows. Most of the attacks on IE are from ActiveX.
Heck even bundling the browser into the GUI and Kernel isn’t as dangerous as ActiveX is by it’s self.
There already is an unbiased measure of secure-ness that is beyond your arguments – number of published hacks, time to patch the holes.
In this regard, Firefox is vastly more secure than IE. No doubt a contrarian will dispute this (regardless of what you might state online, “the sun came up this morning”, “the temperature tends to be low when water freezes”), someone will always dispute it. But in this case they are wrong.
the last paragraph, what the future holds, he mentions a $30 program, also he mentions microsofts secure program..
why should users have to pay AGAIN, for something that should be totally secure out of the box
Who cares about security on a home PC that runs Windows … I use Windows only at work and for some games on my home PC .
I do not care which one is more secure , Firefox is much better when it comes to usability .
What we need is not more secure code but more users who are not trying to maliciously attack people/servers on the internet. We need societal reform not more secure code. As soon as we can get little johnny skript kiddie into an after school program that engages his mind instead of being engaged with a bunch friends that think it’s cool to break into military websites we’ll be doing something better than making a semi-secure browser more secure.
A much needed article, but it’d be nice to see it from someone who isn’t just giving a rediculously shallow overview with a wet-noodle conclusion!
To get higher level of security you must apply many independent layers that must be penetrated separately, to get a security breach.
In the Linux world such layers could be: the browser itself, unix permissions/posix acls, chrooting, SELinux policys.
Just relying on just browser security will never be enough to keep you safe.
Lil Jonny Script Kiddie doesn’t care about hijacking your browser. Signy-McCEO of bubble company Y wants the free advertising, and Humpy-McPornOwner X wants to make sure you never forget you like porn.
I think you need to look at who has a vested interest in hijacking your browser and not who is a little “punk.”
mainly due to security issues
I switched for features. Security isn’t a very big deal for me, as I’ve never had problems with IE.
In all of this, it often seems that the user and what they do with the browser is forgotten. Often, if someone is caught by a vuln or exploit, its usually because they’re poking around the less-pleasant areas of the web.
Granted, there’s also the social engineering aspect of this and many computer users won’t think to check the url or where they’re going. Even if you fix a vuln or exploit, these types of users aren’t likely to patch their systems or browsers.
It’s also not just the browser – if you don’t run as root or with admin rights, then certain problems might not be so much of a problem.
– Smiffa
because Firefox supports standards, a user can move to another browser without much hassle. In an Internet-Explorer world, users must use IE even if there is a fault in it because sites require IE.
This is a fault of the web-site designer…not Microsoft.
Look, I hate IE’s lack of standards compliance as much as the next developer. But there is no law (moral or judicial) that states Microsoft MUST release a standards-compliant browser.
1st quote from author…
“Still, Firefox has its flaws like crashing while trying to view PDF files and taking a lot of time to load. If the next IE version would support tabbing and would be 50% more secure than before, Microsoft would surely maintain dominance in the field.”
1) firefox has never crashed while opening a .pdf on any of my systems. note to author: check your facts or fix your windows or acrobat installations.
2) firefox DOES takes a bit longer to load, but this too is a case by case scenario regarding each machine. never the less… pointless comment from author.
2nd quote from author…
“As more and more users dump IE due to its lack of features and move towards a faster and more efficient alternative like Firefox, virii and spyware programmers will start using it as their new “feeding ground.””
this is pure FUD.
other than that, article was fair.
>>because Firefox supports standards, a user can move to
>>another browser without much hassle. In an Internet-Explorer
>> world, users must use IE even if there is a fault in it
>>because sites require IE.
>This is a fault of the web-site designer…not Microsoft.
>Look, I hate IE’s lack of standards compliance as much as the
>next developer. But there is no law (moral or judicial) that
>states Microsoft MUST release a standards-compliant browser.
Let’s put economic pressure from customers on both Microsoft and designers until the problem is fixed.
As we have seen with the ACID2 test, there are levels of standards support. Still, we want Microsoft and web designers to good faith effort into it the way Gecko, Opera, and KHTML have.
“In all of this, it often seems that the user and what they do with the browser is forgotten. Often, if someone is caught by a vuln or exploit, its usually because they’re poking around the less-pleasant areas of the web.”
So?
…how the security of the 2 browsers compare when you disable ActiveX and Java in IE. I suspect most of IE’s problems are due to ActiveX controls executing without the user knowing/undertanding what’s going on…
“According to secunia.com Internet Explorer has 20 out of 79 security vulnerabilities that are still not patched in the latest version (with all vendor patches installed and all vendor workarounds applied), while Firefox has only 4 out of 12 security vulnerabilities unpatched.
Based on information on secunia.com (1 and 2) we can see the benefit of an Open Source browser in the security field: while Internet Explorer only issued a patch for 52% of the bugs found and applied partial fixes in 14%, Firefox has not only patched 69% of its flaws but it has never used a partial fix or a workaround.
If we look at Secunia’s criticality graphs (1 and 2) we can see that Firefox has 0% extremely critical and 8% highly critical bugs while Internet Explorer has 14% extremely critical and 27% highly critical bugs.”
– so yeah, Firefox still is more secure than IE, although the post here at OSNews titled “Is Firefox really more secure than IE?” would lead casual readers believe not. Please read TFA editors before accepting stories.
I’m not so sure anymore. Especially with all these news about its developers cutting corners to get their product out immediately.
Very interesting articlle, indeed. Personally, I use Firefox for all of my PC’s (except my wife’s: She clings to IE). I simply prefer it because it is a nice solid modular design, I came to rely on tabbed browsing, I enjoy the better security features and updates, and (most importantly) I have Firefox in Irish Gaelic….although there are SEVERAL(!!!) local languages available.
…And I too, have never had an issue with the PDF support with Firefox.
JM
I was using IE until a couple months ago when someone was using a IE vulnerability to break into my machine, delete my thesis(fortunately i kept an older backup), and turn my computer into a spam machine. I couldn’t even log on anymore and had to turn my machine for investigation.
Lesson learned: never ever use IE!
Still, Firefox has its flaws like crashing while trying to view PDF files and taking a lot of time to load.
I can only speak of Linux’ Firefox version, but on my comp it hasn’t crashed once when loading a pdf file.
… every Web site is optimized for Internet Explorer.
Totally wrong. There already are a lot of websites designed with Firefox in mind, and they’re becoming more every day.
An interesting alternative is SecureIE which costs 30$ and seems to outperform Firefox and IE in the security field.
Problem is only few people will pay 30$ for a program that’s not much more than a commercial extension for Internet Explorer, even if the company wants them to believe it’s a brandnew browser. This part of the article reads more like an advertisment than a presentation of facts.
As more and more users dump IE due to its lack of features and move towards a faster and more efficient alternative like Firefox, virii and spyware programmers will start using it as their new “feeding ground.”
It’s not that easy. Of course IE is target No. 1 due to its marketshare being far bigger, but even if FF will become the main player in the browser market, it’ll always be more secure. For the FF developers it’s all about usability and security, while MS only wants to lock-in Windows users by forcing their proprietary “standards” on them.
When everyone switch to Firefor it will be insecure too they say? Vah. Try and exploit firefox you’ll notice it is difficult is not the people using it is the way it is build. Same happens with Linux no matter if Linux were the only OS it will still be very secure because is not the amount of people is the difficulty to exploit it and the way is built.
when i was still using IE i had ActiveX turned off and someone took it over several times annoying the hell out of me. when i saw that several configuration files and essentially my entire desktop had been compromised i realized how serious the situation had become and finally switched to Firefox. Firefox is a fast and awesome browser, ways more secure than IE, and i am so much happier with it.
One of my friends was running a webserver and showed my in front of my eyes how simple it is to hack into any client that was still using IE. I’ve been a happpy Firefox user since…
Shouldn’t the lesson be, don’t mess thing CS majors? No computer system connected to the internet is 100% secure. If someone is out to get you, there isn’t a lot you can do outside of notifying the FBI.
http://www.windowssecrets.com/comp/050512
Scroll down a bit and look for the “Is Firefox still safer than IE?” header.
“ActiveX” is senseless commerical buzzword, joining together several things which haven’t anything in common.
In IE vulnerability origin is VBScript (who really needs it internet besides moron designers and hijakers? This is awful piece of technology and should be used only for corporate applications in well-proteced intrantets), this is also under name of “ActiveX”, but if you switch ActiveX off, you switch off also JavaScript. Last is in use by enormous number of sites, so you fall with that on level of IE 2.0 (except CSS1 support).
In FF you don’t need to switch Java/ECMA/Script support off to achive same level of security.
Its only as secure as the user. If the user isnt smart about where they go on the internet they will have problems no matter what browser they are using. I use IE exclusevly, and havent had a piece of spyware or virus in years.
This article is a mess. First, comparing an open source product, that leaves itself wide open for everyone to see and possibly exploit, to a closed source product that promotes security by obscurity is just plain stupid.
There is no direct measure we’ll be able to use to see just how one is “better” than the other. Use what works for you and gets the job done to your satisfaction. Any piece of software can be exploited, so let’s move on from this time-wasting argument.
FF is a great browser…I dont need to use it…IE7 comes out and lets see how that stacks up…if it is a miserable failure I am gonna switch to FF.
IE6 also provides different levels of security zones thus dividing the Internet into 4 categories: Local Intranet, Trusted Sites, and Restricted Sites.
4 like in 1, 2, 4.
datruth:
>> this is pure FUD.
Uh, how so? Are you suggesting that if FF became almost as popular as IE, they spyware/virii writers would say “hey.. its firefox, lets not target it!” What a joke, man.
It is pure FUD because it is a forward looking statement, levered on the big “IF”. A more secure browser is here NOW not at some point in the future, as in the case of IE7. Contrariwise, “IF” the Moz Foundation managed to come up with a more secure browser, wouldn’t it lend to reason that they will be more able to maintain it’s secure-ness ?
Hello everyone,
There is a saying I picked up long ago and it says, “More walk, less talk.”
Along those lines, I deinstalled Internet Exploder off of the XP box I must work at and installed the most recent Firefox onto it on 04.22.2005. I’ll let you guys figure out how I did that.
After reading this I decided to scan my system with the following tools: Ad-Aware se, SpyBot Search and Destroy, Ccleaner, RegClean, ClamWin anti-virus, and Norton Win Doctor.
Here are some of the results:
AdAware reported zero critical objects out of 62,376 objects scanned using the most recent definitions file SE1R46 17.05.2005;
SpybotS&D reported no immediate threats found;
CCleaner only found a few old IE cache files laying around in some obscure tucked away IE-related directory;
RegClean found no registry errors and produced no Undo* file;
ClamWin anti-virus scanned for 34653 know viruses and found zero; and
Norton WinDoctor only found two registry errors that RegClean did not find and a proverbial “boatload” of Active X errors.
Now I’m sure there are other programs I could use, but such is life in education. You use what you can find without overspending. Being a good steward of public funds is a goal here.
So the conclusions I have reached by using these tools are:
Deleting IE after a clean-and-pristine system install is a positive thing. If I need to do something on the server I will log into it remotely RDP (RDC in Win) and work with it at that level.
Installing Firefox to replace IE as a web browser is a positive thing. Apparently Firefox does not have the same “trash collection” faults and errors the IE browser has.
How do I know this? Simply, I ran commonly used “trash” cleaning and other “repair” tools, freely available to the masses. I even included a proprietary software as-well. It reported the occurrence of such IE spy or malware events was significantly reduced or, dare-I-say, non-existent after performing the above de-install and install. It is also relatively clear of browser clutter, free of viruses, and has few windows-related errors dated after IE was removed and Firefox was applied.
Will errors in software occur? Yes. It would be foolish to think it wouldn’t.
But if I must use one program or another, especially on Windows, I will opt for the one that is more-often-than-not going to damage my system. System downtime cost money. This is true for people who actually work in small to medium businesses, for people who work from their home computer rooms or basements, for non-profits groups, for educational institutions, etc.
There are more thing to a system administrators time than just sitting in a server back room, applying patches, downloading security updates, and playing around with active directory, constant defragging, or monkeying around with gpedit. It’s a solve the problem mentality. Keep the computers up, undamaged, and productive.
So, is Firefox really more secure? I would have to say it is from observation and daily use.
C’mon. Of course its more secure. Ive never had my homepage hijacked by a .ws domain or any *ware while using mozilla.
Oop. Forgot.
I don’y use the Outlook program, what I commonly refer to as ‘Look Out’ as a joke, to check my e-mail but rather the web-mail version of it in Exchange, a.k.a. ‘Extra Change (also a joke) server.
By avoiding the Firefox browser and using the web-based e-mail server you will save yourself from probable data loss and reconstructive system work.
And the winner is: FireFox!
Duh! No surprise here! But this is a good article which people should point to when discussing this issue. The counts of vulnerability severity and outstanding unpatched vulnerabilities are the most important point of this article.
‘”In all of this, it often seems that the user and what they do with the browser is forgotten. Often, if someone is caught by a vuln or exploit, its usually because they’re poking around the less-pleasant areas of the web.”
So?’
Do you expect to walk through hell and come back alive?
the exploits in firefox i fixed (the ones mentioned in article, explorer has not fixed more than one ore so..)
ActiveX requires a user to say “Yes, trust this person/company and install the ActiveX control”. This is no different than having a separate installer to install something that messes up your computer.
Also, with XPSP2, you can easily block ActiveX controls, turn them on, turn them off, etc…
Saying that ActiveX is insecure is just outright stupid. By that token, anything that allows you to install something on the system is insecure.
Simply, the problem is with the user. Disabling ActiveX does not change this one bit.
Who cares about security on a home PC that runs Windows … I use Windows only at work and for some games on my home PC .
Well actually everybody using the Internet on a daily basis does care. If end users don’t take security on their home PCs seriously, sooner or later their boxen will be rendered into spam/DDoS drones. Once a site or service you happen to depend on is taken down because of a DDoS you will realize that home PC security is as important as any other computer’s security.
By default, Firefox comes with the ability to only install extensions from the Mozilla site. But, what is to stop unscrupulous company from ‘rebranding’ Firefox, removing the extension installation safeguard, add the ability (if it isn’t there already) to install extensions without asking the user, and offering it for free in exchange for some sort of perk, knowing that as soon as users install it, they’ll be able to throw whatever crap they want on the user’s system?
Always nice to debunk a troll with `even if.’ Here we go:
Even if firefox will prove to be just as insecure as IE the effectiveness of mallware will be massively decreased since there is not one browser which everyone uses but two browsers. Monocultures are much more subsceptible to attacks than diverse cultures.
Yay.. my comment was deleted for no reason.
datruth: you totally missed the point. You replied “pure FUD” to:
“”As more and more users dump IE due to its lack of features and move towards a faster and more efficient alternative like Firefox, virii and spyware programmers will start using it as their new “feeding ground.””
No where does that say that FF will have the same problems as IE, or at that it will even have ANY problems. It simply says that it will be TARGETTED more, even if unsuccessfully.
Yes, so why ask these silly questions?
Could it be … flame bait?
i use IE with Avant as frontend when browsing our intranet sites(looks good with all those IE specific eye candies). Firefox is my choice of browser though..very customizable.One thing i dislike about FF is that i have to install a new one just for an update..
usual windows or ie patch/update is 2 and more times bigger than whole FF install package:)
Not to say about those servicepacks
As per usual…
“Based on information on secunia.com (1 and 2) we can see the benefit of an Open Source browser in the security field: while Internet Explorer only issued a patch for 52% of the bugs found and applied partial fixes in 14%, Firefox has not only patched 69% of its flaws but it has never used a partial fix or a workaround.”
So Open Source browsers are better in the security field than non-Open Source browsers based on that Firefox has less open vulnerabilities than Internet Explorer.
Never mind that another non-Open Source browser (Opera) has ZERO open vulnerabilities.
No, because Firefox is better than IE, OSS is better than non-OSS in the security field.
What a turd of an article.
The worst program, based solely on security is Outlook Express. It’s a shame because it really had an easy to use interface.
People have been quick to jump ship to firefox, but much slower in jumping to Thunderbird–IMHO it should be the OPPOSITE! you’re more likely to get hosed by an email!
Firefox is open source. The firefox trademark is no doubt owned by Mozilla foundation.
If some “unscrupulous company” wants to modify and then re-distribute Firefox then:
(1) they must publish whatever modifications they made, and
(2) if Mozilla foundation do not like what “unscrupulous company” changed in Firefox, Mozilla foundation can insist that the product from “unscrupulous company” does not bear the firefox name, and that it makes no reference at all to firefox (trademark law).
These two points combined are what stops “unscrupulous company” from jumping on the firefox bandwagon with a malware product.
“… every Web site is optimized for Internet Explorer.
Totally wrong. There already are a lot of websites designed with Firefox in mind, and they’re becoming more every day.”
And that is JUST AS BAD as sites designed for IE.
Try standards.
Never mind that another non-Open Source browser (Opera) has ZERO open vulnerabilities.
No, because Firefox is better than IE, OSS is better than non-OSS in the security field.
You’re looking at it the wrong way. FF is open source – this means that anyone can look at the source in an effort to find a hole to exploit. EVEN GIVEN THAT, only a few have been found.
MSIE and Opera are closed source. They RELY on security through obscurity. Since no source is published, you have to try to reverse engineer the code from the binary. That is a HUGE task. It’s HARD to do. But people still do this and find DOZENS of holes in MSIE. That means that if MSIE was open source, nefarious folks would probably find HUNDREDS of holes or more!
Opera also needs to be reverse engineered from the binary, so if we assume it had the same number of holes as FF, it would take MUCH more effort to find them. Considering the relatively few numbers using Opera, it’s no wonder that script kiddies and security firms alike don’t bother with it. There are nowhere near as many people checking into Opera security as there are into FF or MSIE security.
In the end, that’s good for Opera users. No matter WHY they don’t have as many open holes (known about), it still means they are less likely to be exploited.
You’re missing the point there
“In the end, that’s good for Opera users. No matter WHY they don’t have as many open holes (known about), it still means they are less likely to be exploited.”
Opera does get holes in it like every other bit of software. But Opera’s holes have been fixed more quickly and more fully than either Firefox (the open source hero which anyone of the millions of users can go and fix the problems in) or IE (the closed source villain).
That is the point. Saying OSS or non-OSS is better when it comes to fixing holes is entirely irrelevant. Its the effort and commitment behind the desire for security (which is shown by the percentage of holes that remain open and the time it takes to fix those that get closed) that matters and Firefox while better than IE is far worse than Opera when it comes to that.
“They RELY on security through obscurity.”
*groan* Just noticed that…
What a joke
Microsoft and security? What a comic relief.
“An interesting alternative is SecureIE which costs 30$ and seems to outperform Firefox and IE in the security field.”
This is not an alternative it is a add on to IE.
“… every Web site is optimized for Internet Explorer.”
“Totally wrong. There already are a lot of websites designed with Firefox in mind, and they’re becoming more every day.”
“And that is JUST AS BAD as sites designed for IE.
Try standards.”
Yeah, Try bulding a website with (X)HTML and CSS in mind, like they should be built. A broswer is a means to the web site. Build the web site RIGHT.
“… every Web site is optimized for Internet Explorer.”
“Totally wrong. There already are a lot of websites designed with Firefox in mind, and they’re becoming more every day.”
“And that is JUST AS BAD as sites designed for IE.
Try standards.”
Actually, half or better web sites are made on the Mac. There are certainly plenty of tested only on IE sites, but they are the minority.
No need to RTFA, the answer is yes. Even an idiot in a hurry knows that.
Since abandoning IE, I’ve noticed a lot less spyware gets on my system. I’m not going back.
IE is so close to the OS, I don’t trust it. And fixes are released quickly once exploits are found in Firefox.
Anyhackers can insert adware and spyware on FireFox by using Javascript, hidden java, and image Plug-in. Of course it works. you can see and monitor everything more than IE. YOu can see someone cursor moving around internet and keytype. it’s very easy for anyone to code. I like to scale 1 to 10 – 1 is easy; 10 is hard. I would say 3. Hackers say it’s 2. It’s somewhere 2 or 3.
I’m sorry, but you can’t call yourself a geek if your system is getting infected with spyware. It doesn’t take a whole lot of effort to keep these things from happening.
Opera does get holes in it like every other bit of software. But Opera’s holes have been fixed more quickly and more fully than either Firefox (the open source hero which anyone of the millions of users can go and fix the problems in) or IE (the closed source villain).
How do you know? Opera is closed source. Is some little bird telling you? Do you have a magic mirror that reveals the inner workings of Opera? No. That’s the point. You have no idea what-so-ever what is going on in closed source programs. For all anyone knows, Opera could be sitting on thousands of holes they know about, but don’t want to spend the time and money to fix until they’re revealed by security researchers.
You cannot make ANY statement about how fully holes have been fixed in either Opera or IE. It’s simply impossible unless you’re on the programming staff of either of those browsers, in which case the company wouldn’t let you comment on the issue. That is a fact you cannot dispute (unless you’re just trolling).
It’s funny how they can even pose this question when I myself havn’t had any spyware, malware etc in a long time, and even retards that I know who I always have to fix their computers when they download that crap, havn’t been complaining 1 bit since they switched to firefox.
“How do you know? Opera is closed source. Is some little bird telling you? Do you have a magic mirror that reveals the inner workings of Opera?”
Are you for real?
You are having the gall to talk about magic mirrors when you are arguing the what-if of unknown security holes being the problem.
Go to secunia. Look up IE, Firefox and Opera. Look at the amount of vulnerabilities of each. Look at how quickly they were closed, look at the amount that remain open.
And quit being such a dimwit.
Now now Andrew, don’t bring “facts” and “logic” into this! There is no place for such thing!
Opera is closed source therefore there are many many more security bugs not found yet and therefore its more insecure because its closed source!!!
“An interesting alternative is SecureIE which costs 30$ and seems to outperform Firefox and IE in the security field.”
This is just plain spam!
And that is JUST AS BAD as sites designed for IE.
Try standards.
Of course you’re right, didn’t even think about standards when writing this :-
On the other hand, IE isn’t standard compliant.
With your logic, there wouldn’t be an article about anything that isn’t free. E-mail OSNews and tell them that you wish to stop reading articles about Windows for example, after all, it’s not free.
This is disturbing. Certain people keep praising Firefox as if it’s perfect, and as if open-source is inherently more secure.
Fact: Opera has no unpatched vulnerabilities, and has a better track record than Firefox. Now let’s explore some of the crazy excuses Firefox drones are coming up with:
“FF is open source – this means that anyone can look at the source in an effort to find a hole to exploit.”
This comment doesn’t make sense, since most flaws found in Firefox are a result of testing the browser, not by reading the source code. Have you any idea how hard it can be to read someone else’s code?
Open-source doesn’t matter in this case. Secunia reports flaws that are found by testing the actual program. And besides, Mozilla keeps security bugs hidden too.
“For all anyone knows, Opera could be sitting on thousands of holes they know about, but don’t want to spend the time and money to fix until they’re revealed by security researchers.”
Just like Mozilla does it. They keep security bugs hidden from the public.
“You cannot make ANY statement about how fully holes have been fixed in either Opera or IE.”
Sure you can. See above. Those who find holes do so by testing the compiled binaries, not by inspecting Firefox’s source code.