Thread: why is firefox more secure?

  1. #11
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    All of that being said, in a network environment IE is "more secure" because it can be configured via the group policy. This allows the admin to enforce a higher level of control, resulting in greater consistency.
    Thank you! So often folks blindly hoist up the MoZiller/Firefox banner regardless of the scenario.

    cheers
    Connection refused, try again later.

  2. #12
    Greetings

    From : http://secunia.com/product/4227/

    Currently, 4 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.
    Now if you look at the dates at which these 4 vulnerabilities were discovered, the oldest one was discovered on 2004-08-30, hence an eight month old vulnerability is still unpatched. More on this specific vulnerability can be found here http://secunia.com/advisories/12403/. This vulnerability is classified as less than critical.

    As per Secunia.com
    Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
    Now as for Internet Explorer
    Currently, 20 out of 79 Secunia advisories, is marked as "Unpatched" in the Secunia database.
    The oldest unpatched vulnerability in IE is as old as 2003-03-13 ( http://secunia.com/advisories/8283/ ).

    And verdict for IE as per Secunia.com
    Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

    Also if you look at solutions provided for SOME of IE's unpatched vulnerabilities it says
    Use another browser.

    But you have to understand these are views as per one site. Also as per secunia and its statistics Opera is the most secure browser as none of the vulnerabilities found in Opera are still unpatched.

    This is all as per www.secunia.com.


    you may also want to take a look at this active thread :
    http://www.antionline.com/showthread...hreadid=267304

  3. #13
    Originally posted here by catch
    You see what that says? Adequate security cannot be provided by applications... it must be accomplished at the OS level. What does this mean? Application security DOES NOT MATTER! Unless your application is PERFECT sooner or later it will be exploited, and all applications get exploited in the same way. A BOF in Firefox is the same as one in LYNX and the same as one in MSIE.
    Counting exploits is not a viable measure of security. If an exploit is made public on Jan 1, 2005... that software was vulnerable since its inception, aka 100% of the year not 300 days, not even 358 days. Even though the exploit isn't widely known, it still existed.

    So again, I'll say it... the NCSC says it, the NSA says it, the good people at ISO say it, the CISSP exam says it.

    APPLICATION LEVEL SECURITY IS MEANINGLESS.
    heh That's the complete opposite of what Smittens just said. I guess someone studied harder. Yeah, and those lockdown options in IE are there for a reason. And don't come complaining when you’re surfing on an Admin account either, that's what I tell 'em.

    Originally posted here by Microsoft TFM
    Use separate accounts for administrative activity and general user activity. Individuals who do administrative work on the computer should each have two user accounts on the system: one for administrative tasks, and one for general activity.

  4. #14
    Senior Member
    Join Date
    Jan 2005
    Posts
    217

    Fellow AOs

    Let us examine things a bit here. IMO, each product can be customized to meet the requirement of a user. There are categories which we should consider before judging which is which (MORE SECURE).

    A typical user could just conclude that product A is more secure than product B by checking and believing the statistics (which IMO, again depends on the type of crowd). Opinions in forums like AO could lead people to being convinced about such a product. So far, I could see that the crowd is being driven to observe and think harder about concluding which is MORE SECURE. SECURE in what way? So far as the growing discussion here, perhaps we have to consider the following dependencies (correct my analysis if you may):

    A. Percentage of users of such product – Firefox has fewer users
    B. Age of the product (since introduction) – Firefox is younger
    C. Number of vulnerabilities and patches – depends on item A & B (IMO). See item D.
    D. Sources of such security threat advisory (source 1, 2, 3 and so on…) – to name a few, sans, cert, secunia, AV websites, lots of them actually (those are the only ones I visited often).
    E. Advisory of the product provider themselves – Seriously, advisories here come late compared to item D.
    F. Degree of actual effect once exploited – depends on the data provided in items D & E
    G. Coverage of users/clients really affected – As of now, it entirely depends on items A and B.
    H. Impact to security – Consider looking at the charts and level that can be found on sources in item D.
    I. People’s awareness – The reason why the Internet is there is primarily to speed-up information. SURF, SEARCH, READ IMPORTANT UPDATES ABOUT THE PRODUCT! AO is a good source.

    Check these related articles about the current analysis:
    http://informationweek.com/story/sho...leID=159905629

    "We must stay ahead of the curve in patching potential vulnerabilities," he said.
    - And while patches are being done, we have to get updated whenever it is available. Good thing LIVE UPDATE OR REMINDER IS THERE, use it!

    Reminder: Sometimes, don’t trust the media too much. Research and seek for a really reliable source.

    Yo!
    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)

  5. #15
    I'm going to throw something out here....



    Firefox is indirectly more secure due to the slightly more educated/motivated userbase.


    Those who are willing to take that extra step are more likely to have a firewall/antivirus/system updates since they are still extra steps.


    I'd also like to throw out the lack of ActiveX.....

  6. #16
    Firefox is indirectly more secure due to the slightly more educated/motivated userbase.
    Come now, let's consider how many people made the switch for reasons based on word of mouth... yep, there's no way you're going to shake the minds of those people.

  7. #17
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Firefox is indirectly more secure due to the slightly more educated/motivated userbase.
    I disagree with this point. Most of Firefox's user base seems to be people that think Firefox is more secure. I submit that these people actually know very little about security (see my above post) and enjoy having the perception of security. These people are more likely to be compromised as their perception of security frequently precludes actual security.

    cheers,

    catch

  8. #18
    Touche....



    Well... one thing that was said earlier, about IE being more secure due to configuration through group policy....

    This does not mean IE is more secure, it means that it is easier to secure in a networked environment.


    Hell, if you want a secure browser... ain't nothing quite like lynx....

  9. #19
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Well... one thing that was said earlier, about IE being more secure due to configuration through group policy....
    This does not mean IE is more secure, it means that it is easier to secure in a networked environment.
    You'll note, I put "more secure" in quotes. When comparing two networks, one with a collection of browsers configured in an ad hoc manner and the other with all of the browsers configured via a central point. Which is more likely to have security issues from misconfigurations? This is why a security configuration (approved manuals, etc) is a major point in both of the primary security evaluation standards.

    Why is security frequently called the antithesis to productivity? Because security is best achieved through bottlenecks. Single points of high assurance whose presence is felt across everything behind it. Consider firewalls, security kernels, and mantraps as a few prime examples. Now there may be ways to configure Firefox uniformly across a network in a mandatory fashion... but such a method has undergone no formal evaluation (or even much informal evaluation) and consequently cannot be trusted.

    cheers,

    catch

  10. #20
    Senior Member
    Join Date
    Apr 2002
    Posts
    161
    Thanks, everyone for your feedback.

    So, it would be correct to say that for visiting sites that require a secure connection it's the same to use IE or Firefox, since the protocols for secure connections are standards shared by both browsers. What will you choose to use, IE or Firefox, for, say, online banking?

    cheers
