Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1031
Location: Felton, Delaware
Nah never heard of Googling before Rolling Eyes

I just don't think you can compare apples to oranges... and yes there are places where IE isn't safe, but nothing is totally secure. Nothing, some are more than others, but others are not. IE's shortcoming is that it's not a standalone app... it's integrated into windows - there are OBVIOUS shortcomings there.

However, SP2 is still WAY WAY WAY more secure than IE used to be - even plain IE6. Yes there's room for improvement, but that takes time.
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
i know josh but do u see the point?
well in this thread it wasnt "is m$ more secure now than before" which i dont think it is btw~

the rant "was" is ie as secure as firefox?

yes or no?
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
Yes there's room for improvement, but that takes time.


been what 4-5 yrs now?
how much time do they need?

how can the biggest corporation in the world with all those ppl take so much time to fix something when say the firefox team (like 6 ppl) takes so short a time? and we dont even pay the ff ppl

like with linux, when they find a flaw how long does it take to fix?
its certainly not 4-5 yrs
cpnet


Joined: 03 Nov 2004
Posts: 135
where to start...

loftboy, I am nervous about installing anything from a source that I am unfamiliar with. I depend on my machines for my income, so I try to be cautious. But fear isn't currently what's keeping me from installing Firefox, it's my cold, xmas shopping, and getting sidetracked on these forums. Wink

I too know how to use google, and I also reviewed all of the links you posted. (Did you notice one of them even contradicted a number of claims that FireFox was more secure than IE?) I also did a google search on XP vulnerabilities. Here's the common themes I noticed: The info was often written before the actual release of SP2. (A number of changes were made in the betas and release candidates, so I don't think you should count even the articles based on the RC's of XP2). I also found a lot of incorrect or misleading info (even on some of the posts from more technical sources). I'm always extra wary of content that doesn't come from a developer-based publication. Stuff like CNN tends to have 'journalists' that sensationalize without fully understanding what they write about - and it shows. I also saw some posts that while pointing out some flaws, also pointed out that they weren't actually that serious or exploitable. Finally, another big issue with most vulnerabilities is that people run their Windows OS'es as admins. This is more of a user issue than an OS flaw (although I would agree that MS is largely at fault for creating this user issue).

As for the time to fix flaws in MS stuff vs. Linux stuff, you have to again consider the number of users using each system, and the variety of critical software they're running in each system. Every patch can have implications to other software on the machine. Because so many use MS products for so much, they can't just release a fix the next day. It really requires a lot more testing and planning. MS has much more to lose if it gets a patch wrong.

On the "Farmer's Insurance" thing... I couldn't find a link relating to this on google. I do know that a number of companies have told people not to install sp2, but I've never read it being due to a lack of security in sp2. On the contrary, these companies had a lot of software that was doing unsecure (or otherwise 'bad') things, that got broken when the more secure sp2 was installed. Also, users all of a sudden wonder why they can't open attachments in e-mail etc. This is that battle I already mentioned between security and convenience, functionality and performance. This battle is above and beyond OS choice. I'm just guessing here, but I expect legacy app compatibility is the real reason why "Farmer's Insurance" wouldn't install sp2.

At the end of the day, if we ignore xp2 specifically, and ask what's more secure FireFox, or IE (on XP2), I think the answer is that we don't know from what you've posted.

Now part of the problem may be how do you define, "more secure"? If you're counting total # of times a browser has been exploited, then most likely IE (even on sp2) IS less secure. But again, I would say this is more the result of the technical level of the average user, and the number of users of each browser, rather than the technical security of the code. I think Josh, Allen, and I are considering more the actual # of serious flaws in the code as the defining factor in what is more secure. And, I really haven't seen anything conclusive either way to prove that FireFox or IE is more secure from that point of view.

So maybe we can all agree on this: IE is currently the most exploited browser. As far as the actual technical level of security in the code, we haven't yet seen anything conclusive in this thread to prove a winner.
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
right
and i know what ur saying about ie
but also look at what u say

like ie takes so long to come out with patches and u say well its cause they have to make it mesh with more programs.
EXACTLY, thats part of the whole problem cause its too closely tied to the os

so the other way to say that is firefox can come out very quickly with patches because it doesnt have to worry about conflicting with os programs
and a proper browser shouldnt!

do u see what i am saying?

if ie wasnt directly connected to the os most of these attacks wouldnt exist because they wouldnt have access to the main os system, same goes for outlook.

its like this, for an attack to occur on ie & xp the attacker has to climb one wall to get in

to get in through firefox the attacker has to climb several walls, so which are they gunna pick?

and the funny thing is what does the most damage to xp?
vbscripts, which is so funny cause thats a m$ technology so for the attackers its a double whammy!
i can see them grinning, lol "lets use their own program to destroy them with, lol"

but that cant be used in firefox

and what happens when they exploit firefox?
all they are doing is trying to get through the browser then into the os through the os's flaws, so it just comes back to the os

u know i get most of my info through eweek, u should subscribe, let me grab a few headlines from this week

News: 'Critical' XP SP2 Update Fixes Windows Firewall Bug
Microsoft has quietly released a "critical" Windows XP Service Pack 2 update to fix a serious flaw in the Windows Firewall utility. Read about it here.


News: New IE Exploit Spoofs Web Sites
Security researchers have uncovered a spoofing flaw in Internet Explorer that could turn out to be the perfect holiday gift for scammers. Are you at risk?


Keeping Pace with Microsoft's Patches


Opinion: With Non-Critical Bugs Like These, Who Needs the Real Thing?
Microsoft's classification of the WINS bug as "Important" badly understates its importance. This is a bad one.


not ie but too funny
Judge for Sale
You can get anything on eBay -- except justice. That's what one disgruntled litigant found when she snarkily offered a New York City judge for sale on the popular auction site. Even though the highest bidder offered more than $100, she found out the hard way that crime just doesn't pay. And the judge was not amused. Our story has all of the details about an auction gone horribly, hilariously wrong.


News: 'Playboy' Virus Dropping Dangerous Backdoor
This new worm, called W32.Maslan.C@mm, arrives as an attachment promising naked photos of Playboy models but, if executed, drops an IRC (Inter Relay Chat) bot capable of transmitting passwords and sensitive information back to the virus writer. Don't be fooled.


News: No XP SP2 Security Fixes for Win2K
None of the security enhancements built into Windows XP SP2 will be back-ported to Windows 2000, which is still used by the majority of enterprises. But what about customers who can't afford to upgrade?


News: Microsoft Preps Five Windows Patches
Microsoft's monthly patch day for December will produce security updates for five vulnerabilities affecting Windows users, the company said Thursday. Check out the advance details here.


Opinion: Of Microsoft, Linux and Truth
If anything trumps the number of large enterprises using Linux, it's the number of security patches Microsoft has posted in response to its operating system vulnerabilities over the last few years. Read Bob Cancilla's column.


those have been the last week or so, so im assuming they relate to sp2 and eweek is a very reliable source

and i get those week in and week out

and maybe after seeing that for years is why i have turned my back to them.


now on your comment about firefox being opensource and your concerns

i think u have a opensource confused

ok take php, its built by the community and is owned by no one, thats one of the reasons why i wouldnt use php, any hacker can put in new features that they know how to easily break through.

now say firefox is owned by mozilla and they only have a few ppl that actually dev it. that type of opensource means that u can download it and have complete access to the code so that u can modify it as u wish for yourself or your organization but it doesnt apply to the public releases.

does that make sense?

i think the holidays just make us all grumpy Wink

i know i dont always say it correctly or nicely but i have yet to steer any of u wrong. and its ok for us to disagree (just remember that i am always right haha) because thats how we learn.

look at me and josh, we totally went at it at first and we argued till the cows came home but we get along now and we have learned from each other, he's even publicly admitted it Wink

and the first thing allen said to me was something like "i use fp and u will never get me to use anything else"
and look at him now?
a few weeks later he is a completely diff web dude Smile

im not gunna bash m$ unless there are reasons behind it and i have the reasons.

i used to act just like allen does now, then as i progressed as a dev'r i slowly saw how things really work, how things really are and its amazing how wrong ms really is!! everytime i think of ms i think of communist china, they are one and the same Wink

like china, russia, germany, someday the gates of ms will fall
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
At the end of the day, if we ignore xp2 specifically, and ask what's more secure FireFox, or IE (on XP2), I think the answer is that we don't know from what you've posted.


at the end of yesterday, yes i know that im more safe using ff than ie, there is no ? whatsoever.

why?
ff isnt vulnerable to the same types of attacks as ie and 99.99% of the attacks are made to ie, so that in itself makes me a wee 99.99% more secure by using ff. I'd surely say thats more secure.
A yr from now? who knows what that # will be but it will still be way lower for non ms browsers, so whats the problem?

and allen, so if it doesnt have the track record r u gunna wait 5 yrs to make your choice or be more secure in the meantime?
i know u will try and fight that ? but think about it?
Allen
Forum Regular

Joined: 06 Apr 2004
Posts: 410
Location: Willcox, AZ
I've decided I'm gonna stick with FrontPage.
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
figures
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1031
Location: Felton, Delaware
Allen wrote:
I've decided I'm gonna stick with FrontPage.


DOH!!! Allen!!! You're killing me!!! I just knew we'd hook you!!! *bangs head repeatedly*
Allen
Forum Regular

Joined: 06 Apr 2004
Posts: 410
Location: Willcox, AZ
Nah, just kidding. I'm gonna get a computer outta Zanzibar. I figured there weren't too many hacks that knew Swahili. They write their own code too... and it's guaranteed to be secure. Their web page editor is called Zulu and it's really neat. Would you like to hear about it Dave?
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
im sure it would be better than that microsoft crap u think is so wonderful
bobum
Elvis Fanatic

Joined: 16 Nov 2004
Posts: 746
Location: Montgomery, AL
I think the way to determine if FF is more or less secure than IE is to look at it this way. How long would it take someone to find a vulnerability in either one of the pieces of software, how large would the breach be and what would the effects of the exploitation of that breach be.

I really believe that in every case IE would be totally blown out of the water. I mean for example :
IE runs the MSJavaVM - security risk
IE allows ActiveX components - HUGE security risk
IE allows VBScripts clientside - HUGE security risk
IE users have limited control over cookies - security risk
IE allows active installs of various pieces of software - HUGE security risk

None of those aforementioned vulnerabilities exist in FF & it's sister pieces of software.

So - I believe it would be much easier for a hacker to find a vulnerability in IE thus making it less secure. So let's say that once someone does find a vulnerability in IE or FF how big of a hole would they find? Well, in FF, if they do find a vulnerability, what they could actually do is very limited. FF does not allow any programs to run clientside so the chance of downloading and installing a piece of software is slim to none. FF is not used to run things like Windows Explorer or FrontPages views, or Outlook (topic for another security risk thread...) so your other apps are safe. You can't run any clientside scripts from within FF so your OS installation is pretty secure. So whatever access they were able to gain, their ability for damage would be pretty slim. They could futz with your FF installation or your FF extensions, MAYBE get the passwords that FF stores for you, but that's about it. IE on the other hand basically gives a hacker all the power of a user sitting down behind the keyboard at said PC. They can install apps, run apps, run scripts, set up servers, heck with the ability to use ActiveX they can honestly do just about what they please. So the hole they would find and the amount of damage they could potentially do would be pretty small for FF users and pretty dang big for IE users.

I really dismiss the argument that "because soooo many people use IE that's why there are so many vulnerabilities discovered". I believe that there are so many people hacking MS apps because :
#1 MS has made it easy to do by trying to make apps like IE and Outlook all things to all people - in the effort to make these apps do WAY more than is needed, they have built in vulnerability to them.
#2 Once you DO find a vulnerability, you find a pot of gold, not just a few coins

I could go on...but I found another cool extension for FF I want to install...
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
ok so thats explained better than i did (i never explain it right) but im not so far off base either
Allen
Forum Regular

Joined: 06 Apr 2004
Posts: 410
Location: Willcox, AZ
Bobum, you've explained it A WHOLE LOT better than Dave (who needs writing lessons for more reasons than I have to dump FrontPage). Thank you. If you don't mind, I have a few questions about those itemized security risks you listed above (remember, I'm a greenhorn).

Wouldn't most of those (if not all) be a case of what is allowed by the client? For example, while I know I've got active X controls, I don't enable it for anyone but the most trustworthy. In fact, I don't let my operating system interact with hardly anybody... they practically need a note from God. In short, wouldn't these security risks pretty much depend on how interactive one wants to be? Perhaps these risks are more applicable to the freewheeler with a devil-may-care attitude?

You also mentioned Firefox doesn't run client-side scripts, what about running something like a Google search component (tool)? I'm not sure if a "Form Method" would be considered a script. Actually in this case, Google is playing the role as a server-side host instead of HMS.
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1031
Location: Felton, Delaware
Just to help clarify now though...

MSJavaVM is not being released any longer and it's been quite some time since it's been offered.

ActiveX controls are only allowed with the user giving explicit permission for the control to be installed.

ActiveContent (such as VBScripts) raise alerts.

The other two are totally relevant.
FireFox info