Message-ID: <05b301c5550b$a436c060$0e3eac18@MLANDE>
Date: Tue May 10 03:52:55 2005
From: mlande at bellsouth.net (Mary Landesman)
Subject: Firefox Remote Compromise Leaked

I find security in understanding how best to secure a browser, rather than
switching to whichever one advertises the fewest vulnerabilities regardless
of how open that interpretation might be.

My point is that crunching numbers reveals different results, depending
solely on the desired outcome. One could equally argue that Firefox had the
advantage of learning from IE's mistakes, hence comparing the first six
months of a browser three years later becomes a moot point. But, of course,
if one were to make that argument, one would expect Firefox to have done
better in the previous six months, which it clearly has not.

Regards,
-- Mary

----- Original Message ----- 
From: "Eric Paynter" <eric@...ticbears.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Monday, May 09, 2005 8:24 PM
Subject: Re: [Full-disclosure] Firefox Remote Compromise Leaked


On Mon, May 9, 2005 4:46 pm, Mary Landesman said:
> Well, that's one way to crunch the numbers.
>
> Of course, IE 6 has been out since 2001, Firefox 1.x was released three
> years later. Looking at the advisories on a timeframe basis for 2005,
> Firefox 1.x has had 12 Secunia advisories compared to 6 for IE 6. In other
> words, the odds you're banking on shift quite a bit depending on how you
> look at it.

Ah, but new releases always have more bugs, which are supposed to get
ironed out over time. I guess for a more accurate look at the overall
quality of the release, compare IE in its first six months to Firefox in
its first six months... I get 12 advisories (2 highly critical) for
Firefox and 18 advisories (7 highly critical) for IE in that time period.
It still looks to me like the future is safer with Firefox.

OK, so next you'll say "but Firefox didn't have the same market share when
it first came out. Now that people are using it, the numbers of found
vulnerabilities will go up..."

Well, I guess it's just a game of numbers at this point. But the fact is,
I feel more secure with Firefox because they actively work with the
community to fix the problems. The team seems to really care and take
pride in the quality of their work. I somehow don't think we'll ever see
something like "Microsoft MCIWNDX.OCX ActiveX Plugin Buffer Overflow"
rated highly critical and still not patched almost two years after the
announcement, or "Windows Explorer / Internet Explorer Long Share Name
Buffer Overflow", also rated highly critical and over a year old with no
patch available. If we did have things like that start happening, I'd bail
off of Firefox pretty quickly. But for now, they've been very responsive,
and that makes me feel more secure.

To each his or her own...

-Eric
