Bill said:
I guess you've made your decision then, since IE7 will be available only for
Windows XP Service pack 2, before Longhorn, at any rate.
Thank you for responding thoughtfully...
Our company's target is to not migrate from 2K until Longhorn (sigh).
I have input and I'm very pro XP for many reasons, but I do not control
budgets, applications nor the shareholders.
What's been your experience with security patches for Firefox, and how would
you compare that experience with the available tools and mechanisms
Microsoft uses to distribute patches? I'm not talking about frequency or
"urgency" of patches--let's take it as a given that there will be security
flaws found and patches needed regardless of browser vendor.
My experience with Firefox has only seen two security updates rolled out
since version 1.0, and my experience was that the first failed when using the
browser's auto-installer (FF gets a notification of updates in the title
bar area, similar to a Windows update notification in the sys tray) but
the update worked when installed from their website. The second update went
fine. My thoughts are that the browser is too new to effectively analyze
the process from an end user standpoint.
What are the standards Firefox adheres to in this area?
I don't know though, just like I don't know Microsoft's.
Here's a relevant page, open to the public mind you....
What's the proportion of unpatched to patched vulnerabilities?
At this point I believe it's 100% of known issues, time will tell!
My major security concern with Firefox / Mozilla products is the
Extensions. See the text below as to why Firefox is inherently more
secure out of the box and why, no matter how many patches MS puts out,
until they change core functions/features (IE 7?, Longhorn?) they will
have ongoing issues.
Firefox does not allow programs to be installed on your computer without
your permission (partially addressed in XP SP2), does not have access to
"local" execution, and does not have ActiveX. These are the bane of IE /
Windows security, all of which exist for "luxury" level functionality
and were all known to be security issues when deployed.
Mozilla Security
<http://www.mozilla.org/security/>
Known bugs that have been fixed (seems out of date)
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>
Cash rewards for security bugs
<http://www.mozilla.org/security/bug-bounty.html>
<http://www.mozilla.org/security/security-announcement.html>
Recent security failings in Internet Explorer have caused experts
(Including the United States Department of Homeland Security's Computer
Emergency Readiness Team) to recommend that consumers stop using
Internet Explorer and switch to other browsers. Mozilla Firefox and
other Mozilla browsers use a fundamentally different security
architecture than does Internet Explorer. As a result, Mozilla browsers
are not affected by a range of security problems that compromise
Internet Explorer. For more detail on exploits leading to the suggestion
to switch see:
http://www.kb.cert.org/vuls/id/713878 and
http://secunia.com/advisories/12048/.
The Mozilla design approach is to provide multiple layers of defense so
that if one protection mechanism performs imperfectly, another
protection mechanism (or two or three) will act as a safety net, thus
strengthening the system's ability to defeat attacks.
Security benefits of Mozilla browsers include:
1. Firefox and other Mozilla browsers do not allow a website to download
onto, install onto, or execute code on a user's computer without the
user's agreement.
2. Firefox and Mozilla browsers do not designate content as "local." An
architecture that includes the concept of "local" content and then gives
such content upgraded security permissions and allows it greater access
to the user's machines, means that content which is mistakenly treated
as local has vastly more potential to do damage. Indeed we saw this type
of problem in the recent Internet Explorer vulnerabilities, in which
malicious content was secretly sent to users' machines, managed to
falsely identify itself as "local" content to Internet Explorer, was
then granted enhanced access to machines running Internet Explorer, and
used that access to install a program which logged keystrokes, including
credit card numbers. Mozilla users were not affected. A more detailed
description can be found at:
http://www.kb.cert.org/vuls/id/713878.
It should be noted that these security policies can result in some loss
of convenience to the user. We all make these trade-offs in many areas
of life. For example, needing a key to open the front door of our homes
means we all have to get keys, find them in the morning and make sure
not to lose them during the day, which is far less convenient than
leaving the door unlocked. Most of us choose to trade the inconvenience
of locks on our front door for the greater security this provides. For
users who want increased security, Mozilla browsers are a great choice.
3. Internet Explorer uses a technology known as ActiveX. ActiveX,
particularly in combination with the "local" concept described above,
has been very fertile ground for those designing security exploits.
Here's how Slate summarized the problem with ActiveX (see
http://slate.msn.com/id/2103152 for the complete article):
The problem is that hackers continue to find and exploit security holes
in Explorer. Many of them take advantage of Explorer's ActiveX system,
which lets Web sites download and install software onto visitors'
computers, sometimes without users' knowledge. ActiveX was meant to make
it easy to add the latest interactive multimedia and other features to
sites, but instead it's become a tool for sneaking spyware onto
unsuspecting PCs.
4. Mozilla browsers maintain a separation between the application and
the operating system. IE browsing functionality is becoming increasingly
integrated into Windows; a security problem in browsing functionality
may therefore affect services which are shared with, or relied on by,
other parts of the operating system. This makes a multi-layered
defensive strategy complex to design and implement effectively. The
convergence of Internet Explorer and the Windows operating system has
provided fertile ground for malicious programmers.