Security with Open source browsers ...

Some 6 - 9 odd months ago the linux advocates claimed that the open source
browsers had much better security than any CS browser could ever hope to
provide.
Microsoft counter claim was that the people using the OS browsers were
such a small % of market, and therefore had little appeal to the hackers,
which the OS avocates dismissed as utter crap.

Then i stumbled upon this article yesterday.

http://news.com.com/Mozilla+flaws+could+allow+attacks
%2C+data+access/2100-1002_3-5674883.html?tag=nefd.top

Details of the nine flaws were published on Mozilla's security Web site
over the weekend.

So now with a market share of around 5 % in the browser market there were
9 security flaws in one weekend...
Yikes my smug feeling of having used a OS browser for the last 12 months
went up in a puff of smoke.


So i guess market share does indeed motivate people to look for holes and
bugs

 

Wait until it hits the magic 15% which is supposedly when normal people
have to start paying attention to the browser, and it gets a lot more
"mind share"

 

BTW big-dog, it's not nice to use someone elses domain when posting to
usenet, I'm pretty sure that "somewhere.com" exists, and that you're not
the owner.

 

OS browsers got the attention of non geeks when micorsoft announced the
end of IE6 ..

cheers

 

it can't have been very good at keeping attention if the browser stats
are anything to go by then.

flash in the pan then?

 

Why?

A flaw isn't a virus....though the one does take advantage of the other.

People - most often researchers - are always looking for security flaws in
popular software.

It's a good thing. The flaws get fixed and we all move on.

Because the source for Open source browsers is publicly available, I'm
betting the turnaround time between detection and fixing is pretty
short.....

 

A bug is not an active exploit, plus an exploit on IE seems to go right
into the OS and causes mayhem unlike say Mozilla.

Then add that bugs within OSS are reported with a totally open process,
you see all of them.

With IE how many are fixed without being reported publically?

Compare apples with apples.

By the same defination Apache which has 68% of the web server v IIS's 20
something % should show 3 times the attacks and vunerabilities, it does
not.

While yes I can see there is an argument that market share == mind
share, I cannot see any justification extrapolating this hypothese into
the seriousness of the exploit. Saying that given an equal share OSS's
problems would be as bad just does not hold up IMHO.

regards

Thing

 

I would also add that what ever the share maybe in 1,2 or 5 years, at
present running an OS browser on a MS OS or even totally OSS gives you a
substantial security improvement now and probably for 1~2 years. So even
if the worst comes to the worst and 2 years from now you are no better
off, you have gained real security benefits for that 2 years.

regards

Thing

 

Look all software has bugs in it. Only a fool says otherwise.

The point is that people have to take on the responsibilty of
patching/updating.

Now that the hounds have discovered the Fox it is taking notice of any
holes it has and slaming the door shut before the hounds get near.

It seems to me that the Fox is telling people to get the new and patched
version. Its as free as a download.

When the red cicle with a triangle in appears at the right hand side of
the top window frame, then please do something, ie upgrade. Click on it
and take it from there.

 

History shows this to be true. With no money in the equation, all that
left is the determination to fix the problem. With the source code
avaliable to all the best fix is found.

 

Oh dear, OS browsers got the attention of MS, then MS decided to end
MSIE6SP1

Is that more correct?

 

So, if there is a buffer overflow vulnerability in FF, are you saying it is
not as likely to be as damaging as a buffer overflow in IE?

Clearly, you do not understand the issues.

A buffer overflow is a buffer overflow. If it exploitable, it is
exploitable. If the overflow exploit exists in say a PNG graphics lib in FF
and the same lib is used in IE (it was, past tense), then you have more or
less the same exploit in 2 different browsers due to the same coding error.

Now, if two people are silly enough to log on as Admin- one runs FF, the
other IE then they are equally vulnerable and the impact is equal and is
entirely up to the coder of the exploit.

Your choice of browser will not save you. Not logging in as Admin or Root
will help greatly. Keeping your browser and OS up to date regardless of type
will help greatly.

Security is determined by the system administrator, not the OS. Installing
Linux (or Windows) in a legal office then walking off with a Job Well Done
without an on-going plan for keeping the OS and apps secure equates to an
open door for future exploits. It also represents blatent stupidity. Post
back and I might tell you why.

- Tim

 

Put it this way
I have seen many hacks attempted on one of my PCs visiting sites that
try to install trojans diallers and all kinds of hacks
Not one ofthem succeeeded... using Mozilla

Before that IE was getting hacked all the time, homepage changed,
search page, favourits being created

Mozialla may not be perfect but it is hugely better than IE

 

if it didn't keep breaking the extensions that it so badly needs, I'd
upgrade.

maybe even if they made the patches that, patches, not whole new
versions it'd be decidedly easier to download 100k of updates rather
than ~4MB whole program.

 

oh yeah, I forgot about that

 

you should see what my web-browser is called

I like to mess with peoples stats

 

use lynx!
(not the deodorant... the browser)

 

BTW, you're time is off.

 

its yours rob
might be your timezone setting

 

No idea how I got Tijuana time. Don't even like tequila.

oops

Rob