Firefox went ton up in bugs in 2008

Firefox had more vulnerabilities than Internet Explorer last year, but zero-day threats to the Mozilla browser were fixed more quickly than those affecting IE. An annual scorecard report from security notification firm Secunia found that Firefox was hit by 115 security flaws in 2008, more than the combined number of its three …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Stop

    Great

    Here come the anti-fanbois, whining about what they think the fanbois will say... Do us all a favor and give it a miss, will you?

    Irony? What's that?

  2. Andrew Norton
    Paris Hilton

    Shock Horror!

    quality of work lots of people can participate in found to be low. That's not news, that's common sense. Maybe this, though, will cut down on those saying 'I use Firefox, because IE's just too buggy'. Well, I use Opera, because Firefox is just too buggy (and system-heavy, and slow)

    If you really want an eye opener, go look at the numbers on there for Firefox 2.x and 3.x, and compare it to Opera 9.x - which covers pretty much the same timeframe. Kinda blows the 'Firefox is safer' argument out of the water.

    BTW, it's true about the speed. I still use an 'older box' (around 1GHz - some of the parts date back to January 2000) and using Firefox is horribly slow. It's not as obvious with a newer system (like my Q6600 desktop, or QL-62 laptop), but if you time it, you'll see it.

    There's also a general stability issue with Firefox, with that memory leak I hear about. I've an old server (poweredge1650) that's mainly a research machine, I've not closed a single tab on it since September. There's nearly 300 open, across 7 windows. Had I been running Firefox, the ram usage would be astronomical. Of course, with an upgrade now to 9.64, the session will need restarting, and the ram counter starts again (but the back and forward arrows still work :-)

    Paris because, well she's even wondering where the surprise is

  3. Chronos
    Flame

    Flamefest

    in 3... 2... 1...

    Perhaps a little more relevant would be the numbers for how many of these vulns were actually exploited in the wild divided by market share with a fudge factor for those who refuse to upgrade. That would then be a meaningful number upon which to base decisions on which browser to choose. It is also an impossible task without omniscience of the 'net's browser usage. All else is blind conjecture and quoting the number of patched vulnerabilities and bugs is rather misleading in this context.

    Firefox 3 + Noscript + Adblock Plus + Refcontrol - Google crap pulled out of about:config and the whole shebang made privacy-safe to my standards [1] here, although I'm no fanboi specifically because of the Google crap, that shitty URL bar (which I also castrate using about:config) and the level of knowledge required to make Fx privacy-safe. YMMV, depending on your priorities. For me, Fx is about the best of a bad bunch. Konqueror is getting there (and so is compatibility with NS plugins), but without fine-grained referrer and scripting control, it's no replacement for a well set up Fx installation.

    [1] This carries over to upgrades within the same major version number. I've never had to re-do this config except on the 2->3 upgrade. No, this isn't because I spend all day on pr0n sites; it's because I have an almost rabid hatred of private companies that think they have a right to track people about the interwibble. As I said, YMMV depending on your priorities. A big thanks to ElReg and the EFF for alerting me to the dom.storage.enabled key, too. I missed that crafty little bugger.

  4. David Eddleman

    No surprise

    Not to bash on Firefox (love it & use it), but the more popular something becomes the more it gets targeted by attackers. See: Windows.

    ...waitaminute, didn't I say this before about the iPhone? I think I did.

    http://www.theregister.co.uk/2007/07/28/comments/

    Yep, I did. There must be a trend here.

  5. Anonymous Coward
    Stop

    All I say is this...

    http://www.theregister.co.uk/2007/10/12/microsoft_uri_reversal/comments/

    Now who's laughing?

  6. Len
    Unhappy

    Too bad it doesn't tell us about security

    The problem with Secunia's reports is that they punish companies that disclose and fix their bugs. The best way to become Secunia's "browser with the least flaws" is not to disclose any of your security issues and certainly don't patch them (as that is a disclosure as well).

    Sure, a handful of issues may be discovered outside your test labs but those will always be fewer than those from browsers that are open about security.

    The central issue is that Secunia has no data about the number of existing security issues. It only has data about the number of issues that are in their database. There is an unknown 'dark number' of issues that nobody knows the exact size of, and certainly not Secunia. They can only take a stab at it, a rather unreliable one.

    One can only hope that browsers developers ignore Secunia (as most fortunately do) and keep vigilant about their security.

  7. Keith T
    Paris Hilton

    Haste makes waste?

    I wonder if the haste with which the FF folks fix bugs introduces new bugs.

  8. Nicholas Ettel
    Stop

    *sigh*

    As always, this sort of thing is horribly misreported. Firefox did not "have more" vulnerabilities than IE, Opera or Safari - it *fixed* more vulnerabilities. Fixing vulnerabilities is a good thing. But it could mean one of two things: 1) the product actually has more vulnerabilities; or 2) the company is more actively involved in trying to fix its product. No company or product will ever be perfect, but taking an active approach to making it better is not only commendable, but a good business practice.

    The only way to prove that one product has more vulnerabilities than another is to count them. But there's one problem: no one knows how many unknown vulnerabilities there are, and no one will ever know. So, we can only report on the number of *known* vulnerabilities, which is ambiguous in and of itself - how many vulnerabilities were fixed that weren't divulged?

    Instead, the article should only report on how many vulnerabilities have been publicly fixed thus far, but NEVER how many total vulnerabilities there are. Just stick to the facts, Jack.

  9. David Barr

    Thankfully demographics keep the impact down

    For now it seems that the malware is still targeted at Internet Explorer. However Firefox doesn't have the update deployment that MS has, and I'm guessing has an ever increasing user base. Just like Apple are starting to warn their consumers that they aren't bulletproof I guess that we'll start to see Firefox holes targeted eventually.

  10. Adam
    Paris Hilton

    JavaScript Vulnerabilities?

    Anyone know how many JavaScript vulnerabilities there were for the major browsers in 2008? Would be interesting to compare them to Flash and Java.

  11. Anonymous Coward
    Anonymous Coward

    So if you put the figures together

    FF = 115

    IE = 31

    ActiveX = 366

    So MS browser technology had 397 security bugs compared to Firefox's 115

  12. Anonymous Coward
    Anonymous Coward

    BMW

    I have a BMW because it drives great and you can tell the engineering and craftsmanship are of inherently good quality. That being said, by many statistical measures, it is not a very reliable make of car. I also use Firefox because it feels better engineered and the user experience is finely crafted--even when it crashes, the user experience is 10x better than IE's. (Pleasant dialog offering to bring up your tabs again, with windows in the same locations, etc.) I'm not convinced it has more security flaws than IE but even if that's the case I'll still prefer using it just as I prefer driving my BMW to a Toyota.

  13. Anonymous Coward
    Paris Hilton

    @BMW

    BMW!? What a piece of crap. Quality German engineering is found in Mercedes Benz. And I know of a few ex-BMW fanbois that, once after getting behind the wheel of a Merc, stopped being fanbois. After all, fanbois do not drive Mercedes Benz. Class != fanbois.

    Paris. As she drives a Merc too.

    PS. Thought I'd redirect the flamewar to something more interesting than FF vs IE.

  14. raving angry loony

    whatever.

    Whatever. I use Firefox only because of Noscript and Adblock. Give me that functionality in an easy-to-use form in another browser, and I'll consider it. Requirements (control over my screen), meet solution.

    Remember, all hardware sucks, all software sucks, the rest is personal preference.

  15. Anonymous Coward
    Anonymous Coward

    Not convinced

    All we know is that Mozilla admit to fixing more vulnerabilities.

    Anyway, until Opera and IE come with Adblock and NoScript, I'll give 'em a miss. They prevent far more risky things than exploitation of obscure vulnerabilities.

  16. Mark Aggleton
    Thumb Down

    @ Various

    Obviously the last version of IE BMW drove was 5.01. Have a look at 8.

    Chronos doesn't seem to realise that most people just want a browser that works, not one that they have to faff around with to make it work.

    Remember Fartfux sucks.

  17. Greg

    More bugs got fixed because...

    ....it's open source, so more get found? I mean, on Linux I get a million times more updates than I do on Windows. Does this mean that Linux is less secure than Windows? Hell no! It simply means that the good folks over at Ubuntu are doing their best to improve and secure the system, often knuckling stuff before it becomes a problem.

    I'd much rather have an open source browser with vulnerabilities that get fixed quickly than a browser with vulnerabilities that get fixed when Microsoft feel like it.

  18. Wladimir Palant
    Thumb Down

    Misrepresentation

    I don't know what I have to think about this piece of bad reporting - usually the security stories published here are pretty accurate. Issues with this article:

    1) Not a single word mentioning that the number of security issues fixed are absolutely meaningless, esp. the headline is misleading. See Nicholas Ettel's comment for an explanation. Note that Mozilla has a strict policy of publishing all security issues fixed (and even issues that *might* be security-relevant). In particular, many of these issues have been discovered internally - Microsoft typically silently patches internally discovered issues.

    2) "It reports that Mozilla took an average of 43 days to deal with three such incidents last year, not all of which covered critical flaws" - why use "not all" instead of "none"? Fact is, none of the zero-day vulnerabilities discovered in Firefox were critical. Even quoting the average is misleading because it is being dragged down by issues rated as "not critical". The only "less critical" issue was fixed in merely 15 days.

    3) "Microsoft took an average of 100 days to deal with three zero-day flaws" - this gives the impression that the number of zero-days in IE is the same as for Firefox. That's what you get from the article if you don't read it too carefully. Also, the figures are certainly not 43 days vs. 100 days since three IE issues remain unpatched (and they have the same criticality as the issues that went into Firefox numbers).

    There aren't that many good sources of security news, please don't let this one become another "we just print press releases without asking questions" publication.
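
As an added illustration of the arithmetic behind the two comments above (Chronos on what a meaningful number would have to normalise for, Wladimir Palant on why "43 days versus 100 days" is not a like-for-like figure), and not code from the article, from Secunia or from any commenter: the script below runs the same metrics over a small constructed data set. Product names, severities, dates and the 31 December 2008 cut-off are all invented; they are chosen only so that the naive averages come out at 43 and 100 days like the quoted figures, with three further issues left unpatched the way the comment describes.

```python
"""Vulnerability-scorecard arithmetic on constructed sample data.

Shows why a headline count and a single average time-to-fix mislead:
the average pools severities, and leaving unpatched issues out of it
flatters the slower vendor. All figures below are made up to reproduce
the 43-day / 100-day shape discussed in the thread; they are not Secunia's.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Assumed report cut-off; an open issue counts as exposed up to this day.
REPORT_DATE = date(2008, 12, 31)


@dataclass(frozen=True)
class Issue:
    product: str
    severity: str          # Secunia-style label, e.g. "critical", "not critical"
    disclosed: date        # date the issue became public (zero-day: before a fix)
    fixed: Optional[date]  # None = still unpatched at REPORT_DATE


# Constructed sample: product A fixes three low-severity zero-days, product B
# fixes three critical ones slowly and has three more critical ones still open.
ISSUES: List[Issue] = [
    Issue("A", "less critical", date(2008, 2, 1), date(2008, 2, 16)),   # 15 days
    Issue("A", "not critical", date(2008, 4, 1), date(2008, 6, 10)),    # 70 days
    Issue("A", "not critical", date(2008, 8, 1), date(2008, 9, 14)),    # 44 days
    Issue("B", "critical", date(2008, 1, 10), date(2008, 4, 19)),       # 100 days
    Issue("B", "critical", date(2008, 3, 1), date(2008, 6, 9)),         # 100 days
    Issue("B", "critical", date(2008, 5, 1), date(2008, 8, 9)),         # 100 days
    Issue("B", "critical", date(2008, 10, 2), None),                    # open, 90 days so far
    Issue("B", "critical", date(2008, 11, 1), None),                    # open, 60 days so far
    Issue("B", "critical", date(2008, 12, 1), None),                    # open, 30 days so far
]


def issues_for(product: str) -> List[Issue]:
    return [i for i in ISSUES if i.product == product]


def days_exposed(issue: Issue, as_of: date = REPORT_DATE) -> int:
    """Days from disclosure to fix; for an open issue, to `as_of` (a lower bound)."""
    end = issue.fixed if issue.fixed is not None else as_of
    return (end - issue.disclosed).days


def headline_count(product: str) -> int:
    """The scorecard number: issues listed, regardless of severity or state."""
    return len(issues_for(product))


def count_by_severity(product: str) -> Dict[str, int]:
    """The same count split by severity, which the headline number hides."""
    return dict(Counter(i.severity for i in issues_for(product)))


def naive_mean_fix_days(product: str) -> float:
    """Mean over *fixed* issues only, all severities pooled: the quoted figure."""
    return mean(days_exposed(i) for i in issues_for(product) if i.fixed is not None)


def fix_days_by_severity(product: str) -> Dict[str, List[int]]:
    """Fix times per severity, so one quick 'less critical' fix is not pooled
    with two slow fixes for issues nobody would bother to exploit."""
    out: Dict[str, List[int]] = defaultdict(list)
    for i in issues_for(product):
        if i.fixed is not None:
            out[i.severity].append(days_exposed(i))
    return dict(out)


def exposure_summary(product: str, as_of: date = REPORT_DATE) -> Dict[str, float]:
    """Count open issues and average exposure with open issues included,
    censored at `as_of`. The result is a lower bound that grows every day
    an issue stays unpatched, whereas the naive mean never moves."""
    items = issues_for(product)
    open_count = sum(1 for i in items if i.fixed is None)
    return {
        "fixed": len(items) - open_count,
        "open": open_count,
        "mean_exposure_days_lower_bound": mean(days_exposed(i, as_of) for i in items),
    }


if __name__ == "__main__":
    for p in ("A", "B"):
        print(p, headline_count(p), count_by_severity(p))
        print("  naive mean fix days:", naive_mean_fix_days(p))
        print("  per severity:", fix_days_by_severity(p))
        print("  exposure at report date:", exposure_summary(p))
        print("  exposure a month later:", exposure_summary(p, date(2009, 1, 31)))
```

Run stand-alone it prints both products side by side: A's pooled mean of 43 days is made of one 15-day fix and two fixes for issues rated "not critical", while B's 100 days omits three open critical issues entirely, and B's censored lower bound rises from 80 to 95.5 days by the end of January. Normalising by exploitation in the wild and market share, as Chronos suggests, would need data no public scorecard has, which is his point.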

  19. James Dunmore

    @Andrew Norton

    Opera has fewer bugs/flaws because fewer people use it, and therefore has less exposure to allow bugs to be found/exploited.

    Still Firefox or Opera > IE by a country mile !

  20. Anonymous Coward
    Flame

    @AC

    Using a BMW is a crap example. They still haven't managed to fix the 20 year old flaw where the ****** inside still insists on tailgating every chance they can.....

  21. Aristotles slow and dimwitted horse

    Really...

    Does anyone give a flying f**k as long as they are reported and fixed.

  22. Bob Gateaux
    Thumb Up

    Better to just use IE

    I decide not to have the Firfox because of too slow - this will always be the problem when writing a browser in Javs.

    The IE comes free and does all my needs and it can use the ActiveX which make things run better and more exciting.

  23. Anonymous Coward
    Paris Hilton

    Begyourpardon?

    Bob, are you joking? Please advise, my irony meter blew about 6 posts up so I'm flailing around in the dark here.

    Need a "my irony meter is down" icon... Paris'll do. She goes down all the time.

  24. Cameron Colley

    What are these bugs though?

    All I've read about recently are "bugs" that could make gullible people think they've arrived at their internet banking site when they haven't -- but you've still to get them there.

    Other than the latest memory-leak crashing for both Opera and Firefox I don't recall a bug that caution, or NoScript, couldn't prevent.

    Is the interweb really so trustworthy nowadays that people just put their details in anywhere when asked -- or am I missing something?

  25. Chronos

    @Mark Aggleton

    That's why I said "YMMV." Do try to keep up back there, old son.

  26. Kajiki
    Thumb Up

    @Bob

    That comment made my Friday. But I'll remind you that April 1st is not for another 3 weeks or 4 weeks.

  27. Anonymous Coward
    Anonymous Coward

    Secunia flawed

    I manually removed Flash and Java, then downloaded the newest versions, but Secunia still insists I have the old, insecure versions.

    As mentioned above, this only covers Browsers, it does not take into account the various add-ons that stop 99% of all exploits dead in their tracks, NoScript, ABP, and similar are now so vital to ALL browsers that it is criminal for MS to ignore the job they perform.

    As someone else said, until other browsers allow programs like NoScript to work with them, I will be sticking to FF; besides, my spelling is crap, I couldn't live without the built-in spell checker for posts such as this one. :-0

  28. bass daddy
    Go

    Surely...

    it all comes down to openness.

    If you are more open about vulnerabilities then you gonna be at the top of these lists.

    But there again, Microsoft wouldn't hide problems with IE now would they?

  29. Donna
    Stop

    @Not convinced

    Firefox doesn't come with Adblock and NoScript, they're add-ons.

    Opera has better script, ad blocking and site rendering control than FF out of the box. F12 for quick preferences or right click for block content of individual pages.

    The reason I won't use FF has nothing to do with whether it's "secure." I won't use it because it has very little configurability unless you want to edit an .ini file and to make it do what you want, you have to download third party add-ons.

    No wonder it crashes so much.

  30. richard

    still doesn't sort out...

    the fucking slow startup of FF! why are IE and safari quicker, i go and boil the kettle while firefox starts up...jeez

  31. Bob Gateaux
    Thumb Up

    @richard: still doesn't sort out...

    This is most correct Richard and it is as I say before - the Firfox will always run the much slowest because of the Javs. It is the price we pay for portability and the dream of write-once-run-most-times.

    But for me the slowest cannot be my desire since I must have speed on my internet at all times, and for this I settle my choice with the free internet Explorer which I gratefully recieve.

  32. Anonymous Coward
    Joke

    @Bob Gateaux

    "The IE comes free and does all my needs and it can use the ActiveX which make things run better and more exciting."

    Thanks for the laughs, Bob.

  33. Chronos

    Re: Not convinced

    Quite. This simply goes to prove my point (that everyone missed): There is no one browser to rule them all. They're all flawed. Firefox is time-consuming to set up correctly, *still* seems to leak memory, needs plugins to complete its feature set, has to be decrapified to be trusted and can be frustrating to newbie users but is the most configurable browser out there. At least you /can/ add plugins to the thing and it has a documented API for doing so.

    Opera is great for those who want it to Just Work [TM Apple Inc.], but its closed source nature is something of a problem and they tend to bitch a /lot/ when someone else points out a vulnerability. Remember the noise they made when Mozilla patched and disclosed a bug that also affected Opera[1]? That sort of attitude shows a certain evasive approach towards security.

    IE is getting better but it's Windows only and is too closely tied into the OS it runs on top of (actually, it's more like "within"), leading to any vulnerability being more serious than it should be. ActiveX also needs to die a quick, painful death, as do annoying BHOs that you can't get rid of.

    Chrome? One question: Why is the base source open but the finished product closed? Are they hiding something? Meh, the usual Google panopticon dream, which is a dream because everyone affected is asleep, metaphorically speaking. Iron is looking reasonable but lacks features. Safari and most of the rest of the non-KDE Webkit based browsers like Midori are unknown quantities, Safari especially given Apple's propensity for trying to trick you to install the thing with iTunes, are often feature incomplete and, in the case of Safari, platform specific (Win & OSX).

    Konqueror is looking like the browser I'll end up settling with eventually. Once it gets the same features as Fx with the plugins I mentioned (there are already wishlist entries with votes on the KDE bug tracker for these features and more) it will fit *my* idea of the "ideal" browser, assuming conditions on the web remain the same. It already has Adblock with support for unaltered Adblock blacklists. It also has fine-grained scripting control, but buried within several layers of menu and needs bringing to a more accessible place. Open, configurable, privacy-safe, fast (now, after much pain and suffering) and works on all platforms that support Qt4.x. Downsides include imperial arseloads of Qt and KDE libraries required (but since I'm running KDE4 anyway, what the hey) and possibly similar criticism to that I directed at IE, being too tied up with the window manager.

    As before, this isn't a choice I'd try to inflict on anyone. I'm already familiar with KDE4 from several points of view. My needs are not your needs, so go and do your own research and find your own ideal browser. This "blindly follow the pack" nonsense and criticising other people's choices based on numbers that, when taken out of context, mean sweet FA is worse than just sticking with what's already installed.

    Bob, WTF are "Javs?" Fx uses quite a bit of JS internally but is certainly not wholly coded in Java. A huge clue is that it compiles with GCC and runs fine without a JRE on all platforms. You're ferreting around in your .mozilla or $HUGE_PATH\Mozilla directory on Windows, aren't you? You're seeing all those .jar and .js files and jumping to conclusions, aren't you? I'm looking at the parser source right now and it would appear to be C++. The Javascript engine is written in good old C, as are other bits like SSL. Stick with IE by all means, just don't make obviously false shit up to justify it. You don't need to justify your choice of app to anyone else anyway, providing you'll be fixing your own fuckups. Clues may be obtained from Wilkinson's, aisle 9. Go and get one, there's a good chap.

    [1] http://www.theregister.co.uk/2008/02/18/opera_moz_security_disclosure_row/ Yes, I have a long memory, especially when it comes to security issues. Did Mozilla mention Opera in the disclosure? No, but don't take my word for it, check the release notes yourself. They even had the courtesy to privately warn Opera at the same time, without making anything regarding their product public. Did Opera bitch anyway? Yes. Gun | Foot > Ouch, or perhaps reminiscent of a certain Barbra Streisand.

    I was bored, having been woken at this $DEITY-forsaken hour by a small dog who shall remain nameless but has enough brownie points to be forgiven immediately for it. That's my excuse ;o)

  34. Pete "oranges" B.
    Thumb Down

    I blame marketing people.

    Of course browsers are going to be insecure, slow and clumsy; companies have tried to turn them into a bloody interface replacement!

  35. Anonymous Coward
    Alert

    @chronos

    "but its closed source nature is something of a problem"

    Right, because I'm sure you, like everyone else that touts 'open source' as a major plus feature go through the source code with a fine tooth comb before installing it, right? And then do it again before you install any newer versions, and with any other open source software?

    If you do, great, but some of us have better things to do with the rest of our lives.

    If you don't, then you're assuming someone else will, and there isn't the 'millions of eyes' looking, there's just the few with enough time on their hands (read students, or the unemployed) to do so.

    There's also the other problem - accountability. The big downside of open source projects is, because everyone can contribute, and no-one works for 'the company', there's no accountability. If a trojan slipped into the Firefox source code, or any other open source project of choice, and wasn't discovered until after it went public, who's held accountable? It won't be Mozilla, because they 'don't own the code, its open source, and someone should have caught it.' If it was a closed source program (let's say a rootkit) and it was installed who's held accountable? I believe the FTC's shown the company would be (see Sony and the CD rootkits)

    People claim closed source is bad, but if something goes badly wrong because of their software being bad, the company is at fault. With an open source program, who's at fault? Mozilla certainly won't own up to it, even if they distribute it from their site, and claim it to be safe (http://www.theregister.co.uk/2008/05/08/firefox_component_compromise/print.html)

    The firefox site says "Firefox has security, speed and new features that will change the way you use the Web. Don’t settle for anything less." Sorry, but there pretty much isn't any less, short of old browsers. We've talked about the security and speed, but they even lie about the new features. The much touted 'awesome bar' was in Opera 9.5, released days before Fx3 (and betas before that) and to this date, there is only one feature I can think of in Firefox that isn't included by default in Opera - spelling. Every Firefox user knows the basic stuff included in Opera that isn't in Firefox, Adblock etc.....

    Let's cut to the chase, Firefox is favoured because of a large advertising campaign (millions thrown at it) and some odd notion that just because it's open source, it's better/safer. It's not, doesn't work that way (and the figures support that). It's also not very fast, doesn't follow standards, doesn't come with a lot of stuff, and is still a bigger download (7.1MB to Opera's 5.4MB) Sounds like general bad/lazy coding to me.

  36. Donna
    Happy

    @Anonymous Coward

    Spell check is in Opera 10 alpha and it actually works. I'm going to assume it will be available in Opera 10 final.

    PS: I've had Opera 10 alpha running for the last month or so and I've yet to encounter a bug. That makes me happy.
