Somehow, the public security issues are not the ones I am worried about. It is the ones not in the public domain that worry me.
Where's the horse? Better close the stable door.
Microsoft is promising to release an emergency patch that tackles a zero-day vulnerability in Internet Explorer on Friday. In the meantime, the software giant is pointing customers towards a temporary fix, issued on Wednesday. The stopgap fix uses Redmond's "application compatibility shim mechanism" as a sort of battlefield …
One of the reasons I use Linux is purely trust. I don't trust Microsoft to (a) produce secure software, (b) not put in back doors, (c) fix known issues quickly.
When there are security issues with Linux you generally know what has caused them, plus the fixes are usually far faster. Sometimes distro X may be slow to release fixes; however, you ALWAYS have the choice to patch it yourself.
I agree with you yossarianuk - a lot of people realised this decades ago, but we get called all sorts of names for thinking it and then the reasons we state get misconstrued to things like "if we can see the code, it's somehow magically more secure even if it's crap". It's not a question of security, or business, or affordability, or readability, or features, or even neat coding tricks.
The question of who you rely on is a big one in computing and, in my history, Microsoft is not a front-runner. I honestly can't guarantee that my Windows servers will be running tomorrow, even if I don't count hardware failure as a possibility. And I can't even say how long it would take to get a fully-functional replacement up and running either. And it's because of my lack of trust in Microsoft products given my experience with them.
Browsers are probably THE most important application that I allow to traverse my firewalls - they act on untrusted input all day long and have to do so fast and efficiently, and they change constantly to keep up with standards. As such, I haven't used IE since, literally, IE4. It was just that bad. I was on Netscape before most people had ever even heard of the Internet (I remember my CS teacher being flabbergasted that I got an email from someone in Canada because they'd downloaded one of my games, and they read it out in class they were so overawed!) and from the first days, IE was always a heap of junk. It would take a lot more than "making good" the problems I find myself to get me to use it again, after that amount of bad history.
I have a sort-of-plan at the moment to write a video game. I have lots of code running already, and the expertise to make it work, and I don't think it will be anything fabulous or fantastic but, hey, I might sell a few copies in the style of some shareware-type games from back-in-the-day even if it's just as a smartphone app or an indie bundle game or something.
And occasionally I get to dreaming about how I'd scale up if it sold millions. Employ programmers and artists, set up a compile farm, testing environments, distribution channels, payment processing, server hosting, version control, software patching, etc.
First item on the wishlist would be Linux desktops, Linux servers, Linux hosting, Linux cross-compilation, Linux virtual-machine hosts. The only MS-reliant item I'd have would be a real home PC with Windows on it as a sort of acid test (because I would not like to think that making something "Windows compatible" would go out to the public without at least one real-world test on the intended OS). I literally would actually go out of my way, if I had enough funds, to avoid anything to do with "that" company even if I was writing games for their platform. I'm not even sure it would cost more or cause a lack of features on my end if I did either. But for sure, the productivity of updates, security and the simple things in life (like having a fecking desktop work how ****I****, the user, want it to) would be worth any hassle I did encounter.
I honestly don't trust MS to make a game that I won't hate to install any more. Just how do people trust it to run their most critical and attack-vulnerable piece of software? I spend half my time setting up new PCs to turn off lots of the MS junk and install things that I know will do a better job (AV is one, software firewall is another, browser is another).
I don't get people that still use IE. Hell, at absolute maximum, I'd run it with settings that prevented it from accessing anything external whatsoever. A hole sitting in it for a week or so is nothing compared to the nightmares that it's experienced over the years.
On a side-note: My employer has just asked me to block anything IE talking out at the proxy that controls the web filtering (even though it's not accessible in any of our standard disk images). Totally unrelated to this vulnerability, and we've been a Firefox shop for years now, but just one of those things that even non-techies are starting to pick up on. It's just too much of a liability to have around and to trust to work how you expect.
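Blocking IE at the web-filtering proxy, as the post above describes, comes down to matching the User-Agent header. The following is an added example, not code from the original post or from any proxy product: it scans constructed proxy log lines in Apache/Squid "combined" format and reports which clients are still talking out with an IE engine. The log lines, client addresses and URLs are made up for the example.

```python
import re
from typing import Dict, Iterable, List

# Tokens that identify the IE engine in a User-Agent string. "MSIE <n>" is
# sent by IE up to version 10; IE11 dropped that token and identifies itself
# only by "Trident/7.0". Matching both catches every IE release, and also
# applications that embed the IE WebBrowser control, which reuse IE's UA.
IE_UA_RE = re.compile(r"\bMSIE\s+\d|\bTrident/\d", re.IGNORECASE)

# Apache/Squid "combined" log format (assumed here):
# client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Sep/2012:10:12:01 +0100] "GET http://example.com/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '10.0.0.7 - - [17/Sep/2012:10:12:03 +0100] "GET http://example.com/news HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
    '10.0.0.9 - - [17/Sep/2012:10:12:05 +0100] "GET http://example.org/ HTTP/1.1" 200 731 "-" '
    '"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.11 - - [17/Sep/2012:10:12:09 +0100] "GET http://example.net/ HTTP/1.1" 304 - "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"',
    'this is not a log line',
]


def is_ie_user_agent(ua: str) -> bool:
    """True if the User-Agent advertises the IE/Trident engine."""
    return IE_UA_RE.search(ua) is not None


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def find_ie_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the client, request and UA of every request made by an IE engine."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # skip malformed lines instead of guessing at them
        if is_ie_user_agent(rec["ua"]):
            hits.append({"client": rec["client"], "request": rec["request"], "ua": rec["ua"]})
    return hits


def ie_clients(lines: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated list of client addresses still using IE."""
    return sorted({hit["client"] for hit in find_ie_requests(lines)})


if __name__ == "__main__":
    for hit in find_ie_requests(SAMPLE_LOG):
        print(f'{hit["client"]}  {hit["request"]}  [{hit["ua"]}]')
    print("clients to chase:", ", ".join(ie_clients(SAMPLE_LOG)))
```

The same two tokens give the enforcement rule. On Squid, for instance, a `browser` ACL matches the User-Agent with a regular expression, so `acl ie_ua browser -i MSIE[[:space:]][0-9]|Trident/[0-9]` followed by `http_access deny ie_ua` placed before the allow rules blocks IE outright. Two caveats a practitioner should keep in mind: the User-Agent is client-supplied and trivially spoofed, so this is a hygiene control that finds stragglers rather than a security boundary, and any line-of-business application that embeds the IE engine will be blocked by the same rule, which may be exactly what is wanted or may break something, so run the report over a day of logs before switching the deny on.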
"The question of who you rely on is a big one in computing and, in my history, Microsoft is not a front-runner. I honestly can't guarantee that my Windows servers will be running tomorrow, even if I don't count hardware failure as a possibility. And I can't even say how long it would take to get a fully-functional replacement up and running either. And it's because of my lack of trust in Microsoft products given my experience with them."
Given your experience with them... which, given the rest of the paragraph, I'd say is basically none. I could say all the same about Linux (well, I couldn't, because I work with Linux all the time, but for argument's sake) and it wouldn't mean it's true, just that I don't know how to use it.
Partial quotations for the win....
The BSI only recommends the use of an alternative browser until the flaw in IE has been fixed. It does not recommend ditching IE:
"The BSI therefore recommends that all users of Internet Explorer use an alternative browser for internet use until the vendor has made a security update available."
https://www.bsi.bund.de/ContentBSI/Presse/Pressemitteilungen/Presse2012/Internet%20Explorer%20Warnung%2017092012.html
This is done because the workaround published by MS, EMET, is only available in English and not in German or any other language.
we've seen a big rise in non-IE exploits recently
Source perhaps? We'd probably have to trawl through the release notes of the various patch releases, but as a user of Opera, Firefox, Chrome and Internet Explorer I'm pretty sure that I've had more patches for IE in the last 12 months than for the others.
All browsers suffer from exploits, but the makers deal with them very differently. Google is currently pimping its security credentials by offering bounties for discovered vulnerabilities. More important, perhaps, is the system of silent delivery of patches that they have established. Like it or not, it's probably the most effective way to get patches out to the great unwashed masses out there.
But even if exploits are discovered for other browsers, it's a relatively simple and painless operation to replace one browser with another and uninstall the old one if desired. This is not an option with Internet Explorer because it is part of the Windows operating system. That has always been Microsoft's biggest mistake.
So what you're saying is that a piece of software which has no patches is totally secure and bug free? Or maybe it's not well maintained?
No, I was only countering the assertion that recently there has been a "big rise" in exploits for browsers other than Internet Explorer. All my browsers have been patched as opposed to being updated.
AC, the article you refer to cites some numbers (for which no sources are offered, BTW). The author is not talking about exploits; he is talking about some vulnerabilities, where severity is taken into account. See the difference?
I'd like to see at least one exploited (severe) vulnerability in the wild found in both FF and Chrome(ium). Google can afford to pay cash for every (purely browser) exploitable vuln. A wise policy. They are pretty confident that such vulns are scarce. So, if one takes your and the author's point of view, Google would have gone bankrupt a long time ago.
I myself prefer Firefox on GNU/Linux. It is as secure as Chromium. However, it has a richer set of plug-ins, like NoScript (making it more secure), Adblock and Flashkiller (making me so much less annoyed) and others. I also enable AppArmor profiles for it.
You are very much mistaken (except for maybe Opera) or you need to update to IE9 then. See Secunia.org:
http://secunia.com/advisories/product/34591/
http://secunia.com/advisories/product/30282/
http://secunia.com/community/advisories/search/?search=chrome&page=1
http://secunia.com/advisories/product/28698/
Well, not really. I didn't find the Trend Micro analysis terribly useful; it just lists numbers of vulnerabilities patched, while not mentioning severity. The fact of the matter is, in IE blackhats and researchers keep finding one hole after another that completely subverts security, sometimes even in kernel mode. The vast majority of the Firefox holes were like "we found a potential problem in the source code" and it's fixed without necessarily even knowing if it's exploitable.