Anthony G. Atkielski wrote:
The article is essentially correct.  From what I've seen, Firefox is
only slightly more secure than MSIE, and much of that is due to the fact
that it does not support ActiveX components.  I've always taken for
granted that the browser would not be truly secure, as that would
require a rigor in coding and a preoccupation with security that clearly
doesn't exist with Firefox.

No, the article's argument is a strawman.

It's asking for a perfect browser with no vulnerabilities, and finding that Firefox is not that browser, so it concludes it's no better than Internet Explorer.

But nobody ever pretended there would be no vulnerabilities in Firefox. The real thing that upset everybody about IE is that it went months with a list of more than two dozen publicly known, unpatched vulnerabilities.

And that is not the case with Firefox. I know only one vulnerability that had to go public before it was fixed (*), but then in a few days, and many were fixed within a few days of being reported.
If you want to stay at the tip of the most secure release with a stable browser, you can use the nightlies of 1.0.x. Then the public releases, in which it was made sure the fix did not cause regressions, are released fairly often (**).


I don't believe Firefox has done so badly in the last months, except the javascript problem that was really serious, but still could be fixed rapidly. It has been under a level of scrutiny that it never encountered before and that revealed a number of problems comparable to the number found for IE in the same period, even though IE has been under that level of scrutiny for years and has had no significant functional evolution. It probably will be fun to see how many things they will get wrong if they implement tabs in IE 7. It's not unlikely for Firefox that after that initial period, in addition to being fixed rapidly, the rate of new security issues will be lower.

But the most interesting part of the article is the solution the author suggests. Use a HTTP/Virus filter (or more use the HTTP filter I'm selling). That's the fun part. How can he know what will have a bad effect on Firefox before the security issues are found? Oh, he can't, so he can implement the filtering only after they are revealed. And if so, there is no interest in using his solution WRT using the latest version of Firefox that also fixes those problems very shortly after they are revealed. Even if he manages to be faster, FF is fast enough that it's not significant. And it's much cleaner to fix the problem in the browser, whereas a content filter is an added layer that can break and can easily have a lot of unwanted effects.
Some security issues cannot be solved by his filter (like the one in (**) below), so I need the latest version of FF anyway, therefore where is the interest of the solution he's selling? Not even talking about the fact I prefer the free update to the paying solution.


(*) OK, it's known there are other vulnerabilities hidden for a very long time inside bugzilla. But I think the reason for that is that those vulnerabilities are either quite minor, or something that would require a very clever solution to fix without breaking the web as we know it today.

(**) That said, the fix that went in official releases for the problem when saving .lnk files, Security Advisory 2005-21, that broke browsing the disk using shortcuts in the save dialog, was quite poor in terms of the security benefit/loss of functionality ratio, but Doug T is working on a better trade-off.
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security