“As Firefox becomes more popular, it becomes a more attractive target. People who have swapped [from IE to Firefox], even if this is a blip, should ask whether the assumption that Firefox is more secure than IE is valid anymore. They shouldn’t just rely on changing their browser, but may think about having to look at a different configuration.”
The above is a comment from Ollie Whitehouse, taken from ZDNet but is almost exactly what I said a few months back in an earlier post.
I don’t want to say I told you so, I don’t want to claim Firefox is any worse than IE, I don’t want to claim IE is better than Firefox.
What I do want to say is, hello, wake up, it is nothing more than common sense.
It should be obvious to almost anyone with an ounce of common sense that Firefox would at some point become the primary focus of the ‘underworld’. With such a small percentage using it in the past, it was hardly worth the effort of creating an exploit. But it should also be looked at as a measure of the success on the uptake of Firefox that it has now become the focus of these relevations. (Note I was careful not to say become the focus of the ‘exploiters’, because the study shows there were a greater number of ‘possible’ exploit points found, not that a greater number of exploits were released and out there).
I think the Firefox supporters should stop whinging about the facts because it was inevitable that it would happen. No one writes perfect code, whether it be open source or not.
Now Firefox supporters are rounding with counter claims that ‘we can fix our bugs quicker than them’, where before it was always ‘we don’t have any bugs, ours is more secure than yours’. (Firefox itself has never made those claims).
I will continue to use Firefox because its leaner,meaner and faster. But I will also continue to use IE in places where I believe it to be safer or I need functionality that is not present in Firefox.
If I were Firefox, I would ignore the claims and stick to the fact that Firefox is a much better browser. It just so happens that at the moment, there are not as many security problems as ‘some other’ browsers. But as I’ve said before, they will come, they will be found. That is fact of life that the software world will always live with until they adopt total 100% test coverage, but then as all software developers know, that can never be achieved.
There are those that say because the source code is open source, it means that it is open for the developers of the exploits to go through the code to look for vulnerabilities. In the case of IE, they have to go through the functionality and look for weaknesses. Surely by having the source code, I can search that for known weaknesses (looking for bad buffer usuage for example). Those are the points that can be reduced by increased test coverage and tighter coding standards. But there is always the human factor, and that will always lead to errors in coding. So in this respect, is Open Source better? That question is worthy of a whole post of its own.