.:Computer Defense:.

I don't even know what to say these days... Operating Systems, Office Suites, Consoles and Browsers.... All you ever hear is "Mine is better than yours".... In fields dominated by nerds and geeks, guys and gals who are generally the antithesis of "getting laid" the world is still dominated by battles regarding penis size... However, instead of the usual "I put in 200 hours of wrech time, added a 50 shot of NOS and added 200HP to this baby" we get "Software that I didn't write, don't pay for and didn't contribute to is cooler than the software you use, so I'm cool".... leave it to the geeks ...This is being driven by an article I read on arstechnica about Microsoft misleading Firefox users when they visit this page...  I loaded it up and didn't get the warning they were talking about.... and I was using Firefox at the time... so I thought about this... and we have the following points..

• Microsoft can't fully support Firefox on it's pages for special features like this because Firefox doesn't have the same functionality as IE.
• Firefox doesn't have the functionality because Microsoft makes use of proprietary technologies and even technologies that they make available.... the MSDN is quite cryptic at times.
• Microsoft is a software vendor... logically they are going to have proprietary technologies and software that they don't want to share... this is how they make money.

Now all the open source bleeding hearts are going to cry that Microsoft shouldn't be concerned with making money... (For those of you that are wondering... I'm typing this in Firefox on OS X... sitting next to me I have a Mac running Ubuntu, a PC Running Ubuntu, a PC running SuSE and a PC Running Windows XP so I'm by no means a die hard MS supporter)... So on the issue of MS making money... people think they shouldn't... that they should share everything... If that was the case... how would they ever make money...  Somewhere, someone is crying but look at all the open source projects... but how many of those open source project authors retire comfortably... and how many of them have to maintain a job to pay the bills while they work on their project.

If you still think Microsoft should be giving everything away freely, look at it this way... When was the last time the doctor didn't bill you for that check up... or offered you heart surgery for free... Did the mechanic tune up your car and then say don't worry about your bill? Did the lawyer offer to defend you free of charge, no strings attached? You need to make money... so you can't give MS grief for wanting to make money.

Now... On to the topic of this post... IE vs Firefox... Firefox has become the browser of choice for the IT "31337"... It's like saying I run Linux instead of 95 or 98 a decade or so ago... Running Firefox somehow makes you cool... makes you better because your browser is better... I say bullshit (I wonder if I need permission from Penn and Teller to say that). Firefox is more secure??? Not true.... Does that mean that IE is more secure.... nope... Both of these browers are full of flaws..  I'm pretty sure HD Moore proved that to us with MoBB.

Firefox may protect you from ActiveX problems... but that's because it doesn't run ActiveX... Common sense and the addition of XP SP2 will also protect you from most drive by ActiveX installers... Which is why it doesn't work with Microsoft's site as mentioned in the arstechnica article above... It's a trade off... security for functionality.... the same trade off that's always occuring... and not just in IT.
The Symantec Internet Securty Threat Report had some interesting points to offer as well.

1. Microsoft Internet Explorer was the most frequently targeted Web browser, accounting for 47% of all Web browser attacks.
2. Mozilla browsers had the most vulnerabilities, 47, compared to 38 in Microsoft Internet Explorer.
3. Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day.

What I find interesting about these comments is the context you have to take them in.  #1 makes sense because more people are using IE so the smart attacker would target it because of the larger user base... #2 is interesting... I laugh that people are finding issue with this, calling it number fudging, creative analysis and many other things. So I decided to count for myself.. I want to the Mozilla Security page and counted all the Firefox Advisories since 1.5 was released (first bulletin was dated April 13th), so I went back to April for IE Cumulatives (and the recent VML release) on the MS Advisories site (MS06-055, MS06-042, MS06-021, MS06-013). I counted 59 vulns that were patched in Firefox vs only 29 that were patched in IE. Now it's possible that I have missed some advisories so if I have feel free to let me know, but I'd say this is proof that those numbers are accurate. #3 is also interesting... IE takes longer to get patches out... (this is from when publically released mind you).. Obviously IE will win here because more people are targetting IE so those vulns will be publicized and have public exploits out to take advantage of a large group of victims... Firefox isn't as popular so releasing the exploit code doesn't make as much sense.. Microsoft's monthly patch cycle also causes their release time to length... However this doesn't speak against either in my opinion.. 9 days isn't bad to wait for a patch.... At least you know it's been tested... How much testing can occur in a single day.. That opens a whole other bucket of worms though that we'll discuss another day... (Is a quick fix or a well tested patch better). The interesting thing about #3 is that if you read further into the report you'll find that from the previous reporting period... Microsoft significantly reduced their window of exposure while Firefox's window increased. Perhaps this is a telltale sign of the increasing popularity of Firefox...

There was also the presentation at Toorcon this weekend, where Mischa Spiegelmock and Andrew Wbeelsoi presented an alarmingly dangerous vulnerability in Firefox.... they also claimed to have 30 more unreleased Firefox vulnerabilities. More can be found @ ZDNet. I'm very curious to see the slides they presented, I haven't seen them on any of the mailing lists yet... but if anyone comes across them... fire them my way..

I guess I've written a fair amount... All I wanted to say is that Firefox and IE (or Windows and Linux, or OOo and Office 2k3) are not like those pills that I keep getting ads for in my email... They aren't going to add extra inches to your "member"... Neither is more secure... in fact both are plagued with holes... Both have their advantages and disadvantages... I'm actually interested in seeing what happens... with IE7 adding tabs (the only real reason I use firefox) and it's Phishing detection coming out on top in recent tests... we may actual see a subtle drop in Firefox usage...  However that test was MS sponsored, so perhaps we'll have to have a ComputerDefense browser bakeoff and see which Anti-Phishing software comes out on top... Maybe I'll do that this coming weekend. Anyways... the moral of this post (which just seemed to go on and on didn't it?) Your browser is not better than anyone elses browser... they all suck equally. Also, it's not YOUR browser.

Peace,
HT