Firefox in the top 12 most vulnerable apps list!

Thread: Firefox in the top 12 most vulnerable apps list!

  1. #1
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157

    Firefox in the top 12 most vulnerable apps list!

    http://www.bit9.com/files/Vulnerable_Apps_DEC_08.pdf

    Another good reason to use Opera

  2. #2
    HAN is offline Virtual PC Specialist!!!
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    Credit where credit is due... Opera's ok. It seems to have few discovered bugs and they are usually patched very quickly. But is there more to this list than what first meets the eye?

    IMO, the list has a definite agenda. I'm not saying the list is completely wrong, or their agenda for that matter. But one phrase kind of clears things up a bit...
    Note that in most cases, the vendors of these applications have issued patches or other instructions for eliminating the vulnerability.
    If they've been patched, what are they complaining about?
    But the nature of these applications is such that the user is responsible for implementing the patch. Enterprise IT organizations can not reliably ensure these patches have been properly applied—if at all—representing an inherent exposure in protecting the enterprise network. Finally, the applications on the list have been ranked according to the popularity of the application, number and severity of vulnerabilities, and difficulty of detection and/or patching by central IT.
    So, the bottom line is that because these apps have some bugs (all apps have bugs), they can't be centrally managed/updated (which covers most apps currently available), and because they are popular (which is a much smaller list), they make this particular list.

    After all this, I have to admit that I don't feel too bad about staying with Firefox...

  3. #3
    Join Date
    Dec 2000
    Location
    Nestled in the corn fields of Northwest Ohio
    Posts
    250
    Until Opera becomes more popular then it too will have its share of exploits. There isn't a large test bed for Opera since it isn't as widely used as IE or Firefox. Security through obscurity. Keep utilizing the underdog.

  4. #4
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Quote Originally Posted by HAN View Post

    If they've been patched, what are they complaining about?
    Only been patched if it is actually installed.

    Quote Originally Posted by jdlenke
    Until Opera becomes more popular
    How does popularity equate to security?

  5. #5
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    The more a browser is used, the more the, I shall use troublemakers, try to mess with it.

  6. #6
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    I understand that point that the more popular the application, the more it is targeted, but that does not, in itself, make any application insecure.

  7. #7
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    I agree and also wonder why folks did not close the door in the first place. Cost is what I heard why it was not done.

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    If Firefox is number 1, and IE is not listed AT ALL, it's a big bogus to me.
    What is that company anyway?

  9. #9
    HAN is offline Virtual PC Specialist!!!
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    Quote Originally Posted by Broni View Post
    If Firefox is number 1, and IE is not listed AT ALL, it's a big bogus to me.
    What is that company anyway?
    Bit9 http://www.bit9.com/about/index.php

    Since IE can be centrally updated/managed, Bit9 does not consider it a security risk of the level as the 12 on their news release. (I guess the latest unpatched IE7 threat wouldn't concern them, huh?)

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Right...LOL

  11. #11
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806
    Quote Originally Posted by jdlenke View Post
    Until Opera becomes more popular then it too will have its share of exploits. There isn't a large test bed for Opera since it isn't as widely used as IE or Firefox. Security through obscurity. Keep utilizing the underdog.
    ZDNet > News & Blogs
    December 16th, 2008
    "Extremely severe" vulnerabilities in Opera browser
    http://blogs.zdnet.com/security/?p=2315
    Opera has released version 9.63 of its browser as a “recommended security upgrade” that fixes at least seven security vulnerabilities, some with serious risk implications.

    The most serious of the flaws could lead to remote code execution if an Opera user is tricked into surfing to a maliciously rigged Web page. Two of the bugs are rated “extremely severe” while three others are rated “highly severe.”

    ...

  12. #12
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806

    Out-of-cycle, emergency patch for IE today at 1:00PM EST

    Quote Originally Posted by HAN View Post

    ... (I guess the latest unpatched IE7 threat wouldn't concern them, huh?)
    Microsoft is delivering an out-of-cycle, emergency patch for Internet Explorer (IE) today (December 17, 2008) at 01:00 PM Eastern time via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).

    Microsoft said last weekend that they had seen a "huge increase" in attacks, and that some were originating from legitimate Web sites. So far about 6,000 infected sites are serving up exploits that target the IE vulnerability.

    Microsoft also confirmed that attacks could be launched through Outlook Express. Since Outlook Express renders HTML-based messages using IE's engine, attackers could exploit the bug by getting users to open or view malicious messages.

    IE versions containing the bug are 5.01, 6, 7 and 8 Beta 2.

    According to Microsoft's advance notification, patches are being released for Windows 2000, XP, Vista, Server 2003 and Server 2008 for IE5.01, IE6 and IE7. A separate patch will apparently be issued tomorrow for IE8 Beta 2, a preview version of Microsoft's next browser that is not officially on the support list.

    Computerworld.com > Microsoft preps emergency IE patch for Wednesday release
    Second out-of-cycle update in the last two months is imminent
    http://www.computerworld.com/action/...intsrc=hm_list

    Computerworld.com > Microsoft sees 'huge increase' in IE attacks
    Thousands of hacked sites, including porn URLs, exploit unpatched IE bug
    http://www.computerworld.com/action/...icleId=9123398

    Microsoft TechNet > Microsoft Security Bulletin Advance Notification for December 2008
    Microsoft Security Bulletin Advance Notification issued: December 16, 2008
    Microsoft Security Bulletins to be issued: December 17, 2008
    http://www.microsoft.com/technet/sec.../ms08-dec.mspx

  13. #13
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Awww, you had to spoil my fun

  14. #14
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806

  15. #15
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    Not sure if I am a minority in my view, but I don't see security vulnerability as a good enough reason not to use a program. You should always look at the whole picture when choosing to use a program. I think the positives of Firefox greatly outweigh the negatives of it. Every program has positives/negatives. The question is, if it has more positives than negatives. In Firefox's case, I am quite certain the positives greatly outweigh the negatives.
    Additionally, if we were to choose our programs based solely on the number of vulnerabilities, we'd have some serious slim pickings. Just imagine a computer without Java, Flash, Acrobat and even programs such as MSN Live Messenger & Skype.

    Definitely not a good enough reason to move to Opera if you ask me.
