Please read my earlier post "
Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.
This post represents a return to the comment Andrew K posted on
September 18, 2007 1:49 PM. He had a lot to say, and I haven't replied to all of it yet.
Myth - "Firefox Vulnerabilities are Quickly Patched"
This clearly proves that Firefox vulnerabilities are not quickly patched thus this Myth is debunked. IE is irrelevant to this Myth and another excuse as you seem to like to make many of them
Statements about the speed with which a bug is fixed requires a context, specifically the context of how quickly other browsers fix their security problems.
Most of Firefox's reputation for fixing bugs faster than IE comes from Microsoft's bungled handling of the
createTextRange() Vulnerability. Few people can name the vulnerability, but many remember that their web browsers can be hijacked by hackers just by visiting a web site. They'd never even get a confirmation dialog before hostile software was installed.
Please see my comments on Brian Krebs article "
Internet Explorer Unsafe for 284 Days in 2006" below.
Myth - "Firefox is More Secure because it is not integrated into the OS"
The examples are not the sources of the MYTHS!! I know you failed to read that but it is getting old. Mozilla clearly stated what they said. The Myth was debunked by Microsoft.
Andrew is partially right. The browser is not made more secure by not being integrated into the Operating System. The Operating System itself is more secure when a web browser isn't integrated.
This is another example of Andrew attacking my initial write-up even though I agreed with his final conclusion. I used the myth as a starting point to discuss a separate issue, but Andrew has chosen to reassert his original debunking as if it somehow debunked my points about OS security.
Andrew seems a bit confused regarding my intent in responding to his Firefox myths page. I was using his article as a jumping off point to discuss other issues. Yes, I went off on a few tangents, but no, those tangents were no necessarily intended to debunk Andrew's Debunking.
The bottom line is, I've personally seen instances of an Operating System being compromised because some idiot decided to integrate the Web Browser into the File Browser. A single Zero-Day Drive-By exploit was all that was needed to infect several machines.
If Internet Explorer was not integrated into Windows Explorer, I wouldn't have had to clean up several virus infected PCs.
Myth - "Firefox is More Secure because it does not use ActiveX"
Again debunked by Microsoft
To be fair, it WAS true at the time the claim was circulating. Andrew seems to enjoy playing with time frames to his advantage. For example, when discussing the system requirements for web browsers, he happily compares IE 6 to Firefox 2, and ignores IE 7, claiming that since the myth was about IE 6, IE 7 is "irrelevant."
On the ActiveX Myth, Andrew ignores the fact that ActiveX was a major security hole at the time the claim was circulating. He relies upon the fact that most those problems have been fixed to debunk the myth.
Wouldn't it be more honest to admit "Yes, ActiveX was a problem in the past but if you're running IE 7, it isn't a real issue now"?
Just do a Google Search for
activex vulnerability and you'll get a whole list of major security holes that Firefox never had to contend with.
Microsoft Security Bulletin MS05-013Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (8917http://www.blogger.com/img/gl.link.gif81)
National Cyber Alert System Cyber Security Alert SA06-258AA vulnerability in ActiveX and Internet Explorer could allow an attacker to take control of your computer.
Microsoft Internet Explorer WebViewFolderIcon ActiveX VulnerabilityThe Microsoft Windows WebViewFolderIcon ActiveX control contains an integer overflow vulnerability that could allow a remote attacker to execute arbitrary code.
Microsoft XMLHTTP ActiveX Control Code Execution VulnerabilityA vulnerability has been discovered in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.
New Active-X Vulnerability DiscoveredActiveX VulnerabilityMyth - "Firefox Extensions are Safe"
It is proven that they can clearly not be safe, thus debunked.
Again, I agreed with Andrew on this one. I mused about the vulnerability of extensions for other browsers but that's as close as I came to disagreeing with him on this myth. Entirely too much trust is put on Extensions just because you find them through the "Get Extensions" link in Firefox.
Myth - "Firefox is a Solution to Spyware"
The nonsense about drive-by infections are from those who run unpatched versions of IE and has nothing to do with IE fully patched. I have used IE since it came out and have never been infected by "drive-by" installs and neither do my clients. You can do the same using this guide:
http://mywebpages.comcast.net/SupportCD/MalwareRemoval.html
All for free. But Firefox is clearly not a solution to Spyware and thus debunked.
I'm really questioning Andrew's Research skills here. Several times in these threads I've mentioned the
createTextRange() Vulnerability, which remained unpatched for weeks and allowed drive by infections.
Andrew's claim that a fully patched IE install will be immune to Drive-By exploits is dangerous and misleading lie. I encourage readers to do a quick online search for phrases like "Drive-by" and "Internet Explorer." Andrew's irrational denial of reality is confusing to say the least.
Brian Krebs wrote an excellent article entitled "
Internet Explorer Unsafe for 284 Days in 2006" in which he exhaustively researched the security flaws in Internet Explorer and the time taken to patch them. He even submitted his information to Microsoft to give them a chance to respond.
The following quotes are from that article.
For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users. In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.
Since this whole thing is about Firefox Myths, I'd like to also quote something Krebs had to say about Firefox:
Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
He even has a chart of
Internet Explorer vulnerabilities in 2006.
I encourage Andrew to read the article above. I suspect he'll have difficulty dealing with information from someone who did actual research, and he'll be further enraged by something that contradicts his dogma about a fully patched Internet Explorer, but he needs the information in the article.
Myth - "Firefox 2's Phishing Protection is better than Internet Explorer 7"
No I did no lie. The Google Anti-phishing tech was built right into Firefox 2, regardless I added more sources and the myth is still debunked.
One of Andrew's new sources is Ed Bott's article
IE7 or Firefox 2: Which browser is more secure? Testing was done with
Firefox 2 Beta 1, not a production release.
The recent information paints an interesting picture for Firefox's anti-phishing features. On one hand, you have a Mozilla sponsored report that gives
a glowing review and people claiming that Firefox caught all the phishing sites listed on
dslreports.comOn the other hand, we have things like Ed Bott's article that raises some concerns about the Phishing filter. Specifically, he found two sites that IE caught but Firefox didn't and he wants more information on the false positives from the test where Firefox caught more Phishing sites.
While Ed Bott does say:
The two “live” sites I visited in each browser hardly constitute a scientific sample, but it’s still worth noting that IE7 flagged both pages as confirmed phishing sites, while Firefox 2 missed them both
He later states:
I haven’t spent enough time with the Firefox/Google code to form an opinion.
Interesting enough, he also reports that
Update 4-August, 3:40PM PDT: A representative of Mozilla's PR agency contacted me and says that the anti-phishing feature in Firefox 2 Beta 1 "was intended to test the core Phishing Protection framework within the browser, not to provide a full list of suspected scam sites."
Remember, his tests were done with a beta. Would the results change if the tests were repeated with Firefox 2.0.0.7?
I did some more digging, wondering why IE would appear to perform so much better than Firefox. Then I found my answer.
Firefox processes URLs locally, on your own machine while
IE7 sends URLS to a Microsoft server for checking.
The IE blog gives some more detail on how this works:
So, for example, if you were to visit http://www.msn.com, nothing will be checked on the Microsoft server because "msn.com" and other major websites are on the client-side list of OK sites. However, let’s say the URL looked like this: http://207.68.172.246/result.aspx?u=Tariq&p=Tariq’sPassword, in this scenario phishing filter will remove the query string to help protect my privacy but it will send "http://207.68.172.246/result.aspx" to be checked by the Microsoft Server because 207.68.172.246 is not on the allow list of OK sites. As it turns out, 207.68.172.246 is just the IP address of MSN.com server, so its not a phishing site but this example should help you understand more about how Phishing Filter checks sites on the server.
IE7 has a local cache of "OK" sites, and if you visit a site that isn't on that approved list, the URL, minus URL data, is sent to a Microsoft server for further evaluation.
The advantage is that the server side analysis can be changed in a matter of minutes. The down side is if you visit a site that Microsoft hasn't deemed "OK" then
the URL is sent to Microsoft. In addition to the latency of waiting for the approval to come back from the Microsoft server, This means a lot of your web browsing is likely to end up logged on a Microsoft server.
Microsoft has its own take on the Privacy issues involved.In terms of the myth as stated by Andrew, it does look like IE 7 has better anti-phishing than Firefox. However,
they both suck.
The article "
Firefox 2 vs. IE 7 Anti-Phishing: Who Cares? Use Multiple Layers" points out that even the pro-Firefox test "puts it at 460 sites missed by one browser or the other. Which means neither one is really good enough." The article goes on to recommend a variety of anti-phishing technologies to help improve your odds of escaping scammers.
The more I dug into this issue, the more I realized that when it comes to anti-Phishing technology IE7 and Firefox 2 are fighting for dregs. Both anti-phishing technologies suck, but at the moment, it looks like IE's implementation sucks a little less, assuming you're OK with the privacy issues raised.
Myth - "Firefox supports Extensions and Internet Explorer does not"
You excuses are meaningless, this is not about which is better which is an opinion, the Myth is clearly debunked.
Yet again, I didn't disagree with Andrew on this. I went so far as to explain how the myth came to be. Yes, I took a pot shot at IE's Add-On support, largely because I've written add-ons for both Browsers, and found Firefox far easier to work with.
Why did he feel compelled to refer to me making "excuses" when I didn't even disagree with him?
Myth - "Firefox supports an Inline Search Feature and Internet Explorer does not"
Don't put words in my mouth and stop making excuses, this myth is clearly debunked. Tweaking tutorials? WTF? Are you insane?
Fact: A default install of Firefox supports Inline Search.
Fact: You have to install an add-on to get the same feature in Internet Explorer 7.
Fact: Andrew provided no sources for this "myth" on his web site, so I had to find some of my own.
Internet Explorer 7 ReviewThere are also a number of features I miss from Firefox, such as inline find, which opens a handy and less obtrusive Find toolbar instead of the annoying IE Find dialog. This concern is partially offset by the IE Addons Web site and a new generation of small downloads that improve IE's functionality...
Internet Explorer Not A Monster Anymore
He thinks IE7 has its issues - what he calls "interface gaffs", along with features that Firefox has that he can't live without (such as inline search). But in terms of standards compliance Thurrott says IE7 is an improvement. Suddenly, I see why Andrew included no sources for the myth. Several times in his replies to my site, he's made a big deal of addressing the myth
as he found it in the wild. The discussion about his not including IE 7 in the "System Requirements" myth is a prime example. He refuses to include IE 7 in part because he didn't find examples of people claiming Firefox 2 had lower requirements than IE 7. (The source he links tof ro the myth doens't actually mention browser versions AT ALL, but that's a different issue)
The "Inline Search" myth does not appear to exist in the wild in the way Andrew describes. The complaints I found are that the feature is missing from the base install, or that you have to install an add-on to get Inline Search in IE. Every site that mentions the lack of Inline Search in IE seems to mention an add-on that adds inline search.
I wonder how Andrew would react if I countered one of his other debunkings with a link to a Firefox Extension that fixed the problem? Would he accuse me of making "excuses" for Firefox? Would he rely upon the exact working of the myth as it's stated in his Source?
My main issue with this myth is not if it's true, but that the debunking Andrew uses violates his own rules. If the tables were turned I don't think Andrew would concede that a Firefox Extension that resolved the issue would be sufficient to change his conclusion about the myth.
"Opera also introduced tabbed browsing. I'm surprised Andrew didn't mention this"
Um I did mention Opera invented Tab Browsing under the myth labeled: TABBED BROWSING! It is now clear to me that people read what they want and not what is there.
Funny, I did a keyword search on the page before I wrote that line. It wasn't there. Perhaps I was tired and just missed it, but since I've already seen an
example of Andrew editing firefoxmyths and pretending the statements were there before, I'm inclined to suspect my search was valid, and that Andrew edited the page after reading my original post.
In Comic Book terms, it looks like he
retconned the article.
Myth - "Firefox had Pop-up Blocking before Internet Explorer"
No this is a Myth and debunked, Firefox is NOT the Mozilla Suite. The only thing misleading is stating it any other way.
I'll grant that, in terms of the Myth as written, Andrew debunks it. However, His debunking makes it sound like Internet Explorer was the first to introduce the feature. Mozilla based browsers had
pop-up blocking way back in 2002, two years before IE introduced the feature. There was even some anger over the fact that Netscape 7, based on the Mozilla core, removed the feature in order to coddle AOL popups.
Myth - "Firefox Blocks all Pop-ups"
I am not going to go over this again. The sources and examples are NOT the same ect... Myth debunked.
I should point out here that I never claimed that Firefox blocked all pop-ups. In terms of Andrew's debunking of the Myth, he's right. Firefox does not block all pop-ups.
My issue is that I've never heard the claim that "Firefox Blocks all Pop-ups." Andrew can disperse this concern by linking to a few more sources for the myth, something he has failed to do.
Show me the references.
Clearly you read nothing on my page as my sources for the Myths were multiple locations none of which were the examples.
I'm going to give Andrew the benefit of the doubt and assume he was tired when he wrote that line as it's very poorly worded.
He seems to be claiming that he listed multiple sources for his myths. However, the "Firefox blocks all Pop-ups" myth only lists one source, and that source is a graphic on Andrew's own web site.
The "Firefox has lower System Requirements than Internet Explorer" myth is also nothing but a link to a graphic on his site. I noticed that there's no mention of the browser version in the linked graphic, but Andrew made a BIG deal out of the browser version when rationalizing his exclusion of IE 7 from discussion of the myth.
The following "Myths" have a graphic on firefoxmyths.com as their only "Example" of the myth.
"Firefox's Memory Leak is a Bug"
"Firefox Blocks all Pop-ups"
"Firefox was the first Web Browser to include Tabbed Browsing"
"Firefox fully supports W3C Standards"
"Firefox has lower System Requirements than Internet Explorer"
I believe Andrew needs to do a better job of finding, and linking to, examples for his myths.
I didn't "massage" any data and it is all clearly sourced. I also did not try to hide anything as this page came out in 2005 and is clearly SOURCED!!!!
I encourage anyone reading this little flamewar to go back and review what Andrew and I have written. Decide for yourselves if Andrew is massaging his data or not. Don't take my word for it, and don't take his. Read the arguments and counter-arguments and decide for yourself.
"Ironically, he fails to mention the fact that the free Opera browser is no longer ad supported."
Really? "Opera (now 100% Ad free)"
Give me a break, try reading my page completely next time and not make assumptions or jump to ridiculous conclusions.
Again, this is another example of Andrew editing the page and then claiming that the modified version is what was there when I first read it. When I wrote my original post, I searched for the word "Free" on firefoxmyths.com, both by scanning the page and by using my browser's "search" feature. I didn't see the mention of Opera being Ad Free, and I believe Andrew added it after reading my article.