Firefox Myths?
18 05 2006
Alan mentioned Firefox myths which caught my attention. For some reason, I saw this website but never checked it till now.
Basically, they nailed it.
Not too long ago, I talked with one of the guys from Browsehappy.com – I told him they are being biased. It is full of misleading information. He bitched at me for saying that. Whatever.
Now, I feel better that it doesn’t matter which browser you use, just use latest version and you will be fine. Really.
Grant W Laird, Jr.
http://blog.grantlairdjr.com







The concept of this page is nice, since there are quite a few myths floating around about Firefox (really, it isn’t 100% standards compliant, etc.).
However, the article itself is full of factual errors and misleading statements. It used to be sort of okay — although from the very beginning it misrepresented the data in my standards support resource — but the author has since embarked on some crusade and added a lot of nonsense to the page just to try to make Firefox look bad. The purpose of the “Fanboy Quotes” section in the sidebar is to deliberately misquote people who pointed out factual errors in his page, and he lies about things I have done with my standards support resource. He has even resorted to spamming his article on a website using my name.
Here’s a debunking of some of the stuff on his page, although it doesn’t cover all of the errors.
Secunia does not list an extremely critical vulnerability that ever affected Windows users. It did list one that affected *nix systems (which was fixed the day after it was discovered), but his page clearly says that it is only dealing with Windows and he has used that excuse in numerous debates about his article.
The browser speed tables come from the website of an Opera employee and the results I’ve gotten from the same tests have been quite different in some areas.
He claims to debunk the “myth” that Secunia keeps vulnerabilities secret to give Opera a chance to fix them, but if you read Secunia’s e-mail response and the page it links to, Secunia itself confirms this supposed “myth” he’s trying to debunk. Here’s Secunia’s official statement from their own website: “All vulnerabilities discovered by Secunia Research are reported directly to the vendors in a responsible manner, giving the vendor two weeks to reply with a confirmation and details about the expected release date for the security update. Secunia always wait for the security update – as long as the vendor keeps a reasonable time frame for issuing the update and actively co-operate with the Secunia Research team.”
He pretends like Firefox’s vulnerabilities aren’t quickly patched, noting two old vulnerabilities (both with a 2/5 criticality rating from Secunia). Only one of them affects Windows users, and Internet Explorer has the exact same vulnerability discovered the same day and still unfixed, plus several older vulnerabilities. Among IE, Firefox, and Opera, Firefox has also averaged at the fastest patch time for exploited vulnerabilities and has averaged at fewer exploited vulnerabilities per day than IE or Opera.
Regarding ActiveX, here’s what Microsoft themselves have to say: “An ActiveX control can be an extremely insecure way to provide a feature. Because it is a Component Object Model (COM) object, it can do anything the user can do from that computer. It can read from and write to the registry, and it has access to the local file system.”
The author refers to Opera’s fast-forward/rewind feature as being “the same thing” as Firefox’s cached history feature. If you spend five minutes to actually read what they are, you’ll see they’re totally different things. Opera does have some form of caching system, but it isn’t related to the fast-forward/rewind feature at all.
His article argues that Firefox doesn’t block all popups because you need to tweak settings or install a plugin to do it perfectly. However, at the same time he says that IE6 supports tabbed browsing because you can get it through an extension.
He says that I tried to redirect visitors coming from his article away from my standards support summary page, which I never did. Then he says that Internet Explorer visitors going to my standards support resource get redirected to a browser warning page, which they don’t and never did. Then he took a quote from me out of context (I was talking about how frustrating Internet Explorer is in web development and how IE is the only browser that doesn’t play nicely with the standards). Then he claims that I’ve been deliberately lowering my figures for Internet Explorer just for the sake of doing so, when the truth is that the figures have been lowering for all browsers (as new bug information is added to the support tables, the percentages will naturally go down).
I could go on, but I think you get the point by now. Don’t take something like this at face value: it has lots of factual and logical errors, and sadly the author absolutely refuses to hear any criticism. Whenever anyone points out errors on his page, he just calls them a “Firefox fanboy”. Without realizing it at the time, he has even referred to an Opera fan site and Internet Explorer developers as Firefox fanboys just because quotes from them contradicted his article.
I like Firefox and Opera (and although I don’t think Safari and Konqueror are quite mature enough yet, they are making a lot of progress in the right direction). Firefox and Opera are both very good browsers and have strengths in different areas. I personally use Firefox, but I have specifically recommended Opera to some people based on personal needs. I don’t like Internet Explorer simply because Microsoft was irresponsible and cut off development for so long, and even now with IE7 it’s making slower progress than its competitors.
Well… There are a few misses, for example…
IE doesn’t support PNG-24 while Firefox does. Of course, IE requires a lot of goodie downloads to plug in to IE, which is annoying.
IE’s requirement is full of bullshit because it’s actual built-in IE under OS.
First of all notice who just spammed your blog and then look under the corresponding name in the Fanboy section, enough said.
Don’t be fooled by all the excuses Mr. Hammond makes.
1. There is not a single factual error on the page and absolutely nothing is misleading; all the sources are linked directly, there is nothing to hide.
2. From day one I have never misrepresented ANT and Mr. Hammond knows this. Even when he asked me to make the initial correction I did, which he noted in his blog. The fact was he doesn’t want anyone using his data to criticize Firefox.
3. I am on no crusade and nothing was added for any other reason than to debunk the said Myth.
4. The Fanboys Quote section is self explanatory, it is called “Fanboy Quotes” for a reason.
5. I have never lied about anything in relation to his page but merely interpreted what I saw. Mr. Hammond is still mad for getting caught redirecting visitors from my page to his specially created warnings.
6. I have never spammed my website anywhere and especially never under his name.
7. That page doesn’t debunk anything. What it does is provide a lot of excuses, nothing more.
8. The extremely critical vulnerability does exist in Firefox no matter how bad Mr. Hammond wants to cover it up.
9. The Opera speed tests were done BEFORE the author became an Opera employee and are fully documented and sourced. To this day not one reputable source has been able to come up with documented, reproducible results to dispute them. Even Mr Hammond failed here when he tried to do this himself comparing IE running in emulation under Linux to a natively supported Firefox build. The author of the speed tests did not try to mislead anyone with misleading speed data like Mr. Hammond initially tested.
10. The Myth was that Secunia had an exclusive agreement only with Opera to cover up vulnerabilities. This is clearly not so and has been debunked. I quickly and simply destroyed this Myth before it even got started.
11. There is nothing to pretend, it is clear Firefox vulnerabilities are not quickly patched. You cannot cover this up, it is a fact. Mentioning IE is an excuse.
12. Microsoft’s comments are clear, you can write an insecure ActiveX vulnerability. Just like you can write an insecure Firefox Extension or an insecure executable. But that is irrelevant because it does not change how the ActiveX control is delivered. You always must confirm installation of the ActiveX control, this is no different than downloading and running an executable.
13. Pop-up blocking is not the same as supporting a feature. Firefox clearly supports ad blocking with the ad block extensions but does not natively. I can disable every manner of scripting in IE too and not have any pop-ups or install a Pop-up blocking or adblocking extension but those would be unfair comparisons. Pop-up blocking tests must compare native support to be fair.
14. Oh clearly he did do both but does not appear to do either as of today. He moved pages to different domains and web hosts and then wants to cry innocence, please.
15. I have never referred to an Opera user or IE developer as a fanboy. The fanboys I refer to are ONLY obsessive Firefox users like Mr. Hammond. His insanity over covering up the truth about Firefox is demonstrated here, which is why I added him to the spammer section for good reason.
Oh I am sure he will try to add even more lengthy replies in the future. He thinks that if he talks enough it covers anything up.
“IE’s requirement is full of bullshit because it’s actual built-in IE under OS.”
Sam, why is that bullshit? If IE can run on lower hardware than Firefox why does OS integration matter? Seriously think about this for a minute.
1. Keep repeating yourself all you like, it won’t make it true. People have conclusively proven a lot of stuff on your page wrong, and you haven’t come up with any defense except, “Nuh uh, my sources are irrefutable!” even when your sources disagree with what you say on your page.
2. You say you never misrepresented my page and then you immediately turn around and admit that you had to correct stuff. You didn’t even correct it at first, despite my very thorough explanation of why your claim was incorrect. You responded saying that you weren’t going to listen to me unless I changed my blog post and remove the part about you trying to make Internet Explorer look superior to Firefox. You finally changed your page a few e-mails later, although you freaked out when I corrected Internet Explorer’s support values for XHTML 1.1 changes and you started bashing me all over your page.
3. “Opera is able to do the same thing without consuming anywhere near as much memory.” was added to disprove the myth that Firefox’s memory leak is a bug? “Internet Explorer has very good support (81-86%) for the most important web standard, HTML 4.01.” was added to disprove the myth that Firefox fully supports W3C standards? The Fanboy Quotes section was added to disprove myths? Obviously things were added for purposes other than just “to debunk the said Myth”, so don’t lie about it.
4. “Fanboy Quotes” isn’t very self-explanatory. The title implies that what you have there are quotes, not misquotes.
5. “I have never lied about anything in relation to his page but merely interpreted what I saw.” Wow. Just, wow. Amazing how you think that argument works when you use it, but you don’t think it should work when I use it. I said on my blog that you were trying to make Internet Explorer look somehow superior to Firefox. That was my interpretation of the page. You said that I was lying and demanded that I remove it, repeatedly saying that you wouldn’t listen to a thing I had to say until then. Explain how this isn’t a double standard. No, I don’t mean reply with “This isn’t a double standard, this was my interpretation and you are lying,” I mean actually explain it rationally. You seem unable to do that.
6. 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, … and under my name. You were banned from digg for posting 24 stories (out of 32 total submissions) about your own two websites, including 12 stories about your Firefox Myths page alone, plus countless copy/paste comment spams on seemingly any browser-related story, often in multiple comments per page. Oh, but according to your article, the real reason you were banned is that digg is full of Firefox fanboys. Right.
7. No, it shows that even though some writer at eWeek agrees with you, Microsoft doesn’t. Plus it exposes all of those misquotes- er, “Fanboy Quotes”.
8. First of all, no, it doesn’t exist on any platform anymore. It was fixed less than 24 hours after it was discovered. And your page lies about that vulnerability. You have said many times and even on the page itself that Windows is the only operating system you’re addressing. You said that you weren’t going to put anything only related to Linux/Unix on that page. Well, that vulnerability is only related to Linux/Unix, so by your own argument, you shouldn’t have that on the page. Sorry, but you’re holding double standards. You can’t have it both ways.
9. I failed with what now? I was experimenting with changes to my database so I could put speed test stuff in there, and I had a mockup speed test to test my internal changes. It was a mockup. Notice I never linked to it from the main site and I never promoted it in any other way. While it was up (all of four results or whatever I had), there was a big fat bold disclaimer saying that the page was only a test, it was done exclusively on Linux, and the values should not be regarded as legitimate. I took it down shortly afterward, once I had finished my internal changes. I still plan to make a proper speed test page, testing on a real Windows system with default settings, etc. And yes, I have tried to produce his results. Firefox on Windows consistently starts up faster than Mozilla on Windows for me, and I also got other different results in some of the areas I tested. You should notice that he only ran three tests per aspect per browser. Three! That isn’t enough data for it to be considered an accurate test, especially when we’re talking about differences in milliseconds.
10. Uh, no, that wasn’t the myth. Again, you’re reading too much into what people are saying. The claim was that “Opera usually coordinates its browser updates with Secunia, so that Secunia doesn’t release any information about security vulnerabilities in the browser before a patch is made available.” That is true. Firefox also coordinates its browser updates with Secunia so that Secunia doesn’t release any information about security vulnerabilities in the browser before a patch is made available. So does Microsoft. That’s how these security researching companies typically work. They privately inform the company of the vulnerability and give them a reasonable amount of time to fix it before they publicly disclose the information. Secunia even says this on their site. There’s no myth here.
11. “Quickly” relative to what? How quick is quickly? A month? A day? There’s no definitive length unless you want to just make something up that sounds good to you, but then it’s merely opinion. Relative to the competition, Firefox fixes its vulnerability very quickly. There are those two little vulnerabilities (the only one you listed that affects Windows users only has 2/5 criticality) which pull the average out a bit, but even still, the average per vulnerability is faster than Internet Explorer *and* Opera. So why don’t you just go out and say that every browser is slow at fixing vulnerabilities? That’s essentially what you’re saying anyway, except you’re twisting it to make Firefox look bad.
12. Yes it is different, since an ActiveX component’s access to your entire system is just one click away. This will be improved in IE7, and then it will be more comparable to Firefox’s extension system. But right now, in the real world, they are two very different beasts as far as the likelihood of a typical user to grant access. Furthermore, a Firefox extension would need to be specifically written to interface with websites and allow any website to make direct use of its functionality. With ActiveX, the whole idea is that websites themselves interface with the control, and in IE 6 SP2 and below, any website can interface with the control on the same terms without site-by-site permissions. A Firefox extension can be perfectly functional without ever giving the website a means to detect or use it, and this is how Firefox extensions typically work. It’s intrinsically much more secure.
13. I completely agree, which is why your claim about IE6 supporting tabs is B.S. Who cares if it supports tabs via a plugin? It doesn’t by default. Compare apples with apples. Double standards, can’t have it both ways.
14. My standards support resource *never* redirected anyone to the browser warning page. You’re imagining things. My personal site (the Nanobox, with the whole red design and the sidebar to the left) is the only one that did. Get your facts straight. (And no, I didn’t change web hosts, I just bought a domain. My current host is still the one you whined to and asked to shut my site down because you don’t think parody sites should be legal.)
15. I’m an Opera user. I use Firefox most of the time, but I also use Opera from time to time. It’s a good browser. I use a lot of extensions for Firefox to provide functionality that I can’t easily get in Opera (if I can at all), but if Opera supported all of the features I like, I would definitely consider switching to it full-time. The only browser I really have a problem with is Internet Explorer, because of the limitations it creates during web development. I also don’t care for Safari and Konqueror as much as Firefox and Opera (what? I prefer a closed source browser to an open source browser? It’s true!) because the layout engines aren’t very sturdy and have a lot of IE-esque bugs in fundamental areas. I really like Firefox and Opera, and I don’t know why you seem to think that I’m all about one specific browser, but you’re wrong.
As for the lengthy replies, sorry, but I actually try to explain myself. My responses to criticism aren’t just, “No, I’m right, you’re wrong, now be quiet.” For someone who claims to want to reveal “the truth”, you sure don’t present your arguments very well.
Oh yeah, I should mention that, aside from the hard drive space, Internet Explorer 7 actually has equal or higher system requirements than Firefox. Same minimum processor, same minimum memory, higher minimum operating system, and it also seems to leak memory a lot faster than Firefox in some cases (open up your task manager and start opening and closing blank tabs in IE7 and watch as the memory goes up and up).
Sam, you are full of bullshit and it starts to come out of your mouth. Even that IE is integrated to some part… How come Opera is much faster than Firefox? Is Opera too integrated? Idiot.
One of the reasons Firefox starts relatively slowly is the fact that the entire interface is actually an XML format that’s rendered like a webpage with heavy scripting. It was designed this way so that extensions/themes can change literally any aspect of the interface, something that can’t be done in Opera or Internet Explorer (at least without seriously huge hacks that would dig deep into the program itself and certainly conflict with any other such addons). This was a trade-off the Mozilla/Firefox developers chose to take, and one that I personally think is worth it unless you’re on old hardware where the startup time is more significant. K-Meleon (a Windows-only web browser) also uses the Gecko rendering engine that Firefox uses, but because it doesn’t use the elaborate XUL model for the interface, it starts up much faster than Firefox. Likewise, Epiphany on Unix/Linux and Camino on Mac OS X also start up faster than Firefox because they use native widgets for the interface instead of XUL, at the expense of Firefox’s powerful extension model.
1. You making statements that people have done anything are meaningless. Nothing on the page is factually wrong no matter how bad you wish it were. The sources are irrefutable. As for YOU being the sole source that disagrees that is a personal issue with you. Your data is being used not your biased opinions.
2. I will never listen to anyone who spreads lies about me, get over it. But I will always correct any errors. In your case the wording was not initially clear. I made no changes on the data however until the data showed different results. And I will leave it to the public to decide the coincidence of you changing your XHTML support values for IE after you saw what I stated was factually correct.
3. Notes are added to make any points I feel are necessary. Usually so I do not have to explain them in emails. Quotes and Testimonials are separate from the content of the page and are there for commentary on it. I have never lied about anything.
4. Get over it.
5. You deliberately and maliciously lied about my page because you believed it criticized your beloved Firefox. Typical Fanboy retaliatory nonsense. This is quite clear. I asked you to remove a lie about my page and you refused. That was from day one and the first email you sent. It is not complicated.
6. Those are not “spammed” but posted for reading. I’ve never posted anything under your name. If that was not you then someone else did. I only posted my sites to Digg when a new version was released. There is nothing wrong with that. There is no proof of any of your other absurd claims. Digg is full of Firefox fanboys which apparently includes the administration.
7. Oh Microsoft agrees with me, you are attempting to take what they say out of context. What is stated in the Eweek article is clear enough that even a fanboy could understand it but you see that destroys the lies they spread about ActiveX.
8. Oh yes it does exist on the version of Firefox affected by the vulnerability. My page doesn’t lie about anything, the security vulnerability exists. Unlike you I do not wish to cover it up. Unlike fanboys I let them know the truth about Firefox’s security problems. Get over it, it is not going anywhere the public will know the truth.
9. You have nothing but a lot of words.
10. This is pathetic, you are now trying to talk your way out of it. Too bad, game over you and your fanboys got owned.
11. Wait so it is “MY OPINION” that those vulnerabilities are not patched since 2004? You are getting desperate. You have nothing again. Though I am sure you think by using a lot of words you have made some point, rather just excuses.
12. Firefox extensions can be written to be insecure just like ActiveX controls can be written to be insecure. An insecure extension is no different than downloading a malicious executable.
13. Oh IE6 supports Tabs no matter how bad you want to cover it up.
14. Do you think this sort of nonsense really works? You showed a warning only to people coming from my page to yours. You got caught red handed and then BEGGED me to link back directly. Never in a million years. I realize getting caught doing something dishonest like this is embarrassing, now all the world knows who you truly are.
15. Your whole actions in relation to my page speaks for itself.
There is nothing to argue when the facts are on your side. You have to argue to make excuses for everything. What I present is clear and unbiased, it is brutally honest with no excuses.
Molto,
Bravo, you get what Mr. Hammond just tried to make excuses for. Opera starts up faster than both IE and Firefox. That means there is no excuse for Firefox loading like a dog, no excuse. I could see Mr. Hammond racing cars for NASCAR and then when he loses trying to make excuses why. NO ONE CARES = YOU LOST.
Wow. You managed to have a “response” for every number, yet you said a lot of nothing.
I’ve pointed out numerous factual errors on your page and you haven’t responded to my allegations except with your typical, “Nuh uh, my sources are irrefutable!” response.
I will repeat (these numbers are not related to the ones above):
1. Secunia does not list an extremely critical vulnerability that ever affected Firefox on Windows. Prove me wrong.
2. Firefox has on average fixed total vulnerabilities and exploited vulnerabilities more quickly than Internet Explorer and Opera. Prove me wrong.
3. Microsoft has acknowledged inherent security issues with the ActiveX model and has responded by making ActiveX opt-in on a site-by-site basis in IE7 due to the security problems. Prove me wrong.
4. Opera’s Fast-forward and Rewind features do entirely different things than Firefox’s cached history feature. Prove me wrong.
5. Firefox will block all forms of popups if you use extensions. Therefore, it blocks all popups on the same terms that IE6 supports tabs. On the other hand, if extensions don’t count, then IE6 doesn’t support tabs. Prove me wrong.
6. On the issue of tabbed browsing, allow me to use your own fallacious logic against you. You claim that “Opera developed it back in 1995”. Well according to this definition, “develop” means “make something new, such as a product or a mental or artistic creation”. If Firefox didn’t make tabbed browsing new, then neither did Opera, because InternetWorks had it back in 1994. Prove me wrong.
7. According to the World Wide Web Consortium, CSS 2.1 and CSS 3 are not yet W3C standards. Prove me wrong.
8. The founder of the World Wide Web Consortium originally created and defined HTML, which is part of your definition of “webpage”. Prove me wrong.
These are just some of the factual errors. It doesn’t even address the contradictions you make in your arguments and the sheer bias and deliberately misleading information on your page.
You know you don’t have any logical defense, so you have to resort to calling me a Firefox fanboy, pretending that I don’t promote Opera all around my site, and making lame excuses for things on your page that clearly don’t belong there. Your solution seems to be taking everything that you’re doing and saying that we’re guilty of it and you aren’t.
You’re a proven liar, there is conclusive proof that you have lied about your identity multiple times (here, here, and here, all with the same IP address you used on my site). Tell me, are you still claiming that a few of the “Mastertech”s out there are you and that other “Mastertech”s that sound exactly like you and argue exactly like you and claim to be you are actually different people? It seems that once their IP address is publicly revealed and shown to be the same guy as David Dobsen, Mike G., Realist, FFeLEET, the Mastertech who posted on my site, etc., you have a sudden revelation that that Mastertech really wasn’t you. How convenient.
By the way, the liar’s known IP addresses are 69.136.66.50 and 206.137.1.33. I’d really like to know if “Andrew” here has one of those IP addresses, as that would prove once again that he is lying about his identity. But hey, then the “real” Andrew K. will probably come out and say the one here isn’t really him. I’m kind of surprised he hasn’t changed his IP after all this time.
Wow. You managed to spam more nonsense.
You have pointed out ZERO factual errors. Let me save you some time. I WILL NEVER CHANGE ANYTHING ON MY PAGES EVER AGAIN IN RELATION TO ANYTHING YOU SAY EVER FOR ETERNITY. (Just in case you don’t want to waste your time.)
I will repeat:
1. Secunia does list an extremely critical vulnerability in Firefox. Prove me wrong. Your obsession with it only affecting Linux is correct! I’ve never disputed it does not only affect Linux. I also never said otherwise. This does not mean I am going to EVER stop listing it. Get over yourself. Your response will be typical. You are arguing with yourself.
2. Averages? Nice way to mislead people. I don’t care about averages, I care about Myths. Again you are arguing with yourself. The common Myth is not that Firefox on AVERAGE fixes vulnerabilities quicker it is that Firefox quickly patched vulnerabilities. It doesn’t period. There are unpatched vulnerabilities since 2004. Prove yourself wrong no one cares.
3. ActiveX has been opt-in. Microsoft has acknowledged that ActiveX like Firefox extensions can be written to be insecure. Prove yourself wrong.
4. Opera’s cached features works similar to Firefox’s. Prove yourself wrong.
5. Keep crying about this. The public can test this themselves. I can also tell people how to disable all scripting in IE and have it do the same thing. This does not make the browser functional for everyday use. Get over yourself nothing will EVER change about this.
6. This is the most pathetic argument yet. You seem to think that if you can find some absurd technical fallacy in your own mind it can dispute something. Get over yourself.
7. Again the technical fallacy argument. I am never ever again changing anything on the page because of your tactics. I don’t care what they are “officially” pandered. CSS 2.1 and CSS 3 are clearly standards.
8. Who cares.
What you are pointing out are so pathetic it is not even funny. You dispute nothing because you have to look for such ridiculous extreme points. There are no contradictions, bias or misleading information. Everything is sourced.
I’ve just defended every point with ease. You mentioning Opera is hardly promoting.
I have never lied about anything. None of those names are mine except Mastertech. In your delusional world they are. You Mr. Hammond are one of the worst Human Beings I have ever dealt with ever. Not only do you continue to lie and slander me you violate my copyrights and steal my work. There is a special place in Hell for people like you.
“Now, I feel better that it doesn’t matter which browser you use, just use latest version and you will be fine. Really.”
Well, that’s not really true. Users of Internet Explorer have been exposed to auto-installing spyware due to the lateness of patching. Here are two videos, one of auto-installing spyware on the latest version of IE, fully patched, and another on an unpatched version of IE, where the patch had been available for a few days:
http://sunbeltblog.blogspot.com/2006/04/video-of-createtextrange.html
http://www.sysinternals.com/blog/images/spyware-infestation.wmv
If you want to see auto-installing spyware on Firefox, you have to be using version 1.0.4, which has long since been updated:
http://sunbeltblog.blogspot.com/2006/04/pssstyou-wanna-see-firefox-exploit-in.html
Research has found that users of unpatched versions of IE are vulnerable to auto-installing spyware, whereas users of similarly unpatched version of Firefox (1.0.6) were not:
http://www.cs.washington.edu/homes/gribble/papers/spycrawler.pdf
There is a difference in the security record of various browsers, with IE having the worst record. Opera and Firefox are a much better bet, security wise.
As to the Firefox Myths page, IMO it is a piece of anti-Firefox, pro-IE propaganda. Despite claiming not to be a comparison page, it goes on about the past security vulnerabilities in Firefox, but then includes a paragraph about how secure IE is, it talks about possible installation of Spyware in Firefox via Java as a security “exploit”, but then includes a passage about how secure ActiveX in IE is supposed to be, and it mentions how standards support in Firefox is not perfect, but then praises IE’s standards support, which the source quoted shows is in fact far less good.
Where the page can’t even attempt to claim IE is as good as Firefox, it turns its praise to Opera, for example in the Acid2 standards test, which IE makes a complete pig’s ear of.
In conclusion, it does matter which browser you use: if you are concerned about security or standard support, Opera and Firefox have definite advantages.
If, by “defending every point”, you mean plugging your ears and whistling, then yeah, excellent job. Luckily most people are smart enough to realize that you can’t back up your claims. I’m just annoyed by your fanatic persistence.
I asked you to disprove those claims. Obviously this concept is beyond you; strange, considering the purpose of your page is supposedly to disprove myths. Try e-mailing an Opera employee and ask if the rewind and fast-forward buttons have similar functionality to Firefox’s cached history feature. Up where your page says “All Myths relate to running the default install of Firefox in Windows with no Extensions.” perhaps you want to add “Er, except that vulnerability one.” Perhaps you should reread that “myth” about Secunia keeping vulnerability information private until Opera releases a fix, and notice that Secunia’s site and the e-mail they sent you confirms the claim, not refutes it.
But what am I saying? You’ve already expressed that you won’t listen to anyone who disagrees with you. You’re just about the most fanatic fanboy of anything I’ve ever met, and as people on various sites have pointed out, you’re nearing the edge of insanity now. You’ve been gradually deteriorating since you first published that page, and you really need to wake up and take a look at yourself. You aren’t well.
Holy hell, the truth from Mastertech!
Andrew “I will never listen to anyone… ”
Andrew “I WILL NEVER CHANGE ANYTHING ON MY PAGES EVER”
Andrew “the page [Firefox Myths] is factually wrong”
Andrew “I realize getting caught doing something dishonest like this is embarrassing, now all the world knows… my page… is… nonsense”
This is Grant…
The reason I said any browser with the latest version is safe is because I work for a big corporation and they still use the IE browser everywhere. Are you saying that the IT department is too stupid to continue using the IE browser? I wonder…
Corporate use of Web Browser often has little to do with the inherent merits of the Browser itself to the end-user, but rather the manageability of the Browser. Check some of these articles;
http://www.computerworld.com/softwaretopics/software/story/0,10801,108622,00.html
The Boeing Co. has been discreetly providing feedback to the Mozilla Foundation for the past year or so on features that might encourage enterprise adoption of the open-source Firefox browser. At the top of the list has been a tool kit to help IT departments distribute Firefox with custom configurations to end users. The Chicago-based aerospace company had good reason to express interest in such a tool. Last August, Boeing made Firefox one of its corporate Web browser standards alongside Microsoft Corp.’s Internet Explorer (IE) and a version of Netscape Navigator that is being sunsetted.
http://4sysops.com/archives/firefox-versus-internet-explorer-in-a-corporate-network/
“I am using Firefox myself for a quite while and I really like this web browser. However, when it comes to the question of switching to a new web browser in a corporate network, other arguments have to be considered.”
http://news.com.com/2100-7344_3-6076320.html
“Another hurdle Firefox must overcome is the “heartbreakingly slow” process many enterprises go through to certify the use of a tool as critical as a Web browser, according to Baker.”
Think of it like this – you get a car; sure it comes with a radio built-in, it may not necessarily be the best one, but does that mean you are going to install a new, better radio? No, course it doesn’t; maybe it doesn’t fit right in the car, or you don’t like its styling, perhaps you just can’t be bothered to change it.
It’s not quite that simple unfortunately
“Keith Glennan, Northrop Grumman Corp.’s chief technology officer, said he has often thought that the Los Angeles-based company should run Firefox instead of IE as its default browser. Glennan uses Firefox at home and especially likes its printing and tabbed browsing capabilities and its ease of navigation. But when he thinks about giving the browser to Northrop Grumman’s 115,000 users, the decision boils down to economics.”
Grant,
Sorry about this but as you can see these guys are very scared about people reading this page. It looks like Frank from the Fanboy Spammers has chimed in.
Frank,
I am still waiting for a link that auto-installs spyware in the latest patched version of IE. The FUD you spread about IE does not relate to the real world. The fact that you consistently argue about IE vs. Firefox shows where you are really at. You are a Fanboy of the worst kind. The Firefox Myths page has ONE purpose to stop people from lying to novice users about Firefox. If you want to be honest (something far beyond you or Mr. Hammond) you would not lie to people and try to scare them with nonsense. I support thousands of clients and have for over 15 years.
“As to the Firefox Myths page, IMO it is a piece of anti-Firefox, pro-IE propaganda. Despite claiming not to be a comparison page, it goes on about the past security vulnerabilities in Firefox, but then includes a paragraph about how secure IE is, it talks about possible installation of Spyware in Firefox via Java as a security “exploit”, but then includes a passage about how secure ActiveX in IE is supposed to be, and it mentions how standards support in Firefox is not perfect, but then praises IE’s standards support, which the source quoted shows is in fact far less good.”
Why is because you say so? This is how all your arguments work. You declare it therefore it is. It doesn’t work like that in the real world. ONE of the spyware installation sources is using the Java exploit. The double standard is these types of exploits on IE are all FUD towards ActiveX, actually every single IE vulnerability which has nothing to do with ActiveX is all blamed on ActiveX. I don’t praise IE’s standard support but note that it supports standards. Something the Fanboys would like you to believe otherwise.
“Where the page can’t even attempt to claim IE is as good as Firefox, it turns its praise to Opera, for example in the Acid2 standards test, which IE makes a complete pigs ear of.”
In your fanboy mind this is some comparison or Anti-Firefox Page. NO it is an ANTI-Firefox Propaganda page. Get your facts straight.
“If, by “defending every point”, you mean plugging your ears and whistling, then yeah, excellent job. Luckily most people are smart enough to realize that you can’t back up your claims. I’m just annoyed by your fanatic persistence.”
No by taking your long winded responses and destroying them by pointing out the irrelevance. I’ve backed up EVERY claim with sources that ANYONE can read for themselves.
“I asked you to disprove those claims.”
You creating arguments about technical fallacies and attempting to rewrite the page is not going to happen. Maybe you need some more off topic long winded responses comparing all the failings of IE some more. I mean we would all like to hear more irrelevant things to a page about Firefox Myths.
I will always listen to anyone who doesn’t spread lies about me. You choose from day one to do so. If you cannot comprehend any of that then deal with the fall out. I’ve hired a staff.
“I am still waiting for a link that auto-installs spyware in the latest patched version of IE.”
Well, your wait is over! Check out the video I linked to earlier: the infecting URL is clearly visible. (Please, nobody visit that URL unless you have updated IE, will you? Assuming it still exists.)
Of course, for anyone without their head in the sand, the word of well-known companies like Sophos and Websense would be enough when they said that they had found hundreds of sites using the CreateTextRange exploit to auto-install malware.
http://www.sophos.com/pressoffice/news/articles/2005/12/msexploit.html
http://blogs.zdnet.com/Spyware/?p=801
As you like to say Andrew, look at the sources: The University of Washington, Sunbelt Software, Sysinternals, Sophos, Websense. Are all of these organisations spreading black propaganda against IE? Your site likes to suggest that all browsers are equal, security wise. The information in the links I have posted suggests otherwise. Readers can look at all the sources and make their minds up, I’m sure.
As to being a Firefox fanboy, if you notice, I’m very careful to recommend Opera and Firefox as more secure than IE. If I am a fanboy, it’s an alternative browser fanboy, thank you very much.
Playing down the risks of ActiveX is fine if you apply the same standards to Java in Firefox, but you don’t: both can be used to install spyware if the user clicks ‘yes’ to the installation, but you call such an installation an ‘exploit’ under Firefox (where clearly it does not fit the definition of the word ‘exploit.’) Who is trying to scare people I wonder, who has the double standards? In contrast, you try to set up IE as totally secure: “Anyone who claims Internet Explorer cannot be secured from Auto-installing Spyware either doesn’t know how or is lying.”
“I don’t praise IE’s standard support but note that it supports standards.”
Well, actually, you do praise IE’s standards support:
“Internet Explorer has very good support (81-86%) for the most important web standard, HTML 4.01.”
IMO talking about Firefox’s “incomplete” support of web standards, and then going on to mention how good IE’s standards support is, is making a comparison. The reader is invited to draw the conclusion that there is really little difference in standards support between browsers. Looking at the figures themselves reveals that there is a large difference:
http://www.webdevout.net/browser_support.php
To my mind the page attempts to compare browsers, always to the detriment of Firefox. Actually, Andrew, you rather give the game away with all those links to the ‘Firefox Sucks’ and similar sites: this is not a neutral mythical myths busting site, but an attempt to make Firefox look bad. God knows why you have such a Firefox Fobia.
You’ve been pointed to this link of IE auto-installation of malware many times;
http://sunbeltblog.blogspot.com/2006/04/video-of-createtextrange.html
“If you’re curious to see the exploit in action at one site, you can see this video here. In it, the AppWiz keylogger is installed.
Patrick Jordan
Senior Spyware Researcher”
Sunbelt Software are the creators of anti-spyware, anti-spam, network security and system management tools. But then again, Microsoft, Sophos, CERT & other vendors have all confirmed auto-installation of malware in IE, for example;
http://www.sophos.com/pressoffice/news/articles/2005/12/msexploit.html
“Experts at SophosLabs™, Sophos’s global network of virus, spyware and spam analysis centers, have warned internet users to take care when surfing the web, following sightings of malware which has been planted on websites exploiting an unpatched Microsoft security vulnerability.
The security vulnerability, which is not yet patched by Microsoft, allows hackers to run malicious software (such as a Trojan, virus or worm) on a user’s machines when they visit a website containing the exploit code.”
http://blogs.zdnet.com/Spyware/?p=801
“Websense is reporting a rapid increase in sites using this exploit. At the time of the blog post, nearly unique 100 URLs had been found attempting to run this exploit.”
You have to wonder why Andrew, for all his self-professed technical genius, denies what Microsoft & anti-virus/security vendors can & have all confirmed in the past. Yet curiously, when it comes to Firefox, he decries all the vulnerabilities – of which only 3 are unpatched on Secunia.
As regards corporate use of Firefox. There’s more to it than just “which browser is better”, manageability is a key issue. Check these out;
http://www.computerworld.com/softwaretopics/software/story/0,10801,108622,00.html
http://4sysops.com/archives/firefox-versus-internet-explorer-in-a-corporate-network/
http://news.com.com/2100-7344_3-6076320.html
Manageability is a key factor when it comes to Browser use in a corporate environment. Enter corporate Firefox into Google & you’ll find several articles which discuss this very topic. Suffice it to say IE currently offers easier management in a corporate environment than Firefox does.
As regards corporate Firefox use. Browser use in a corporate environment often has little to do with the Browser itself, check these articles;
http://www.computerworld.com/softwaretopics/software/story/0,10801,108622,00.html
http://news.com.com/2100-7344_3-6076320.html
http://4sysops.com/archives/firefox-versus-internet-explorer-in-a-corporate-network/
Manageability is a priority in businesses & it’s something Firefox (& other browsers too for that matter) are lacking in as the above highlights.
In Myth – “Firefox is a Solution to Spyware” Andrew posts a link to a Sunbelt blog as proof of malware auto-installation in Firefox;
http://sunbeltblog.blogspot.com/2006/04/pssstyou-wanna-see-firefox-exploit-in.html
Andrew however, still demands proof for malware auto-installation in IE occurring, despite being linked to another (recent) Sunbelt blog video which proves it;
http://sunbeltblog.blogspot.com/2006/04/video-of-createtextrange.html
Perhaps Andrew would like to clear up why he uses Sunbelt as proving auto-installation of malware in Firefox, yet the same “reputable source” which proves malware auto-installation in IE is ignored. I’m sure we’d all appreciate an explanation for the hypocrisy, or perhaps Andrew can clear things up by providing a link to a webpage which will auto-install malware in Firefox.
The link doesn’t work anymore and the video is of a patched vulnerability.
“The createTextRange() zero-day vulnerability has been patched in the latest round of security updates from Microsoft.”
Which means it is useless. Every single one of your other links is just as useless. You have presented no links to something that currently auto-installs spyware on my fully patched version of IE. Not to mention most of these exploits before they were patched had no effect on IE 7 Beta 2. But see you spreading FUD about IE is a good distraction from the complete lack of facts you have about Firefox Myths. The information provided on the Firefox Myths page is to simply debunk the associated Myth.
Also the overwhelming majority of corporations do not use Firefox.
Again I want proof of Auto-installing Malware on my fully patched version of IE not some patched vulnerability sandboxed video.
The Sunbelt link on the Firefox Myths Page has one purpose to prove that Firefox can get infected with Spyware, it has nothing to do with IE.
“The link doesn’t work anymore and the video is of a patched vulnerability… Which means it is useless.”
The link you’ve provided for Sunbelt relates to a vulnerability patched in Firefox 1.0.5. So by your own admission that also makes the link you use “useless”. The writer notes similar too;
“Now, the Faithful (and admittedly few) Readers of My Blog are demigods when it comes to security, so most of you are running a patched version of Firefox (basically, any version 1.05 or higher). But checking browser stats on this site does show that there is a very small number of you that aren’t updated to a safe version.”
So perhaps you can clarify why the Sunbelt blog re: a patched Firefox vulnerability is not useless, yet a link proving auto-installation of malware for a now patched IE vulnerability *is* useless? The link provided proves that auto-installation of malware in IE can occur.
But as you say; I want proof of Auto-installing Malware on my fully patched version of Firefox not some patched vulnerability sandboxed video. Where’s the proof Andrew? All I see are sources relating to patched vulnerabilities – that makes your sources “useless” as you’ve stated in your previous post
Mmm… So mentioning auto-installing malware in IE is “spreading FUD,” but inviting readers to draw the conclusion that auto-installing malware in older versions of Firefox simply debunks a myth of Firefox security? I don’t think so.
“You can still easily get infected with Spyware using Firefox as these exploits demonstrate:”
Firefox Myths then goes on to quote from two sources, one regarding the Java spyware installation and the other auto-installing spyware in older versions of Firefox.
The author then states:
“Anyone who claims Internet Explorer cannot be secured from Auto-installing Spyware either doesn’t know how or is lying.”
This, of course, is proved false by the video of auto-installing malware in IE.
IMO the Firefox Myths page
a) attempts to spread FUD by mentioning as many Firefox vulnerabilities as it can without making clear that they are patched, and even implying that they remain unpatched by careful use of tense:
“Mozilla – lists 113 “known” security vulnerabilities in Firefox, 24 of which are rated as High and 47 Critical.”
b) attempts to diminish security problems in IE, to the point of contradicting reality, as in the suggestion that IE can be secured against all auto-installing spyware. (Despite not being a comparison guide, of course!)
We need a balanced picture here. All browsers have security vulnerabilities, and users need to apply patches and updates to prevent auto-installing malware. I believe Firefox has a better security record than IE. Does this make me a Firefox fanboy? Well actually I have been harshly critical of Firefox in the past, so that would be a perverse misinterpretation of the truth:
“16/5/2005
There have been several Firefox updates recently, patching critical security vulnerabilities, the latest found by a 16 year old boy: ‘The incident is the latest black eye for the open-source software project’s security image.’”
“23/10/2005
Firefox is up to 1.0.7, after several security updates. The update process itself remains entirely manual. (I.e. most people won’t do it, making claims of greater security somewhat dubious. The fact that a ByteVerify exploit remains the second most common malware in the world according to Trend Micro proves that if updating isn’t automatic, it won’t get done- the ByteVerify exploit was patched in IE in 2002.) Apparently the next major release, Firefox 1.5, now out in Beta, will fix this.”
http://www.geocities.com/dontsurfinthenude/blogarchive.htm
So I’m hardly a fanboy. I simply believe that the message of Firefox Myths, that all browsers are created equal but Firefox is less equal than others, is wrong.
“The link you’ve provided for Sunbelt relates to a vulnerability patched in Firefox 1.0.5. So by your own admission that also makes the link you use “useless”. The writer notes similar too;”
That is not why the link is there. The link is there is to prove that Firefox can be infected with Spyware and to debunk the Myth that Firefox is a solution to Spyware. It clearly is not.
“So perhaps you can clarify why the Sunbelt blog re: a patched Firefox vulnerability is not useless, yet a link proving auto-installation of malware for a now patched IE vulnerability *is* useless? The link provided proves that auto-installation of malware in IE can occur.”
It has to do with the context of the argument. You and the other Fanboys here are attempting to combine two separate arguments. I am not making any claims about a fully patched version of Firefox. That is not the purpose of that link. There is a widely held belief that Firefox is completely immune to Spyware. This link proves it is not, Firefox can clearly be infected. The other argument is that IE even fully patched can get infected. I am still waiting on proof of this.
“But as you say; I want proof of Auto-installing Malware on my fully patched version of Firefox not some patched vulnerability sandboxed video. Where’s the proof Andrew? All I see are sources relating to patched vulnerabilities – that makes your sources “useless” as you’ve stated in your previous post”
I am not making this claim you are in an attempt to try to manipulate the argument.
Two things are true here:
1. Firefox can be vulnerable to Spyware.
2. No one can prove my fully patched version of IE can be infected with Auto-installing Spyware.
It is that simple.
“This, of course, is proved false by the video of auto-installing malware in IE.”
Not at all because the claim is that IE can be secured from auto-installing spyware and it can! Simply install the latest patch and that vulnerability in the video cannot be exploited. Prove otherwise.
“So I’m hardly a fanboy. I simply believe that the message of Firefox Myths, that all browsers are created equal but Firefox is less equal than others, is wrong.”
Well you might want to read the page again because the page does not compare browsers. It is simply to debunk Firefox Myths. You don’t like it because I do not provide excuses for why Firefox fails each of the Myths. Too bad. The Truth hurts:
The reality is Firefox is not perfect and not the best at any of the widely held Myths that propagandize it as such.
“No one can prove my fully patched version of IE can be infected with Auto-installing Spyware.”
I think no one can prove it to Andrew because he is simply not listening. His dogmatic refusal to accept the evidence is obvious.
“You don’t like it because I do not provide excuses for why Firefox fails each of the Myths.”
I don’t like it because you make excuses for IE while slagging off Firefox. Firefox is insecure because of past vulnerabilities, but IE is not. Firefox has incomplete standards support but IE has good support. If you don’t think this is comparing browsers, you are the only one.
“The Truth hurts.”
Pleeeeaaase! Spare us the lame clichés. I can stand anything but that!
Before that patch was released IE *was* vulnerable to that exploit. That’s the “point”. The same goes when the next zero-day vulnerability occurs – & there have been a few in the past 6 months.
You seem to believe that because patches are now available that the unpatched period in-between where they *were* vulnerable doesn’t count. That’s a ludicrous position to hold. Auto-installation of malware is a reality (As dozens of security vendors have posted) & it’ll still be a reality when the next zero-day vulnerability occurs, the fact such a vulnerability may be patched some weeks after the fact doesn’t change it.
Your position on the matter is laughable. What was it you were saying while the createtextrange() vulnerabilities were exploited, yet still unpatched? ;
“1. You did not have all the security updates applied.
2. You never removed MSJVM.
3. You manually installed it.
Those are the only way you can get infected with IE.”
During that period your “fully patched” system was vulnerable, why? Because there was no patch for it, same as for everyone else.
See your propaganda tactics are getting old. You create up lies that I never said. If this is what you want to do, I can do the same.
“No one can prove my fully patched version of IE can be infected with Auto-installing Spyware.”
I think no one can prove it to Andrew because he is simply not listening. His dogmatic refusal to accept the evidence is obvious.
“You don’t like it because I do not provide excuses for why Firefox fails each of the Myths.”
I don’t like it because you make excuses for IE while slagging off Firefox. Firefox is insecure because of past vulnerabilities, but IE is not. Firefox has incomplete standards support but IE has good support. If you don’t think this is comparing browsers, you are the only one.
“The Truth hurts.”
Pleeeeaaase! Spare us the lame clichés. I can stand anything but that!
“I think no one can prove it to Andrew because he is simply not listening. His dogmatic refusal to accept the evidence is obvious.”
You have no evidence that my fully patched version of IE can be infected with Spyware. Please provide a link.
“I don’t like it because you make excuses for IE while slagging off Firefox. Firefox is insecure because of past vulnerabilities, but IE is not. Firefox has incomplete standards support but IE has good support. If you don’t think this is comparing browsers, you are the only one.”
You are beyond pathetic. The page is about Firefox Myths NOT IE. Firefox is insecure not only for past vulnerabilities but also unpatched vulnerabilities. Firefox DOES have incomplete standards support!!! What part of that do you not get. I noted however that IE has good support for HTML. I did not say Firefox had bad support for HTML = you are trying to put words in my mouth to further your agenda or lying to people about Firefox and IE. In your world the only way you can endorse Firefox is by flat out misleading people. You need to compare it to IE as an excuse all the time. I will and can make any notes as I feel are necessary. Most of the notes are due to emails I received and I did not want to answer the same ones over and over. Firefox Fanboys live in this IE bashing world where they create the illusion of the Firefox Browser as perfect by bashing IE. I have destroyed that illusion.
“Before that patch was released IE *was* vulnerable to that exploit. That’s the “point”. The same goes when the next zero-day vulnerability occurs – & there have been a few in the past 6 months.”
This is obvious with any security exploit ever. Tell us something we do not know. The difference is I never saw any proof of this. I have repeatedly for the last two years asked for a link that proves my fully patched version of IE can be infected with Spyware until you provide this, you are only spreading FUD. Online Zero day hysteria makes good news stories but it does not translate into real world use.
“You seem to believe that because patches are now available that the unpatched period in-between where they *were* vulnerable doesn’t count. That’s a ludicrous position to hold. Auto-installation of malware is a reality (As dozens of security vendors have posted) & it’ll still be a reality when the next zero-day vulnerability occurs, the fact such a vulnerability may be patched some weeks after the fact doesn’t change it.”
Yes it is a reality on unpatched versions of IE. I have yet to see a single bit of proof otherwise. I use IE 24/7 all during the unpatched time and had no infections, neither did a single one of my thousands of clients. Hysteria and reality are two different things.
“Your position on the matter is laughable. What was it you were saying while the createtextrange() vulnerabilities were exploited, yet still unpatched? ;”
Exploited by whom? Please provide proof that I can reproduce… Oh wait the vulnerability is patched? See Firefox has code execution vulnerabilities as well, what happens in between patch time? Oh that’s right Secunia initially rates the vulnerability as Low and then changes it to high when the patched version of Firefox is released. Have you ever wondered why so many security firms are quick to post vulnerabilities for IE but never Firefox? It couldn’t be a widespread hatred of Microsoft by irresponsible people determined to see them Fail? No they really care about security.
“During that period your “fully patched” system was vulnerable, why? Because there was no patch for it, same as for everyone else.”
Just like every other browser is during this time. The reality is Microsoft was not seeing any indications of it being exploited and neither did I. Funny how few security sites covered this “widespread” exploit being exploited. Maybe because it wasn’t?
Interesting how the whole conversation has shifted completely off of the Firefox Myths article and gone completely towards IE bashing. Typical Fanboy tactics.
The conversation was about the blog author’s conclusion from the page that: ‘it doesn’t matter which browser you use, just use latest version and you will be fine. Really.’
My original comment was to address that point. Auto-installing malware in a current and fully patched version of a browser is something which has happened only in IE. It proves that it does matter which browser you use: some have a better security record than others.
Security sites reporting this exploit being used to install malware include Sophos, Websense and Sunbelt software.
Another link was posted to auto-installing malware in IE where a patch was applied a few days late to IE (the Sysinternals link above.)
There have been other occasions where a vulnerability in IE has been exploited before a patch was put out:
http://www.theregister.co.uk/2005/12/01/ie_exploit_trojan/
This is in contrast to Opera and Firefox, whose users have not been exposed to such exploits in patched versions of their browsers. Discussion of IE is “on topic” considering the blog author’s conclusion from the Firefox Myths page.
“You are beyond pathetic. The page is about Firefox Myths NOT IE.”
Well, personal insults just show you’re losing the argument, if you ask me. If the page was about Firefox myths, why does it talk about IE at all?
Firefox has “incomplete” support for standards, oh, and by the way, IE has “good” support.
Firefox is insecure, oh, and by the way, IE is 100% rock solid, cast iron secure.
The implication is clear. You’re inviting your readers to draw the conclusion that “it doesn’t matter which browser you use,” a conclusion I have contested. As for “lying to people,” I’ll just use that favourite phrase of yours: look at the sources.
“During that period your “fully patched” system was vulnerable, why? Because there was no patch for it, same as for everyone else.”
Just like every other browser is during this time.
[Sound of jaw dropping] I missed this previously. Andrew, are you now claiming that the CreateTextRange vulnerability affected other browsers apart from IE? What is your source for this astonishing claim?
“Just like every other browser is during this time. The reality is Microsoft was not seeing any indications of it being exploited and neither did I. Funny how few security sites covered this “widespread” exploit being exploited. Maybe because it wasn’t?”
No indications of it being exploited? Maybe it wasn’t? Well, admittedly hundreds of websites out of 75 million scanned by Websense every day is a small percentage, surely doubting the existence of exploits is a little, well, foolish?
Websense Press Releases
Websense Security Labs Reports Spreading of Unpatched Internet Explorer Vulnerability
Websense(R) Web Security Suite customers automatically protected from latest exploit by utilizing Real-Time Security Updates
San Diego March 27, 2006 — Websense, Inc. (Nasdaq: WBSN – News), a global leader in web security and web filtering productivity software, today announced that Websense® Security Labs(TM) has discovered a rapidly growing amount of unique URL’s attacking a recently found vulnerability within Microsoft Internet Explorer (IE). The latest “zero-day” vulnerability within IE, which currently has no patch available, allows the launching of malicious code on an end user’s machine without consent. Utilizing this exploit, a hacker could gain control over a vulnerable machine by crafting special code hosted on websites.
Websense Security Labs has discovered hundreds of websites that are specially crafted to exploit the IE vulnerability to run code on the user’s machine. The websites are each intended to take advantage of the vulnerability by running shell code that connect to the Internet via HTTP and download one of several pieces of malicious code, including Bot variants, backdoors, and other Trojan Horses. Websense Web Security Suite(TM) customers are automatically protected from these new threats by utilizing Real-Time Security Updates(TM) which provide real-time updates to Websense’s URL database as malicious websites exploiting this vulnerability are found.
“This exploit demonstrates the power of the Websense security solution. Even before the vulnerability can be patched and anti-virus signatures were available, Websense security customers were protected,” said Leo Cole, vice president, marketing for Websense, Inc. “This level of detection and automatic protection is only available with Websense’s web security approach.”
Utilizing honey clients, Websense Security Labs is constantly scanning the internet for malicious websites that are attacking this vulnerability. As new websites are discovered and researched, they are added to the Websense URL database and categorized.
“Websense Security Labs utilizes a sophisticated process to scan over 75 million websites per day, looking for malicious websites and advanced internet attacks,” said Dan Hubbard, senior director of security and technology research for Websense, Inc. “As Websense Security Labs discovers websites attacking this new IE vulnerability, we are able to provide immediate and continuous protection to our customers.”
http://www.websense.com/global/en/PressRoom/PressReleases/PressReleaseDetail/index.php?Release=0603271165
“My original comment was to address that point. Auto-installing malware in a current and fully patched version of a browser is something which has happened only in IE. It proves that it does matter which browser you use: some have a better security record than others.”
Nonsense. Grant was right on. Your FUD is intended to mislead as many people as you can to get them to switch to Firefox. Just like this FUD post:
“Another link was posted to auto-installing malware in IE where a patch was applied a few days late to IE (the Sysinternals link above.)”
Actually reading the link:
http://www.sysinternals.com/blog/2006/01/antispyware-conspiracy.html
You find this paragraph:
“About a week ago someone sent me a link to a web page, that if visited using a version of Internet Explorer that hasn’t been patched with December’s security updates, slams the system with deluge of malware (several sites download the same malware package using the recently discovered WMF vulnerability).”
That’s right visiting a site without the available PATCH! Stop posting FUD. NOT applying security patches is the real problem. This exploit you hype was infecting people who did NOT apply the security patch. Stop trying to spin bullshit to hype Firefox and its pathetic security record.
“If the page was about Firefox myths, why does it talk about IE at all?”
Because some of the Myths relate to Fanboys comparing Firefox to IE. Key word SOME. Other notes are made where I feel like making them. I know you like to cry about this but get over it.
“Firefox is insecure, oh, and by the way, IE is 100% rock solid, cast iron secure.”
I never said that you are implying that. IE is also insecure but Firefox is no more secure than IE from Auto-installing Spyware.
Your vain attempts to prove otherwise are still without proof. Show me ONE link that auto-installs spyware in my fully patched version of IE! ONE LINK. Come on you think you can manage this.
But you did hit the nail on the head. As far as auto-installing spyware it doesn’t matter what browser you use. I love how you sit here and claim otherwise. I am using IE right now. Post a link to ANY site and I will go there and not get infected. This is elementary, really. Put up or Shut up.
“[Sound of jaw dropping] I missed this previously. Andrew, are you now claiming that the CreateTextRange vulnerability affected other browsers apart from IE? What is your source for this astonishing claim?”
I’m sorry but the fact that I have to continue to defend my comments from sorry ass Fanboys like you is getting old. Read it AGAIN.
“Websense Security Labs has discovered hundreds of websites that are specially crafted to exploit the IE vulnerability to run code on the user’s machine.”
And all I am asking for is one URL. Stop spreading FUD. Show me the money.
Andrew, I don’t know what audience you are aiming for with your continued insistence on an URL that will infect IE: someone incapable of grasping the concept that this exploit was used to auto-install malware for more than two weeks, as documented by many sources, but that the vulnerability is now patched.
This is comparable to asking a jury to believe that the accused could not possibly have committed the murder, despite emptying a revolver into the victim in front of several witnesses because there is no longer a live round in the gun.
“During that period your “fully patched” system was vulnerable, why? Because there was no patch for it, same as for everyone else.”
“Just like every other browser is during this time. The reality is Microsoft was not seeing any indications of it being exploited and neither did I.”
This statement clearly implies that other browsers were also vulnerable to the CreateTextRange vulnerability, which is simply false.
“IE is also insecure but Firefox is no more secure than IE from Auto-installing Spyware.”
Again, simply false: Firefox users have not been exposed to auto-installing malware in the same way that IE users have. Check out the University of Washington report above.
“That’s right visiting a site without the available PATCH! Stop posting FUD. NOT applying security patches is the real problem. This exploit you hype was infecting people who did NOT apply the security patch. Stop trying to spin bullshit to hype Firefox and its pathetic security record.”
I quite clearly stated that the Sysinternals video relates to an unpatched version of IE, but in that case the patch had only recently been released. As users may be late in applying patches, an exploit occurring soon after a patch is released will affect users late in applying the patch. The University of Washington report shows that users of an unpatched version of IE were vulnerable to auto-installing spyware, where users of an unpatched version of Firefox were not. Obviously the Sunbelt video proves that there are older versions of Firefox which may be exploited, but the relative risk of late application of vendor patches is greater with IE.
“I’m sorry but the fact that I have to continue to defend my comments from sorry ass Fanboys like you is getting old.”
You do seem to have a problem with anybody using rational argument to challenge your opinions: they immediately become a Firefox fanboy, even when they have criticised Firefox in the past. Again, the fact that you are resorting to throwing insults around only proves to me that you are incapable of reasoned, rational and civilised discussion.
I think you are incapable of providing reproducible proof that my fully patched IE system can be infected with Auto-installing Spyware.
“This statement clearly implies that other browsers were also vulnerable to the CreateTextRange vulnerability, which is simply false.”
You are clueless. It states that any browser during the unpatched state is vulnerable to the unpatched exploit. Just like since Firefox was released every version has been vulnerable to the latest vulnerabilities. Just because they are not published does not mean they cannot be exploited. This is irrelevant. Your “Zero-Day” hysteria is nothing but propaganda. These exploits have been in the browser for a long time just like all the Firefox vulnerabilities.
“Again, simply false: Firefox users have not been exposed to auto-installing malware in the same way that IE users have. Check out the University of Washington report above.”
Huh? The Sunbelt link I provided proves it can be. That is all you need to know, Firefox can be infected with auto-installing malware Period. The University of Washington report is a joke.
“I quite clearly stated that the Sysinternals video relates to an unpatched version of IE, but in that case the patch had only recently been released. As users may be late in applying patches, an exploit occurring soon after a patch is released will affect users late in applying the patch.”
Why would they be late in applying patches since Windows Update automatically installs them? Maybe you do not understand how Windows Updates work or do you actually tell people to disable this?
The University of Washington report shows that users of an unpatched version of IE were vulnerable to auto-installing spyware, where users of an unpatched version of Firefox were not. Obviously the Sunbelt video proves that there are older versions of Firefox which may be exploited, but the relative risk of late application of vendor patches is greater with IE.
“I’m sorry but the fact that I have to continue to defend my comments from sorry ass Fanboys like you is getting old.”
You do seem to have a problem with anybody using rational argument to challenge your opinions: they immediately become a Firefox fanboy, even when they have criticised Firefox in the past. Again, the fact that you are resorting to throwing insults around only proves to me that you are incapable of reasoned, rational and civilised discussion.
You don’t use rational arguments. You mislead people with your limited security knowledge and limited IT experience. What do you do for a living Frank? You obviously do not support anyone let alone thousands of clients like I do. The fact is that Firefox is nothing but Hype. Once people know the truth it will set them free. I’m sure you will continue the propaganda campaign, instead of helping people.
Andrew, why do you choose to operate behind anonymous sites and domain redirects? Post a link to your company so that we may read about you. Otherwise I will choose to accept information obtained from well known security companies like Sophos, Websense, Sunbelt and Sysinternals over the opinion of some unknown using Comcast webspace.
Yes, it is quite amusing that Andrew constantly refers to his “thousands of clients”, yet never actually mentions the company he works for, or provides any such proof as to these claims.
I mean, you throw around this “fact” to add weight to your own opinion (Fair enough) yet you never actually state your job or company. For someone who deals in “just the facts” you seem to be expecting everyone to believe a lot just because you said so. While you could (quite reasonably) say “well, neither have you”, you are the 1 who chooses to make a point of it.
“You are clueless. It states that any browser during the unpatched state is vulnerable to the unpatched exploit. Just like since Firefox was released every version has been vulnerable to the latest vulnerabilities. Just because they are not published does not mean they cannot be exploited. This is irrelevant. Your “Zero-Day” hysteria is nothing but propaganda. These exploits have been in the browser for a long time just like all the Firefox vulnerabilities.”
In the context the statement seemed to imply that other browsers were vulnerable to the CreateTextRange exploit. I’m glad you have cleared up your meaning. You seem to be pretty “clueless” yourself about the subject because you are clearly confusing the terms “vulnerability” and “exploit.” A vulnerability means a potential for attack, but requires an exploit to instigate the attack. The vulnerability is in the browser but the exploit is in POC code or in malicious code intended to use the vulnerability to install malware. An attack on a browser requires a vulnerability, exploit code to take advantage of the vulnerability, and in-the-wild malware found using the exploit. (Actually, I’m quite surprised that such a self-proclaimed expert could produce such basic factual inaccuracies.)
All browsers have had instances where exploit code has emerged before a vulnerability was patched:
http://www.webdevout.net/security_summary.php#exploited
But in-the-wild malware exploiting an unpatched version of a browser is, as far as I know, unique to IE. If you know of an instance in Firefox or Opera, please post a link.
“Huh? The Sunbelt link I provided proves it can be. That is all you need to know, Firefox can be infected with auto-installing malware Period. The University of Washington report is a joke.”
The Sunbelt video of auto-installing malware in Firefox is in a version which was patched about a year ago. The video of auto-installing malware in IE from the same source was of the same thing happening in a current and fully patched version of the browser. If you cannot grasp the difference, I’m sure readers of this blog can. The University of Washington is a joke? I don’t think that statement needs a comment.
“Why would they be late in applying patches since Windows Update automatically installs them? Maybe you do not understand how Windows Updates work or do you actually tell people to disable this?”
Windows update works well with broadband, but I never had much success with it using dial-up. Recent research in Europe has found that 50% of people in some countries do not have SP2. Business users do not always use automatic updates:
“Some businesses take a long time to completely install all patches. In some cases, they are six months behind.”
(Roger Thompson, chief technical officer at Exploit Prevention Labs.)
http://www.eweek.com/article2/0,1895,1974100,00.asp
The title of the article above is final proof that people do not apply updates: “Web Attackers Train Guns on Patched Windows MDAC Flaw.” Exploit code is developed after a vulnerability is patched but is still used successfully to install malware.
Not only Windows and IE are affected in this way: other internet programs need updating: Java, Quicktime, Flash, RealPlayer… Users fail to update them: older insecure versions of Java are currently a major attack vector for spyware. Although Java has an auto-update feature, it has never told me that I needed to apply an update.
Older versions of Firefox are also vulnerable to attack, which is why I criticised Firefox in the past for not having an auto-update feature until version 1.5.
I certainly recommend everybody to install all updates for all the programs mentioned and to have automatic updates enabled, at least with broadband- doing a manual Windows update used to work a lot better with dial up.
http://www.geocities.com/dontsurfinthenude/microsoftupdates.htm
Frank you should ask yourself the same question. I do not publish personal information to reduce the risk of identity theft and so I do not have to deal with all the wackos I meet online in real life.
Regardless the Firefox Myths page is completely sourced to many reputable sources. So it is not simply taking my word for it.
The funny thing about all of this is how online nonsense can perpetuate for years. Anyone in the business knows what I am talking about. Microsoft started taking security seriously after 2001 and then moved on to the present day monthly security patch cycle. They seriously overhauled security with Windows XP SP2 and Windows Server 2003. They bought and released for free a solid AntiSpyware Program. Then they IMO went overboard with the upcoming Vista Account User Control.
It doesn’t matter you guys will continue to spread the FUD about auto-installing spyware being an ActiveX problem and not an unpatched vulnerability problem. You will at every chance Hype Zero-Day exploits and completely mislead people into a false sense of security. Do you guys have any idea how many machines I now see that have trojans and malware running in memory ready to become Internet bot Zombies because they got stupid advice from someone who irresponsibly told them “Just install Firefox”?
Again the Sysinternals post talks about what happens if you visit an infected site WITHOUT the patch = you get infected. NO KIDDING!
“Frank you should ask yourself the same question.”
The difference is I do not claim to be “in the business” and that therefore my comments have more value than anybody else’s, without providing a shred of evidence. You have been dishonest when posting your pages across the internet, talking about the author in the third person, or even flatly denying that you were the author, and even claiming on one forum to be called Vincent. Why should we believe that you have some special qualification to speak?
Andrew (aka Mastertech) talks about the author of Firefox Myths in the third person:
http://www.evilavatar.com/forums/showthread.php?s=4c1b170a753531e089afbad60eade9ae&t=8269&page=15&pp=10
Andrew denies being the author of the OptomiseXP page and claims that he is called Vincent:
http://techreport.com/forums/viewtopic.php?p=350389
“Anyone in the business knows what I am talking about.”
Please don’t get patronising with us: unless you can provide evidence, you are just a geek behind a computer like the rest of us.
“You will at every chance Hype Zero-Day exploits and completely mislead people into a false sense of security.”
I think “leading people into a false sense of security” is what you are on the record as doing.
In March this year you stated categorically:
“1. You did not have all the security updates applied
2. You never removed MSJVM
3. You manually installed it
Those are the only way you can get infected with IE.”
http://forums.3dgamers.com/showthread.php?s=7f8cd09b414b5457e0d233723b80e8a6&t=9647&page=3&pp=20
At the very same time, Microsoft employees sounded a very different note:
“Our initial investigation has revealed that if you turn off Active Scripting, that will prevent the attack as this requires script.
We’re going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted websites, etc.”
http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
Firefox Myths still contains this bold statement:
“Anyone who claims Internet Explorer cannot be secured from Auto-installing Spyware either doesn’t know how or is lying.”
Various posters to this blog have pointed out that the sunbelt video of auto-installing malware in IE proves this statement to be quite clearly wrong, and yet Andrew continues to repeat the dogma here: you’re 100% secure with a fully patched IE.
Sorry Frank but I am in the business and have been doing this for over 15 years. Unlike you and all the other Fanboys, I actually have real experience dealing with these issues. Microsoft nor myself saw any problems during the inbetween patch time. I know you would like to spread more FUD about Zero Day Hysteria but the fact is it doesn’t relate to the real world.
The Sunbelt exploit shown in the video is patched. I nor anyone else that applied the patch can be infected. I know you want to keep spreading FUD otherwise but those are the facts.
If I am not secure then please provide a URL link that can infect my machine today. NOT some vulnerability that is patched. Prove me wrong. This is not complicated.
To repeat (ad nauseam):
If you are going to patronise us, you are going to have to back your claims up with some credentials. Otherwise, as somebody who has been proven to have been dishonest about his identity when posting in the past, your opinion is of no more value than anybody else’s.
Microsoft was warning people to exercise caution when browsing and to disable active scripting before the patch for CreateTextRange was issued; during the same period, you are on the record as stating dogmatically that auto-installing malware was simply not possible in IE. The Sunbelt video has proved you wrong.
Your wilful refusal to acknowledge that exploits only work as long as vulnerabilities are unpatched just shows that you are appealing to the less knowledgeable reader, who might be persuaded to believe that because there is no URL today that can infect a fully patched browser, there never was in the past.
For you to pop up all over the net and tell people that Firefox is insecure because of all the vulnerabilities it has (failing to mention that they are patched of course!) could not possibly be spreading FUD, could it? For you to dismiss past vulnerabilities in IE saying “I nor anyone else that applied the patch can be infected,” doesn’t show any sort of bias or double standards, does it?
“Microsoft nor myself saw any problems during the inbetween patch time.”
Incidentally, this statement is untrue. The Microsoft Security Advisory clearly states that Microsoft did see problems:
“Revisions:
March 23, 2006: Advisory published
March 24, 2006: Advisory updated with indication of limited attacks.
March 28, 2006: Advisory updated with information regarding additional security software protections, current limited scope of attacks, and the status of the Internet Explorer security update.”
“Limited attacks” is not the same as not seeing any problems.
In fact, Microsoft saw enough problems to consider “rushing out a patch”:
http://news.com.com/Microsoft+mulls+rushing+out+IE+patch/2100-7349_3-6053961.html
“Microsoft indicated that a security patch might be released outside of the regular cycle.
‘It is on the table,’ said Stephen Toulouse, a program manager in Microsoft’s Security Response Center. ‘Every time any kind of exploitation is going on, it is on the table.’”
The article also confirms that McAfee as well as Sophos and Websense were seeing malware using the exploit:
“Computer code that demonstrates how a hacker can use the flaw to take over a PC was released onto the Net on Thursday. At least two such exploits were made public, and one has now been adapted to attack systems, Monty IJzerman, the manager of security content at McAfee, said on Friday.
‘This exploit code is being used in the wild in malware,’ or malicious software, IJzerman said. ‘I expect other attacks to be prepared and to be out there over the next few days.’”
Funny, maybe all the fanboys should back up their credentials. Oh wait what would we learn? Teenagers and others in non-computer related fields are giving people computer advice?
As for myself, I have always clearly stated my experience. You and your friends spreading lies about me and my identity does not change this fact. I can do no more than give the information away for free.
Auto-installing spyware is not possible on a fully patched version of IE. If it is then please provide reproducible proof.
I am appealing to reality – something you fanboys do not live in. You choose to scare people with FUD to get them to switch to Firefox due to some absurd obsession, usually an inner hatred of Microsoft. I have for the last two years requested ONE URL that can infect my fully patched IE system with auto-installing Malware. Everyone has yet to deliver.
I am telling people the truth about Firefox. Those vulnerabilities exist and are documented. And FYI they are NOT all patched. Yes of course a fully patched version of Firefox is more secure than a non patched version. This is nothing new. That is how security updates work. The double standard is failing to provide this same information about IE. Or are you so naive to think none of those Firefox vulnerabilities were known to the malware community before they were patched?
The truth has been out for some time, there is no going back now.
As you are unprepared to give us any credentials, we can only go on the quality of argument in your postings. On this blog you have shown yourself to be confused about the basic terminology of the subject of computer security by mixing up the terms “vulnerability” and “exploit,” and you have shown you don’t do your research, by telling us that Microsoft did see any problems with the CreateTextRange exploit, when their own advisory shows that they did.
I have not told any lies about you. I have said that you have been dishonest about your identity in the past, and provided links to prove it. To avoid being identified as the author of the sites you post from, you said your name was Vincent. Here you are posting as Andrew. You have either told or are telling a lie now.
http://techreport.com/forums/viewtopic.php?p=350389
Again, we have posted clear proof of auto-installing malware in IE. You have chosen to put your head in the sand, in which case, there is nothing I can add.
You are trying to have your cake and eat it, Andrew, which is really the only reason anybody takes the trouble to argue with you. You say that Firefox is insecure because of all the past vulnerabilities, yet Internet Explorer is secure despite past vulnerabilities.
I have presented evidence that in fact Firefox (and Opera) have a better security record than IE, all of which you have chosen to ignore, including video evidence of an attack occurring in IE.
There are unpatched vulnerabilities in Firefox (4 rated less critical,) but lest you accuse me of “the double standard is failing to provide this same information about IE,” let me point out that IE also has unpatched vulnerabilities (19 rated moderately critical.) I have clearly stated that past vulnerabilities do not affect current browsers; it is you who is unable to grasp this concept, constantly demanding an URL that will infect IE today, and banging on about how the number of vulnerabilities in Firefox make it insecure.
In absolute terms, Firefox is not 100% secure, but no browser is. Yet you claim that IE is 100% secure against auto-installing spyware: a claim which has been disproved. In relative terms, the evidence shows Firefox is more secure than IE, whether you look at current vulnerabilities, past vulnerabilities or speed of patching. Yet you claim “Internet Explorer with Windows XP Service Pack 2 installed provide the same level of Spyware security as Firefox”: a claim which can and has been contested by many.
A vulnerability may be known to the malware community, but without a working exploit it is useless. You have still failed to grasp the difference between a vulnerability and an exploit. I have yet to see reports of malware using current Firefox vulnerabilities to install. If you know of such an occasion, please post a link: unlike you, I will accept a report from any reputable security organisation.
Reality? You have chosen to ignore all the evidence presented to you. Face it, you are all that you despise in others, a fanboy, “zealously committed to their particular narrow area of interest, to the exclusion and derision of competing or similar products, regardless of their merits,” as the definition on Firefox Myths puts it.
I’ve already responded to everything you just posted above somewhere. But this is interesting:
“I have not told any lies about you. I have said that you have been dishonest about your identity in the past, and provided links to prove it. To avoid being identified as the author of the sites you post from, you said your name was Vincent. Here you are posting as Andrew. You have either told or are telling a lie now.
http://techreport.com/forums/viewtopic.php?p=350389”
I need to embarrass you really big on this one but I will have to wait for a larger audience.
You have responded as a typical fanboy, by ignoring any evidence presented to you that doesn’t fit your world view, making bold statements that turn out to be untrue, getting your facts wrong and insulting and condescending. Nice job at responding to reasoned criticism, Andrew!
I’m waiting to see how you are going to get out of that one, Andrew, or should I say Vincent?
Probably in the same way that you dealt with the discovery that you had been posting sock puppet responses to support your own page in these blogs, by claiming it’s all a conspiracy against you:
http://www.thingoid.com/2006/01/the-myth-of-firefox-myths/
http://robert.accettura.com/archives/2005/12/19/firefox-myths/
First you need evidence to ignore. But the fact that you continually try to slander who I am online is just beyond anything I have seen to date. Grow up. Don’t be so scared that people have found out the truth about Firefox, my page isn’t going anywhere. Next time try not lying to people to get them to use your browser. The truth has already set many free.
As has been pointed out before, you do not understand the meaning of the word ‘slander.’ It means ‘to damage someone’s reputation by making a false spoken statement about them.’
I believe the word you are looking for is ‘libel,’ which refers to writing.
But what I have said is not libel. I called you a liar and you have proved yourself a liar many times.
Andrew and Trevor, the authors of the blogs I linked to above caught you out lying, and proved it using your IP numbers.
You have lied about your identity in other places, most famously here:
http://techreport.com/forums/viewtopic.php?p=350389
Your lies on the internet have caught up with you, Andrew, and your response when the evidence was put to you showed you realised that, didn’t it, Clint?
http://www.browserdiscussions.com/showthread.php?tid=196
Andrew:
You are an idiot. I mean really you are. I’ve read everything through this blog you have had to say and others responses. And you are an idiot.
Fanboys … I think it really bothers people (myself included) when you make idiotic and illogical statements so they continue to try to refute you when they should realize that it doesn’t matter what they say, you are going to continue being an idiot. Quite possibly you are paid to be an idiot.
It’s like if I put up a website trying to debunk statements claiming the sun provides us with energy. And when thousands of people persistently try to educate me I dismiss them as fanboys of the sun. Dogmatically sticking to the truth does not make someone a fanboy.
2. Firefox vs. IE – My dad had IE and I was monthly cleaning up his system even after I explained to him how to keep windows and IE up to date. I installed Firefox and removed his link to IE from his desktop and start menu and the amount of spyware and viruses dropped to nothing. Whatever reasons, excuses, explanations you want to give I DON’T CARE. That is real world experience.
If you want to call me a fanboy I don’t care. I use firefox, cause it works for me and for those I have given it to. That’s the bottom line.
Idiot. I hope someday for your own sake you pull your head out of the sand and start actually listening to what people are saying.
“Auto-installing spyware is not possible on a fully patched version of IE. If it is then please provide reproducible proof.”
“I have for the last two years requested ONE URL that can infect my fully patched IE system with auto-installing Malware. Everyone has yet to deliver.”
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632
DO NOT VISIT THESE SITES. YOU WILL BE COMPROMISED.
http://www.websense.com/securitylabs/blog/blog.php?BlogID=82
WARNING:
Visiting the website shown in this video can and will infect your computer – even if you have removed vgx.dll – it contains multiple exploits, including one for an older version of Firefox. Please DO NOT visit this site.
“The double standard is these types of exploits on IE are all FUD towards ActiveX, actually every single IE vulnerability which has nothing to do with ActiveX is all blamed on ActiveX.”
“…that destroys the lies they spread about ActiveX.”
Here’s another exploit that can at the time of writing infect a fully patched version of IE on SP2:
There’s an URL (obscured).
http://explabs.blogspot.com/2006/09/webviewfoldericon-setslice-exploit-in_30.html
You guessed it, it’s an ActiveX exploit.
Just for the record, the following claim has been quietly dropped from Firefox Myths:
“Anyone who claims Internet Explorer cannot be secured from Auto-installing Spyware either doesn’t know how or is lying.”
I’m guessing the evidence for auto-installing spyware using exploits in Internet Explorer (such as in the links above) just became too obvious to ignore: finally even Andrew couldn’t ignore the elephant in the room.
“Microsoft Internet Explorer is the most popular browser used for web surfing and is installed by default on each Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an email. Exploit code for many of the critical Internet Explorer flaws are publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and Graphics Rendering Engine. Vulnerabilities in ActiveX controls installed by Microsoft or other vendor software are also being exploited via Internet Explorer.
These flaws have been widely exploited to install spyware, adware and other malware on users’ systems. The spoofing flaws have been leveraged to conduct phishing attacks. In many cases, the vulnerabilities were zero-days i.e. no patch was available at the time the vulnerabilities were publicly disclosed. The VML zero-day vulnerability fixed by Microsoft patch MS06-055 was widely exploited by malicious websites before the patch was available.”
SANS Top-20 Internet Security Attack Targets (2006 Annual Update)
http://www.sans.org/top20/#w1
“Security Fix recently published information about thousands of U.S. residents whose passwords and other data had been stolen by nefarious hackers.
Last week, I received more data about the number of victims caused by the hackers’ Trojan horse computer program and more details about the complexity of the attack.
I originally reported there were about 3,220 victims scattered throughout the United States. After reading the story, a security officer at a financial institution notified me that he has been monitoring this same trove of stolen data since its inception. I’ve agreed not to name the individual or his employer.
According to his data, the attackers have been running this operation since at least October 2006. That is when they began exploiting an unpatched vulnerability in Microsoft Windows PCs. Microsoft issued a patch for the flaw a few weeks later that month.
While he was unable to confirm more than 3,200 current, active victims, the data he collected suggests that the criminals have stolen data from at least 10 times that number of machines since December, according to the statistics page used by the criminals. As the graphic shows, the stats page showing the total number of compromised systems was reset in November.”
What was this unpatched vulnerability?
You guessed it, it’s an ActiveX exploit.