[devper94]

Sorry, but that is some very twisted rationalization. By that rational, how can ANYTHING be trusted? Or are unspotted problems only an issue with IE?

No one makes perfect software. The problem is whether you patch the software early enough.

And I am sorry again, but open source does not mean more secure. It actually can mean there is less control over what happens, and whether that is good or bad is case dependent. Yes, I would like to see MS push out fixes faster, but it averages 4 days, which I don't think is too bad, considering the update must be setup to be tested and pushed out via Windows Update.

Then you haven't seen open source development. Everyone can look at the code, but that doesn't mean anyone can modify the code. Big software projects like Firefox and Chrome perform strict checking of source code sent by contributors before committing it into the main branch. Plus, every stable version must first pass QA before being released.
A comparison of exposure window for various browsers: http://www.symantec....dow_of_exposure

I'd say that all browsers are secure, but relative security should be assessed by the time taken to fix a bug, not the number of bugs.

[Advertisements]

Big software projects like Firefox and Chrome perform strict checking of source code sent by contributors before committing it into the main branch.

I agree - but that (open source or not) IN NO WAY indicates a product is more, or less secure. And surely, Microsoft performs strict checking of source code changes before it goes into the main branch too.

It is simply not valid to suggest open source means better.

but relative security should be assessed by the time taken to fix a bug, not the number of bugs.

Says who? I totally disagree with that statement.

Relative security should be assessed by (1) the severity of the specific threat, and (2) the exposure of the vulnerability. The latter is the most crucial. There is a HUGE difference between a vulnerability, and an "exposed" vulnerability. A broken bank vault does not mean your money will be stolen. The badguys must still bypass all the other security measures (surveillance, building locks, alarms, guards, etc. | firewall, router, anti-malware, anti-phishing, etc.), then open the vault, then escape with the cash.

And while I agree that the number of bugs may not be as important as the severity, there is NO WAY I can believe 50 vulnerabilities fixed in 1 patch should be discounted or not assessed as significant (or that they were all just discovered in the last 2 days).

I find your Symantec link interesting. For one, it verifies my 4 day average statement - while twice as long Mozilla, is still pretty good, IMO. But I note Symantec also says,

It may also be more or less trivial to patch some vulnerabilities in comparison to others.

So even Symantec suggests your comments about being the fastest in delivering patches is, "more or less trivial" - depending on the threat. That said, IE did have some unacceptably long times, that certainly impacted their averages, but Symantec also reports,

Of the vulnerabilities affecting Internet Explorer in 2010, 81 percent were patched in less than one day after becoming public knowledge

I find it interesting how you have turned this into a discussion about Microsoft, and not IE. Certainly the company behind the product is important, but the product must stand on its own merits.

[Digerati]

Big software projects like Firefox and Chrome perform strict checking of source code sent by contributors before committing it into the main branch.

I agree - but that (open source or not) IN NO WAY indicates a product is more, or less secure. And surely, Microsoft performs strict checking of source code changes before it goes into the main branch too.

It is simply not valid to suggest open source means better.

but relative security should be assessed by the time taken to fix a bug, not the number of bugs.

Says who? I totally disagree with that statement.

Relative security should be assessed by (1) the severity of the specific threat, and (2) the exposure of the vulnerability. The latter is the most crucial. There is a HUGE difference between a vulnerability, and an "exposed" vulnerability. A broken bank vault does not mean your money will be stolen. The badguys must still bypass all the other security measures (surveillance, building locks, alarms, guards, etc. | firewall, router, anti-malware, anti-phishing, etc.), then open the vault, then escape with the cash.

And while I agree that the number of bugs may not be as important as the severity, there is NO WAY I can believe 50 vulnerabilities fixed in 1 patch should be discounted or not assessed as significant (or that they were all just discovered in the last 2 days).

I find your Symantec link interesting. For one, it verifies my 4 day average statement - while twice as long Mozilla, is still pretty good, IMO. But I note Symantec also says,

It may also be more or less trivial to patch some vulnerabilities in comparison to others.

So even Symantec suggests your comments about being the fastest in delivering patches is, "more or less trivial" - depending on the threat. That said, IE did have some unacceptably long times, that certainly impacted their averages, but Symantec also reports,

Of the vulnerabilities affecting Internet Explorer in 2010, 81 percent were patched in less than one day after becoming public knowledge

I find it interesting how you have turned this into a discussion about Microsoft, and not IE. Certainly the company behind the product is important, but the product must stand on its own merits.

[devper94]

I surely agree that MS has strict QC too, but you are suggesting that open-source development is not good:

It actually can mean there is less control over what happens

While severity and exposure affects a lot, the actual number of holes are not as important as the time taken to fix it. A day late, and the hole could be easily used for targeted attacks.

50 vulnerabilities fixed in 1 patch should be discounted or not assessed as significant

http://www.mozilla.org/security/known-vulnerabilities/firefox40.html#firefox4.0.1

Bugs != vulnerabilities. They might be simply stability or memory problems.


I didn't turn this into a Microsoft discussion; you did, by mentioning which sites are "MS-haters" and which are not. If you take a close look, you will see that I simply stated about the neutrality of NSS Labs and the development model of various browsers. I have no problem with MS, they make good soft (though expensive as [bleep]), but the open-source model allows as good (if not better) development speed.

[Digerati]

but you are suggesting that open-source development is not good:

I NEVER made any suggestion of the kind! Please don't twist my words around. What I am suggesting is exactly what I said,

It is simply not valid to suggest open source means better.

and

It actually can mean there is less control over what happens

"can mean" indicates there is the potential - it does not mean there is less control, or that something is not good. FTR, I am in favor of open source, if it means a quality product, and lower costs for consumers.

Bugs != vulnerabilities. They might be simply stability or memory problems.

Here's my problem with this whole line of discussion. You bring up all these points and somehow apply them only to FF or only to IE. That does not make sense. You said,

relative security should be assessed by the time taken to fix a bug, not the number of bugs.

Now you try to rationalize the 50 bugs by saying they "might be" stability or memory problems.

I have shown repeatedly, from multiple sources, that IE does not deserve the bad rap it continues to get. And I have shown repeatedly where the alternative browsers, in particular FF, does not deserve the praises its fans continue to garnish upon it. Until I see something conclusive to the contrary, I'm sticking with that conclusion.

[devper94]

"Bug", in this context, means "security vulnerabilities"; general aesthetic bugs won't affect an application's security. I am not "rationalizing", you just misunderstood the context. Mozilla misspelling "Full Screen" as "Fll Screen" will have no impact at all on Fx security.

"can mean" indicates there is the potential - it does not mean there is less control

IMO I think IE doesn't deserve its bad reputation (mainly got from IE7) but Fx and Chrome do deserve their praise for their extensibility and development.

[Digerati]

(mainly got from IE7)

IE7 was the start (though feeble) of MS getting serious with security. IE6 is the version that caused, and still causes MS relentless grief.

Fx and Chrome do deserve their praise for their extensibility and development.

Chrome does not impress me. I'm not faulting it, it just does not provide any feature, service or capability over IE9 that would compel me to change. I have it on one of my systems, as I have Firefox on another - as I like having an alternative for testing sites when IE appears to have problems. But IE9 is my default on all.

Extensibility? I don't understand this - Firefox fans make the same claim. Except for a spell checker and a built in adblocker, there's nothing more I need IE to do.

[devper94]

Nah, I think IE6 is better than IE7. That's why it couldn't die.

https://addons.mozil...browse=featured
Extensions can so just about anything. Very convenient when the browser is often the first thing you open after starting the computer, and often the only thing.

[Digerati]

Nah, I think IE6 is better than IE7. That's why it couldn't die.

Huh? It may have a nicer look and feel, but this topic is about security, and in that area, there is no question. IE7 is inherently, and undeniably more secure than IE6.

Ummm, I know what extensions are and do. They are not unique to FF. And that is why they are nothing special.

[devper94]

Firefox has many more extensions than IE...

[Digerati]

So what?

(1) That has absolutely NOTHING to do with security.
(2) That has absolutely NOTHING to do with quality.
(3) That has absolutely NOTHING to do with the browser's ability to browse.

If you value clutter and bloat, then great! I am glad FF meets your needs. I just want a browser that browses and keeps me safe. Bells and whistles are not for me. There is nothing that IE9 does not do that I wish it did. And there is nothing that FF does that I wish IE did.

The only exception is a built in spell checker - but that is resolved with Speckie.

And frankly, I would rather have a Desktop gadget than use yet another add-on in my browser. Though in reality, I like a tidy desktop too, so I don't use many gadgets either.

Having more extensions is nothing to brag about.

[devper94]

In case you didn't realize, we are done with security. All browsers are the same, they are all secure. Period.
Your browser/extension choice has nothing to do with Fx's extensibility. Just because you don't need extensions doesn't mean nobody needs them. You don't see the point of extensions - well, I showed you exactly that.
Now I want to use regex-based URL redirect. Can IE do that?
Clearly, IE loses at extensibility. Saying that extensions are meaningless because you don't need them makes absolutely no sense.
If you like IE, okay. I won't challenge your favorite browser. However keep others' needs in mind.
But wait - I don't use IE.

[Digerati]

In case you didn't realize, we are done with security. All browsers are the same, they are all secure. Period.

In case you didn't notice, this isn't your thread. This thread is about IE9 security. If you want to discuss something else, start your own thread.

[Amst3rDamag3]

Chrome does not impress me. I'm not faulting it, it just does not provide any feature, service or capability over IE9 that would compel me to change.

I stopped at IE6-7 to be honest and switched to FF, which has turned into a pile of security-problems as well, like the many links provided already clearly back up.
So I've been using Chrome for the past year or 2, and I do notice some important differences to IE(6 & 7, cannot judge IE8 & 9)

• Context Menu: Right-clicking in Chrome will give you multiple options to inspect the current page. Is that true for new IE as well?
• Speed: IE and FF take ages to start up (well.., seconds, but Chrome is instantaneous) and page-loading is faster on Chrome as well, in my experience.
• Simplicity: as stated, I don't know about the latest IE, but IE7 security menus were 99.8% non-understandable for the average Joe... Does this in itself not affect safety? Or do you consider IE as having "safe" settings out of the box? I'm talking about elderly people new at computing here, not Bill gates himself
• Number of users: Does a mass of users not invoke security-issues on it's own? Like Mac nowadays is targeted more often, because of it's growing market share?

I do want to point out that chrome starts a lot of processes (14 x chrome.exe in Task manager right now) which I dislike a lot, for more then 1 reason.
It also is installed in a pre-defined directory in the Documents and Settings\ directory, in stead of allowing the user to install Chrome in the Program Files\ dir for all users at once. I'm talking about standard-XP-installation, ofcourse.
And it is from Google, the largest marketing-platform in the world.., let us NOT forget that...


In all honesty, I don't consider myself to be the greatest fan of MS ever, nor as their biggest basher.
I like the fact Windows always has been so versatile and dislike the fact that for the first time since Windows 3.1, MS actually is giving security a real thought by introducing MSE... A little bit "too little too late" if you ask me...



I suppose my question is , Digerati, how did you come to the conclusion IE is safe enough to advice it to other people and even defend it's saftey?
By experience, by following web-based advice, or something different???


NOTE: I'm trying to learn here, don't mean to offend you at all.., and yes I read everything you said / linked, I am just wondering about the production of your conclusion in itself....

[Digerati]

and dislike the fact that for the first time since Windows 3.1, MS actually is giving security a real thought by introducing MSE

Ooh, no. I think you need a history lesson. Microsoft tried to get into security but was ordered out!

There were 4 HUGE factors that destroyed Microsoft's reputation with XP, unfairly, in my opinion.

1. The corporate world (by FAR, Microsoft's biggest client base) was fed up with having to retool (buy new computers and hire programmers to port their customized applications) every time there was a new OS change. They had to do it with CP/M to DOS, then again to Windows 3.x, then again, to some extent with Win95/98. They demanded Microsoft XP support all their expensive legacy hardware and software. So XP was designed to meet user demands by supporting less secure, DOS era stuff.

2. No one, I say again, no one predicted the explosive growth of the Internet, and no one anticipated how explosive the growth in the number and ferocity of badguys who exploited its weaknesses.

Here's the BIGGIE:

3. Norton, McAfee, CA, Trend Micro and the others went crying and whining to Congress and the EU crying it was their job to rid the world of malware and that Microsoft was trying to monopolize and rule the world!! They were right but that's not the point. Congress heard the word "monopoly" and that was it. Microsoft was ordered not to include an anti-virus applet in Windows or else Congress would step in and split up Microsoft up into several tiny companies.

Of course that was just a ploy by Norton and the others. Right? Really, what incentive does Norton, McAfee and the others have to rid the world of malware? That would put them out of business. Microsoft has every incentive - because they keep getting blamed for the actions of the badguys, and the impotent actions of the anti-malware industry.

4. Almost as big as 3. The biased IT media and Windows bashers relentlessly took every opportunistic bash Microsoft and Bill Gates for the next 10 years, blaming Microsoft for all the world's computer security woes, when in fact it is the badguys, not Microsoft who put us, and keeps us in this security state we are in.

So yeah, I defend Microsoft (or anyone) who is unjustly blamed for something they had no responsibility for. An OS, after all (at least at the time) was only supposed to make all your hardware components work together, and provide a UI to it.

Now if you want to criticize Microsoft for some of their past lousy business practices, to include small independent builders like me, then I'll bash right there with you. But the fact remains, they made and make great software. Or else they would not be where they are.

And for the record, Microsoft started getting serious with security long before MSE. It started with XPSP3 actually, then they bought Giant Anti-spyware, at the time, one of the best anti-spyware products, rebranded it to Windows Defender, then gave it away. IE7, then IE8, and now IE9, each more secure than the previous. MSE is huge because it is a complete anti-malware solution, it's free, but most importantly, it works great.

Digerati, how did you come to the conclusion IE is safe enough to advice it to other people and even defend it's saftey?

Huh? That's easy. There's no other better. I defend its safety because it is unjustly criticized. It has proven itself, hands down. How did I come to that conclusion? I read reports. I test. I look. Perhaps you need to go back to the beginning of this thread and start reading from the beginning and you will see how easy it is to come to that conclusion. But do note, I have no problem with the alternatives. I am just saying you cannot use security as an excuse not to use IE.

I note too that even IE6 was perfectly safe. 100s of Millions of XP users used it for years with never a problem. Why? Because they kept Windows patched and updated, they used a current anti-malware solution, and a software based firewall, perhaps Windows Firewall - which is and always was perfectly fine for most users. They did all the things anyone needs to do, REGARDLESS THEIR BROWSER OF CHOICE, to keep their systems safe.

It was never IE6 that was the problem. It is always the user who is the weakest link.

[DonnaB]

It was never IE6 that was the problem. It is always the user who is the weakest link.

BINGO!

How many computers are there now compared to how many computers there were in the home when IE6 was the browser to use?

Now, add in those who have no idea what safe surfing is and you'll get your answer.

I still believe that it doesn't matter how much security you have, it is the person behind the keyboard that does not practice safe computing!

Not to sound sarcastic but what gets my goat are the repeat offenders. They get infected, you spend valuable time cleansing them (well, I don't yet), you teach them and give them the tools to learn to prevent safe surfing practices and they come back blaming it on the world not them selves. I've seen this many times here at GTG and elsewhere.

Edited by DonnaB, 18 August 2011 - 05:53 PM.