IE alternative to Firefox?


13 replies to this topic

#1 ObscureReferenceMan

ObscureReferenceMan

    Advanced Member

  • Full Member
  • 113 posts

Posted 20 August 2011 - 05:24 PM

Just wondering... What alternate browser should I use while waiting for Firefox to become useable? Right now, I'm using Internet Explorer 7.

#2 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • 25,317 posts

Posted 20 August 2011 - 09:24 PM

IE 7 is out of date and a serious security risk. If you are using XP, update Internet Explorer to IE 8. If using Windows 7, you can use IE 9 which is considered very secure.

I use Chrome and like it very much.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE

#3 dave38

dave38

    Devout Murphyite!

  • Retired Staff
  • 8,508 posts

Posted 21 August 2011 - 01:09 PM

I don't see why you say that Firefox is not useable. I have been using Firefox for several years and now I am using the latest version 6.0. I find it very good. Sorry to disagree with cnm, but I can't seem to get on with Chrome at all!
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,637 posts

Posted 21 August 2011 - 10:34 PM

I think he was referring to Firefox being disabled by malware which he is addressing in Malware Removal...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#5 Stickney Computing

Stickney Computing

    Member

  • Full Member
  • 2 posts

Posted 26 August 2011 - 11:34 AM

I like to use Chromium (open source Google Chrome) as a backup to Firefox. You can use it in a standalone zip file from here:

chromium builds

Grab the latest snapshot, unzip, and go. No install needed.

#6 mikey

mikey

    Advanced Member

  • Retired Staff
  • 104 posts

Posted 27 August 2011 - 07:29 AM

Internet Explorer is best at protecting against drive-by downloads


Ref; http://www.infoworld...ownloads-169909

As I've said many many times during the past few yrs;


It always has been.

The only time any other browser was actually 'safer' to use was when its market share was too low to be targeted by the 'jackers'.

Just like the old 'stealth' propaganda from a decade ago, the idea that another was more 'secure' was just a farce perpetuated en masse by those without a clue.

#7 snemelk

snemelk

    inżynier

  • Expert
  • 3,101 posts

Posted 27 August 2011 - 09:04 AM

Internet Explorer is best at protecting against drive-by downloads

In the case of this test, as far as I can see, you can say the statement above is true only if the SmartScreen Filter is turned on for IE...

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#8 mikey

mikey

    Advanced Member

  • Retired Staff
  • 104 posts

Posted 27 August 2011 - 10:02 AM

Well, let's go back to the start of the Firefox craze shall we. :)

I like this thread because my o'lady took the lead but you'll note my comments and examples of the fact that NO BROWSER IS SECURE/NO CONNECTABLE IS SECURE and I listed the current (at the time) CVEs related; http://www.spywarewa...opic.php?t=4447 However, there were many similar threads from the era.

So why weren't more vulnerabilities posted in the public domain? Because most researchers of the time were also more concerned with the impact of their work. There wasn't enough interest in a non-market share. Those of us who were actually studying TCP/IP filtering implementations at the time knew that it was just a matter of time before reality set in.

Back in 05, Fred had some comments that I liked too;

Ref; http://www.informati...endly=this-page

While Microsoft, with a 95% market share, struggled to patch the myriad security holes in all its operating systems, the Mac and open-source products such as Linux gained a reputation for being more secure. In fact, that's one of the main reasons cited now for people switching to Firefox--that it's more secure than Internet Explorer. It's a very appealing concept, and has become part of computing's conventional wisdom: Non-Microsoft = More Secure.

Trouble is, that's a falsehood based on a common error: Failure to adjust for the effects of the installed base.

Leap Of Illogic
Imagine two products--it doesn't matter what kind. Let's say that one product has 1,000 customers, and a terrible reputation for reliability. The other has only 50 customers, but a great reputation. Why the difference in reputation? The small product has only 2 or 3 customers with problems, but the large product has fully 50 customers with problems. In other words, the large product has as many trouble-plagued customers as are in the total user base of the small product. No wonder it has a bad reputation!

You can see where this is going, of course: Both imaginary products actually have exactly the same 5% trouble rate. It's only the disparity in the size of the user base that makes them seem different. In reality, they are both roughly equally reliable--or unreliable.

Using the same simplified analogy, and everything else being equal, a browser with a 95% market share will generate 95% of the problem reports in a given area. That doesn't mean that the browser with a 95% share is necessarily worse than a browser with a smaller share, just that a larger user base means larger numbers of problems; and a smaller user base means a smaller number of problems.

Of course, things do get more complicated when you shift to the real world. For example, the "everything else being equal" part of the above analogy fails when discussing Windows 95, 98, and Millennium Edition because they're not the equals of any of the current generation operating systems. Rather, Windows 95, 98, and ME have fundamental architectural problems that make them hard to secure: They are, at their core, still that "easy-to-connect-to" operating system from a decade ago; and not well suited to today's computing environment.

But on the flip side, the "everything else being equal" argument also breaks down for Linux and other open-source software because, as small-share players, they've gained a reputation for security that's at least partly undeserved: Low numbers of problems is not the same as a low percentage of problems. (We'll come back to this in a moment.)

Plus, this software has only recently begun to receive serious scrutiny from the malicious hackers, crackers, cyber-vandals, and other lowlifes that have traditionally focused on Windows. Consider that, historically, Linux was a numerically marginal player, attracting mainly users with a high degree of skill and knowledge; these users were "friendly" to their operating system of choice, and were not inclined to mount attacks against their fellow users. Instead, when these users found an exploitable hole in part of the operating system, they reported it and helped to correct it. In fact, this was an example of the open-source movement at its finest.

But today, open-source software has moved into the mainstream. For example, there now are enough unskilled and semi-skilled users of Linux that the operating system presents targets of opportunity for the unscrupulous. And with more crackers seeking open source security flaws for malicious exploitation, more and more are, in fact, coming to light, as a variety of independent sources confirm.

Reality: Open-Source Security Flaws Abound
US-CERT (United States Computer Emergency Readiness Team), a partnership between the Department of Homeland Security and the public and private sectors, impartially tracks all manner of security issues in operating systems and major applications, such as browsers. US-CERT issues a bulletin every week, outlining the current crop of problem areas. You can access all past and current bulletins here; I urge you to take a moment, click on over to their site, open several bulletins at random, and scroll down the page. In most cases in the more recent issues, you'll see the list of IE's vulnerabilities is shorter than those for Firefox, Mozilla, and the other alternate browsers. Likewise, with the more recent bulletins, you'll also see the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed.

US-CERT's findings aren't unique. For example, the Symantec Internet Security Threat Report provides a six-month update of Internet threat activity. It gathers data from


"...over 20,000 sensors monitoring network activity in over 180 countries. Symantec also gathers malicious code data along with spyware and adware reports from over 120 million client, server, and gateway systems that have deployed Symantec's antivirus products. In addition, Symantec maintains one of the world's most comprehensive databases of security vulnerabilities, covering over 11,000 vulnerabilities affecting more than 20,000 technologies from over 2,000 vendors. Furthermore, Symantec operates BugTraq, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet ... The Symantec Internet Security Threat Report is grounded principally on the expert analysis of this data. Based on Symantec's expertise and experience, this analysis yields a highly informed commentary on current Internet threat activity...."
The most recent Symantec Internet Security Threat Report, covering the last six months of 2004, states in part:


Historically, most of the exploits targeting Web browser vulnerabilities have been directed at Microsoft Internet Explorer, the most widely used Web browser. In response to this, many people in the Internet community have turned to browsers such as Mozilla, Mozilla Firefox, Opera, and Safari as more secure alternatives. However, as security-conscious users have migrated away from Internet Explorer, attackers have followed suit....

The discovery of vulnerabilities affecting browsers appears to be on the rise, with more Mozilla vulnerabilities documented in this period than those affecting Microsoft Internet Explorer. This runs contrary to a trend seen in previous periods where nearly all browser vulnerabilities affected Microsoft Internet Explorer exclusively.

Between July 1 and Dec. 31, 2004, Symantec documented 13 vulnerabilities affecting Microsoft Internet Explorer. This is notably lower than the 21 vulnerabilities affecting each of the Mozilla browsers that were documented during the same period. Six vulnerabilities were reported in Opera and none in Safari.
It should be no surprise that alternate browsers--or alternate operating systems, for that matter--contain flaws. All software is imperfect; anything built by human minds can be destroyed or compromised by other human minds. Alas, while that should not be a surprise, it is to many in the open-source community: Many users have developed an almost mystical belief in open-source software, as if it were a magical talisman against the problems that Microsoft has experienced. Or, conversely, that Microsoft software is somehow "evil" and prone to problems to which that open source software is immune.

Not so. All software is imperfect, and as more and more users come to employ any given piece of software, more flaws will come to light. At the same time, as more people come to use a given piece of software, that group will become an increasingly interesting target to miscreants, who will actively seek out the exploitable flaws.

Both these trends mean that we'll be hearing of more and more security problems in non-IE browsers and non-Microsoft operating systems in the future.

That doesn't mean there's no good reason to look at open-source products such as Firefox. In fact, there are several excellent reasons, including those we listed earlier: Firefox is free, open source, cross-platform, and multilingual; and it also brings some much-needed competition to the browser market. But it's not a panacea for browser security problems. In fact, changing to Firefox--or Mozilla, or any similar software--because "it's more secure" is a dangerous misconception; and demonstrably false.


Now that the market shares have equalized some, these points have manifested themselves and the story continues...

Was FF ever more safe to use? Yes

Was FF ever more secure to use? Never

#9 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • 25,317 posts

Posted 28 August 2011 - 10:19 AM

Was FF ever more secure to use? Never

Not sure you're right about that, mikey. The BHOs introduced in October 1997 with the release of version 4 of Internet Explorer were an easy entry point for malware, as was ActiveX. Firefox 1 introduced in 2004 never had those particular vulnerabilities.

That said, I agree about IE 9 (but still prefer Chrome).

#10 mikey

mikey

    Advanced Member

  • Retired Staff
  • 104 posts

Posted 28 August 2011 - 11:10 AM

Yea, I remember 97 very well. It was at the end of that year or early 98 when I found myself with my one and only personal experience of spyware or any other unwanted ware onboard but never since.

In the years leading up to the advent of FF we already knew that in order not to get a drive-by (BHOs etc), all you needed was to be sure not to tick 'Install on Demand' in IO. And by the time FF came out, as I recall, it was no longer ticked by default.

And as noted in the thread I linked, ActiveX was designed to be a very helpful & useful component and it was very easy to control. But like so many useful things, it was exploited mainly because users wouldn't take the time to learn safe practices which is still true and as I see it a major failing on the part of the pri/sec community as a whole.

And as mentioned, FF had its own set of vulnerabilities just like every connectable has and always likely will. We knew it then and we definitely know it now.

BTW Just so folks don't misconstrue my motives; I'm not particularly a fan of any particular browser. All I want is for folks to be aware that NOTHING is any more secure than what the user strives to make it...IOWs; the truth.

Edited by mikey, 28 August 2011 - 11:56 AM.


#11 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,637 posts

Posted 28 August 2011 - 11:56 AM

I think the user is the weak link with all software and that the software programmers are not taking that into account... Software needs to come armored to the gills for security and then have the option of disabling some of it by people who know what they are doing, rather than leaking all over and having options to tighten it up... Most users will never have a clue about how to secure a system and reading some of the descriptions of what to do for security becomes immediately mind boggling for most people... Techies write for techies and most users are not techies... Most people I work with get boggled if I give them 3 steps to follow to do something... A colleague at work was having difficulty with her browser slowing down, so I showed her how to clear cookies and cache... She hadn't done that since she got the computer... It is a fairly simple process to do a basic cleaning, but even though she wrote it down, I know she wouldn't know how to do it if I asked her to again...

Most attempts to simplify have resulted in systems being locked down so tight that they become unusable and so they release them with all sorts of doors open and tell the user to secure them... Many users don't even know whether they have an active antivirus or firewall... I work with another woman whose computer was badly infected and she thought she was protected because she had installed an on-demand malware scanner, but she had removed her antivirus because it kept demanding that she subscribe to run properly and because it slowed things down... Thanks to scareware, many users are now afraid to update because they aren't sure when a window pops up saying that an update is needed if it is legit or if it is malware... To wait for average users to figure out how to protect their computers is to wait for Godot - it isn't going to happen... The software industry needs to start with security as the first priority and then build on that foundation... Until that is done, the war between us and the criminals will go on and we will continue to be on the losing side...

#12 mikey

mikey

    Advanced Member

  • Retired Staff
  • 104 posts

Posted 28 August 2011 - 07:34 PM

I think the user is the weak link...

Unfortunately, I will have to agree with that.

As for devs tightening things up; We've been seeing a great deal of that all along but most notably in recent years. An example is the new cores. Unless turned off, we now have what is basically a default HIPS implementation in UAC (not nearly as effective as I would like to see but still an improvement). Another example is IE9 itself...reasons already stated.

However, there are no magic bullets and likely never will be. Education is the only thing I've found that works. And nothing aggravates me more than to see a so called pro telling a user to use Brand X, Y, or Z to be safe and secure because that is just BS unless they're also told how and why. In most cases, I don't even think the so called pro even knows how and why...they are usually just spouting the party line without a clue as to why. And more often than not, the brand is nothing but crap to start with.

IMO Most of the pri/sec community does very little to teach the noob proper practices. In fact, I'm of the opinion that the majority of the pri/sec community is washed up and useless now. There are very few sites now teaching real security to those who actually would like to learn. For those who don't want to learn, there is nothing we can do for a fool and no sense in wasting resources on someone who repeatedly comes back with the same type probs over and over again.

Perhaps these are some of the reasons why so much of the community now looks like a ghost town.

Yes, I'm guilty too. Live and learn... :)

#13 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,637 posts

Posted 28 August 2011 - 09:41 PM

I think we teach as much as people are willing to learn... Part of the problem is that it has even become more complicated for the pros and that is why I think it needs to be addressed at a systemic level... Blaming users for not choosing to learn is like blaming your dog for not bothering to learn English... For most users, even basic security has become impenetrable to understand and simple tools need to be used because that is all they can handle... In some ways, I think what needs to happen is for an OS to be built from the ground up with security as the underlying concern in every line of code... Even then, it would need to be at least as user friendly as Windows to be accepted and that is probably far too great a task to ever actually happen...

#14 Freebird

Freebird

    Advanced Member

  • Full Member
  • 196 posts

Posted 02 September 2011 - 05:36 PM

...Part of the problem is that it has even become more complicated for the pros...


That's true, so imagine how much more difficult it is for the user.

I am by no means an expert but I have, bit by bit, accrued a reasonable amount of knowledge over the years. However, even competent users can be, and often are, overwhelmed by the sheer number of options that many programs offer. Take NoScript, for example. A very common and useful add-on. But there are a lot of options - how many people bother or have the time to read all the FAQs and help files about what all the options actually do? This goes for a lot of software. People want things that just work straight out of the box. They don't want to have to read a lot of pages of instructions.

I have found that, often, the worst people to explain what software does or how to use it are the people who have actually created the programs or write the manuals. They seem to assume that everyone knows as much as they do, which, generally, they don't.

Because computers are becoming more and more complex, the majority of people will become less adept at protecting themselves. The sheer number of threats out on the Web will ensure that the general user will never catch up with the technology.

As Budfred says, good security has to be built-in from the kernel up.

As MIB's Agent K says, "A person is smart, but people are stupid." A person wants to surf safe. People just want to surf.


Just my thoughts



Freebird
We know the speed of light......but, what's the speed of dark? Steven Wright - Scientist and Comedian




Member of UNITE