Security firm F-Secure warned on Wednesday that the vulnerability, which allows the URL in a Firefox download dialog box to be spoofed, could be exploited by online fraudsters.
Some of you took issue with the experts, arguing that the flaw shouldn't be regarded as a security vulnerability because a Firefox user would already have to have clicked on a phishing email and been taken to a fake site. "Where is the problem? I hardly think that a spoofed site would link you to a legit download area," commented Pete Molina, a PC and LAN administrator.
"As far as a 'security hole' it should be more of a user vulnerability, as only a dumb person goes clicking links in emails from odd places," argued Killian, another reader. "Granted, it's nice to know, but come on. Most of these 'announcements' just give the phishermen a reason to try to exploit it."
Mozilla's Firefox browser is proving popular with surfers who want an alternative to Microsoft's Internet Explorer, which has been prone to many security problems. Some readers were adamant that Firefox is still a much safer product than IE. "Firefox without a doubt, is the best and most secure browser on the market today, and no matter what propaganda is spread throughout the Net regarding its security in a negative way, those who actually know will continue to use Firefox and wait until the patch is complete, not actually even thinking nor caring whether it is released or not while using it," wrote one Web developer.
Some members of the Firefox camp weren't happy about any criticism of their favourite browser. "Thanks but no thanks for the information. We still trust and love FireFox," said Abe, an engineer.
But other readers pointed out the importance of holding all software to the same standards. "Firefox is undoubtedly a better and more secure browser than IE, but any site that reports on flaws or possible flaws in IE -- and gives Firefox coverage -- should report on Firefox's flaws too," said Seb, an artist based in London. "Essentially, Firefox is better but it's not perfect, and anyone who thinks or claims it is, is as bad as anyone who gets taken in by Gates' marketing spiel."
A software developer from London wrote: "If this vulnerability had been identified in IE, the anti-Microsoft community would no doubt be quick to criticise the product as insecure."
"Users are smart enough to make up their own minds about which Web browser to use - and the more information that is available about all products on the market, including open source efforts, the better."
One reader even took issue with the claim that Firefox is inherently more secure than IE. "Firefox may offer some 'security through obscurity', but once it gets to any sort of critical mass then it will be targeted. Since the hackers have the source code their lives will be that much easier, and when a patched version is released it will be easy for them to see where the vulnerability is and target older versions," said one London-based IT worker.
Another reader suggested that Firefox may have an uphill task breaking IE's dominance. "Most users couldn't spell 'browser' without help. The only reason so many people use IE is because it is built into the operating system that was on the PC they bought," said Philbert, a computer and electronics specialist.
Got a different view? Post a TalkBack below, or in the original story.
You can also rate the browser yourself in our Firefox review, where it currently enjoys a 100 percent rating from ZDNet UK readers.





Talkback
According to http://www.securityfocus.com/bid the Vendor Mozilla with Title FireFox of Version 1.0 scores 3 vulnerabilities whereas Vendor Microsoft with Title Internet Explorer of Version 6.0SP2 (which means you run Internet Explorer on XP with SP2 fully installed; how many actually do?) scores 20 vulnerabilities.
For those of us who are interested in it. There's also the Open Source Vulnerability Database to research at http://www.osvdb.org
Or the US-CERT Vulnerability Notes Database at http://www.kb.cert.org/vuls
And there's also http://secunia.com/ which simply lists Mozilla FireFox 1.x (http://secunia.com/product/4227/) with 5 Secunia Advisories rated as Moderately Critical and Microsoft Internet Explorer 6 (http://secunia.com/product/11/) with 75 Secunia Advisories rated as Extremely Critical.
Do compare the various pie charts that can be found there. And, for example, Secunia Advisory Release Date 2004-10-20 for both products.
Then remember the amount of R&D budget both vendors have available and how many years they've already been working on their own product (complete with user responses, test labs, etc). Then ask yourself the question: which product is more likely to give me the best overall security, availability, functionality, stability, etc compared to "value for money" today, next year, the year thereafter.
In my book the above means that FireFox is two steps ahead of IE in everything that matters. The price is right (I don't have to buy XP and then install SP2 to get the latest fix for IE; not even mentioning hardware and third-party product upgrades as a result of that), security problems are not only less but also less severe and resolved quicker, stability is way better as is performance and innovation speed is picking up speed. Clearly having the source available to many eyes has its advantages.
As a tax payer I would hope (the above would be just one example of the reasons why) that the networks of various public services and government sites will opt for FireFox (or similar; keep in mind the benefits of diversity) rather than an expensive upgrade to XP SP2 (only to be followed by yet another expensive upgrade to who-knows-what who-knows-when given Microsoft's actual release dates). I will certainly question the common sense (and personal agenda) of any political figure opting for the latter.
Just a small issue with this article, you chose to make Firefox look just as unstable as IE, but this issue only exists in OLD versions of firefox. It had been found and fixed by the firefox developers before this company found it. It is also avoidable if you use the 1.0 release of Firefox, or any subsequent trunk builds.
This would be like slamming Microsoft for vulnerabilities in IE 5.0...
I love Firefox!!!
I won't use Internet Explorer unless it is absolutely necessary.
No more ad pop-ups or wasted time using Firefox!!
If James is correct, then you should post a correction (and apology) to your article.
I also agree that the original article was not a balanced article and seemed to be designed to denigrate and belittle Firefox and open source.
We should also point out that IE had a similar problem this time last month. I do think an apology is in order for the article as it didn't mention that the vulnerability was only in older versions.
Thanks for your comment James. According to the Mozilla bug report this bug has not been fixed in version 1.0.
I have the final version of Firefox (downloaded from the Mozilla website) and when I tried the demonstration on https://bugzilla.mozilla.org/show_bug.cgi?id=275417 it spoofed the source of the download.
Thanks again for your comment,
Ingrid Marson
Opening a link from an email is the responsibility of the USER. When the software must be made foolproof for the user, so that malicious intent is averted, I would suggest that when the computer is turned on, a screen appears saying: Access denied.
Any process which occurs after the power switch is turned on is the responsibility of the human sitting at the terminal.
It occurs to me that today's users need to be reminded of an old axiom from long ago: Garbage in: Garbage out.
In closing let me postulate a lousy analogy, between automobiles and computers; Just because you are behind the wheel, and have a license, it doesn't make you a good driver.
Seems to me someone would have to not notice that they were taken to a spoofed site in the first place, which is easy to spot. Only after that, and when they've elected to download the file, could the location of the file be faked. So it's pretty unlikely that anyone would be taken in by it. That said, it's still a bug in the software that needs to be fixed.
I'm glad this article popped up because it shows that people *are* analysing Firefox for vulnerabilities. It needs to be shown that when the two browsers are placed on equal footing Firefox wipes, cleans and polishes the floor with IE.
The fact is since release 1 of Firefox came out there have been about 2 problems, one of which was actually a Windows problem anyway and this one, which is so minor that people argue whether it's actually a flaw or not. Whereas IE has had at least 4 in the same period, and that's with Windows XP SP2 ("with advanced security technologies" - hahahahahaaa).
LOL
Firefox blows IE out of the water, and it's just that simple. I service endless Microsoft machines crippled again and again by browser spyware, adware, virus, etc...and with Firefox it just doesn't happen. I tell people to switch if they don't want this to happen anymore.
I think this Firefox is really a great browser, but all this talk about Firefox being the first to introduce tabbed browsing, integrated search, etc is disgusting.
OPERA (yeah, that's the name of a browser, in case you never heard) had this feature since way back and is at least as fast as firefox
Firefox blows. I'm tired of everyone saying they get infected with spyware, adware, viruses and etc.. because of Internet Explorer. I've been using IE for years now, and I almost never have problems with the above mentioned forms of malicious code. (and when I say almost never, I mean literally once in the three years I've been using computers, and the problem was back when I was new with computers and computer illiterate.) If you don't want to get infected with spyware when you use Internet Explorer, then configure it properly. Firefox can not compete with Internet Explorer's ability to parse html.