Is Spyware an IE-only problem?

Is Spyware an IE-only problem?

  • Comments 5

Recently, I had someone make the following comment on a post announcing IE 7:

Hahahaha....dude we don't need it! I'm a Microsoft person 100%, but creating something we already have is useless! We have Firefox! The FLAWLESS web suite. It's awesome enough. I can't imagine IE matching and beating it by 200%(that is the % required to warrent a switch). That's just not right. Reinvesting the wheel is actually a sin.

Well, according to the article below, the "flawless" web suite may soon be visited by spyware issues of its own:

http://internet.newsforge.com/internet/05/01/31/2121249.shtml

Part of the problem I see here is the assumption on the commenter's part that it's possible to make "flawless" software. As long as human beings are involved in the process, that's highly unlikely. We can make software that's more secure, and we should, hence the updates to IE with XP SP2, and the ongoing work in that area.

But the other problem I see is the lack of recognition that any time you provide the ability to run executable code in the context of a browser, you have a potential avenue for attack. So, sure, Firefox may not be vulnerable to attack via ActiveX, but in order to run Flash, Java, or any number of other embedded goodies that web surfers don't want to live without, there has to be the ability to run executable code, and that's where people will start looking for flaws. Will Firefox hold up better to this scrutiny than IE? Only time will tell. But it's a good bet, IMO, that those who claim Firefox is "flawless" will be proven wrong sooner rather than later.

Oh, and please don't bother flaming me about supposed FUD. It really doesn't ultimately matter to me which browser people use. But it does matter to me that we discuss browser security realistically, and not pretend that a 1.0 product that has not had to withstand a great deal of scrutiny is "flawless".

Lastly, no matter which browser you choose to use, it's a good idea to avoid running day-to-day with an admin account. Why give any malware you might accidentally run complete ownership of your machine if you don't have to?

  • Software homogeneity is the real problem. With so many targets running internet explorer it is simply more fruitful for malicious people to target IE over Firefox. Not to say that it doesn't happen but the ones I have seen directed towards Firefox/Mozilla so far seem like half hearted attempts that nobody with an ounce of computer security knowledge would fall for.

    Likewise linux may or may not be more secure but it doesn't matter overly much as long as windows has a significantly larger base of clueless users and a larger install base overall.
  • Kristoffer,

    That's an interesting point, but the whole point of the article was that as Firefox gains market share, it will be fruitful for malicious people to attack Firefox as well.

    As to the cluelessness of Windows users, I would note that as companies like Lindows make consumer-grade Linux PCs (and have them running by default using admin-level accounts), the balance will start to shift. I'd definitely agree that one of the things Linux has going for it currently is a user base that tends to know quite a bit more about computers, and one that does not habitually run as root. If Linux use continues to grow among the general public, however, this is unlikely to remain true.
  • This is obviously an idiotic comment - and I'd guess made by someone who isn't a developer. To claim any software is perfect is idiotic. *Right now* Firefox appears to have fewer flaws than IE in terms of Spyware (maily though the non-support of BHO and ActiveX controls). Will there be a XUL / Firefox extension Spyware product eventually - well there's known 'spoof' issues in the current release of Firefox (not least the IDN issue) - in addition, Firefox does not (that I'm aware of) automatically self update...so it's likely that issues will hang around for a while...
  • Quote:

    "Lastly, no matter which browser you choose to use, it's a good idea to avoid running day-to-day with an admin account. Why give any malware you might accidentally run complete ownership of your machine if you don't have to?"

    Perhaps as a side-thought this article by Michael Howard would be worth mentioning (http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp). It deals with browsing the Web as an Administrator (but in a safer manner). This is what I use now.....

    Let's face it the only reason that Spyware etc is aimed at IE is becuase of the dominent market share. If FireFox becomes the No 1 browser then the focus will switch to them. Fact - people will always attack however is on top.
  • Fraser,

    While I'm certainly not going to argue against reading Michael Howard, I would note that his advice is targeted at those who either absolutely cannot, or absolutely will not, run their computer with a least-privilege account.

    Since I find that there are very few circumstances where running as admin is truly necessary, I don't usually link to Michael's "safer admin browsing" advice.

    Also, I don't think it'll take Firefox becoming #1 before folks will start attacking it. The threshold is probably considerably lower than that.
Page 1 of 1 (5 items)