Firefox is secure, FUD?

How many times have you heard, “hey drop IE, it is full of security holes. Try Firefox, it is secure.”?

I’m not saying IE hasn’t had its own problems, but Firefox has had security holes in past, has security holes today and will in the future. To say Firefox is secure is simply untrue.

Reality check:

IT Vibe

“Security firm Secunia have advised on three vulnerabilities in popular Internet browsers Mozilla and Firefox.

The vulnerabilities can be exploited by malicious people and used to plant “MalWare” (MALicious softWARE, designed to destroy, aggravate and otherwise make life unhappy) on a user’s system, conduct cross-site scripting attacks and bypass security restrictions.

The three vulnerabilities can be exploited to trick a user into changing some sensitive configuration settings.

The vulnerabilities have been confirmed in Mozilla v1.7.5 and Firefox v1.0. Other versions may also be affected.

Full details of the security issues are available in the Secunia advisory.”

“A non-profit security think tank called the Shmoo Group has announced the discovery of a flaw in Firefox and other recent browsers, including Mozilla, Safari, Opera and Camino, that leaves users open to a spoofing or phishing attack. Microsoft Internet Explorer is not affected.

“Want to own ANY domain? Want a trusted SSL cert for it? We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers,” states the group’s Web site.

The concept of “Homograph attacks” is not a new one. Johanson himself cites a December 2001 research paper that describes how such an attack could occur, though he notes at that time no browser had implemented Unicode/UTF8 domain name resolution. Almost every recent browser (Firefox, Mozilla, Safari, Opera) except for Microsoft’s Internet Explorer currently implements IDN and Unicode/UTF8 domain name resolution.”


A phishing flaw in all major browsers, with the exception of Microsoft’s Internet Explorer, could be putting users at risk.

Phishing attacks, which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and email messages, have become a central security concern recently. While vulnerabilities in Microsoft’s Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws.”

Update (10 Feb 2005)

Damien Gaurd pointed out a useful clarification here and here on the what ZDNet described as a ‘phishing flaw’ relating to Firefox and with how it relates to IE.  Thanks Damien.

Comments (15)

  1. Jason says:

    I agree.

    I also predict this blog entry will be a major Microsoft bashing magnet…

  2. Damien Guard says:

    The flaw regarding configurations is a real one, and needs to be addressed.

    These phishing "flaws" are not flaws with Firefox or other browsers but a problem with the registries and the way they are handling IDN (International Domain Names).

    There exists an RFC for implementing domain names using the full unicode character set which most modern browsers (IE not included it seems) support. The problem is that some of the characters in unicode appear very similar, if not identical, to some existing ASCII codes.

    The potential for phishing using this substitution of identical-looking-but-different-characters was identified in the RFC and recommendations were given to registries on preventing the registration of domains that would be confused with their plain-ASCII counterparts.

    It appears however only the Japanese registry has bothered to implement them and as shown from the Shmoo Group exploit Verisign "The Trust Company" certainly aren’t.

    But then if anyone reporting these issues had done even a few minutes of research they’d know this.


  3. Damien Guard says:


    The Microsoft KB article detailing that IDN support is not available in Internet Explorer exists here:

    If you take their advice and install the plug-in’s to add IDN support, such as the first one from Verisign, you too get exactly the same "exploit" as described.


  4. Anonymous says:

    Visto che ormai la guerra tra Microsoft e Firefox è nel pieno… ecco un post che spara sulla “presunta” sicurezza di Firefox…

  5. Whatever says:

    Whatever. The vulns are rated ‘less critical’, the IE vulns patched yesterday were ‘critical’. Maybe it has something to do with the way IE is integrated into the kernel? Go figure.

    A Firefox monopoly market wouldn’t be secure (there is no such thing) but I have no doubt that it would be orders of magnitude more secure than the current IE monopoly market.

  6. Whatever redux says:

    Also, note that Mozilla gives $500 to every new remote exploit found!

    When will Microsoft do things like this, instead of saying ‘its not really a security problem’? Basically, regardless of actual security, when considering ATTITUDES towards security and security process issues Firefox trumps IE completely.

  7. Quote: "To say Firefox is secure is simply untrue."

    I think this is what Alex was trying to get across. It is a fact – no matter which browser you choose – IE, Opera, Firefox etc none of them are 100% Secure and never will be.

    The argument continues.

  8. Whatever redux redux says:

    Yes, no browser is secure. Therefore we must consider relative security – severity of vulns, severity of exploits, design flaws, etc.

    Firefox is relatively more secure than IE, by a long way. It is not secure, anyone who says so is stupid. It is however far MORE secure.

  9. T says:

    Well I think you are spreading some FUD as well. Concerning the IDN vuln, if IE actually implemented the spec, it would be vulnerable too, and is with the plugin that someone else has also pointed out.

    Funnily enough, following some of the links provided, the first thing you see at the top is a vuln for IE, listed as highly critical. See

    The less critical vuln listed at has already been fixed (although you would have download the nightlies), and the IDN vuln is listed as moderately critical. A vuln no doubt, that will need to be fixed The FUD mentioned that they don’t see any way of fixing the vuln is very definition of FUD.

    Magnitudes of security. Since the average Joe six pack user will just get software and never update it, which provides a more secure environment out of the box? FF is vulnerable and will continue to be, but IE is many times more vulnerable.

  10. IanG says:

    It would be amazingly great if you could do your research before making a post.

    For starters, IE is not affected because it doesn’t support IDN at all. Basically, you’re lazy and feature-less AND you got "critical" vulnerabilities.

    Second, the same vulnerability in IE needs us to wait a couple of months before being fixed. Compare that to Firefox? Fixed under 12 hours and available in the latest nightly build.

    Agreed that there is no such thing as secure but don’t jump the gun. IE is still cr@ppy compared to the others. And it always will be. While this was just a not-so-critical vuln, IE’s are usually "severe" or "critical" or something like that.

  11. Anonymous says:

    There are certainly arguments to be made that Firefox is not the be-all and end-all in secure browsers, but picking on this flaw is probably not the right way to go about it. Especially given that IE never bothered to implement the standard in question. And the large numbers of vulnerabilities in everything from graphics handling to hyperlinks that were patched yesterday.

    I think there’s a positive story to be told about Microsoft’s security response efforts. I also think that the company and its representatives have a long way to go before they can be credible calling another software effort insecure.

  12. chrixian says:

    I believe a majority of the buttons I see state that firefox is -safer- not 100% safe. shrug.

  13. Alex Barnett says:

    ‘Thanks for the feedback’ 😉

    So. Relax, just stay with facts here:

    I wrote, "I’m not saying IE hasn’t had its own problems".

    I did not write that one browser is more secure than the other.

    I did not write that either browser is, or could ever be, 100% secure.

    I did not write that Firefox is insecure.

    I did my research. I had no clue about the IDN issue until I looked around for articles relating to browser security. I found the ZDNet article and pointed to it as an example of a vulnerability. And it is a vulnerability. Damien pointed out a useful clarification and how it relates to IE – I’ll be updating the post accordingly.

    Fraser Dickson seems to have actually read what I wrote. Thanks Fraser.

    Anyway, happy flaming 🙂

  14. Alex Barnett says:

    Update on IDN: Firefox, via Netcraft:

    Firefox to Disable IDN Support as Phishing Defense

    "The Mozilla development team will disable a browser feature that allows URL spoofing and could leave users open to scams. Support for Internationalized Domain Names will now be turned off by default in Firefox and Mozilla."