Totzkeeeeee's Blog

Just because I can...


It seems that stuartd (with no link so pretty much synonymous with Anonymous Coward) has some interesting points regarding my previous post on the recent FireFox problems.

Users are hardly "stuck with security problems" - the vulnerabilities are simply not being exploited (or if they are it's on such a small scale that nobody on bugtraq or /. has noticed, which is effectively the same thing) - unless you know differently?

Dude.  Exploited or no, these are flaws that are rated “Extremely Critical”.  They are stuck with the problems and it is not a case of whether or not they are being exploited but rather that they could be if someone so desired.  You also forget that not a whole lot of people have the desire to hack FireFox.  There's no margin in it yet because the FireFox user population is still small and relatively sophisticated.  The fact that bugtraq or /. has not noticed is a moot point.  Just like mutual funds, past performance is not an indicator of future performance.

Not like users stuck with IE on Windows 2000, of course, which is a big holey bag full of opportunities for drive-by downloads of activex: I would be much, much safer surfing with Phoenix 0.4 than vanilla IE6.

Users on Win2K have a choice.  In order to become a victim of a drive-by ActiveX download, you have to actually drive-by.  Nobody comes looking for you.  Anyone dumb enough to be lured to such a site deserves what they get.  You won't get one at Disney.  You are absolutely right that you'd be safer with Phoenix 0.4 not because it's inherently better, but because nobody is trying to exploit the thing.  As far as “vanilla IE6” goes, updates are available.  They're even automated.  Something you don't get with FireFox at the moment.

While we're on the topic of ActiveX, just what do you think the plug-ins for FireFox are?  It's a different implementation that amounts to the very same thing.  And where are the security holes this time around?  In the plug-ins.  “Hello Kettle?  This is Pot.”

Your point on the release schedule is a little unfair, now I think about it FireFox 1.0.6 is the same browser as 1.0, same featureset, same bugs - except the ones which merited a security release. Why do browsers issue a security release as soon as they fix a security bug? Because that's what the market leader does...

I beg to differ.  Same browser or no, regression bugs can still creep in.  What you seem to so conveniently forget is that 1.0.5 was broken before they even got it fully out the door.  It was existing functionality that was broken.  Not a new feature. 

Furthermore, following the procedures of the market leader (Microsoft in this case) is astoundingly misguided.  First, Microsoft doesn't always issue a patch right away.  There are some holes they've flat-out refused to issue a patch for, preferring to wait for the next service pack release.  Usually it's because the exploit is not being widely, well, exploited.  If FireFox is following the market leader, then issuing a fix right away for a problem that is not being actively exploited is exactly the wrong thing to do.

Second, Microsoft has the experience, resources and infrastructure to pull that off.  The FireFox community does not.  There's nothing wrong with that but they need a vastly different strategy.  Time and again history has shown that just about anyone going head-to-head with a market leader in any industry usually gets crushed.  It's the innovative ones that find their own path that eventually topple the giants.  It would be a vastly different story if David had chosen a sword to face Goliath rather than the sling.

and remember while you're ragging on it - it's a 1.0 release. Maybe ask yourself why you're so bothered?

Good question.  The thing that bothers me the most is that FireFox proponents have been extolling the virtues, especially those related to security, of the browser at the top of their lungs and never miss an opportunity to slag Microsoft.  Now that the same pattern of repeated flaws in the program is happening with FireFox, those same proponents are now making excuses for their errant ways while continuing to claim that they are better than IE.  You just did it here yourself, stuartd.  If that is your real name. 

Contrary to how it may appear, I'm not “picking” on FireFox.  I think it's cool.  I'm merely pointing out that people shouldn't flock to it thinking that it's safer.  For those of you not paying attention the first time:

(FireFox != Microsoft Product) != (FireFox == Inherently Safe)

Dave
Just because I can...

 

posted on Monday, July 25, 2005 10:46 AM