Firefox vs. Internet Explorer

Posted on Nov 15, 2004 | 2 Comments

Gnomie Lee Gillette had some trouble with Firefox and wrote me this:

My point, however, is that even Firefox is vulnerable. At least, that’s how it appears from here. Any time you claim a product to be invincible, you tend to challenge a lot of hacks out there who just love to play the game. Sounds like a case of too much of a good marketing thing.

His e-mail prompted me to respond with this, which I thought was of value to most of the rest of you:

Um – I’ve never said that Firefox is invincible (see here) and I don’t think any of the other Lockergnome contributors have said that, either. All software has weaknesses – that’s why the rush to release new versions saddens me, somewhat – I think that software should be patched until it’s bulletproof. My attitude probably isn’t economically viable, though.

HOWEVER, Firefox’s Open Source nature means that anyone can look at the code and either find or fix holes – and development can go on 24 hours a day, as programmers in different time zones around the world wake up and begin their day. 24 hour development is extremely difficult for most proprietary software companies to do – they need to be very large – like Microsoft – and then they run into ‘large corporation’ difficulties – politics, turf wars, who gets credit for accomplishments, project coordination, how does a boss in one time zone supervise employees around the world when he has to sleep… I’m sure there are more, but this is what I can come up with off of the top of my head.

The other good thing about Firefox is its restriction of ActiveX controls. These have proven to be a major source of security headaches for MS because of the tight integration of Internet Explorer into the Windows OS. Now, that integration was a management decision – MS argued that ‘IE is an integral part of Windows and can’t be removed without making the OS inoperable’ in the Netscape antitrust case to beat the DoJ, and that tactic (mostly) worked.

BUT, having made that decision, it has an obligation to write tight code so as to prevent ActiveX controls from escaping the IE ‘sandbox,’ and it doesn’t (until recently) seem to be able to do that. I’m not a programmer, but the techniques to write secure code have been pretty much known for a while now, and MS was not following the simplest procedures to avoid most buffer overflows until Gates wrote the ‘Trustworthy Computing’ memo. It’s got a lot of code to go over – XP alone is supposed to have ~40 million lines – and throwing the code out and starting fresh would not only be stupid and the flushing of a lot of work down the drain, it also would seriously hurt and might kill MS (see: Joel On Software for someone who agrees with me), so it’s going to take a while to fix the old stuff. And now the only legal trouble it’s having is with private companies, so maybe management will decide that it’s finally safe to separate IE from Windows.

It hasn’t done that yet, though, so until it does, we’re stuck with the consequences of its decisions – unless we decide to use a more secure product. Furthermore, MS has publicly stated that it will not be developing or fixing IE anymore EXCEPT for IE on Windows XP [and newer I assume - that would be Windows Server 2003]. I think that it is being shortsighted as far as Windows 2000 goes – there are many shops that adopted it in the early MS push to convert from NT4 – and now, with a few words, MS has stuck all of these shops with a huge bill for upgrading to XP – or a decision process that may result in the shop adopting Linux on the desktop.

Windows 98 and ME – sure. They were good or OK in their time – but MS has a better Windows available now and the boxes that are running DOS-based Windows are old enough that hardware failures are now very likely. If customers phone me asking for virus removal on a Windows 98 box, I tell them that ‘I’m happy to do it, but it’s going to cost somewhere between $120 and $240 [CDN] – and maybe they would be better off spending that money on a new tower with Windows XP – that costs $600 or $700.’

All of these factors are the reasons I’ve been publicizing the IE vulnerabilities I’ve been notified of and why I continue to suggest to Gnomies that switching to Firefox is a very good idea. I can only hope that you find my arguments to be compelling.

Thanks, Lee!

  • http://twitter.com/HarryMonmouth Harry Monmouth

    I would have to keep my blog separate. I want to write whatever I feel like and if I had the watching eyes of everyone I ever met on me I wouldn’t be able to write hardly anything. I would have to think things through so much. At the moment I don’t even put my photos on Facebook. That is what Flickr is for.

  • http://twitter.com/FabulousTahoe Jack Durst

    I much prefer not to put all my eggs in one basket; I have Facebook, Twitter, Google+ and a YouTube besides.