Firefox is secure, FUD?

How many times have you heard, "hey drop IE, it is full of security holes. Try Firefox, it is secure."?

I'm not saying IE hasn't had its own problems, but Firefox has had security holes in the past, has security holes today and will have them in the future. To say Firefox is secure is simply untrue.

Reality check:

IT Vibe

"Security firm Secunia have advised on three vulnerabilities in popular Internet browsers Mozilla and Firefox.

The vulnerabilities can be exploited by malicious people and used to plant "MalWare" (MALicious softWARE, designed to destroy, aggravate and otherwise make life unhappy) on a user's system, conduct cross-site scripting attacks and bypass security restrictions.

The three vulnerabilities can be exploited to trick a user into changing some sensitive configuration settings.

The vulnerabilities have been confirmed in Mozilla v1.7.5 and Firefox v1.0. Other versions may also be affected.

Full details of the security issues are available in the Secunia advisory."

"A non-profit security think tank called the Shmoo Group has announced the discovery of a flaw in Firefox and other recent browsers, including Mozilla, Safari, Opera and Camino, that leaves users open to a spoofing or phishing attack. Microsoft Internet Explorer is not affected.

"Want to own ANY domain? Want a trusted SSL cert for it? We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers," states the group's Web site.

The concept of "Homograph attacks" is not a new one. Johanson himself cites a December 2001 research paper that describes how such an attack could occur, though he notes at that time no browser had implemented Unicode/UTF8 domain name resolution. Almost every recent browser (Firefox, Mozilla, Safari, Opera) except for Microsoft's Internet Explorer currently implements IDN and Unicode/UTF8 domain name resolution."


"A phishing flaw in all major browsers, with the exception of Microsoft's Internet Explorer, could be putting users at risk.

Phishing attacks, which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and email messages, have become a central security concern recently. While vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws."
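The homograph spoofing described in the Shmoo Group excerpt above relies on a hostname label that contains look-alike characters from more than one script. As an added example (not from the original post or from any browser's code), this Python sketch flags mixed-script labels and shows the ASCII form that is actually resolved; the function names and the sample hostname are constructed for illustration, and the script detection is a heuristic based on Unicode character names.

```python
import unicodedata


def script_of(ch):
    """Rough script label taken from the Unicode character name.

    The standard library exposes no script property, so the first word of
    the character name (LATIN, CYRILLIC, GREEK, ...) is used as a heuristic.
    """
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, hyphen
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def inspect_host(host):
    """Return one finding per label: scripts used and the ASCII (ACE) form."""
    findings = []
    for label in host.lower().split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        try:
            ace = label.encode("idna").decode("ascii")
        except UnicodeError:
            ace = None  # label cannot be converted to a valid IDN label
        findings.append({
            "label": label,
            "ace": ace,
            "scripts": sorted(scripts),
            "non_ascii": not label.isascii(),
            "mixed_script": len(scripts) > 1,
        })
    return findings


def is_suspicious(host):
    """True if any label mixes scripts, e.g. Latin text with one Cyrillic letter."""
    return any(f["mixed_script"] for f in inspect_host(host))


if __name__ == "__main__":
    # Constructed samples: the second uses CYRILLIC SMALL LETTER A (U+0430).
    for host in ("paypal.com", "p\u0430ypal.com"):
        for f in inspect_host(host):
            print(host.encode("unicode_escape").decode(), f)
        print("suspicious:", is_suspicious(host))
```

A label written entirely in one non-Latin script is not flagged by the mixed-script check, so the `non_ascii` field and the ACE form are reported separately for review.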

Update (10 Feb 2005)

Damien Gaurd pointed out a useful clarification here and here on what ZDNet described as a 'phishing flaw' relating to Firefox and how it relates to IE. Thanks Damien.