Security -- Firewall and the shortcomings of Internet Explorer 7compared to Mozilla Firefox

A. I have generally been satisfied with Windows Vista so far. I am
still planning on connecting directly to the modem and checking out the
security of the Windows Vista software firewall through this method. I
will not allow any exceptions and am looking for the core strength of
the firewall. There is nothing of importance in the Windows Vista test
RC1 build 5728 if someone does indeed break in and destroy the tes
operating system then I can report back to Microsoft the areas that need
to be improved in the operating system. BTW, I did run this test with
Windows XP SP 2 firewall with no exceptions and it failed. Zone Alarm
Professional passed this test. Anyway, that is other stuff so I now
must focus on my question at hand.

1. The problem with Internet Explorer 7 is that the encryption
method has not been upgraded from 128 bit encryption RC4 strength to a
higher encryption method. Mozilla Firefox is setting the standard here
by providing 256 bit AES encryption method. Unfortunately, the industry
is somewhat lacking here as well. For example, Bank of America is only
protected by a 128 bit RC4 encryption method and does not utilize the
256 bit encryption method that Mozilla Firefox utilizes. I have
contacted Bank of America to warn them and let them know that the 128
bit encryption method is not the highest encryption method available as
incorrectly stated on their site. This is in comparison to sites such
as Charles Schwab which will utilize the greater 256 bit encryption
standard AES of Mozilla Firefox when available and will use 128 bit RC4
encryption when Internet Explorer is used. I really think Microsoft
needs this higher encryption scheme and in good faith should back date
it to Windows 98, 98SE and ME since these operating systems only
recently ended support on July 11, 2006 and deserve the greater
encryption method as well.

2. The lack of plugins that Mozilla Firefox utilizes. Mozilla
Firefox has plug ins that make the browser much better and more
functional. For example, the Geotrust plugin for Mozilla Firefox shows
what sites are safe to browse to. I now take advantage of these plug
ins for more and better security. I recently picked up a bit of adware
that Zone Alarm Professional -- the antispyware component picked up and
I concluded that I got it by going to different sites after searching
that I had no idea if they were safe or not so I really appreciate the
author of this plugin. The plugins for Mozilla firefox are protected
under an encryption scheme that makes them relatively safe for download
but you should still scan anything you download for viruses and spyware
for added security.

3. Mozilla Firefox is open source and does not have the Active X
which is nice in some cases but adds lots of vulnerabilities as well.
Please see below government web link on a current Internet Explorer
vulnerability dealing with Active X that has not as of yet been patched.
It is still crucial to have the latest browser -- 1.5.0.7 for Mozilla
Firefox and Mozilla Thunderbird in order to maximize security protocol
and previous versions of this browser and newsreader do have
vulnerabilities.

(I cross posted this to the Mozilla newsgroup for an interesting and
informative debate about the two browsers -- no cussing or flaming
please --- rats only send one message to one news server at a time --
well copy and paste here I go and so much for the debate)

"Dan" wrote:

> 1. The problem with Internet Explorer 7 is that the encryption
> method has not been upgraded from 128 bit encryption RC4 strength to a
> higher encryption method.

You wrong! IE7 has Cipher Strenght: 256 bit under Windows Vista

> 2. The lack of plugins

You wrong! IE7 has a lot of plugins http://www.ieaddons.com if you want
And by the way I don't feel needing plug-ins: a web browser is just a web
browser.


> 3. Mozilla Firefox is open source and does not have the Active X
> which is nice in some cases but adds lots of vulnerabilities as well.

ActiveX in IE7 are disabled by default
Mozilla Firefox had a lot of vulnerabilities in these months!

BillD wrote:
>
> "Dan" wrote:
>
>> 1. The problem with Internet Explorer 7 is that the encryption
>> method has not been upgraded from 128 bit encryption RC4 strength to a
>> higher encryption method.
>
> You wrong! IE7 has Cipher Strenght: 256 bit under Windows Vista
>
>> 2. The lack of plugins
>
> You wrong! IE7 has a lot of plugins http://www.ieaddons.com if you want
> And by the way I don't feel needing plug-ins: a web browser is just a web
> browser.
>
>
>> 3. Mozilla Firefox is open source and does not have the Active X
>> which is nice in some cases but adds lots of vulnerabilities as well.
>
> ActiveX in IE7 are disabled by default
> Mozilla Firefox had a lot of vulnerabilities in these months!

Well thanks for the correction --- I should have said Internet Explorer
6 sp1 --- I will have to research these findings to prove you are
correct but I will take your word for it for now. There is no reason to
be so negative if I made a mistake. Just tell me and I will go along
with it. Geotrust plugin provides safety by showing verified plugins.
Are www.ieaddons.com encrypted like the add ons for Mozilla Firefox.
Sure, Mozilla Firefox has had lots of vulnerabilities but it is open
source which gives it an advantage of being patched more quickly.

Current Vulnerabilities:

(I have to go to work now and I will post more on this later but this is
a start)

http://www.us-cert.gov/cas/techalerts/TA06-270A.html


Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability
Original release date: September 27, 2006
Last revised: September 28, 2006
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer


Overview

The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability that could allow a remote attacker to
execute arbitrary code.

I. Description

The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability. An attacker could exploit this
vulnerability through Microsoft Internet Explorer (IE) or any other
application that hosts the WebViewFolderIcon control. More information
is available in Vulnerability Note VU#753044.

Exploit code for this vulnerability is publicly available.

II. I

"Dan" wrote:

> Sure, Mozilla Firefox has had lots of vulnerabilities but it is open
> source which gives it an advantage of being patched more quickly.
>

That's not true becase a new Firefox release is avaible not before 1 or 2
months,
so Mozilla takes about 1 or 2 months to patch the flaws.

According to the most recent update to security-firm Symantec's biannual
Internet Security Threat Report, the last six months saw a significant uptick
in the number of security vulnerabilities found in web browsers. Leading the
way was Firefox, with 47 bugs discovered. Researchers and hackers discovered
38 vulnerabilities in Internet Explorer, 12 in Safari, and seven in Opera.

"Dan" wrote:

> Are www.ieaddons.com encrypted like the add ons for Mozilla Firefox.

IE handles the adds-on by seeing if they're digitally signed or unsigned and
it prompts the user.
Firefox doesn't have the support for digitally signed extensions

BillD wrote:
>
> "Dan" wrote:
>
>> Are www.ieaddons.com encrypted like the add ons for Mozilla Firefox.
>
> IE handles the adds-on by seeing if they're digitally signed or unsigned and
> it prompts the user.
> Firefox doesn't have the support for digitally signed extensions

Okay, I'll just say you win because I am tired of arguing.

Dan W. wrote:
> BillD wrote:
>>
>> "Dan" wrote:
>>
>>> Are www.ieaddons.com encrypted like the add ons for Mozilla Firefox.
>>
>> IE handles the adds-on by seeing if they're digitally signed or
>> unsigned and it prompts the user. Firefox doesn't have the support for
>> digitally signed extensions
>
> Okay, I'll just say you win because I am tired of arguing.

One more thing -- why can't I confirm that the page is encrypted by 256
bit encryption in Vista like I can in Internet Explorer 6 with 128 bit
RC4 maximum encryption and Mozilla Firefox 1.5.0.7 with 256 bit AES
encryption (maximum -- I do not know)