Browser Showdown: IE 8 vs. Firefox
#42
Posted 25 March 2009 - 05:27 AM
#43
Posted 25 March 2009 - 05:34 AM
dual core x2 600
4gb kit gskill
i have both beta and the latest non beta of Firefox and both 32 and 64 bit versions of IE 8 and use the tweak network settings add on in Firefox
and in Vista Firefox still is faster than either IE 8's but have not compared them in Win 7 yet
high speed cable Extreme ( 20 mbs with peaks of 30 )
maybe IE 8 needs some sort of tweaks for broadband? might be good for dial up users but i still think Firefox is the way to go ( both Firefoxes have about 25 to 30 add ons)
which is more secure?
i usually only use IE for micro$oft'$ web site and Firefox for everything else!
#44
Posted 25 March 2009 - 06:44 AM
The value of a browser is measured by a lot more than pure speed of loading pages. Your productivity does not depend on whether a browser loads pages a second or two faster than other browsers. The features make all the difference in the world. That's the big advantage that Firefox offers -- the add-ons that enable you to customize Firefox to work the way you want it to work.
And then there's the security of the browser.
So these articles that focus just on speed kind of miss the point. It's the whole package, not just how fast pages load or how quickly the browser opens. Thinking about browsers solely in terms of speed is no different than measuring the worth of a car by how quickly it goes from 0 to 60 -- while it gets just 20 miles per gallon and tips over way too easily.
#45
Posted 25 March 2009 - 07:05 AM
Quoting winning hackers as demonstrated by Nils and Charlie Miller during a PWN2OWN competition at CanSecWest 2009 and echoed by the news:
Excerpt from http://voices.washin...fix/2009/03/macosxtoptargetinbrowser.html?wprss=securityfix
{Snipped}
Nils won $5,000 and a Sony Vaio netbook for his IE8 vulnerability (which Microsoft fixed the very next day in its release of the first non-beta version of IE8 ) plus another $5,000 each for the Firefox and Safari bugs.
{Snipped}
Both the Firefox and Safari vulnerabilities that he proved were exploited on a Mac OS X system. The German hacker said the latest versions of both Firefox and IE take full advantage of features built in to Windows Vista that make it far more difficult to reliably exploit than on the current version of OS X. Those features, including "data execution prevention" (DEP) and "address space layout randomization," (ASLR) don't appear to be properly implemented between OS X and versions of Safari and Firefox built for that operating system, Nils said.
"It's quite easy to write an exploit for Firefox on OS X compared to Firefox on Vista," he said.
Attackers usually craft exploits so that they write data or programs to very specific, static sections in the operating system's memory, but ASLR counters that approach by constantly moving those points to different positions. DEP makes it so that even if the attacker succeeds in guessing the location of the memory location point they're seeking, the code placed there will not execute or run.
While few cyber crooks are attacking Mac users through Safari and Firefox at the moment, that may change soon if a large number of Windows users migrate to Windows 7, the successor to Windows Vista, due to be released sometime later this year.
"It's getting pretty hard to do a lot of this stuff on Windows Vista and Windows 7," Nils said. "Especially when a lot of people who stayed with [Windows XP] switch to Windows 7 because they didn't want Vista, the bad guys may start to figure out they can more easily exploit these bugs more reliably on a Mac."
Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators, also won a Macbook and $5,000, for developing an exploit for a previously unknown critical flaw in Safari on Mac OS X.
"Mac OS X has some ASLR but not much, and there is no DEP in OS X," Miller said. "My exploit relied on exploit code being in certain spot, and that it would [execute], and in Vista neither of those things would have happened."
Interestingly, none of the contestants managed to find a remotely exploitable vulnerability in Google's Chrome, the other remaining browser targeted in the Pwn2Own contest.
{Snipped}
#46
Posted 25 March 2009 - 07:30 AM
Exact quote from Nils -
"For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There's nothing in the Mac operating system that will stop you."
http://blogs.zdnet.c...ecurity/?p=2941
#47
Posted 25 March 2009 - 07:58 AM
Excerpt from http://blogs.zdnet.c...ecurity/?p=2941
Really? What's the difference between what you can do on IE but can't do on Firefox?
The technique he used works against IE but not Firefox. It allows you to place code in a specific spot in memory.
Perhaps you missed my argument? That flaw is already patched in IE8 non-beta.
Try asking Nils to rephrase that today:
Excerpt from http://voices.washin...fix/2009/03/macosxtoptargetinbrowser.html?wprss=securityfix
{Snipped}
Nils won $5,000 and a Sony Vaio netbook for his IE8 vulnerability ( which Microsoft fixed the very next day in its release of the first non-beta version of IE8 ) plus another $5,000 each for the Firefox and Safari bugs.
You see, having open-source can be an advantage, or not...
But as an end-user, I vastly prefer open-source offerings.
#48
Posted 25 March 2009 - 08:25 AM
It doesn't matter that this particular IE vulnerability was patched quickly, because IE8 is brand new and is therefore guaranteed to have still-undiscovered exploits in its new code. If hackers are finding it easier to exploit IE, there will obviously be more hackers out there with the technical expertise to hack IE than there would be to hack FF. The harder the exploit, the fewer people there are that can use it.
#49
Posted 25 March 2009 - 08:38 AM
Excerpt from http://voices.washin...fix/2009/03/macosxtoptargetinbrowser.html?wprss=securityfix
Both the Firefox and Safari vulnerabilities that he proved were exploited on a Mac OS X system. The German hacker said the latest versions of both Firefox and IE take full advantage of features built in to Windows Vista that make it far more difficult to reliably exploit than on the current version of OS X. Those features, including "data execution prevention" (DEP) and "address space layout randomization," (ASLR) don't appear to be properly implemented between OS X and versions of Safari and Firefox built for that operating system, Nils said.
"It's quite easy to write an exploit for Firefox on OS X compared to Firefox on Vista," he said.
Attackers usually craft exploits so that they write data or programs to very specific, static sections in the operating system's memory, but ASLR counters that approach by constantly moving those points to different positions. DEP makes it so that even if the attacker succeeds in guessing the location of the memory location point they're seeking, the code placed there will not execute or run.
While few cyber crooks are attacking Mac users through Safari and Firefox at the moment, that may change soon if a large number of Windows users migrate to Windows 7, the successor to Windows Vista, due to be released sometime later this year.
"It's getting pretty hard to do a lot of this stuff on Windows Vista and Windows 7," Nils said. "Especially when a lot of people who stayed with [Windows XP] switch to Windows 7 because they didn't want Vista, the bad guys may start to figure out they can more easily exploit these bugs more reliably on a Mac."
Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators, also won a Macbook and $5,000, for developing an exploit for a previously unknown critical flaw in Safari on Mac OS X.
"Mac OS X has some ASLR but not much, and there is no DEP in OS X," Miller said. "My exploit relied on exploit code being in certain spot, and that it would [execute], and in Vista neither of those things would have happened."
And based on what Hacker Nils said, that the IE8 beta that was hacked depended on a static memory location "specific spot in memory" in his own words, that vulnerability is gone today in the IE 8 non-beta full general public availability release.
How do you think Nils earned $15,000? By hacking FF obviously. So him stating that FF is harder is understandable. He has to make it work under all platforms. Whereas IE was a beta version... With a glaring hole. Now the finished product is out, those beta unpolished touches are gone.
I'd really be interested in Nils demonstrating today his IE8 exploits. In the absence of that, then the weaker product is FF. By proof of facts and reality as it is today. Tomorrow is another matter altogether.
And now that all this is known, don't you think someone would have attempted the same exploit onto a production quality version of IE8?
I am not saying IE8 is invulnerable, but I hope you're not saying FF is invulnerable either?
#51
Posted 25 March 2009 - 08:49 AM
rifter said:
Has been is exactly right.
It took Microsoft exactly less than a day to put out that fix. And go through the full-regression testing cycle of a GA release product.
Whereas, FF is already fully patched and also a GA build. (General Availability in contrast to Beta). And is still hackable. Where's the timely patch from FF? The clock is ticking...
~~~~~~~~~~
The only constant is change.
~ Confucius
#53
Posted 25 March 2009 - 12:03 PM
>"All required security hotfixes (using the 03/10/2009 Microsoft Security Bulletin Summary) have been installed" according to Belarc Advisor
My anti-virus are Panda, MSRT, Windows Defender, and Malwarebytes. Also all the latest.
I can also report that under Windows 7 Ultimate x64 beta also fully patched to the latest, IE8 64-bit is completely trouble-free, ultra-fast and completely running in the Protected Mode. However, I can only find 32-bit versions of FF 3.0.7 binaries (no issues), and that Chrome 32-bit doesn't work under Windows 7 64-bit.
>"All required security hotfixes (using the 03/10/2009 Microsoft Security Bulletin Summary) have been installed" according to Belarc Advisor
My anti-virus are Avast 64-bit, MSRT, Windows Defender and Malwarebytes. Also all the latest.
Thus my advice would be for you to install the GA build of IE8 (whatever OS word length type since both 32-bit and 64-bit versions are available for free) and see what happens under McAfee... If you encounter problems, I can state with 99.9% confidence the trouble is outside IE8.
Good luck.
#54
Posted 25 March 2009 - 12:42 PM
#55
Posted 25 March 2009 - 01:11 PM
I find it interesting that IE8 was hacked on a machine running Windows 7, despite the added protection supposedly provided by 7's DEP and ASLR. It just goes to show that there's no such thing as a completely secure browser or OS - whether it's a beta or release version, it's still vulnerable. New software versions ALWAYS have new vulnerabilities - for instance, the exploit that Nils used on IE8 doesn't work on IE7.
One of the reasons why I rate FF as the most secure of the browsing platforms is that I can use extensions to increase my browsing security beyond that of the other browsers. A machine can also be compromised by hackers using exploits that make use of plug-ins like Flash and Java. The problem with these types of exploits is that they are independent of the browser being used. However, in FF, I can protect my PC from such exploits by using NoScript to select which sites I will entrust with use of the plug-ins. With the other browsers, there's no way to selectively control which sites can use plug-ins, iFrames, JavaScript etc. Let's say that I'm using a search engine to do some research (using some other browser, or FF without NoScript), and I'm clicking links to arbitrary sites in the results list. Each time I go to a site I'm unfamiliar with, I'm exposing the required plug-ins to data from the site that might actually be compromising my machine. With FF and NoScript running together, that can't happen until I manually enable scripts and plug-ins for that site. Using FF protects me from browser exploits which target IE, and NoScript protects me from plug-in exploits that target all computers regardless of browser. Anything short of this level of control is less secure, in my view.
#56
Posted 25 March 2009 - 01:33 PM
Please forgive me for re-iterating that a beta-release of IE8 doesn't make it valid to say that today the same would occur.
Specifically, I am proposing that BOTH FF 3.0.7 and IE 8.0.6001.18702 are somewhat secure to the best of our knowledge today. I am stating that if the same vulnerability that existed in IE8 beta were to exist today in the IE8 GA, it would be news by now.
Thus implying that FF is superior in security over IE8 or vice-versa is not a proven fact as it stands today. Of course, individual preferences may alter relative perspectives and perceptions somewhat...
Win-win for all?
Peace!
PS: I refrain from going digging up 'facts' either for or against anything at the moment. Precisely because I respect and trust your opinion eMJay. Let's say, enough for now? ;)
#57
Posted 25 March 2009 - 01:37 PM
#58
Posted 25 March 2009 - 01:46 PM
#60
Posted 25 March 2009 - 02:19 PM
button helps but many have just moved to Firefox because everything just works ( really slows down productivity if you have to keep clicking the refresh button every time you change pages) don't know if they fixed that yet but the blogs have quit complaining about blank pages