Don Kiely's Technical Blatherings

All Things Technical in .NET, SQL Server, and Security




Wednesday, September 22, 2004 - Posts

Everyone's Talking About Least Privilege!

Well, not as many people as need to be, but here are two blog entries from new converts:

Larry Osterman's WebLog: Running Non Admin

Boneman's Blog: Running as Non-administrator

Some nice insights.

posted Wednesday, September 22, 2004 4:07 PM by donkiely with 1 Comments

FireFox Security Scrutinized As It Becomes More Popular

Ah, the joy of popularity! As people began looking for an alternative to Microsoft's Internet Explorer because of its security vulnerabilities both real and imagined, Mozilla FireFox has become more popular. FireFox has two things going for it that provide a warm, fuzzy feeling of security: it's open source and it's obscure.

One of the (many) battle cries of the open source movement is that the resulting software is far more secure than proprietary software (read: Microsoft's) because anyone can read the source code and find vulnerabilities. And, presumably, fix them.

The other thing FireFox had going for it, for a little while anyway, was that it had only a minuscule portion of the browser market. If you're a hacker, so the theory goes, you get the best and fastest results by going after the browser everyone uses, which lately has been IE.

Alas, with its growing popularity, and despite being a fairly recent newcomer to the browser field, FireFox is beginning to show its weaknesses, and perhaps to undermine the claim that open source is an automatically better way to produce secure software. Here is the latest list from BugTraq of known vulnerabilities:

 2004-09-17:  Mozilla/Firefox Browsers URI Drag And Drop Cross-Domain Scripting Vulnerability
 2004-09-15:  Mozilla/Firefox Browsers Tar.GZ Archive Weak Permissions Vulnerability
 2004-09-15:  Multiple Browser Cross-Domain Cookie Injection Vulnerability
 2004-09-13:  Mozilla Firefox Default Installation File Permission Vulnerability
 2004-09-07:  Mozilla Cross-Domain Frame Loading Vulnerability
 2004-08-27:  Mozilla/Netscape/Firefox Browsers XPCOM Plug-In For Apple Mac OSX Content Spoofing Vulnerability
 2004-08-26:  Mozilla Browser Refresh Security Property Spoofing Vulnerability
 2004-08-26:  Mozilla Browser Cache File Multiple Vulnerabilities
 2004-08-26:  Mozilla Personal Security Manager Certificate Handling Denial Of Service Vulnerability
 2004-08-25:  LibPNG Graphics Library Multiple Remote Vulnerabilities
 2004-08-23:  Mozilla External Protocol Handler Weakness
 2004-08-14:  Mozilla Browser Non-FQDN SSL Certificate Spoofing Vulnerability
 2004-08-14:  Mozilla Firefox XML User Interface Language Browser Interface Spoofing Vulnerability
 2004-08-14:  Multiple Vendor Internet Browser User Action Prediction/Interception Weakness
 2004-08-14:  Mozilla SSL Redirect Spoofing Vulnerability
 2004-06-14:  Mozilla Browser URI Obfuscation Weakness
 2004-05-25:  Multiple Vendor URI Protocol Handler Arbitrary File Creation/Modification Vulnerability

(There doesn't seem to be an easy way to provide a link directly to this list. But you can get the current list by going to the SecurityFocus Vulnerabilities site, selecting the By Vendor tab, selecting Mozilla from the Vendor list and clicking Submit, then selecting FireFox from the Title list and clicking Submit again, and by version if you want.)

Ah, the passage from innocent childhood to maturity can be painful. For the moment I'm staying with FireFox though because I've come to like it in many ways and that is still a reasonably short list. But this should be a reminder that the Internet is an inherently unsafe place to hang out and that secure software is difficult if not impossible for mere humans to produce.

posted Wednesday, September 22, 2004 3:23 PM by donkiely with 0 Comments
