IE More Secure Than Mozilla?

killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted." "

Questions

How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products are open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?

How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?

Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?

I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

Or both.

Re:Questions

Just to show that CNet News is not unbiased against open source. Bugs Found In Open Source AntiVirus Tool [com.com] talks about a bug that was only in versions from June 23 and BEFORE. And yet it makes the headlines today. And with an advertisement for Trend Micro. How peculiar.

Re:Questions

It's Symantec, boys!

You know what, they have large revenues from a MS Windows-related market, and they produce Norton Antivirus, Norton Utilities, and all the damn product line.

If they start saying that a free (as in beer) OpenSource browser (maybe one that works even on GNU/Linux, sheesh!) is able to actually lower the number of virus/malware you get, people may start considering the switch.

If people get less virii/malware, this means less revenues for them. And what if people discover things like ClamAV, which also works on GNU/Linux? What next?

I ain't saying that Symantec is creating new virii by itself (that's an urban legend like alligators in sewers), but I ain't saying they want to lose customers too.

I'll just wait a less biased source than Symantec, or "Microsoft Watch". It's like Microsoft saying that the TCO of Windows is less than the one of GNU/linux (or vice-versa, for what matters).

PS: this doesn't mean that Firefox is "the most secure" thing around. It isn't. But it is free software and works really well for me. I won't switch to Opera now because of this stupid report, nor because Opera has gone free as in beer. A lot of /.-ters make a tragedy out of a rumor (speaking in general). We're a bunch of chattering mothers-in-law... :-)

Anyway, the damage a Firefox bug can do is limited to user space; a hole in IE, which is tightly tied with Windows kernel... brrr.

head-in-sand (or head-in-ass?)

Jesus fucking Christ. This has got to be the worst number doctoring all day long. From TFA:

There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

Oh, well that's just a minor fucking nuclear bomb. Doesn't that make the count 28 to 32? For fuck's sake....the 19 vulnerabilities that Microsoft simply hasn't acknowledged just don't count? This new revelation should make it much cheaper to make secure software...after all, I'm sure it takes far fewer man-hours to do nothing then it does to fix something, and according to Symantec, it produces better results, too!

Re:Questions

Microsoft found a great way to make their browser more secure than the competition. They pay their staff to contribute code to Mozilla!

Re:Questions

I don't want to completely argue with you, I believe that most of your points are valid. But I don't agree with this one:

Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

10 years from now, the latest Mozilla version will probably have critical vulnerabilities. Each new version will have different technologies to deal with as well as have new developers/programmers involved. If one thing is constant in programming any app, as time goes on and new versions come out, there are always new bugs and problems. Mozilla won't be immune to those.

Re:Questions

You're right. It sounds retarded.

Anything that can deceive the user like spoofing a title bar should be taken as a security risk. I'm sorry you don't, I just hope you're not someone working on the Firefox code.

10 year old latest version?

10 years from now, the latest Mozilla version will probably have critical vulnerabilities. Each new version will have different technologies to deal with as well as have new developers/programmers involved. If one thing is constant in programming any app, as time goes on and new versions come out, there are always new bugs and problems. Mozilla won't be immune to those.

This is true. However IE is supposed to be a mature application. It isn't a new version that comes out every few months. At some point shouldn't a developed app reach a point that it is locked down and secure?

Re:10 year old latest version?

I would agree if the app was being developed against a non-changing set of technologies. If there are not any other changes that need to be accounted for, then at some point the app should be completely secure. Unfortunately, that doesn't work when it comes to software. There will always be a new version of something that new functionality is needed for (XML, Java, CSS, etc). If a program does not keep updating and incorporating the latest technologies, especially if it's a web browser, then it would quickly become unusable. Can you use any old version of IE and still be able to do EVERYTHING on the web? No. The same way that I would guess if you keep the current version of Mozilla without ever upgrading, 10 years from now you won't be able to do 90% of what is available on the web.

Re:10 year old latest version?

I would agree if the app was being developed against a non-changing set of technologies.

Every technology IE 6 supports is older than IE 6. IE 6 was released years ago, and hasn't upgraded its support for internet technologies, nor has it added new ones. So really, the argument that "IE 6 is vulnerable because it supports changing technologies" is hogwash. IE 6 is an unchanging application with multiple years available for fixing vulnerabilities.

Re:Questions

I'm curious, but can you explain exactly what makes 'integral to the OS' inherantly insecure? Do you even know what that phrase means in regards to IE? Do you know HOW it's "integral"?

It's not running in the kernel. It doesn't run with privileges that are above the current users. In fact, there's nothing about IE's "integration" that Mozilla isn't just as vulnerable to (in effect, anything IE can do, so can Mozilla, because IE just uses userland API's the same as Mozilla does).

Re:Questions

The big reason that being integral to the OS is bad is that firstly everyone knows it will be on the box which means its a good target for attack, secondly the core dll's are exposed in many applications so securing the surface of IE isn't enough to close all possible vulnerabilities (the security has to be at every single layer that any application is allowed to call into). Mozilla could get away with only securing the top levels and benefits from the fact that it is only on like what 30% of windows boxes?

Re:Questions

It may be true that Mozilla browsers will continue to have new technologies that create new bugs. However, IE 6 has been stagnant for years now and the only changes have been security patches. Yet it still has many critical vulnerabilities *and* these are tied to the OS as well.

Re:Questions

Given the topic, I'm amused that your sig is simultaneously on topic and out of date:

Keep firefox secure, vote for bug #262536

Bug 262536 [mozilla.org] "Bigger notice for updates and critical updates" has been marked resolved by Ben Goodger: "This is fixed by the new update system UI."

8-)

Re:Questions

I have Cingular. I have Firefox. I have never experienced any difficulties in paying my Cingular bill on their website.

Re:Questions

IE can be downloaded, if you know how. One way to get all the client install files is to download and use the IE Administrators Kit [microsoft.com].

But yeah, I can't pay my power bill unless I use IE, so I know you pain and think it's stupid, too.

Re:Questions

Not true. Firefox does indeed make patches available. Look at Gentoo Linux - it is currently at Firefox v1.0.6_r7. That is seven revisions (i.e. patches) since v1.0.6. It was a decision of Mozilla to only bundle prebuilt-binaries as timely groupings of these patches. This was done, as far as I know, because it seemd the most intuitive way of doing so.

Re:Questions

Saw a great comparison on firefox and mozilla a few months ago. Looking at the age of critical vulnerabilities and the time it took to patch them, IE was safe to use for a total of seven days in 2004. All other days had an unpatched known critical vulnerability. Firefox fared better by far, being only vulnerable for small patches at a time.

If I weren't so lazy I'd find the comparison. I'll leave that as an exercise for the reader and google.

Re:Questions

I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

FTFA, it looks like the *conclusion* that IE is more secure is News.com's, and Symantec is just presenting the numbers. Symantec is quoted as saying "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred" which doesn't sound like they're drawing the conclusion that IE is more secure.

Does anyone have a link to the actual report? My first instinct is that TFA is just trolling, but I could be wrong.

Re:Questions

My first instinct is that TFA is just trolling, but I could be wrong.

Not only is TFA trolling, so is Slashdot. We're just rehashing all the debate from 4 days ago [slashdot.org].

(or 10 days ago [slashdot.org], and so on...)

Re:Questions

and Symantec is just presenting the numbers.

As I explained in another post, I believe their numbers are wrong [slashdot.org].

The simple reason is because many bugs where viewing a malicious web page could allow remote code execution (or something similarly nasty) are reported as "windows" bugs rather than "internet explorer" bugs.

If you actually read throught the microsoft bulletins, and consider anything where simply using IE allows an attack (which requires reading the vulunerability info rather than Microsoft's searchable fields of impacted software), you'll find a lot more bugs than Symantec is claiming.

But you don't need to do all that work... I did it, admittedly rather quickly, a few days ago. Just follow that link, and the one in that post, to my quick summary of "simply using IE" bugs.

While googling around, I also found several others mentioned on various security sites, which didn't seem to correspond to any of the bulletins. And complaints of known bugs still not fixed. And some microsoft "notices" which basically claim "that's not a bug, you just need to avoid doing XYZ".

My quick list alone almost puts IE to the raw number of bugs as firefox, and I'm sure if someone did all the digging needed to compile a list that also included other non-microsoft-bulletin sources, we'd see what is plainly known... that IE has a lot more bugs.

It's sad that Symantec couldn't do this. Looks like they simply using Microsoft's database, which ignores lots of bugs Microsoft doesn't "officially" consider IE bugs (even though simply viewing a page with IE is the attack vector), and all the bugs Microsoft is ignoring or denying, or has quietly fixed.

Flaw in the methodology

Symantec only counts vendor-acknowledged flaws in this study. Microsoft has yet to handle 19 flaws, and this is admitted by Symantec. If they had counted those, IE would have been less secure in their study. It seems to me that the methodology is deliberately flawed.

Bruce

How to respond to bad Mozilla security news on /.

How to respond to bad Mozilla security news on /.

1.) First, immediately dismiss the results, just like you did in the last Mozilla security story. Mozilla is flawless.

2.) Randomly reference Open Source, claiming the flaws were easier to find because of it, which has nothing to do with the report in the article and actually sounds like a criticism of Open Source, if anything.

3.) Accuse the study of bias or "shilling." ALWAYS do this when the study goes against your pre-made worldview (in this case, Mozilla being flawless). When the study gives the opposite conclusion, agree with it and praise it, often with related anecdotal stories.

4.) Reference Internet Explorer's age, which has little to do with and doesn't change Mozilla having more flaws than Internet Explorer today.

5.) Ask how quickly the Mozilla vulnerabilities were patched, ignoring that Mozilla has marked vulnerabilities "Confidential" before for them to sit for two years unfixed.

6.) Claim Internet Explorer is integral to the OS, when you argued that Internet Explorer was easily removed from Windows during the anti-trust trial.

7.) Claim matter-of-factly that, for some reason, it "goes without saying" that the study uses some sort of flawed logic, without citing the logic, giving proof, or backing the statements in any way. Simply claim it, knowing everyone will mod you up because they, too, want to believe Mozilla is flawless.

Re:Symantec?

I think you may be confusing Symantec with another company . Last I heard Symantec were a menace who enjoyed spreading fear so people would buy their security products (which in a lot of cases did more harm than good) .

Yea but...

I have yet to get a spyware infection from using Firefox...

dupe?

Is this a dupe story? 'course not! (rolls eyes)

Security is a process!

Security is a process not a state.

A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes in one vulnerability to make your browser insecure

Once any vulnerability is discovered, relative security depends upon is how many users are exposed, and for how long.

Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.

• How quickly a patch is issued
• How quickly are users notified
• How easy it is to apply the patch or upgrade
• What percentage of users actually apply the patch

A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is that any given user was hacked via the product".

Currency calculator that accepts free form input such as "23 canadian dollars --> rupees" [coinmill.com]

Re:Security is a process!

You are missing the most important thing:

• What is being done proactively to ensure that the system remains secure?

Once a new form of vulnerability is discovered, is the rest of the code audited to ensure that no other vulnerabilities of this nature exist? Is the vulnerability class documented, and are the coding guidelines for the project updated to ensure that people who read them (all committers, at a minimum) don't make the same mistake again?

There is a reason why I trust the security of OpenBSD more than most other projects. Security is not just a process, it's an attitude.

Vunerable?

How many of those Mozilla exploits compromise the entire OS?

How many?

Two points to consider:

1. How many 'high severity' bugs did IE have to fix to get to that point? Remember also that IE is integrated into Windows, so any vulnerability that affects Windows affects IE in one way or another (and vice versa).

2. How many have been disclosed by Microsoft before being fixed? They are notorious for not disclosing these things until after it is fixed, and even then they don't always label it as a "IE" fix.

Re:How many?

What drivel.

There are several massive logical ballsups here, made by the linker and the linkee.

1) Not all exploits are created equal. Look at the number of those Moz exploits rated by Secunia as 'Extremely Severe' or 'Critical' compared to those for IE.

2) Mozilla Firefox is not bug free. No piece of software is bug free, and only a mentally retarded moron would believe otherwise. What is important is not that security flaws get found, but (a) how open the organisation is about the flaw [full disclosure] and (b) timeliness of fixes.

3) Mozilla believes in full disclosure, Microsoft does not.

4) The average time taken to patch a flaw in Firefox is two days. IE has unpatched vulnerabilities going back SIX YEARS.

5) Critical components of Firefox run in an sandboxed unprivileged space. When Firefox flaws are discovered, the damage done is minimised. IE runs everything with administrator privileges. When IE is exploited (regularly), a full-on system-rape inevitably follows.

6) ActiveX. The unsafe system by which 90% of spyware, adware, trojans, porn diallers etc. enter your system. Guess which browser has ActiveX turned on by default? Yes, IE. Firefox doesn't support ActiveX because it's just too bloody dangerous.

The security arguments being made about IE vs Firefox in that argument are unreconstructed luddite ballacks.

Although, honestly, we all know security is not the reason we geeks like Firefox. We like it because OMG 3XT3NSI0NZ!!!

So squish.

Martin

Bug Free

Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties. It's an irrelevant quibble though, since web browsers are far, far too complex to ever be formally validated.

Security flaws?

Personally, I think it's stunning that a browser as old as IE6 STILL HAS CRITICAL vulnerabilities. They've had litterally YEARS to root out and discover these sorts of things. To compare that to a much newer Mozilla browser seems like apples and oranges to me.

Re:Security flaws?

I'm not apologizing for IE, but...

(1) Even though IE is old, the nature of threats changes -- not all the security holes could have been predicted five years ago.

(2) Just because Mozilla is newer doesn't mean that they don't have the responsibility to have fewer holes in security. On the contrary, the Mozilla developer community has had the opportunity to learn from all the security holes of IE, and to develop the code from the ground up in such a way that limits vulnerabilities.

That said, response time to threats is better for Firefox. The total threat posed is probably less, because the time of exposure is a fraction of IE vulnerabilities.

But Mozilla faces a tough road ahead -- if they maintain or gain market share, they have to be very cautious, as their vulnerabilities will begin to be targeted seriously by malware.

Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.

a few days ago

We had a similar story a few days ago [slashdot.org]. It was not very informative, and for the same reasons this one's not very informative, e.g., IE is closed-source, so they don't disclose all the bugs.

Mozilla hits back at browser security claim

Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
http://www.zdnet.co.uk/print/?TYPE=story&AT=392191 86-39020375t-10000025c [zdnet.co.uk]