IE More Secure Than Mozilla?

Posted by CmdrTaco on Tue Sep 20, 2005 10:10 AM
from the now-wait-a-minute-here dept.
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. 'According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.'"

Related Stories

Symantec Rethinks Firefox vs IE Vulnerabilities
chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seem they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
  • Questions (Score:5, Insightful)

    by daveschroeder (516195) * on Tuesday September 20 2005, @10:11AM (#13604277)
    How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products are open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?

    How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?

    Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

    Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?

    I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

    Or both.
    • by ShieldW0lf (601553) on Tuesday September 20 2005, @10:16AM (#13604351) Journal
      Microsoft found a great way to make their browser more secure than the competition. They pay their staff to contribute code to Mozilla!
    • Re:Questions (Score:5, Insightful)

      by TurdTapper (608491) <seldonsplanNO@SPAMgmail.com> on Tuesday September 20 2005, @10:17AM (#13604369) Journal
      I don't want to completely argue with you, I believe that most of your points are valid. But I don't agree with this one:

      Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

      10 years from now, the latest Mozilla version will probably have critical vulnerabilities. Each new version will have different technologies to deal with as well as have new developers/programmers involved. If one thing is constant in programming any app, as time goes on and new versions come out, there are always new bugs and problems. Mozilla won't be immune to those.
      • Re:Questions (Score:5, Insightful)

        by urmensch (314385) <ectogon <ata> hotmial> on Tuesday September 20 2005, @10:34AM (#13604591)
        It may be true that Mozilla browsers will continue to have new technologies that create new bugs. However, IE 6 has been stagnant for years now and the only changes have been security patches. Yet it still has many critical vulnerabilities *and* these are tied to the OS as well.
    • Re:Questions (Score:5, Interesting)

      by SpectreBinary (913950) <spectrebinary@hotmail.com> on Tuesday September 20 2005, @10:20AM (#13604413)
      Saw a great comparison on firefox and mozilla a few months ago. Looking at the age of critical vulnerabilities and the time it took to patch them, IE was safe to use for a total of seven days in 2004. All other days had an unpatched known critical vulnerability. Firefox fared better by far, being only vulnerable for small patches at a time.

      If I weren't so lazy I'd find the comparison. I'll leave that as an exercise for the reader and google.
    • Re:Questions (Score:5, Insightful)

      by lgw (121541) on Tuesday September 20 2005, @10:22AM (#13604440) Journal
      I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

      FTFA, it looks like the *conclusion* that IE is more secure is News.com's, and Symantec is just presenting the numbers. Symantec is quoted as saying "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred" which doesn't sound like they're drawing the conclusion that IE is more secure.

      Does anyone have a link to the actual report? My first instinct is that TFA is just trolling, but I could be wrong.
  • Yea but... (Score:5, Insightful)

    by P0pinjay (909846) on Tuesday September 20 2005, @10:12AM (#13604287)
    I have yet to get a spyware infection from using Firefox...
  • by DeadSea (69598) * on Tuesday September 20 2005, @10:12AM (#13604295) Homepage Journal

    Security is a process not a state.

    A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes is one vulnerability to make your browser insecure.

    Once any vulnerability is discovered, relative security depends upon how many users are exposed, and for how long.

    Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.

    • How quickly a patch is issued
    • How quickly users are notified
    • How easy it is to apply the patch or upgrade
    • What percentage of users actually apply the patch

    A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is it that any given user was hacked via the product?"

    Currency calculator that accepts free form input such as "23 canadian dollars --> rupees" [coinmill.com]

    • by TheRaven64 (641858) on Tuesday September 20 2005, @10:31AM (#13604533) Homepage Journal
      You are missing the most important thing:

      • What is being done proactively to ensure that the system remains secure?
      Once a new form of vulnerability is discovered, is the rest of the code audited to ensure that no other vulnerabilities of this nature exist? Is the vulnerability class documented, and are the coding guidelines for the project updated to ensure that people who read them (all committers, at a minimum) don't make the same mistake again?

      There is a reason why I trust the security of OpenBSD more than most other projects. Security is not just a process, it's an attitude.

  • Vulnerable? (Score:5, Insightful)

    by rampant mac (561036) on Tuesday September 20 2005, @10:12AM (#13604301)
    How many of those Mozilla exploits compromise the entire OS?
  • by anandpur (303114) on Tuesday September 20 2005, @10:14AM (#13604315)
    Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
    http://www.zdnet.co.uk/print/?TYPE=story&AT=39219186-39020375t-10000025c [zdnet.co.uk]
  • by Shaman (1148) <shaman.kos@net> on Tuesday September 20 2005, @10:14AM (#13604326) Homepage
    Anyone who thinks Symantec isn't acting in a *VERY* self-serving manner in the past few days worth of FUD is kidding themselves.

    I kid you not, Symantec has been saying "Don't use the Mac, it's insecure! Or Linux! Or Mozilla! They're not secure, oh noes!!!"

    Guess why... maybe it's because they don't have products for those operating systems... or maybe it's because there are no virii in the wild, and they haven't been able to figure out how to write good enough virii for those OS' to scare people into buying their shitty product?

    You decide. I already have.
  • Symantec's Business? (Score:5, Interesting)

    by DarkBlackFox (643814) on Tuesday September 20 2005, @10:15AM (#13604337)
    Since Symantec is best known for their Anti-Virus products, wouldn't it make sense for them to promote IE as the more "secure" browser?

    I mean, it may not be secure in the traditional sense of the word, but with all the trojans/malware/ActiveX vulnerabilities out there, surely IE is the best way to "secure" profits for themselves?
  • by Beatbyte (163694) on Tuesday September 20 2005, @10:15AM (#13604343) Homepage
    Seriously would it hurt anyone's feelings if the duplicate stories were just pulled off /. ?

    It not only makes /. look bad, but it is a known problem with an easy fix.

    Anywho...

    Cliff notes of last story:
    IE's exploits would be someone taking over your computer remotely
    Firefox's exploits would be malicious popups/crashing (of browser only)

    So the "severity" thing doesn't really matter here.

  • by suso (153703) * on Tuesday September 20 2005, @10:16AM (#13604349) Homepage Journal
    if you don't use it.
  • by Epeeist (2682) on Tuesday September 20 2005, @10:19AM (#13604401) Homepage
    For Firefox

    Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical

    This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

    Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.
    And IE

    Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

    This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

    Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.
  • RTFA (Score:5, Insightful)

    by mothlos (832302) on Tuesday September 20 2005, @10:24AM (#13604455)
    There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
    I think that says it all.
  • With a MAJOR Caveat (Score:5, Interesting)

    by mjh (57755) <mark&hornclan,com> on Tuesday September 20 2005, @10:24AM (#13604456) Homepage Journal
    From TFA:
    There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
    Interesting methodology. That means that the browser vendor is in complete control of the vulnerability counts. This is NOT the kind of reporting of vulnerabilities that I think should be encouraged. I'd rather see vulnerability reports that encourage full disclosure. This creates an incentive for the vendor to hide vulnerabilities. I think that's bad.

    How about this: a report that identifies the vulnerabilities associated with a vendor, and not a product. In other words, after the initial public announcement of a vulnerability, we report how long it took the vendor to release a patch. Lower scores are better.

    Anybody think that'll work? If not, why not?
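The exposure-window metrics DeadSea lists above (time to patch, share of unpatched issues, days a user stays exposed) and the disclosure-to-patch score mjh proposes here, worked through as an added example that is not part of any comment in this thread. The advisory records and the two product names are constructed placeholders, and a day counts as exposed from public disclosure until the day before a patch ships.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Advisory:
    product: str
    disclosed: date          # public disclosure date
    patched: Optional[date]  # None: still unpatched at the end of the period
    critical: bool

ADVISORIES = [  # constructed sample data for two placeholder products, not real advisories
    Advisory("browser-a", date(2005, 1, 10), date(2005, 1, 12), True),
    Advisory("browser-a", date(2005, 3, 1), date(2005, 3, 3), False),
    Advisory("browser-a", date(2005, 5, 20), None, False),
    Advisory("browser-b", date(2005, 1, 5), date(2005, 2, 20), True),
    Advisory("browser-b", date(2005, 2, 1), date(2005, 4, 15), True),
    Advisory("browser-b", date(2005, 6, 1), None, True),
]

def _select(advs, product, critical_only=False):
    return [a for a in advs if a.product == product and (a.critical or not critical_only)]

def days_exposed(advs, product, start, end, critical_only=False):
    """Days in [start, end] with at least one disclosed-but-unpatched advisory;
    overlapping windows count once, and the patch date itself is not exposed."""
    after_end = end + timedelta(days=1)
    exposed = set()
    for a in _select(advs, product, critical_only):
        day = max(a.disclosed, start)
        stop = min(a.patched or after_end, after_end)
        while day < stop:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)

def mean_days_to_patch(advs, product, critical_only=False):
    """Average disclosure-to-patch delay over the advisories that did get patched."""
    delays = [(a.patched - a.disclosed).days
              for a in _select(advs, product, critical_only) if a.patched]
    return mean(delays) if delays else None

def report(advs, product, start, end):
    """Raw advisory count beside the exposure-window metrics."""
    return {"count": len(_select(advs, product)),
            "unpatched": sum(a.patched is None for a in _select(advs, product)),
            "days_exposed": days_exposed(advs, product, start, end),
            "critical_days_exposed": days_exposed(advs, product, start, end, True),
            "mean_days_to_patch": mean_days_to_patch(advs, product)}
```

Both placeholder products have the same raw count (3) and the same number of unpatched issues (1), yet over the first half of 2005 one leaves users exposed on 46 days and the other on 130, which is the distinction the thread says a bare count hides.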

  • by petard (117521) * on Tuesday September 20 2005, @10:32AM (#13604551) Homepage
    Even symantec admits that this report is a steaming pile of crap.

    From TFA:

    Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

    Nice. So in terms of checking off the reported vulnerabilities and counting each one equally, if the report were honest, IE would have 32 issues and Firefox would have 29. For the sake of this report, all vulnerabilities are equally bad, right? Well, not according to TFA:

    Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."

    So the IE vulnerabilities result in widespread exploitation and the Firefox ones don't, but firefox is somehow worse? I think the only way in which firefox is worse, from Symantec's perspective, is that the constantly malware-infested machines (where IE is the main infestation vector) inflate demand for the crap that Symantec peddles, and they're afraid that if people aren't constantly suffering from the pain of these infections this demand will evaporate.

    Feh. Maybe I'm a cynic, but this looks like marketing poorly disguised as research to me...
    • Re:How many? (Score:5, Interesting)

      by minginqunt (225413) on Tuesday September 20 2005, @10:16AM (#13604360) Homepage Journal

      What drivel.

      There are several massive logical ballsups here, made by the linker and the linkee.

      1) Not all exploits are created equal. Look at the number of those Moz exploits rated by Secunia as 'Extremely Severe' or 'Critical' compared to those for IE.

      2) Mozilla Firefox is not bug free. No piece of software is bug free, and only a mentally retarded moron would believe otherwise. What is important is not that security flaws get found, but (a) how open the organisation is about the flaw [full disclosure] and (b) timeliness of fixes.

      3) Mozilla believes in full disclosure, Microsoft does not.

      4) The average time taken to patch a flaw in Firefox is two days. IE has unpatched vulnerabilities going back SIX YEARS.

      5) Critical components of Firefox run in a sandboxed unprivileged space. When Firefox flaws are discovered, the damage done is minimised. IE runs everything with administrator privileges. When IE is exploited (regularly), a full-on system-rape inevitably follows.

      6) ActiveX. The unsafe system by which 90% of spyware, adware, trojans, porn diallers etc. enter your system. Guess which browser has ActiveX turned on by default? Yes, IE. Firefox doesn't support ActiveX because it's just too bloody dangerous.

      The security arguments being made about IE vs Firefox in that argument are unreconstructed luddite ballacks.

      Although, honestly, we all know security is not the reason we geeks like Firefox. We like it because OMG 3XT3NSI0NZ!!!

      So squish.

      Martin
    • Re:Security flaws? (Score:5, Insightful)

      by Red Flayer (890720) on Tuesday September 20 2005, @10:37AM (#13604624) Journal
      I'm not apologizing for IE, but...

      (1) Even though IE is old, the nature of threats changes -- not all the security holes could have been predicted five years ago.

      (2) Just because Mozilla is newer doesn't mean that they don't have the responsibility to have fewer holes in security. On the contrary, the Mozilla developer community has had the opportunity to learn from all the security holes of IE, and to develop the code from the ground up in such a way that limits vulnerabilities.

      That said, response time to threats is better for Firefox. The total threat posed is probably less, because the time of exposure is a fraction of IE vulnerabilities.

      But Mozilla faces a tough road ahead -- if they maintain or gain market share, they have to be very cautious, as their vulnerabilities will begin to be targeted seriously by malware.

      Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.