IE More Secure Than Mozilla?

killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted." "

Questions

[daveschroeder]

How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products are open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?

How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?

Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?

I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

Or both.

Re:Questions

[servo335]

How many virus writers have designed their virus just to attack symantec? Gues they are just as insecure. Seems like they are verry biased in their reports.

Re:Questions

[Directrix1]

Just to show that CNet News is not unbiased against open source. Bugs Found In Open Source AntiVirus Tool [com.com] talks about a bug that was only in versions from June 23 and BEFORE. And yet it makes the headlines today. And with an advertisement for Trend Micro. How peculiar.

Re:Questions

[tchernobog]

It's Symantec, boys!

You know what, they have large revenues from a MS Windows-related market, and they produce Norton Antivirus, Norton Utilities, and all the damn product line.

If they start saying that a free (as in beer) OpenSource browser (maybe one that works even on GNU/Linux, sheesh!) is able to actually lower the number of virus/malware you get, people may start considering the switch.

If people get less virii/malware, this means less revenues for them. And what if people discover things like ClamAV, which also works on GNU/Linux? What next?

I ain't saying that Symantec is creating new virii by itself (that's an urban legend like alligators in sewers), but I ain't saying they want to lose customers too.

I'll just wait a less biased source than Symantec, or "Microsoft Watch". It's like Microsoft saying that the TCO of Windows is less than the one of GNU/linux (or vice-versa, for what matters).

PS: this doesn't mean that Firefox is "the most secure" thing around. It isn't. But it is free software and works really well for me. I won't switch to Opera now because of this stupid report, nor because Opera has gone free as in beer. A lot of /.-ters make a tragedy out of a rumor (speaking in general). We're a bunch of chattering mothers-in-law... :-)

Anyway, the damage a Firefox bug can do is limited to user space; a hole in IE, which is tightly tied with Windows kernel... brrr.

True but

[einhverfr]

First I will say that I am a Mozilla user that has been considering going to other nonXUL-based brousers in order to get better security. I now regard Mozilla and Firefox design at more or less the same level of security as IE.

IE's main problem is that you have this concept of security zones. These zones are supposed to allow one to trust intranet sites with activeX controls that might not be trusted on the internet. However, there are plenty of ways to cross this barrier so it is fairly porous. Hence t

head-in-sand (or head-in-ass?)

[jusdisgi]

Jesus fucking Christ. This has got to be the worst number doctoring all day long. From TFA:

There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

Oh, well that's just a minor fucking nuclear bomb. Doesn't that make the count 28 to 32? For fuck's sake....the 19 vulnerabilities that Microsoft simply hasn't acknowledged just don't count? This new revelation should make it much cheaper to make secure software...after all, I'm sure it takes far fewer man-hours to do nothing then it does to fix something, and according to Symantec, it produces better results, too!

Re:Questions

[ShieldW0lf]

Microsoft found a great way to make their browser more secure than the competition. They pay their staff to contribute code to Mozilla!

Re:Questions

[TurdTapper]

I don't want to completely argue with you, I believe that most of your points are valid. But I don't agree with this one:

Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

10 years from now, the latest Mozilla version will probably have critical vulnerabilities. Each new version will have different technologies to deal with as well as have new developers/programmers involved. If one thing is constant in programming any app, as time goes on and new versions come out, there are always new bugs and problems. Mozilla won't be immune to those.

10 year old latest version?

[nlinecomputers]

10 years from now, the latest Mozilla version will probably have critical vulnerabilities. Each new version will have different technologies to deal with as well as have new developers/programmers involved. If one thing is constant in programming any app, as time goes on and new versions come out, there are always new bugs and problems. Mozilla won't be immune to those.

This is true. However IE is supposed to be a mature application. It isn't a new version that comes out every few months. At some point shouldn't a developed app reach a point that it is locked down and secure?

Re:10 year old latest version?

[TurdTapper]

I would agree if the app was being developed against a non-changing set of technologies. If there are not any other changes that need to be accounted for, then at some point the app should be completely secure. Unfortunately, that doesn't work when it comes to software. There will always be a new version of something that new functionality is needed for (XML, Java, CSS, etc). If a program does not keep updating and incorporating the latest technologies, especially if it's a web browser, then it would quickly become unusable. Can you use any old version of IE and still be able to do EVERYTHING on the web? No. The same way that I would guess if you keep the current version of Mozilla without ever upgrading, 10 years from now you won't be able to do 90% of what is available on the web.

Re:10 year old latest version?

[Zak3056]

There's a problem with the point you're making:
IE6 is four years old. While SP2 was released last year, this version is applicable ONLY to WinXP SP2--all other platforms are stuck at IE6 SP1, which was released almost exactly three years ago. Everything since then has supposedly been security fixes and the like.

It's not a moving target--it really IS supposed to be mature code. There's a far cry between this and something under active development!

Re:10 year old latest version?

[Zoop]

I would agree if the app was being developed against a non-changing set of technologies.

Every technology IE 6 supports is older than IE 6. IE 6 was released years ago, and hasn't upgraded its support for internet technologies, nor has it added new ones. So really, the argument that "IE 6 is vulnerable because it supports changing technologies" is hogwash. IE 6 is an unchanging application with multiple years available for fixing vulnerabilities.

Re:Questions

[urmensch]

It may be true that Mozilla browsers will continue to have new technologies that create new bugs. However, IE 6 has been stagnant for years now and the only changes have been security patches. Yet it still has many critical vulnerabilities *and* these are tied to the OS as well.

Re:Questions

[John Whitley]

Given the topic, I'm amused that your sig is simultaneously on topic and out of date:

Keep firefox secure, vote for bug #262536

Bug 262536 [mozilla.org] "Bigger notice for updates and critical updates" has been marked resolved by Ben Goodger: "This is fixed by the new update system UI."

8-)

Re:Questions

[erroneus]

You are making a completely invalid assumption. The assumption you make is that all software will always have bugs. This is provably untrue. When software is designed against such failure, then it is likely that they will accomplish that end. An example of this is QMail. (check here for the only ones I could find [uni-dortmund.de])

This isn't meant to bash any project in particular, but the fact remains that a program is a series of instructions and the computer folows them. It is possible to write a series of instructio

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Questions

[Proc6]

You're right. It sounds retarded.

Anything that can deceive the user like spoofing a title bar should be taken as a security risk. I'm sorry you don't, I just hope you're not someone working on the Firefox code.

Re:Questions

[toddestan]

I Really think Mozilla should start defining "vulnerabilities" as "visiting a website can cause evil code execution on your computer".

Other stuff, like "spoofing a titlebar" or "click here, then here, then here, then pray while performing a rain dance, then click here and your infected!" should be classified as something like "user experience glitches" or something.

On the other hand, rebuilding my Windows installation is a lot less hassle than rebuilding my credit rating.

If anything, it's the issues where t

Re:Questions

[man_of_mr_e]

I'm curious, but can you explain exactly what makes 'integral to the OS' inherantly insecure? Do you even know what that phrase means in regards to IE? Do you know HOW it's "integral"?

It's not running in the kernel. It doesn't run with privileges that are above the current users. In fact, there's nothing about IE's "integration" that Mozilla isn't just as vulnerable to (in effect, anything IE can do, so can Mozilla, because IE just uses userland API's the same as Mozilla does).

Re:Questions

[malfunct]

The big reason that being integral to the OS is bad is that firstly everyone knows it will be on the box which means its a good target for attack, secondly the core dll's are exposed in many applications so securing the surface of IE isn't enough to close all possible vulnerabilities (the security has to be at every single layer that any application is allowed to call into). Mozilla could get away with only securing the top levels and benefits from the fact that it is only on like what 30% of windows boxes?

Re:Questions

[man_of_mr_e]

What you're describing is security through obscurity. Mozilla has core libraries as well, and they are exposed to any application that wants to take advantage of them.

Of course you can get around this problem by statically linking all the code together, but then you create far more maintenance work.

Re:Questions

[fatboy]

It's not running in the kernel. It doesn't run with privileges that are above the current users. In fact, there's nothing about IE's "integration" that Mozilla isn't just as vulnerable to (in effect, anything IE can do, so can Mozilla, because IE just uses userland API's the same as Mozilla does).

A privilege elevation vulnerability exists in Internet Explorer because of the way that Internet Explorer handles Drag and Drop events. An attacker could exploit the vulnerability by constructing a malicious Web pa [microsoft.com]

Re:Questions

[man_of_mr_e]

You didn't really answer the question. I'll take that as a "No, I don't know what that really means. No, I don't know how it really effects security, i'm just assuming things".

Re:Questions

[pcx]

Better to ask -- how many vulnerabilities were discovered or aided because of the very fact that Mozilla family of products are open source but have not been reported.

Open source cuts both ways.

Re:Questions

[shades66]

>Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?

I have IE disabled (well as much as you can using the built in functions for disabling certain microsoft programs like outlook,IE,messenger). I wanted to print out a visio2003 page but did not have visio on my machine! So I install the Microsoft Visio Viewer and double click on the file. Does it open in its own window? NO. Does it open in firefox? NO. Does it run it in IE? YES ! So YES you still are for

Re:Questions

[SpectreBinary]

Saw a great comparison on firefox and mozilla a few months ago. Looking at the age of critical vulnerabilities and the time it took to patch them, IE was safe to use for a total of seven days in 2004. All other days had an unpatched known critical vulnerability. Firefox fared better by far, being only vulnerable for small patches at a time.

If I weren't so lazy I'd find the comparison. I'll leave that as an exercise for the reader and google.

Re:Questions

[man_of_mr_e]

I hate to say it, but apparently you believe everything you read.

The statistic you're talking about is misleading because it only takes into account the length of time from the vulnerability being publicly disclosed and the time of the patch. Typically bug details are embargoed for weeks to months before a patch is made public and the vulnerability is publicly reported.

Don't believe me? Go ahead and look at the bugzilla database for when the vulnerabilities were created, not when the security alert was is

Re:Questions

[lgw]

I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

FTFA, it looks like the *conclusion* that IE is more secure is News.com's, and Symantec is just presenting the numbers. Symantec is quoted as saying "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred" which doesn't sound like they're drawing the conclusion that IE is more secure.

Does anyone have a link to the actual report? My first instinct is that TFA is just trolling, but I could be wrong.

Re:Questions

[op12]

My first instinct is that TFA is just trolling, but I could be wrong.

Not only is TFA trolling, so is Slashdot. We're just rehashing all the debate from 4 days ago [slashdot.org].

(or 10 days ago [slashdot.org], and so on...)

Re:Questions

[pjrc]

and Symantec is just presenting the numbers.

As I explained in another post, I believe their numbers are wrong [slashdot.org].

The simple reason is because many bugs where viewing a malicious web page could allow remote code execution (or something similarly nasty) are reported as "windows" bugs rather than "internet explorer" bugs.

If you actually read throught the microsoft bulletins, and consider anything where simply using IE allows an attack (which requires reading the vulunerability info rather than Microsoft's searchable fields of impacted software), you'll find a lot more bugs than Symantec is claiming.

But you don't need to do all that work... I did it, admittedly rather quickly, a few days ago. Just follow that link, and the one in that post, to my quick summary of "simply using IE" bugs.

While googling around, I also found several others mentioned on various security sites, which didn't seem to correspond to any of the bulletins. And complaints of known bugs still not fixed. And some microsoft "notices" which basically claim "that's not a bug, you just need to avoid doing XYZ".

My quick list alone almost puts IE to the raw number of bugs as firefox, and I'm sure if someone did all the digging needed to compile a list that also included other non-microsoft-bulletin sources, we'd see what is plainly known... that IE has a lot more bugs.

It's sad that Symantec couldn't do this. Looks like they simply using Microsoft's database, which ignores lots of bugs Microsoft doesn't "officially" consider IE bugs (even though simply viewing a page with IE is the attack vector), and all the bugs Microsoft is ignoring or denying, or has quietly fixed.

Re:Questions

[Mr. Underbridge]

Or...how many of Firefox's bugs allowed root-level execution of arbitrary code?

A little adovcating for the devil...

[sterno]

How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?

While this is important in the grand scheme of things, ultimately, the more often vulnerabilities come out, the less likely it is that everybody is going to stay up to date consistently. Lest we forget, most attacks are exploiting publicly known and well understood software flaws. Many attackers are simply using the lists of critical bugs as specifications for their next attack.

Having said that, I think this i

Flaw in the methodology

[Bruce Perens]

Symantec only counts vendor-acknowledged flaws in this study. Microsoft has yet to handle 19 flaws, and this is admitted by Symantec. If they had counted those, IE would have been less secure in their study. It seems to me that the methodology is deliberately flawed.

Bruce

How to respond to bad Mozilla security news on /.

[Overly Critical Guy]

How to respond to bad Mozilla security news on /.

1.) First, immediately dismiss the results, just like you did in the last Mozilla security story. Mozilla is flawless.

2.) Randomly reference Open Source, claiming the flaws were easier to find because of it, which has nothing to do with the report in the article and actually sounds like a criticism of Open Source, if anything.

3.) Accuse the study of bias or "shilling." ALWAYS do this when the study goes against your pre-made worldview (in this case, Mozilla being flawless). When the study gives the opposite conclusion, agree with it and praise it, often with related anecdotal stories.

4.) Reference Internet Explorer's age, which has little to do with and doesn't change Mozilla having more flaws than Internet Explorer today.

5.) Ask how quickly the Mozilla vulnerabilities were patched, ignoring that Mozilla has marked vulnerabilities "Confidential" before for them to sit for two years unfixed.

6.) Claim Internet Explorer is integral to the OS, when you argued that Internet Explorer was easily removed from Windows during the anti-trust trial.

7.) Claim matter-of-factly that, for some reason, it "goes without saying" that the study uses some sort of flawed logic, without citing the logic, giving proof, or backing the statements in any way. Simply claim it, knowing everyone will mod you up because they, too, want to believe Mozilla is flawless.

Re:How to respond to bad Mozilla security news on

[d34thm0nk3y]

If these responses are so predictable should you not have had time enough to think of some actual rebuttals. I have another for your list:

8.) Pointless troll ranting against the Slashdot groupthink without adding anything to the discussion.

Re:Questions

[Citizen of Earth]

I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

Hmmm, an anti-virus vendor would prefer people to be using IE. Kinda sounds like Symantec is shilling for themselves.

Re:Questions

[morgan_greywolf]

I have Cingular. I have Firefox. I have never experienced any difficulties in paying my Cingular bill on their website.

Re:Questions

[Pieroxy]

Never had any issues beyond the login guy

There is a guy doing the login? Which century do we live in already ??? ;-)

Re:Questions

[slaker]

IE can be downloaded, if you know how. One way to get all the client install files is to download and use the IE Administrators Kit [microsoft.com].

But yeah, I can't pay my power bill unless I use IE, so I know you pain and think it's stupid, too.

Re:Questions

[Zeveck]

Not true. Firefox does indeed make patches available. Look at Gentoo Linux - it is currently at Firefox v1.0.6_r7. That is seven revisions (i.e. patches) since v1.0.6. It was a decision of Mozilla to only bundle prebuilt-binaries as timely groupings of these patches. This was done, as far as I know, because it seemd the most intuitive way of doing so.

Yea but...

[P0pinjay]

I have yet to get a spyware infection from using Firefox...

Re:Yea but...

[RingDev]

I disagree. I beleive FF users are, on average, smarter/more computer literate then IE users. I'm not saying all FF users are rocket scientists, but they atleast have some grasp of the social circle that is the net. That rules out a lot of stupid people that do not perform safe browsing.

The fact is, that we can both come up with anecdotal evidence for both sides of this arguement, but large amounts of anecdotal evidence != data. As mentioned in another post, you really have to look at the number of peopl

dupe?

[webagogue]

Is this a dupe story? 'course not! (rolls eyes)

Security is a process!

[DeadSea]

Security is a process not a state.

A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes in one vulnerability to make your browser insecure

Once any vulnerability is discovered, relative security depends upon is how many users are exposed, and for how long.

Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.

• How quickly a patch is issued
• How quickly are users notified
• How easy it is to apply the patch or upgrade
• What percentage of users actually apply the patch

A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is that any given user was hacked via the product".

Currency calculator that accepts free form input such as "23 canadian dollars --> rupees" [coinmill.com]

Re:Security is a process!

[SillyNickName4me]

Security is not (just) a process [bartsplace.net] Not that I disagree with what you are saying, but I disagree with the 'security is a process' statement.

Re:Security is a process!

[TheRaven64]

You are missing the most important thing:

• What is being done proactively to ensure that the system remains secure?

Once a new form of vulnerability is discovered, is the rest of the code audited to ensure that no other vulnerabilities of this nature exist? Is the vulnerability class documented, and are the coding guidelines for the project updated to ensure that people who read them (all committers, at a minimum) don't make the same mistake again?

There is a reason why I trust the security of OpenBSD more than most other projects. Security is not just a process, it's an attitude.

Symantic?

[NETHED]

Don't they write software for Windows, which *GASP!!* is owned by the SAME company as Internet Explorer. Woah. Now here's some news!

In other news, Hershey funded a study that eating chocolate is not only good for you, but makes you a better person.

Vunerable?

[rampant mac]

How many of those Mozilla exploits compromise the entire OS?

How many?

[sglider]

Two points to consider:

1. How many 'high severity' bugs did IE have to fix to get to that point? Remember also that IE is integrated into Windows, so any vulnerability that affects Windows affects IE in one way or another (and vice versa).

2. How many have been disclosed by Microsoft before being fixed? They are notorious for not disclosing these things until after it is fixed, and even then they don't always label it as a "IE" fix.

Re:How many?

[minginqunt]

What drivel.

There are several massive logical ballsups here, made by the linker and the linkee.

1) Not all exploits are created equal. Look at the number of those Moz exploits rated by Secunia as 'Extremely Severe' or 'Critical' compared to those for IE.

2) Mozilla Firefox is not bug free. No piece of software is bug free, and only a mentally retarded moron would believe otherwise. What is important is not that security flaws get found, but (a) how open the organisation is about the flaw [full disclosure] and (b) timeliness of fixes.

3) Mozilla believes in full disclosure, Microsoft does not.

4) The average time taken to patch a flaw in Firefox is two days. IE has unpatched vulnerabilities going back SIX YEARS.

5) Critical components of Firefox run in an sandboxed unprivileged space. When Firefox flaws are discovered, the damage done is minimised. IE runs everything with administrator privileges. When IE is exploited (regularly), a full-on system-rape inevitably follows.

6) ActiveX. The unsafe system by which 90% of spyware, adware, trojans, porn diallers etc. enter your system. Guess which browser has ActiveX turned on by default? Yes, IE. Firefox doesn't support ActiveX because it's just too bloody dangerous.

The security arguments being made about IE vs Firefox in that argument are unreconstructed luddite ballacks.

Although, honestly, we all know security is not the reason we geeks like Firefox. We like it because OMG 3XT3NSI0NZ!!!

So squish.

Martin

Bug Free

[Mark_MF-WN]

Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties. It's an irrelevant quibble though, since web browsers are far, far too complex to ever be formally validated.

Re:Bug Free

[shis-ka-bob]

Is that why TeX is so expensive? Its well over a decade since the bug in TeX was acknowledge by Knuth. Validating may be costly, but that doesn't prevent the software from being inexpensive.

Re:Bug Free

[podperson]

Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties.

It also requires specifications to be expressed mathematically, which tends to restrict it to programs where the specifications are written by scientists or engineers.

Security flaws?

[mokiejovis]

Personally, I think it's stunning that a browser as old as IE6 STILL HAS CRITICAL vulnerabilities. They've had litterally YEARS to root out and discover these sorts of things. To compare that to a much newer Mozilla browser seems like apples and oranges to me.

Re:Security flaws?

[Red Flayer]

I'm not apologizing for IE, but...

(1) Even though IE is old, the nature of threats changes -- not all the security holes could have been predicted five years ago.

(2) Just because Mozilla is newer doesn't mean that they don't have the responsibility to have fewer holes in security. On the contrary, the Mozilla developer community has had the opportunity to learn from all the security holes of IE, and to develop the code from the ground up in such a way that limits vulnerabilities.

That said, response time to threats is better for Firefox. The total threat posed is probably less, because the time of exposure is a fraction of IE vulnerabilities.

But Mozilla faces a tough road ahead -- if they maintain or gain market share, they have to be very cautious, as their vulnerabilities will begin to be targeted seriously by malware.

Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.

No.

[khasim]

Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.

I'm running FireFox with the NoScript extension. That way, no JavaScript runs from any site I don't specifically whitelist. So, no exploits from that side.

FireFox, by default, requires you to whitelist sites to install software from them. So, no exploits from that side.

And so on and so forth.

The key to security is to reduce the avenues of attack.

If my browser wi

a few days ago

[bcrowell]

We had a similar story a few days ago [slashdot.org]. It was not very informative, and for the same reasons this one's not very informative, e.g., IE is closed-source, so they don't disclose all the bugs.

Mozilla hits back at browser security claim

[anandpur]

Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
http://www.zdnet.co.uk/print/?TYPE=story&AT=392191 86-39020375t-10000025c [zdnet.co.uk]

Re:Mozilla hits back at browser security claim

[tktk]

In the article, from a Symantec researcher:

People who have swapped [from IE to Firefox], even if this is a blip, should ask whether the assumption that Firefox is more secure than IE is valid anymore. They shouldn't just rely on changing their browser, but may think about having to look at a different configuration."

By different configuration, I think he means, "Buy our products! Or else."

So spyware installation is a feature?

[jurt1235]

My neighbours using firefox on MS windows have had zero problems due to these security flaws. The neighbours using IE under XP with service pack 2 installed and automated update on still get tons of spyware.
So the alternative conclusion of the symantec report would be: Spyware holes in MS IE are not spyware holes, but easy software installation features.

Symantec is a scourge

[Shaman]

Anyone who thinks Symantec isn't acting in a *VERY* self-serving manner in the past few days worth of FUD is kidding themselves.

I kid you not, Symantec has been saying "Don't use the Mac, it's insecure! Or Linux! Or Mozilla! They're not secure, oh noes!!!"

Guess why... maybe it's because they don't have products for those operating systems... or maybe it's because there are no virii in the wild, and they haven't been able to figure out how to write good enough virii for those OS' to scare people into buying their shitty product?

You decide. I already have.

Re:Symantec is a scourge

[ScarabDrac]

Actually Symantec does have a OSX version of Norton Antivirus, I've seen it on the shelf at the retail store I work at. But as a friend of mine explained to me, writing a virus/worm for Windows is much easier and "can reach a larger audience" (his own words). So as you can imagine, Norton AV for OSX doesn't sell very well at all. In fact, it's the joke I use to close a Mac sale. But seriously, the sad thing is that many people will buy this FUD and let it dissuade them from trying Firefox. I probably wou

Symantec's Business?

[DarkBlackFox]

Since Symantec is best known for their Anti-Virus products, wouldn't it make sense for them to promote IE as the more "secure" browser?

I mean, it may not be secure in the traditional sense of the word, but with all the trojans/malware/ActiveX vulnerabilities out there, surely IE is the best way to "secure" profits for themselves?

Mod up insightful!

[incom]

Hit the nail on the head there.

Let the zealots start their engines...

[bogaboga]

Let the open source zealots start their engines. Guys, this is just one company's opinion. BTW you are entitiled to yours as well.

Re:Let the zealots start their engines...

[starfishsystems]

Guys, this is just one company's opinion.

Don't be a troll. An opinion is a statement based on subjective criteria. And yes, everyone has them, and comparisons between them are not particularly interesting.

But we're not talking about subjective matters here. Symantec has released a security analysis, whose premises and reasoning may or not be correct at various points. That's what we're discussing here. Symantec is not saying, "We think Britney Spears is cute." It's claiming that vulnerabilities have been found faster in one browser versus another over a certain period of study.

Our discussion is about the merits of that claim. It's called a rational discussion. I'm sure there will be some subjective opinions thrown in as well. After all, we're not a corporation issuing a press release on the findings of a security study, so tests of intellectual rigor are a bit different here.

Another repost... almost word for word this time

[Beatbyte]

Seriously would it hurt anyone's feelings if the duplicate stories were just pulled off /. ?

It not only makes /. look bad, but it is a known problem with an easy fix.

Anywho...

Cliff notes of last story:
IE's exploits would be someone taking over your computer remotely
Firefox's exploits would be malicious popups/crashing (of browser only)

So the "severity" thing doesn't really matter here.

Re:Another repost... almost word for word this tim

[PepeGSay]

"Malicious popups"?? "Crashing browler only"??

Yeah right. Please! Stop! I'm laughing so hard it hurts.

2003-2005
http://secunia.com/graph/?type=imp&period=all&pro d =4227 [secunia.com]
2005 Alone
http://secunia.com/graph/?type=imp&period=2005&pro d=4227 [secunia.com]

IE is more secure...

[suso]

if you don't use it.

Re:IE is more secure...

[sootman]

IE is more secure... if you don't use it.

I know you're joking, but as it happens, you're actually wrong. [microsoft.com]

2/2/2004: KB832894: Security Update for IE6/Windows XP: "This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)."

Yes, IE is that fucking bad.

New /. vulnerability found!

[Spy der Mann]

I think it's going to be called "dupeware" :P

Statistics my ass.

[Andr0s]

Well, perhaps Mozilla -does- have 'more' vulnerabilities than IE. Or it doesn't. But that kind of statement doesn't buy me. I've started using alternate browser (Phoenix) sometime in 2002, and I've switched to Firefox more or less fulltime well over a year ago. In all that time, I didn't have a single incident of spyware/adware infection, much less anything approaching disaster-scale events some of my friends and customers had, where ad/spyware infection rendered the computers completely useless, pending wi

Essentially dupe

[karvind]

We discussed this before [slashdot.org] on slashdot.

The Statistic I Want To See...

[JohnPerkins]

...is an aggregate measure of vulnerability time. How many days/weeks/months of total time will I experience between a vulnerability becoming public knowledge and the patch becoming available? How many for the Mozilla browsers? Even if there are 10 times as many vulnerabilities in the Mozilla browsers, if they get patched 100 times as fast, I would think the user would still be safer with some flavor of Mozilla than with IE.

Seems a bit unfair...

[jerkychew]

How many years has IE6 been on the market? Four, right? [hatch.org] It's had time to mature as a product, and be patched, secured, etc. Mozilla has been on the market for far less time, so I'd expect it to have more bugs in the code. This is like comparing straight Windows XP to Windows 2K with SP4 and all patches in place.

Let's look at it in another light: IE 6 is a 4-year-old software product, and still has a boatload of security vulnerabilities. I'd be more pissed that my 4-year-old app had 13 vulnerabilities, while

All lies!

[GrayCalx]

These are all a bunch of horrible horrible lies of course. There is no way that Mozilla is worse than IE in any aspect.

All of those bugs reported last year for IE were well founded, with serious implications that needed to be released to the public for THEIR OWN SAFETY!

Obviously these Mozilla bugs reported this year are miniscule at best, and it does the community a great disservice to release any information about them!

Gates is the devil! Impeach Bush! Katrina is a direct result of WalMart cutting lunches! And Starbucks is lacing their coffee with microscopic beta nanomachines, built to track and report our intake of caffeinated beverages!

Current Secunia Ratings

[Epeeist]

For Firefox

Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical

This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.

And IE

Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.

duh

[sniggly]

New orleans is more secure from flooding than Denver! Thats because Denver has no levee system whatsoever and ehhh I'm not sure how they can relate the number of flaws found to the level of protection afforded. It's usually the flaws that arent found and that are breached that lead to disaster. These virus vendors will cook up anything weird for a bit of a story...

IE more secure than Mozilla?

[Inoshiro]

The answer is still no [slashdot.org].

The key point, to me is...

[callipygian-showsyst]

The key point about the Mozilla folks is in this sentence:

Mitchell Baker, president of the foundation, said earlier this year that its browsers were fundamentally more secure than IE.

This is misleading! Fundamentally more secure means there's something inherent in their technology that makes it more secure. There really isn't. They're both written in similar langauges, both support plugs-ins and extensions, both are susceptible to the same sort of exploits.

Re:The key point, to me is...

[starfishsystems]

Fundamentally more secure means there's something inherent in their technology that makes it more secure.

There are indeed fundamental differences in the security between the two approaches. One obvious difference is modularity. A browser which is monolithically integrated with a system is a greater security risk than one which can be removed or replaced, since its risk cannot be mitigated.

Another fundamental difference is in transparency. Security fundamentally requires verification. Closed source s

Opera

[lilmouse]

Thanksfully, Opera is now available as a free browser. Yes, free as in beer, but it's still good. Why? Because when you have multiple browsers, a single infection can't hit all of them.

Yay Opera for windows, and Konquerer for Linux!

--LWM

Methodology

[starfishsystems]

And what methodology was followed in order to ensure that such comparisons would be meaningful?

This is old stuff, as we all know. So why does a supposed authority on security not only miss the obvious analytical and statistical requirements of meaningful comparison, but go on to publish its findings?

Could there be any possibility of bias as a result of the strategic partnership between Symantec and Microsoft? Just a thought.

More info before a conclusion

[Wubby]

Not to MS bash (which I admit I do from time to time), but what about vulnerabilities that are not vendor-confirmed?

What I'm concerned about is that the "study" relies on vulnerabilities that the vendor acknowledges. If one vendor is faster at, or more accepting of those vulnerabilities, then they will be seen to be "less secure".

OTOH, if the vendor rejects them more often, regardless of their merit (which MS has been known to do) the product seems "more secure".

I'm sorry, but if I disagree with the premis

Just an artifact of reporting mindsets.

[Entropius]

The Firefox devs are much, much more likely to acknowledge flaws and try to fix them, while Microsoft likes to downplay such things. Notice that the article said "vendor-confirmed flaws"?

Since OSS projects have a better security track record in general, they're more likely to actively seek out bugs and try to squash them because security holes are less tolerated. Likewise, a flaw that might be considered minor in IE might be classified as severe in Firefox.

RTFA

[mothlos]

There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

I think that says it all.

With a MAJOR Caveat

[mjh]

From TFA:

There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

Interesting methodology. That means that the browser vendor is in complete control of the vulnerability counts. This is NOT the kind of reporting of vulnerabilities that I think should be encouraged. I'd rather see vulnerability reports that encourage full disclosure. This creates an incentive for the vendor to hide vulnerabilities. I think that's bad.

How about this: a report that identifies the vulnerabilities associated with a vendor, and not a product. In other words, after the initial public announcement of a vulnerability, we report how long it took the vendor to release a patch. Lower scores are better.

Anybody think that'll work? If not, why not?

Blowing smoke.

[SoupIsGood Food]

I have never, in the course of my IT career and in my daily personal web surfing experience, been affected by security exploits aimed at Firefox or any other Mozilla-based browser.

I can say with confidence that I have laughed mightily at colleagues, friends and family members running IE who have to juggle two or three anti-malware programs and still wind up shoulder-deep in the Windows Registry or re-install because of security holes in IE.

Symantic can only blow so much smoke up my ass before reality re-asserts itself. Theoretical vulnerabilities are bad. Giant screaming voids you could drive a Peterbilt through are worse. Open Source Software frequently gives you the former. Microsoft can be counted upon, in a lead-pipe cinch, to deliver the latter.

SoupIsGood Food

Yawn. Follow the money.

[petard]

Even symantec admits that this report is a steaming pile of crap.

From TFA:

Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

Nice. So in terms of checking off the reported vulnerabilities and counting each one equally, if the report would be honest, IE would have 32 issues and Firefox would have 29. For the sake of this report, all vulnerabilities are equally bad, right? Well, not according to TFA:

Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."

So the IE vulnerabilities result in widespread exploitation and the Firefox ones don't, but firefox is somehow worse? I think the only way in which firefox is worse, from Symantec's perspective, is that the constantly malware-infested machines (where IE is the main infestation vector) inflate demand for the crap that Symantec peddles, and they're afraid that if people aren't constantly suffering from the pain of these infections this demand will evaporate.

Feh. Maybe I'm a cynic, but this looks like marketing poorly disguised as research to me...

They are just protecting their interests

[erroneus]

Yesterday there was something from them about how Firefox and Mac users are in a fantasy land for thinking they are safer for using them. Now they are asserting that within their selected window of time, more vulnerabilities were reported in FF than MSIE. How about we change the window from the beginning of their respective initial public releases until now? Would that be fair? How about if we pick a month window where no vulnerabilities had been reported in FF? Would that also be fair and balanced?

If people start jumping ship (Win+MSIE) onto another ship, Symantec will see that they will sell fewer floatation devices.

This is a pretty pathetic attempt to sway opinion by Symantec.

Criticality and Vulnerability Window

[Bob9113]

Aside from the question raised in many posts about whether the fact that Firefox is open source leads to faster and fuller disclosure, the following is an email I sent this past weekend regarding this article.

Lots is being made the past few days about the number of security holes found in various browsers. Just to try to keep the discussion from descending to complete irrelevance, here's the stats that actually matter:

Solution Status (has it been fixed?):
http://secunia.com/graph/?type=sol&period=all&prod =11 [secunia.com]
http://secunia.com/graph/?type=sol&period=all&prod =4227 [secunia.com]

Criticality (how bad is it if I get hit?):
http://secunia.com/graph/?type=cri&period=all&prod =11 [secunia.com]
http://secunia.com/graph/?type=cri&period=all&prod =4227 [secunia.com]

Unpatched Criticality (what can happen to me today?) Requires a little more looking - see the list at the bottom of each page:
http://secunia.com/product/11/ [secunia.com]
http://secunia.com/product/4227/ [secunia.com]
IE: 5 unpatched moderate or greater criticality
Firefox: 0 unpatched moderate or greater criticality

Finally, and unfortunately not clearly covered in [the Secunia] report is vulnerability window - how long does a bug go without being patched. You can, however, make a fairly good estimate by looking at the patch time for highly critical or worse bugs:

MS has been making big improvements lately, so I'll only look at the MS holes from the past year (the older ones have dramatically longer vulnerability windows) (I've also left out holes which were publicly discovered as a result of a windows patch)

IE Highly+ Critical Windows (past year)
http://secunia.com/advisories/12806/ [secunia.com] 103 days
http://secunia.com/advisories/12889/ [secunia.com] 108 days
http://secunia.com/advisories/12959/ [secunia.com] 29 days
http://secunia.com/advisories/13482/ [secunia.com] 53 days
http://secunia.com/advisories/15891/ [secunia.com] 7 days

Firefox Highly+ Critical Windows (all time)
http://secunia.com/advisories/14654/ [secunia.com] 7 days
http://secunia.com/advisories/14938/ [secunia.com] 24 days
http://secunia.com/advisories/15292/ [secunia.com] 5 days
http://secunia.com/advisories/16043/ [secunia.com] 7 days
http://secunia.com/advisories/16764/ [secunia.com] 3 days

Keep the discussion rational - security is hard, so is assessing security. Be skeptical of anyone who has a dog in the fight (eg: Symantec). [Which is not to say that Symantec cannot be trusted for Windows security, only that their PR department's press releases regarding software security should be treated as suspect - particularly when they draw questionable conclusions from insufficient data.]

IE vs Windows bugs

[pjrc]

In a previous post I found 22 IE bugs [slashdot.org] by simply looking through all the 2005 Microsoft security bulletins. These don't include bugs that Microsoft hasn't even fixed. This probably isn't a complete list either (I did it in only 10 minutes or so, plus avoiding slashdot's lame lameness filters to post a nicely formatted list). There are lots of other bugs not covered by the bulletins, where they post "notices" (like the infamous "don't click on links, type them instead"). But even if I found them all, 22 is a lot more than 13. And most on that list of 22 allow remote code execution.

But within the bulletins, there are lots of bugs, like the one fixed by MS05-024 [microsoft.com] that aren't "technically" IE bugs. But the end result is that a malicious web page (or advert iframe) could do something nasty... usually execute arbritrary code (install spyware or a virus if the server is infected). If simply viewing a web page with IE allows an attack, I call that an IE bug, regardless of where the actual bug is located by Microsoft's way of thinking.

Notice how the "affected software" of MS05-024 is many versions of windows, but Internet Explorer isn't specificly mentioned. So when someone tallies IE bugs, this one probably doesn't make the list. But the "Vulnerability Details" section says:

Web View Script Injection Vulnerability - CAN-2005-1191:

A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute code. However, user interaction is required to exploit this vulnerability.

I can see how a journalist could do such poor research. But Symantec? Come on, I found 22 nasty IE bugs by just browsing though 40-some Microsoft bulletins. That Symantec only thinks there's 13 doesn't build much confidence in the supposed "market leader" of anti-virus products!

Symantec is living off of their rep from the 80s

[gothzilla]

Symantec stopped producing effective software a long time ago. There was a time though when any self-respecting geek had a copy of Norton Utils, you know, the ones with all two-letter file names like NU.EXE.
Brand familiarity and name recognition are suitable substitutes for quality when it comes to business and profits. I wouldn't touch any of their software with a 10 foot IDE cable anymore, and haven't for the past few years.

Vendor-confirmed?

[Todd Knarr]

I think this is the kicker. The 25 vulnerabilities for Mozilla are almost certainly all the known vulnerabilities. For IE, how many vulnerabilities are there that've been reported that MS hasn't publicly acknowledged?

In addition, what's the severity? The last Mozilla vulnerability was the IDN bug, which was trivially worked-around by changing one config setting until a patch was released. Contrast that to the recent vulnerability in IE that MS won't discuss details of, other than to say that it allows total compromise of the machine and they won't be patching it until next month, and there's no workaround for the bug because nobody knows what the bug is (outside of MS, the security company that found it and the black-hats, of course).

My take on it: Mozilla may be having more vulnerabilities reported, but it's still fewer than in IE and those vulnerabilities are less severe, easier to work around without crippling your system and fixed sooner than IE's holes. From a user's viewpoint, this makes Mozilla more secure than IE.

For those who may be fooled by this

[Trailer Trash]

This exposes the gulf between open source security and proprietary security. Ignore for a minute the fact that Symantec a) has a vested interest in you using insecure products and b) uses highly flawed methodolgy as their "count" is actually "count of vendor-admitted bugs". There's a major difference between a vulnerability in Mozilla and a vulnerability in IE.

Since we don't have the source for IE, any vulnerability found is, by definition, exploitable. Someone found a way to exploit it- you get a vulnerability.

Vulnerabilities found in Mozilla, on the other hand, are often theoretical in nature. Someone looking through the source finds the problem, but no exploit is written.

Another major problem is here:

The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited."

My entire system isn't going to be compromised from me browsing with Mozilla. Period. Somebody is confused.

In other news...

[Glog]

... several Microsoft employees were found snuggling below the desks of the Symantec "experts" who recently performed a comparison between Firefox and IE security.

Show me a percentage

[Rick and Roll]

Show me a percentage of Firefox users that have had their computers screwed up, compared with IE. I'm sure the Firefox number will be lower.

If Firefox had been more popular, would it have been more exploited? Would it have been worse than IE? These are useless questions.

The point is, Firefox users are more secure than IE users. And Firefox developers are much better listeners than IE developers. People who use Firefox have a better experience with their computers. And that is why IE has lost market share.

I hope nobody takes all these B. S. articles seriously.

Re:Symantec?

[FidelCatsro]

I think you may be confusing Symantec with another company . Last I heard Symantec were a menace who enjoyed spreading fear so people would buy their security products (which in a lot of cases did more harm than good) .

Re:Symantec?

[tpgp]

These guys are actually somewhat reputable and they're saying this. Worth keeping and eye on.

No - Symantec are not reputable. They are a software company making a great deal of money off a particular business model (attempting to close the gate after the horse has bolted)

Of course Firefox/Linux/Mac/anything other then a microsoft hegemony scares the crap out of them.

I will leave it to others to say how the study is flawed (hint counting vulnerabilities without taking into account seriousness!) as other peop

Re:where is googleBrowser?

[Farmer Tim]

googleBrowser development has temporarily stalled because they're having a bit of difficulty working out how to make it a web delivered app.