Symantec Rethinks Firefox vs IE Vulnerabilities

chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seem they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

imagine that

[by Anonymous Coward]

profit motive = incentive to lie

I'm SHOCKED!

The tables have turned.

[babbling (952366)]

... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)

All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.

Re:imagine that

[causality (777677)]

(Why would someone tell the truth if they didn't believe it was in their best interest, i.e. for profit?)

I know this might come as a surprise to some of you, but there's a few strange individuals who have integrity, who do really strange things like telling the truth even when it may not be in their best interests. I suppose that might not fit into your worldview ...

Re:imagine that

[killjoe (766577)]

People with integrity can't run big businesses. If a person with integrity starts a business and runs it ethically it will never get past the small to medium business range. Untethical people will always outcompete you because there is so much profit in sleaze.

So really there are no people of integrity (in charge) in a company with more then a 100 employees.

So Symantec hates microsoft now??

[nich37ways (553075)]

I guess the latest TCO Microsoft is great checks failed to appear this week....

It took them

[colonslashslash (762464)]

Over 6 months to realise and admit that? Nice going ...

Surely it's just about potential for harm.

[91degrees (207121)]

Weakest point, and amount of possible damage.

If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.

Now, exactly how an easy to implement low impact and a hard to implement high impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the nuber of critical bugs.

Re:Surely it's just about potential for harm.

[syntaxglitch (889367)]

If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

This isn't necessarily true. For instance, if the files that can be read include ones with, say, credit card information, wouldn't it be better to have those deleted (you can always re-enter the info to order online) than to have the information read without your knowledge and let someone else charge to your credit card?

The basic point you're making is quite correct, though.

OneCare

[ROOK*CA (703602)]

I wonder if Symantec's "rethinking" of it's position has anything to do with Microsoft Announcing a Competeing offering (OneCare Live), apparently Symantec will no longer just take Microsofts word whether a suspected flaw is actually a bug/vulnerability or not, Sorry Microsoft that ole "Naw, that's not a vulnerability, it's just an undocumented feature" doesn't look like it's going to fly anymore.

:D

Re:OneCare

[brian0918 (638904)]

Of course they're connected; there's no other possibility. Listening to Symantec's opinion on this would be like asking Philip Morris for an opinion on the link between cigarettes and lung cancer. So, how long until MS OneCare starts getting flagged as malicious spyware by Norton, or vice versa?

Re:OneCare

[ROOK*CA (703602)]

So, how long until MS OneCare starts getting flagged as malicious spyware by Norton, or vice versa?

LOL, Great Point, I can see it now "Symantec Client Security Has Detected A Serious Vulnerability On Your Computer Click OK to Uninstall ..... Microsoft Office" :D

Great way to drive pay-per-incident Technical Support too.

"Personal Security Suite Wars 2006 Coming to a Windows PC Near You."

Re:OneCare

[chill (34294)]

LOL, Great Point, I can see it now "Symantec Client Security Has Detected A Serious Vulnerability On Your Computer Click OK to Uninstall ..... Microsoft Office" :D

You were modded funny, only because "prophetic" isn't a legitimate mod. Actually, McAfee beat them to it. [com.com] Their virus update sigs on Friday, March 10th classified MS Excel as a virus.

  -Charles

Re:OneCare

[sqlrob (173498)]

vice versa happened a couple of weeks ago. [zdnet.com]

Re:OneCare

[ntsucks (22132)]

Perhaps the Symantec marketing trolls have embarked on a subtle campaign to undermind the general public's trust in Micro$oft's ability to deliver secure products. Basically a "Who do you trust?" positioning of themselves against OneCare Live. Strange as it may seem Joe Six Pack probably does not have the Slashdot crowd's contempt for Micro$oft's ability to deliver secure products, thus leaving some room for Symantec to discredit them.

How can you trust them?

[putko (753330)]

How can you trust these guys with your security?

They make some b.s. statements that just aren't founded in logic, or in a reasonably cynical view of how people/companies behave. The result is that they suggest you do the ridiculous, with your security (not theirs). Then they (for whatever reason) say something else.

I'm not even suggesting that they "came to their senses", but perhaps, for one reason or another, decided that Microsoft was not their friend anymore (or maybe firefox is their friend now).

Re:How can you trust them?

[spiritraveller (641174)]

How can you trust these guys with your security?

No sane person would. By their own admission, it is clear that they gave a blank check to Microsoft. Whatever their motive for doing that, it shows a lack of devotion to the stated goal of their products.

If a company wants my money for securing my computers, they better show some integrity that doesn't shift depending on how their relationship with the bigger company is going that day.

A Scenario

[BumpyCarrot (775949)]

Symantec: Internet Explorer feasted on my childs bones.

Microsoft: We don't consider that critical.

But there's more...

[ABoerma (941672)]

I like the other part of TFA better:

"Windows XP Professional, said Symantec, stays safe just one hour and 12 seconds, while the Windows 2000 Server (with SP4) made it an hour and 17 minutes. An unpatched Windows Server 2003 system lasted somewhat longer.

In contrast, unpatched Linux installations of both Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop were never compromised during their month-and-a-half exposure to attackers."

Re:But there's more...

[DanteLysin (829006)]

So if you are a noob and don't patch your systems, you get by longer on Linux than Windows. No surprise there. My guess is that there are more Windows oriented viruses/worms circulating the Internet. The take home message is "patch your system". We Slashdotters know better, but does the regular home user?

That's not exactly correct.

[khasim (1285)]

My guess is that there are more Windows oriented viruses/worms circulating the Internet.

"More" is correct. But the implication being that that is why the Linux boxes were not cracked is incorrect.

On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.

What matters is whether the box has open ports or not.

The take home message is "patch your system". We Slashdotters know better, but does the regular home user?

The system's security should be configured to account for the home user's non-patching.

Apple has. Their boxes, by default, have no open ports.
Ubuntu has. Their default install has no open ports.

No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.

The first step in security is to reduce the avenues of attack.

Not too surprising

[enigma48 (143560)]

My first thought was that this makes perfect sense - now that MS is a competitor of Symantec, they're going to discredit them as much as they can.

But Symantec has known for ages that MS is pushing into their space. Maybe they had a Netscape-esque agreement with Symantec and maybe Symantec found new evidence that convinced them partnering with MS isn't the best way to go?

It *could* be as simple as an upper-management type listening to the feedback the last report got, but I haven't seen an icy weather forecast for Hell today.

(For those who missed the MS Anti-trust days: it was 'alleged' that when MS decided that the 'net was not just a fad and MS needed to throw all their resources into making IE the dominant browser, MS offered not to compete in Mac-space if they left the Windows market quietly. Netscape refused, MS bundled IE with windows, and the rest is history)

Oi norton...

[djsmiley (752149)]

StartKeyLogger

another undocmented feature...

Number of bugs means...

[plankrwf (929870)]

I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
I have seen IT managers getting upset because there were 100's og bugs*.
Turned out all of them were because of ONE faulty thing.

I have seen bug reports of the form
1. pressing button A and then pressing button Y gets critical error.
2. pressing button B and then pressing button Y gets critical error.
3. pressing button C and then pressing button Y gets critical error.
etc etc

In other situations a manager was not upset, "there were only a few bugs*".
Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
Turned out fixing those few bugs took more than o month, while those 50 were 'fixed' within a week.

So my professional view is that bug-counting doesn't count, the correct question is:
how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)

* To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.

Symantec tests windows xp

[Centurix (249778)]

"We have substatially tested Windows XP and have found the operating system to be completely bug free. Out tests were conducted in a time period of 1 minute, which contains 60 seconds. As all seconds are effectively the same, we can safely say that Windows XP will be safe for all future occurances of seconds."

Damn

[pHatidic (163975)]

Oh shit I'm going to have to switch back now! Do you have any idea how long it took to get IE running on Linux?