Symantec Rethinks Firefox vs IE Vulnerabilities
chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seems they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor-acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
imagine that (Score:5, Funny)
I'm SHOCKED!
Re:imagine that (Score:2, Insightful)
Re:imagine that (Score:3, Funny)
Plus, IE doesn't use the page renderer to handle the user interface like Firefox does - that's already bitten Firefox several times and doubtlessly will continue to as people find ways to jump from "unsafe" content to "chrome" content.
Re:imagine that (Score:3, Interesting)
That's like saying windows 95 is more mature than [linux distro using kernel version 2.6.x] because as anyone can see, 95 > 2.6.
Re:imagine that (Score:3, Interesting)
Re:imagine that (Score:5, Insightful)
I know this might come as a surprise to some of you, but there's a few strange individuals who have integrity, who do really strange things like telling the truth even when it may not be in their best interests. I suppose that might not fit into your worldview
Re:imagine that (Score:2, Insightful)
Re:imagine that (Score:3, Insightful)
Re:imagine that (Score:3, Interesting)
Re:imagine that (Score:2)
Some people choose to act in a particular way as part of an intellectual construction of a particular way of acting. Motivations can be strange things.
Re:imagine that (Score:5, Insightful)
So really there are no people of integrity (in charge) in a company with more than 100 employees.
Re:imagine that (Score:4, Insightful)
Oh, I don't think that is true at all. Ask people about Bill Hewlett, and they'll tell you he was a great engineer who was fanatical about treating his employees with respect. Although ethics issues have arisen in some of Berkshire Hathaway's insurance subsidiaries, nobody has anything but stellar things to say about Warren Buffett's personal integrity and of course business acumen.
The thing is, these guys are rare combinations of technical genius, organizational ability, and personal insight -- what they call these days "emotional intelligence". Most entrepreneurs fall short in one or more areas, and so bluster, pretense, and faking of results is common. With a bit of luck and a sense of timing, these guys may achieve a measure of success. Nonetheless, while you can never predict how chance may affect the outcome of the best laid plans, in a one to one contest of entrepreneurship, I'd put my money on Warren Buffett against a guy whose main qualification is that he's willing to lie and cheat.
Re:imagine that (Score:2)
Re:imagine that (Score:2)
You see, the idea of selling security related products and releasing reports that the more secure web browser is actually less secure only increases those sales and deepens the need for the public to purchase their products.
What they didn't count on was the target audience's core constituents aren't the type that know only what product advertising tells them. When people started calling bull on these claims and demonstrating the differences between the two browsers, and
Re:imagine that (Score:4, Insightful)
Complete bullshit, people do all sorts of things that are completely irrational, because at the moment that they did them they couldn't think straight (due to emotion, intoxication, haste, etc.). In a moment of irrational exuberance (or panic) a person is at least as likely to act against their own best interests (whether we are talking monetary, psychological or even physical) as they are not to. This is the sort of circumstance in which a person might jump into a freezing cold river to save a drowning person or run into a burning house to save a person calling for help, even though rational thought would tell them that they are far more likely to perish themselves than to effect a successful rescue.
While this sort of action might benefit the species or society or the genome, it is clearly detrimental to the individual, and can't be reconciled with some naive notion of pure utility and self-interest. Simply put, the absurd notion that people always act in some manner to maximize some intellectual goal (profit, moral integrity, etc.) depends upon the notion that people always act rationally. Since it is clear that people don't always act rationally (in fact, many people seem to act irrationally most of the time), the proposition fails on its own premises.
Handgrenades? (Score:3, Insightful)
Re:imagine that (Score:3, Insightful)
Well, see, this story's example shows "the truth will always out." This is another one of those shifting paradigms you heard your PHB muttering about. In the present information age, with a battalion of bloggers on the job and snoopers ferreting to the very bottom of the data pile, it's damn near impossible to keep anything secret. So, you publicly deny that your product has *any* flaws, then get caught;
Re:imagine that (Score:2)
The tables have turned. (Score:5, Insightful)
All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.
Re:The tables have turned. (Score:2)
AV products can protect you from what happened two weeks ago, but they will never protect you from what's going to happen next week. Never.
If you rely on AV to protect your assets, then you might as well declare bankruptcy.
Since SP2 was released, we've taken a different approach. W
So Symantec hates microsoft now?? (Score:5, Funny)
Re:So Symantec hates microsoft now?? (Score:2)
Re:So Symantec hates microsoft now?? (Score:2)
It took them (Score:5, Funny)
Re:It took them (Score:2, Funny)
Re:It took them (Score:3, Funny)
Surely it's just about potential for harm. (Score:5, Insightful)
If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.
If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.
Now, exactly how an easy to implement low impact and a hard to implement high impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the number of critical bugs.
Re:Surely it's just about potential for harm. (Score:5, Insightful)
This isn't necessarily true. For instance, if the files that can be read include ones with, say, credit card information, wouldn't it be better to have those deleted (you can always re-enter the info to order online) than to have the information read without your knowledge and let someone else charge to your credit card?
The basic point you're making is quite correct, though.
Re:Surely it's just about potential for harm. (Score:2, Insightful)
Re: Surely it's just about potential for harm. (Score:2)
I'd say, based on previous performance, that both browsers probably have exploits allowing people to read files, delete files, get local root privileges, etc. The question should really be: how many such problems are there, how eas
OneCare (Score:5, Interesting)
Re:OneCare (Score:5, Insightful)
Re:OneCare (Score:5, Funny)
LOL, Great Point, I can see it now "Symantec Client Security Has Detected A Serious Vulnerability On Your Computer Click OK to Uninstall
Great way to drive pay-per-incident Technical Support too.
"Personal Security Suite Wars 2006 Coming to a Windows PC Near You."
Re:OneCare (Score:5, Funny)
You were modded funny, only because "prophetic" isn't a legitimate mod. Actually, McAfee beat them to it. [com.com] Their virus update sigs on Friday, March 10th classified MS Excel as a virus.
-Charles
Re:OneCare (Score:2)
Coming up with heuristics to sort out legit from malicious macros is probably a pain in the ass.
Re:OneCare (Score:5, Informative)
Re:OneCare (Score:5, Interesting)
Re:OneCare (Score:4, Insightful)
I suspect there is little public trust in the security of Microsoft's products that is worth undermining. Most people have been beaten into submission and have simply accepted their fate of dealing with the maladies which accompany Microsoft's products. At the same time everyone has also accepted that open source offerings are much more secure than Microsoft products but are beyond their technical skills.
It is more likely that the Symantec marketing trolls are merely attacking their new enemy, Microsoft. Before the enemy was open source because of its public perception as a secure solution that does not need Symantec services, now Microsoft is the enemy because they are competing directly with Symantec. By scaring people away from products which don't require Symantec's services by refuting wide spread beliefs they hoped to maintain their market of installed Microsoft products which require their service, but now their greatest risk is that of losing their market directly to Microsoft.
I'm with you in that Symantec's sudden change of heart concerning the security of IE versus Firefox appears rather disingenuous and loaded with ulterior motives, but I doubt there is a general feeling of trust between Microsoft and their customers which Symantec needs to break. Symantec is merely adding fuel to a long raging fire of mistrust of Microsoft and a perception of a need for protection against Microsoft's security failures. One could hardly say the negative perception of security in Microsoft's products is undeserved, to the contrary they made the mess they are in, but that doesn't mean that Symantec is suddenly devoid of malice towards Microsoft these days.
It is also possible that the people at Symantec are truly printing what they believe to be the truth, it's always good to give people the benefit of the doubt, but it does seem rather suspicious considering the circumstances.
burnin
Re:OneCare (Score:2)
That's what he said
Re:OneCare (Score:2)
But I see how I was ambiguous.
Re:OneCare (Score:3, Informative)
Joe Sixpack believes all software is from Microsoft. In fact, they invented computers, ya know.
How can you trust them? (Score:4, Insightful)
They make some b.s. statements that just aren't founded in logic, or in a reasonably cynical view of how people/companies behave. The result is that they suggest you do the ridiculous, with your security (not theirs). Then they (for whatever reason) say something else.
I'm not even suggesting that they "came to their senses", but perhaps, for one reason or another, decided that Microsoft was not their friend anymore (or maybe firefox is their friend now).
Re:How can you trust them? (Score:5, Insightful)
No sane person would. By their own admission, it is clear that they gave a blank check to Microsoft. Whatever their motive for doing that, it shows a lack of devotion to the stated goal of their products.
If a company wants my money for securing my computers, they better show some integrity that doesn't shift depending on how their relationship with the bigger company is going that day.
A Scenario (Score:5, Funny)
Microsoft: We don't consider that critical.
Re:But there's more... (Score:5, Insightful)
Re:But there's more... (Score:2)
Undoubtedly there are. And Microsoft's PR flacks, who apparently decided which vulnerabilities are labeled as critical in TFA (very few), also argue that Windows is attacked more because it's more popular. By that reasoning Apache should have a much worse security record than IIS since it's at least twice as popular. But if anything it's the other way around. The simple truth is your basic cracker/delinquent types are
That's not exactly correct. (Score:5, Insightful)
On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.
What matters is whether the box has open ports or not. The system's security should be configured to account for the home user's non-patching.
Apple has. Their boxes, by default, have no open ports.
Ubuntu has. Their default install has no open ports.
No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.
The first step in security is to reduce the avenues of attack.
Re:That's not exactly correct. (Score:2)
Scary thing is that it's true. I still get hits from bots trying to find old versions of PHP XML-RPC to exploit, and that itself is annoying. It's simple enough to run `nmap -p80 -oX boxen-to-pwn.xml 66.0.0.0/8 67.0.0.0/8` (or whatever IP subnets you wish) and then make a script to check all those servers that respond and to attempt to use the XML-RPC exp
Re:That's not exactly correct. (Score:2)
Unless, of course there is a vulnerability in the networking part of the Linux kernel. It has happened before, but of course it is quite unlikely thing to happen - although I wouldn't say "never".
Re:That's not exactly correct. (Score:2)
The parent stated that it's possible, however unlikely, that there may be vulnerabilities in the linux kernel that don't require open ports.
You stated that the Windows NT kernel is quite secure and most vulnerabilities are in drivers and API layers and that Linux may have such (Driver and API) vulnerabilities.
I fail to see any connection here, although I agree that Linux certainly does have vulnerabilities in driver and API layers.
Re:But there's more... (Score:2)
Re:But there's more... (Score:2, Insightful)
It is not unknown for updates to have new "features" and EULA clauses. It isn't just a matter of repairing the original product, it is a matter of transforming the original product into something new and not necessarily what the customer intended to purchase.
It would be a good thing for the IT industry, in the long term, for these things to get a good legal test. This would rein in the abusers, while clarifying the rules of business for the honest folk.
Re:But there's more... (Score:2)
That should be: So if you are a noob and don't patch your systems within one hour of connecting them to the net! People do connect virgin boxes directly to the net, you know...
Re:But there's more... (Score:3, Insightful)
My virus software performs a full scan daily at 8am. Weekdays at that time I'm on my way to work; weekends, I'm either still in bed or busy with something other than my PC. I rarely run full spyware scans, but when I do they take a few minutes and are always negative (other than the odd cookie).
Of course, I know what I'm doing, which is more than can be said for most PC users...
This is a well known point that MS has dismissed with the 'If linux was as popular...' FUD.
If Li
Re:But there's more... (Score:2)
(The original release of XP should have had a firewall active, but that's another story.)
Re:Why didn't you post the next paragraph... (Score:4, Insightful)
In short, the "bashing" is justified. If I, a humble geek, can figure out on my own that killing all of these unnecessary services can make the unpatched machine safer, then why can't the smart geeks at Microsoft? Why does the thing ship with so many services enabled? The average user does not know that there are "services" or how to kill them. For the average user, it is impossible to install and patch Windows without getting infected - that is a pretty damning security situation.
Re:Why didn't you post the next paragraph... (Score:2)
My problem with this article's statement about Windows XP being infected so quickly is that on an unpatched XP system the OS is over 4 years old. That's 4 years of known insecurities, it's not surprising that it would be compromised so quickly. Are
Re:Why didn't you post the next paragraph... (Score:2)
As for Linux, I guess it depends on the distribution - but I imagine that the box would be okay long enough to get patches on it even if you start from a 4-year-old distribution. This is because there usually aren't any open po
Re:Why didn't you post the next paragraph... (Score:2)
Re:Why didn't you post the next paragraph... (Score:2)
If you're immature enough to let a Slashdot post get to you, you really need to work on your critical thinking skills.
Whee, you went and read an article full of lies, then
Not too surprising (Score:5, Interesting)
But Symantec has known for ages that MS is pushing into their space. Maybe they had a Netscape-esque agreement with Symantec and maybe Symantec found new evidence that convinced them partnering with MS isn't the best way to go?
It *could* be as simple as an upper-management type listening to the feedback the last report got, but I haven't seen an icy weather forecast for Hell today.
(For those who missed the MS Anti-trust days: it was 'alleged' that when MS decided that the 'net was not just a fad and MS needed to throw all their resources into making IE the dominant browser, MS offered not to compete in Mac-space if they left the Windows market quietly. Netscape refused, MS bundled IE with windows, and the rest is history)
Re:Not too surprising (Score:3, Informative)
Yes, I work for Symantec. Any opinions I express in a post are my own and not necessarily those of my employer.
Actual security breaches compared? (Score:2)
I believe that Firefox would have a significantly lower security breach rate than IE, but further compared with Opera or Safari?
The obvious answer (Score:3, Insightful)
Re: (Score:2)
Oi norton... (Score:4, Interesting)
another undocumented feature...
Re:Oi norton... (Score:2)
Some people do want to read the comments that come after yours.
ooops, sorry (Score:3, Interesting)
It seems almost disingenuous to "rethink" this so late. Of course it's more than a little irritating, it directly impacts the perceptions and usage levels of the competing browsers. It's kind of like yelling "fire" in a crowded theater, waiting until the resultant stampede kills many in the theater and then saying, "I'm rethinking this, and it looks as if there is no fire."
"We just stick to the facts"...yeah buddy.. (Score:2)
Maybe they should do a security software resource usage comparison!
There is a difference between "truth" and "honesty" where truth is about "a point truths" where you can be selective and deceptive. But "Honesty", that's full scope.
They are not very honest.
It does seem that one of the things they do to help secure your system is to be having your system so busy running their software that it doesn't have time to run anything else.
Number of bugs means... (Score:5, Insightful)
I have seen IT managers getting upset because there were hundreds of bugs*.
Turned out all of them were because of ONE faulty thing.
I have seen bug reports of the form
1. pressing button A and then pressing button Y gets critical error.
2. pressing button B and then pressing button Y gets critical error.
3. pressing button C and then pressing button Y gets critical error.
etc etc
In other situations a manager was not upset, "there were only a few bugs*".
Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
Turned out fixing those few bugs took more than a month, while those 50 were 'fixed' within a week.
So my professional view is that bug-counting doesn't count, the correct question is:
how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)
* To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.
Re:Number of bugs means... (Score:2)
At the beginning of a bug-squashing beta period, your team may be killing a hundred bugs per day. By the end, you may spend the last weeks desperately
Re:Number of bugs means... (Score:4, Interesting)
Nobody told that to the manager. For the next project my friend was given absolutely nothing to work with - no design docs, no resources, no source code, no debug version, no reporting sheets - zip. Just a crappy PC with - occasionally - the latest build on. All his requests for the basic tools to let him do his job properly went unheeded. So he started filing bug reports via email like this:
To: Developers
Subject: Game is broken - fix it
To: Developers
Subject: Game crashes - needs to be fixed
To: Developers
Subject: Game broken - needs fixing
He was quickly provided with the tools he needed
Re:Number of bugs means... (Score:3, Insightful)
Hi Symantec (Score:4, Insightful)
I wonder if anyone ever took Symantec seriously when they made this claim. Most computer illiterate users wouldn't have even heard about Symantec saying this, and those that did (eg. Slashdot readers) would already know better. It's as if Symantec is in their own little universe where it seems as though everything incorrect is actually correct.
Re:Hi Symantec (Score:2)
Remember, these are corporate IT people. They don't think for themselves much. This way, if there's a total security meltdown, at lea
Re:Hi Symantec (Score:3, Interesting)
Vendor acknowledged? (Score:2, Informative)
FTFS:
Mozilla has Bugzilla to keep track of its issues, MS is notorious for claiming bugs are in fact features.
Also, IMHO any security issue is 'critical'. Someone once said that MS's 'critical vulnerabilities' are security flaws that should never have made it past design stage [vanwensveen.nl].
Symantec tests windows xp (Score:5, Funny)
Rethinking Symantec (Score:2)
This coming from symantec (Score:2, Insightful)
Re:This coming from symantec (Score:3, Interesting)
You can say that again. Where I'm working now, "Are you using Norton Internet Security or Anti-Virus?" is about question number 2 on the process for troubleshooting email problem calls. The first one is "What is your email address?". It's a 50/50 decision on if I'd rather taken on the virus/trojan world.......
Seriously? (Score:3, Insightful)
I mean, *I* could have done that. When I hear that one of the leading security companies has issued a report on the security of two competing products, I assume that they've actually evaluated those products, rather than just spat back the company literature.
My already little faith in the company that brought us Norton has sunk lower still.
Re:Seriously? (Score:3, Insightful)
Damn (Score:5, Funny)
Re:Damn (Score:4, Funny)
About 10 minutes [tatanka.com.br]? I run ie5.5 and ie6 under wine setup by this installer script so I can check web stuff without having to fire up qemu. And yes I know you were just kidding :p
Maker of the worst antivirus software ... (Score:2, Interesting)
Agree completely: Worst Antivirus Software EVAR (Score:2)
FIVE PAGES OF INSTRUCTIONS.
Countless services and hooks into the operating system, tied into Microsoft's automatic installation system, forcing itself to re-install if you miss a trace of the uninstall procedure (which is, itself not complete).
Before uninstalling, it would take up to 5 minutes to boot XP, after uninstalling, the bootup w
How about: Flaw + User Base = Risk (Score:3, Insightful)
Let's say that I wrote the world's most flawed web browser (Anger Browser 1.0), with several hidden RC functions and a welcome mat for specially scripted spyware installers. Yes, it has 500 more flaws than IE, but I only have an installed user base of two. Does this mean that my browser presents a higher risk than a browser with 100,000,000 users and one flaw?
All things the same, a flaw in IE presents a higher weighted risk than a browser with a fraction of the user base. Combining that with the relative ignorance of the average IE user, I say that a flaw in IE presents a much higher return to the bad guys than any other browser out there.
evaluate relative security by impact (Score:3, Insightful)
Assuming a security measurement can sway users for switching from one browser to another, I propose the following measurement: multiply the number of vulnerabilities by market share, and call this the impact. At first glance, this is brutally unfair for IE, which continues to have the majority market share, but hear me explain.
Let's make another assumption. Suppose all competing browsers have vulnerabilities that lead to the same outcome, then the likelihood that script kiddies choose one browser over another to exploit is more or less determined by the browser's market share. Every vulnerability adds to this likelihood. Therefore, in the end, we end up summing a browser's market share a number of times that is the number of vulnerabilities for that browser. This is the same as multiplying number of vulnerabilities by market share. The result is a measurement of insecurity impact.
What happens if we adopt measuring impact for insecurity?
Since Firefox is a minority in browser market share, it can afford to have more bugs and be relatively secure. Its most critical vulnerabilities have lower impact than IE's equivalent. Suppose users then decide to switch to Firefox. The increase in Firefox market share means its vulnerabilities have higher impact. At one point, it becomes less secure than IE, and users start to switch back. We go back and forth and eventually reach an equilibrium. If users are perfectly "browser elastic" (have no resistance to switching browsers), then at the equilibrium, market share is inversely proportional to the number of vulnerabilities for all browsers. Of course, in real life, things are never that simple, but let's keep things simple. It is good enough to point out that letting impact determine market share is more desirable than letting vulnerability count determine market share.
How can the impact score improve current measurement of security?
We all know that some vendors like to play the optimist game by purposely reducing the severity of a vulnerability or even hiding it. If a certain highly popular browser vendor wants to manipulate the impact score, it has to cheat a lot, and at one point this cheating will become painfully obvious. Hopefully, the risk of causing a scandal would limit the vendor's cheating to a degree that does not significantly vary the impact score.
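A worked version of the impact score and the "browser elastic" equilibrium described in this comment, as an added example that is not part of the original post. The vulnerability counts are the Secunia figures quoted further down this page (Opera 13, Firefox 27, IE 77); the starting market shares are constructed.

```python
# Impact-score model from the comment above. Added worked example, not the
# commenter's code. Counts are the Secunia figures quoted later on this page;
# the starting market shares are constructed for illustration.


def impact(vuln_count, market_share):
    """Impact = number of vulnerabilities x market share."""
    return vuln_count * market_share


def impact_scores(vulns, shares):
    """Impact score for every browser in `vulns` (shares keyed the same way)."""
    return {b: impact(vulns[b], shares[b]) for b in vulns}


def equilibrium_shares(vulns):
    """Closed form of the comment's equilibrium: market share inversely
    proportional to the vulnerability count, normalised to sum to 1."""
    if any(v <= 0 for v in vulns.values()):
        raise ValueError("every browser needs a positive vulnerability count")
    inverse = {b: 1.0 / v for b, v in vulns.items()}
    total = sum(inverse.values())
    return {b: x / total for b, x in inverse.items()}


def simulate_switching(vulns, shares, tol=1e-9, max_steps=10_000):
    """Iterate the back-and-forth the comment describes with perfectly
    'browser elastic' users: each round, users leave the browser with the
    highest impact for the one with the lowest, in exactly the amount that
    makes those two impacts equal. Returns (final shares, rounds taken)."""
    shares = dict(shares)
    for step in range(max_steps):
        scores = impact_scores(vulns, shares)
        worst = max(scores, key=scores.get)
        best = min(scores, key=scores.get)
        if scores[worst] - scores[best] <= tol:
            return shares, step
        # Move d users so that v_worst*(s_worst-d) == v_best*(s_best+d);
        # total share is preserved because d leaves one and joins the other.
        d = (scores[worst] - scores[best]) / (vulns[worst] + vulns[best])
        shares[worst] -= d
        shares[best] += d
    return shares, max_steps


VULNS = {"Opera 8.x": 13, "Firefox 1.x": 27, "MS IE 6.x": 77}
# Constructed starting shares (IE dominant, as the comment assumes).
START_SHARES = {"Opera 8.x": 0.05, "Firefox 1.x": 0.10, "MS IE 6.x": 0.85}

if __name__ == "__main__":
    print("initial impact:", impact_scores(VULNS, START_SHARES))
    final, rounds = simulate_switching(VULNS, START_SHARES)
    print(f"after {rounds} switching rounds:", final)
    print("closed-form equilibrium:", equilibrium_shares(VULNS))
```

Running it shows the switching process settling on the same shares as the closed form, with every browser's impact score equal at the end.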
Par for the horse. (Score:2)
Why do we keep reading about opinions of "analysts" everywhere? I guess I need to stop reading the Mac rumor sites so regularly; their "news" are often just "analyst predicts
The Secret to Success (Score:2, Funny)
That's it! That's the secret to making bug-free software! Not fix anything then deny it's a bug! That's what I'm gonna do!
"Hey, this is a critical exploit!"
"No, it's not."
"Okay."
BRILLIANT!
Who would trust Symantec? (Score:2, Insightful)
A trusted source would say:
Excuse me? (Score:2, Insightful)
Now when there's a report on the most efficient way to waste CPU time, memory and disk space, making computers slow down to a crawl, their commentary will be respected.
Reminds you of the CVSS right? (Score:2)
Most vendors will downrank/ignore/contest vulnerabilities. Then they will try to make comparisons between themselves and their competitors off a biased vulnerability score, impact, etc.
Software vendors should have no part in acknowledging/ranking the legitimacy of vulnerabilities, once the security community has properly identified them, and repeated results, apart from sending a Thank you note to the security gurus th
I can believe I am going to reply to this but... (Score:3, Interesting)
Symantec is not a security authority. (Score:2)
Who is this loser? How can we still be stuck listening to this garbage?
Are we not men? Are we not people with critical thinking skills?
Where is the independent security consultant, the person who cares only for the study and the results? This Oliver Friedrichs guy only cares about profits. If a company doesn't agree with you that their product has vulnerabilities, then you publish the study anyway, and give them the results.
Where is the OSS front line these days? Do we even have a goal, or
Re:Obvious (Score:3, Insightful)
I agree, so far - All companies will want in on Vista, even though just about anyone who has seen or used Vista already will stick with XP until at least the server version comes out...
However, expect them to do a 360 in six months again citing VISTA the most secure product ever, bar none.
Why?
Symantec makes software that improves your PC's safety against attacks. If they can point to a million and
Re:Obvious (Score:3, Insightful)
Scratch that. They will stick with XP unless they buy a new computer with Vista already installed. You have no idea how many people I deal with on a given day that are still using Windows 98. I even come across people who think Windows 95 is the cat's meow. For most people, that shit is "good enough", so it's unlikely that people will jump en masse to Vista without some major incentive.
Re:If you want "browser" safe, go get Opera (Score:3, Interesting)
Opera 8.x [secunia.com] had 13 flaws, 3 highly severe, 0 extremely severe;
Firefox 1.x [secunia.com] had 27 flaws, 7 highly severe, 1 extremely severe;
MS IE 6.x [secunia.com] had 77 flaws, 22 highly severe, 11 extremely severe.
It's still not apples to apples. (Time periods aren't the same, etc.)
I think the more important thing to note: all of the Opera flaws (to date) are fixed, there are still 2 open in FireFox, and 23 open in MS IE 6.x.