
Symantec Rethinks Firefox vs IE Vulnerabilities

Posted by Zonk on Sun Mar 12, 2006 08:34 AM
from the double-think dept.
chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seems they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

Related Stories

[+] IE More Secure Than Mozilla? 534 comments
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted." "
  • imagine that (Score:5, Funny)

    by Anonymous Coward on Sunday March 12 2006, @08:39AM (#14902078)
    profit motive = incentive to lie

    I'm SHOCKED!
    • Re:imagine that by nevernamed (Score:2) Sunday March 12 2006, @09:25AM
    • Re:imagine that by Anonymous Coward (Score:3) Sunday March 12 2006, @09:39AM
      • Re:imagine that (Score:5, Insightful)

        by causality (777677) on Sunday March 12 2006, @12:02PM (#14902723)
        (Why would someone tell the truth if they didn't believe it was in their best interest, i.e. for profit?)

        I know this might come as a surprise to some of you, but there's a few strange individuals who have integrity, who do really strange things like telling the truth even when it may not be in their best interests. I suppose that might not fit into your worldview ...
        • Re:imagine that by DarkJC (Score:2) Sunday March 12 2006, @12:25PM
        • Re:imagine that (Score:5, Insightful)

          by killjoe (766577) on Sunday March 12 2006, @02:32PM (#14903223)
          People with integrity can't run big businesses. If a person with integrity starts a business and runs it ethically it will never get past the small to medium business range. Unethical people will always outcompete you because there is so much profit in sleaze.

          So really there are no people of integrity (in charge) in a company with more than 100 employees.
          • Re:imagine that by procrastin8r (Score:1) Sunday March 12 2006, @02:44PM
          • Re:imagine that by ppanon (Score:2) Sunday March 12 2006, @09:52PM
          • Re:imagine that (Score:4, Insightful)

            by hey! (33014) on Monday March 13 2006, @08:40AM (#14906724)
            (http://kamthaka.blogspot.com/ | Last Journal: Wednesday March 30 2005, @03:18PM)
            People with integrity can't run big businesses. If a person with integrity starts a business and runs it ethically it will never get past the small to medium business range. Unethical people will always outcompete you because there is so much profit in sleaze.

            Oh, I don't think that is true at all. Ask people about Bill Hewlett, and they'll tell you he was a great engineer who was fanatical about treating his employees with respect. Although ethics issues have arisen in some of Berkshire Hathaway's insurance subsidiaries, nobody has anything but stellar things to say about Warren Buffet's personal integrity and of course business acumen.

            The thing is, these guys are rare combinations of technical genius, organizational ability, and personal insight -- what they call these days "emotional intelligence". Most entrepreneurs fall short in one or more areas, and so bluster, pretense, and faking of results is common. With a bit of luck and a sense of timing, these guys may achieve a measure of success. Nonetheless, while you can never predict how chance may affect the outcome of the best laid plans, in a one to one contest of entrepreneurship, I'd put my money on Warren Buffet against a guy whose main qualification is that he's willing to lie and cheat.
        • Re:imagine that by McGiraf (Score:1) Sunday March 12 2006, @03:06PM
        • Re:imagine that by Mistshadow2k4 (Score:2) Sunday March 12 2006, @05:01PM
        • Re:imagine that (Score:4, Insightful)

          by tyme (6621) on Sunday March 12 2006, @01:34PM (#14903015)
          (http://members.bellatlantic.net/~dutky | Last Journal: Thursday November 03 2005, @12:13AM)
          some nitwit of an anonymous coward wrote:
          Human nature tells us that an individual can't possibly make a decision against what he sees as his best interests

          Complete bullshit, people do all sorts of things that are completely irrational, because at the moment that they did them they couldn't think straight (due to emotion, intoxication, haste, etc.). In a moment of irrational exuberance (or panic) a person is at least as likely to act against their own best interests (whether we are talking monetary, psychological or even physical) as they are not to. This is the sort of circumstance in which a person might jump into a freezing cold river to save a drowning person or run into a burning house to save a person calling for help, even though rational thought would tell them that they are far more likely to perish themselves than to effect a successful rescue.

          While this sort of action might benefit the species or society or the genome, it is clearly detrimental to the individual, and can't be reconciled with some naive notion of pure utility and self-interest. Simply put, the absurd notion that people always act in some manner to maximize some intellectual goal (profit, moral integrity, etc.) depends upon the notion that people always act rationally; since it is clear that people don't always act rationally (in fact, many people seem to act irrationally most of the time) the proposition fails on its own premises.
        • Handgrenades? by gstovall (Score:3) Sunday March 12 2006, @03:25PM
        • Re:imagine that by runderwo (Score:2) Sunday March 12 2006, @09:03PM
        • Re:imagine that by Rufus88 (Score:2) Monday March 13 2006, @07:05PM
      • Re:imagine that by Hosiah (Score:3) Sunday March 12 2006, @03:05PM
    • Re:imagine that by Skuld-Chan (Score:2) Sunday March 12 2006, @12:07PM
    • The tables have turned. (Score:5, Insightful)

      by babbling (952366) on Sunday March 12 2006, @12:10PM (#14902747)
      (http://www.getogg.org/)
      ... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)

      All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.
    • Re:imagine that by barefootgenius (Score:1) Monday March 13 2006, @10:53PM
  • by nich37ways (553075) <slashdot@37ways.org> on Sunday March 12 2006, @08:42AM (#14902084)
    (http://37ways.org/)
    I guess the latest "TCO: Microsoft is great" checks failed to appear this week....
  • It took them (Score:5, Funny)

    by colonslashslash (762464) on Sunday March 12 2006, @08:43AM (#14902088)
    (http://www.tlm-project.org/)
    Over 6 months to realise and admit that? Nice going ...
  • by 91degrees (207121) on Sunday March 12 2006, @08:44AM (#14902093)
    (Last Journal: Friday June 11 2004, @11:15AM)
    Weakest point, and amount of possible damage.

    If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

    If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.

    Now, exactly how an easy to implement low impact and a hard to implement high impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the nuber of critical bugs.
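The weighting the post above argues for, as an added illustration that is not part of the thread: each flaw gets a damage level (what the attacker can do) and an exploitability level (generic versus victim-specific), and browsers are ranked by their worst single flaw rather than by how many bugs the vendor agreed to call critical. The two scales, the labels on the sample flaws and the browser names are all constructed for the example, not real advisories.

```python
"""Rank browsers by worst case and ease of attack instead of by the count of
vendor-labelled critical bugs. Added illustration: the impact/exploitability
scales and the sample vulnerability lists are constructed, not real advisories."""
from dataclasses import dataclass

# What an attacker gets once the flaw triggers, ordered by damage (assumed scale).
IMPACT = {"info_leak": 1, "read_file": 2, "delete_file": 3, "code_exec": 4}
# "generic" works against any victim; "targeted" needs victim-specific knowledge.
EXPLOITABILITY = {"targeted": 1, "generic": 2}


@dataclass(frozen=True)
class Vuln:
    ident: str             # hypothetical label, not a real advisory identifier
    impact: str            # key into IMPACT
    exploitability: str    # key into EXPLOITABILITY
    vendor_critical: bool  # did the vendor agree to call it "critical"?


def score(v):
    """Per-flaw weight: damage times how generically it can be triggered."""
    return IMPACT[v.impact] * EXPLOITABILITY[v.exploitability]


def summarize(vulns):
    """Count-based and worst-case statistics for one browser's flaw list."""
    return {
        "count": len(vulns),
        "vendor_critical": sum(v.vendor_critical for v in vulns),
        "worst_impact": max(IMPACT[v.impact] for v in vulns),
        "worst_score": max(score(v) for v in vulns),
        "generic_attacks": sum(v.exploitability == "generic" for v in vulns),
    }


def rank_by_vendor_critical(browsers):
    """The counting method: most vendor-acknowledged criticals ranks least secure."""
    return sorted(browsers, key=lambda n: summarize(browsers[n])["vendor_critical"],
                  reverse=True)


def rank_by_worst_case(browsers):
    """Weakest-point method: worst single flaw first, then generic attacks, then count."""
    def key(n):
        s = summarize(browsers[n])
        return (s["worst_score"], s["generic_attacks"], s["count"])
    return sorted(browsers, key=key, reverse=True)


# Constructed sample: A has more (and more vendor-acknowledged) flaws; B has one
# worse flaw that its vendor declined to call critical.
SAMPLE = {
    "Browser A": [
        Vuln("A-1", "read_file", "generic", True),
        Vuln("A-2", "read_file", "generic", True),
        Vuln("A-3", "info_leak", "targeted", False),
    ],
    "Browser B": [
        Vuln("B-1", "delete_file", "generic", False),
    ],
}

if __name__ == "__main__":
    for name, vulns in SAMPLE.items():
        print(name, summarize(vulns))
    print("least secure by vendor-critical count:", rank_by_vendor_critical(SAMPLE))
    print("least secure by worst case:", rank_by_worst_case(SAMPLE))
```

On the sample, the count of vendor-acknowledged criticals puts Browser A last, while the worst-case ranking puts Browser B last because its one flaw lets a generic attacker delete files. Where the line between "easy, low impact" and "hard, high impact" is drawn is still a judgement, as the post says; the point is that the ordering of the scales is explicit and reviewable instead of being delegated to the vendor.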
  • OneCare (Score:5, Interesting)

    by ROOK*CA (703602) * on Sunday March 12 2006, @08:46AM (#14902097)
    I wonder if Symantec's "rethinking" of its position has anything to do with Microsoft announcing a competing offering (OneCare Live). Apparently Symantec will no longer just take Microsoft's word on whether a suspected flaw is actually a bug/vulnerability or not. Sorry Microsoft, that ole "Naw, that's not a vulnerability, it's just an undocumented feature" doesn't look like it's going to fly anymore.

    :D
    • Re:OneCare (Score:5, Insightful)

      by brian0918 (638904) on Sunday March 12 2006, @08:53AM (#14902122)
      Of course they're connected; there's no other possibility. Listening to Symantec's opinion on this would be like asking Philip Morris for an opinion on the link between cigarettes and lung cancer. So, how long until MS OneCare starts getting flagged as malicious spyware by Norton, or vice versa?
    • Re:OneCare (Score:5, Interesting)

      by ntsucks (22132) on Sunday March 12 2006, @09:17AM (#14902198)
      (http://www.rtsports.com/)
      Perhaps the Symantec marketing trolls have embarked on a subtle campaign to undermine the general public's trust in Micro$oft's ability to deliver secure products. Basically a "Who do you trust?" positioning of themselves against OneCare Live. Strange as it may seem, Joe Six Pack probably does not have the Slashdot crowd's contempt for Micro$oft's ability to deliver secure products, thus leaving some room for Symantec to discredit them.
      • Re:OneCare by Bloater (Score:1) Sunday March 12 2006, @09:36AM
        • Re:OneCare by dnoyeb (Score:2) Sunday March 12 2006, @09:44AM
          • Re:OneCare by Bloater (Score:2) Sunday March 12 2006, @11:26AM
        • Re:OneCare by Dehumanizer (Score:3) Sunday March 12 2006, @11:23AM
      • Re:OneCare (Score:4, Insightful)

        by burnin1965 (535071) on Sunday March 12 2006, @01:56PM (#14903110)
        (http://xmission.com/~burnin)
        "Perhaps the Symantec marketing trolls have embarked on a subtle campaign to undermine the general public's trust in Micro$oft's ability to deliver secure products"

        I suspect there is little public trust in the security of Microsoft's products that is worth undermining. Most people have been beaten into submission and have simply accepted their fate of dealing with the maladies which accompany Microsoft's products. At the same time everyone has also accepted that open source offerings are much more secure than Microsoft products but are beyond their technical skills.

        It is more likely that the Symantec marketing trolls are merely attacking their new enemy, Microsoft. Before the enemy was open source because of its public perception as a secure solution that does not need Symantec services, now Microsoft is the enemy because they are competing directly with Symantec. By scaring people away from products which don't require Symantec's services by refuting wide spread beliefs they hoped to maintain their market of installed Microsoft products which require their service, but now their greatest risk is that of losing their market directly to Microsoft.

        I'm with you in that Symantec's sudden change of heart concerning the security of IE versus Firefox appears rather disingenuous and loaded with ulterior motives, but I doubt there is a general feeling of trust between Microsoft and their customers which Symantec needs to break. Symantec is merely adding fuel to a long raging fire of mistrust of Microsoft and a perception of a need for protection against Microsoft's security failures. One could hardly say the negative perception of security in Microsoft's products is undeserved; to the contrary, they made the mess they are in, but that doesn't mean that Symantec is suddenly devoid of malice towards Microsoft these days.

        It is also possible that the people at Symantec are truly printing what they believe to be the truth. It's always good to give people the benefit of the doubt, but it does seem rather suspicious considering the circumstances.

        burnin
  • How can you trust them? (Score:4, Insightful)

    How can you trust these guys with your security?

    They make some b.s. statements that just aren't founded in logic, or in a reasonably cynical view of how people/companies behave. The result is that they suggest you do the ridiculous, with your security (not theirs). Then they (for whatever reason) say something else.

    I'm not even suggesting that they "came to their senses", but perhaps, for one reason or another, decided that Microsoft was not their friend anymore (or maybe firefox is their friend now).
    • Re:How can you trust them? (Score:5, Insightful)

      by spiritraveller (641174) on Sunday March 12 2006, @09:00AM (#14902141)
      (http://spiritraveller.blogspot.com/)
      How can you trust these guys with your security?

      No sane person would. By their own admission, it is clear that they gave a blank check to Microsoft. Whatever their motive for doing that, it shows a lack of devotion to the stated goal of their products.

      If a company wants my money for securing my computers, they better show some integrity that doesn't shift depending on how their relationship with the bigger company is going that day.
    • Don't by ELProphet (Score:1) Sunday March 12 2006, @09:10AM
    • Re:How can you trust them? by booyabazooka (Score:1) Sunday March 12 2006, @12:54PM
  • A Scenario (Score:5, Funny)

    by BumpyCarrot (775949) on Sunday March 12 2006, @08:52AM (#14902116)
    Symantec: Internet Explorer feasted on my childs bones.

    Microsoft: We don't consider that critical.
  • But there's more... (Score:5, Interesting)

    by ABoerma (941672) <ABoerma.gmail@com> on Sunday March 12 2006, @08:53AM (#14902118)
    I like the other part of TFA better:

    "Windows XP Professional, said Symantec, stays safe just one hour and 12 seconds, while the Windows 2000 Server (with SP4) made it an hour and 17 minutes. An unpatched Windows Server 2003 system lasted somewhat longer.

    In contrast, unpatched Linux installations of both Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop were never compromised during their month-and-a-half exposure to attackers."
  • Not too surprising (Score:5, Interesting)

    by enigma48 (143560) <jeff_new_slash.jeffdom@com> on Sunday March 12 2006, @08:53AM (#14902120)
    (Last Journal: Tuesday October 31 2006, @05:20AM)
    My first thought was that this makes perfect sense - now that MS is a competitor of Symantec, they're going to discredit them as much as they can.

    But Symantec has known for ages that MS is pushing into their space. Maybe they had a Netscape-esque agreement with Symantec and maybe Symantec found new evidence that convinced them partnering with MS isn't the best way to go?

    It *could* be as simple as an upper-management type listening to the feedback the last report got, but I haven't seen an icy weather forecast for Hell today.

    (For those who missed the MS Anti-trust days: it was 'alleged' that when MS decided that the 'net was not just a fad and MS needed to throw all their resources into making IE the dominant browser, MS offered not to compete in Mac-space if they left the Windows market quietly. Netscape refused, MS bundled IE with windows, and the rest is history)
  • Considering Firefox still has a fairly tech-savvy userbase (who in theory patch often), it'd be interesting to see what percentage of security exploits actually happen when using the two browsers in the real world.

    I believe that Firefox would have a significantly lower security breach rate than IE, but how does it compare with Opera or Safari?

  • Oi norton... (Score:4, Interesting)

    StartKeyLogger

    another undocumented feature...
  • ooops, sorry (Score:3, Interesting)

    by yagu (721525) * <<moc.liamg> <ta> <ugayay>> on Sunday March 12 2006, @08:59AM (#14902137)
    (Last Journal: Wednesday August 15, @03:36PM)

    It seems almost disingenuous to "rethink" this so late. Of course it's more than a little irritating, it directly impacts the perceptions and usage levels of the competing browsers. It's kind of like yelling "fire" in a crowded theater, waiting until the resultant stampede kills many in the theater and then saying, "I'm rethinking this, and it looks as if there is no fire."

  • RTFA....then think about it. Then ask which set of facts are they sticking too?

    Maybe they should do a security software resource usage comparison!

    There is a difference between "truth" and "honesty": truth is about "point truths", where you can be selective and deceptive. But "honesty", that's full scope.

    They are not very honest.

    It does seem that one of the things they do to help secure your system is to have your system so busy running their software that it doesn't have time to run anything else. There is a less expensive way to do this. Just unplug your system. Hell, you'll even save electricity, while being absolutely secure.
  • Obvious (Score:1)

    by fireheadca (853580) on Sunday March 12 2006, @09:08AM (#14902164)
    With VISTA coming out, Symantec is going to
    obviously be pushing its own products for that
    platform.

    However, to give the semblance of non-preference
    they will side with the better product for the
    term being.

    However, expect them to do a 360 in six months again
    citing VISTA the most secure product ever, bar none.
    • Re:Obvious by pla (Score:3) Sunday March 12 2006, @09:36AM
      • Re:Obvious by despisethesun (Score:3) Sunday March 12 2006, @11:30AM
  • Number of bugs means... (Score:5, Insightful)

    by plankrwf (929870) on Sunday March 12 2006, @09:09AM (#14902168)
    I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
    I have seen IT managers getting upset because there were hundreds of bugs*.
    Turned out all of them were because of ONE faulty thing.

    I have seen bug reports of the form
    1. pressing button A and then pressing button Y gets critical error.
    2. pressing button B and then pressing button Y gets critical error.
    3. pressing button C and then pressing button Y gets critical error.
    etc etc

    In other situations a manager was not upset, "there were only a few bugs*".
    Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
    Turned out fixing those few bugs took more than a month, while those 50 were 'fixed' within a week.

    So my professional view is that bug-counting doesn't count, the correct question is:
    how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)

    * To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.
    • Re:Number of bugs means... by cgenman (Score:2) Sunday March 12 2006, @03:33PM
      • Re:Number of bugs means... (Score:4, Interesting)

        by mav[LAG] (31387) on Sunday March 12 2006, @04:48PM (#14903779)
        This reminds me of a friend of mine who used to be a professional game tester for an EA dev team near where I live. Although somewhat looked down upon, testers are actually a terribly important part of the game dev process. If you're looking for budget to save, look somewhere else.

        Nobody told that to the manager. For the next project my friend was given absolutely nothing to work with - no design docs, no resources, no source code, no debug version, no reporting sheets - zip. Just a crappy PC with - occasionally - the latest build on. All his requests for the basic tools to let him do his job properly went unheeded. So he started filing bug reports via email like this:

        To: Developers
        Subject: Game is broken - fix it

        To: Developers
        Subject: Game crashes - needs to be fixed

        To: Developers
        Subject: Game broken - needs fixing

        He was quickly provided with the tools he needed :)
      • Re:Number of bugs means... by bogado (Score:3) Monday March 13 2006, @09:09AM
    • Re:Number of bugs means... by SeeMyNuts! (Score:1) Sunday March 12 2006, @04:09PM
  • Hi Symantec (Score:4, Insightful)

    by babbling (952366) on Sunday March 12 2006, @09:09AM (#14902171)
    (http://www.getogg.org/)
    Welcome to 2 years ago. This new Firefox browser is pretty cool, eh?

    I wonder if anyone ever took Symantec seriously when they made this claim. Most computer illiterate users wouldn't have even heard about Symantec saying this, and those that did (eg. Slashdot readers) would already know better. It's as if Symantec is in their own little universe where it seems as though everything incorrect is actually correct.
  • Vendor acknowledged? (Score:2, Informative)

    by DarthChris (960471) on Sunday March 12 2006, @09:10AM (#14902174)

    FTFS:

    "The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

    Mozilla has Bugzilla to keep track of its issues; MS is notorious for claiming bugs are in fact features.

    Also, IMHO any security issue is 'critical'. Someone once said that MS's 'critical vulnerabilities' are security flaws that should never have made it past design stage [vanwensveen.nl].

  • "We have substantially tested Windows XP and have found the operating system to be completely bug free. Our tests were conducted in a time period of 1 minute, which contains 60 seconds. As all seconds are effectively the same, we can safely say that Windows XP will be safe for all future occurrences of seconds."
  • by xianfox (732298) on Sunday March 12 2006, @09:22AM (#14902207)
    (http://www.xianfox.com/)
    I guess I'll have to "rethink" my reliance on any Symantec security program.
  • This coming from symantec (Score:2, Insightful)

    by saboola (655522) on Sunday March 12 2006, @09:25AM (#14902215)
    Whose company products in all my years of computer maintenance have overall caused me more problems than all the malware/viruses they were supposed to be fighting. Thanks for the heads up!
  • Seriously? (Score:3, Insightful)

    by user24 (854467) on Sunday March 12 2006, @09:32AM (#14902232)
    (http://www.puremango.co.uk/)
    You're seriously telling me that Symantec just added up the number of times a flaw was labelled "critical" by the owning company of the product, and based their 'report' on that - wtf?

    I mean, *I* could have done that. When I hear that one of the leading security companies has issued a report on the security of two competing products, I assume that they've actually evaluated those products, rather than just spat back the company literature.

    My already little faith in the company that brought us Norton has sunk lower still.
    • Re:Seriously? by ScrewMaster (Score:3) Sunday March 12 2006, @11:46AM
  • Damn (Score:5, Funny)

    by pHatidic (163975) on Sunday March 12 2006, @09:38AM (#14902249)
    (http://www.alexkrupp.com/)
    Oh shit I'm going to have to switch back now! Do you have any idea how long it took to get IE running on Linux?
    • Re:Damn (Score:4, Funny)

      by psocccer (105399) on Sunday March 12 2006, @05:37PM (#14903981)
      (http://hoopajoo.net/)
      Do you have any idea how long it took to get IE running on Linux?

      About 10 minutes [tatanka.com.br]? I run ie5.5 and ie6 under wine setup by this installer script so I can check web stuff without having to fire up qemu. And yes I know you were just kidding :p

  • by Anonymous Coward on Sunday March 12 2006, @09:46AM (#14902273)
    Symantec used to make top notch products. When I recently was exposed to their client software again assisting friends, I was shocked to see that they now make the worst security suite. It is just completely unusable for customers. Their failure to even have their software work with Windows XP SP2 (and letting their customers take the problems, such as all programs stop having internet connectivity but their own ...) is evidence that they, with their "platform play", are becoming increasingly at odds with Microsoft. If they were able to understand that at least until recently Microsoft has only provided basic functionality to help protect customers (such as the basic firewall and a central place to see security status) and that there is considerable space in which to provide superior technology, I might have believed some of their comments.

    The way it stands now, I cannot possibly recommend their products nor their "advice".
  • It seems to me that a 1:1 comparison of flaw counts is just going to show you how many potential problems there are...not your risk of getting hit through one of them.

    Let's say that I wrote the world's most flawed web browser (Anger Browser 1.0), with several hidden RC functions and a welcome mat for specially scripted spyware installers. Yes, it has 500 more flaws than IE, but I only have an installed user base of two. Does this mean that my browser presents a higher risk than a browser with 100,000,000 users and one flaw?

    All things the same, a flaw in IE presents a higher weighted risk than a browser with a fraction of the user base. Combining that with the relative ignorance of the average IE user, I say that a flaw in IE presents a much higher return to the bad guys than any other browser out there.

  • From the article:

    "In the last six months of 2005, Microsoft confirmed 12 vulnerabilities in Internet Explorer, down slightly from the 14 in the first half of last year. Firefox, however, sported 13 vendor-confirmed flaws, one more than IE, but also down from the 27 in the previous period."

    Even in the revised count it was 17 Firefox, 24 Internet Explorer...
    And that doesn't account for the vulnerabilities within embedded tech like Java, Flash, QuickTime, Windows Media [kotay.com], et al... that'll affect EVERY (modern) browser.

    NONE of this is particularly great if you're a consumer. If you're Symantec or another security vendor though - well, life is OK. :P

  • evaluate relative security by impact (Score:3, Insightful)

    by pikine (771084) on Sunday March 12 2006, @10:09AM (#14902339)
    (Last Journal: Saturday November 03, @09:51AM)
    Since arguing the merits of one browser over another leads to no end, I hope this post would be somewhat refreshing to read.

    Assuming a security measurement can sway users for switching from one browser to another, I propose the following measurement: multiply the number of vulnerabilities by market share, and call this the impact. At first glance, this is brutally unfair for IE, which continues to have the majority market share, but hear me out.

    Let's make another assumption. Suppose all competing browsers have vulnerabilities that lead to the same outcome, then the likelihood that script kiddies choose one browser over another to exploit is more or less determined by the browser's market share. Every vulnerability adds to this likelihood. Therefore, in the end, we end up summing a browser's market share a number of times that is the number of vulnerabilities for that browser. This is the same as multiplying number of vulnerabilities by market share. The result is a measurement of insecurity impact.

    What happens if we adopt measuring impact for insecurity?

    Since Firefox is a minority in browser market share, it can afford to have more bugs and be relatively secure. Its most critical vulnerabilities have lower impact than IE's equivalent. Suppose users then decide to switch to Firefox. The increase in Firefox market share means its vulnerabilities have higher impact. At one point, it becomes less secure than IE, and users start to switch back. We go back and forth and eventually reach an equilibrium. If users are perfectly "browser elastic" (have no resistance to switching browsers), then at the equilibrium, market share is inversely proportional to the number of vulnerabilities for all browsers. Of course, in real life, things are never that simple, but let's keep things simple. It is good enough to point out that letting impact determine market share is more desirable than letting vulnerability count determine market share.

    How can the impact score improve current measurement of security?

    We all know that some vendors like to play the optimist game by purposely reducing the severity of a vulnerability or even hiding it. If a certain highly popular browser vendor wants to manipulate the impact score, it has to cheat a lot, and at one point this cheating will become painfully obvious. Hopefully, the risk of causing a scandal would limit the vendor's cheating to a degree that does not significantly vary the impact score.
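The impact score and the equilibrium claimed in the post above, worked through as an added example that is not part of the thread. The vulnerability counts and market shares are constructed for the illustration (not the article's figures), and the switching rule, where each round a fraction of the highest-impact browser's users move to the lowest-impact one, is one assumed model of "browser elastic" users, not something the post specifies.

```python
"""Market-share-weighted 'impact' score and the equilibrium it implies.
Added illustration of the proposal in the thread; counts and shares are constructed."""


def impact(vuln_count, share):
    """Impact = number of vulnerabilities * market share (the proposal's definition)."""
    return vuln_count * share


def impact_scores(vuln_counts, shares):
    """Impact score for every browser in the market."""
    return {n: impact(vuln_counts[n], shares[n]) for n in vuln_counts}


def equilibrium_shares(vuln_counts):
    """Shares at which every browser has equal impact: share_i proportional to 1/vulns_i.
    This is the closed-form answer for perfectly 'browser elastic' users."""
    inverse = {n: 1.0 / v for n, v in vuln_counts.items()}
    total = sum(inverse.values())
    return {n: x / total for n, x in inverse.items()}


def simulate_switching(vuln_counts, shares, rate=0.1, rounds=500, tol=1e-9):
    """Assumed switching model: each round a fraction (rate, scaled by the relative
    impact gap) of the highest-impact browser's users move to the lowest-impact
    browser, until all impacts are equal. Returns the resulting shares."""
    shares = dict(shares)
    for _ in range(rounds):
        scores = impact_scores(vuln_counts, shares)
        worst = max(scores, key=scores.get)
        best = min(scores, key=scores.get)
        gap = scores[worst] - scores[best]
        if gap < tol:
            break
        moved = rate * shares[worst] * gap / scores[worst]
        shares[worst] -= moved
        shares[best] += moved
    return shares


# Constructed numbers: a majority browser with more vendor-confirmed flaws and a
# minority browser with fewer.
VULNS = {"IE": 24, "Firefox": 17}
SHARES = {"IE": 0.85, "Firefox": 0.15}

if __name__ == "__main__":
    print("impact today:", impact_scores(VULNS, SHARES))
    print("equilibrium shares:", equilibrium_shares(VULNS))
    print("shares after switching:", simulate_switching(VULNS, SHARES))
```

With these numbers the minority browser starts with a much lower impact despite a similar bug count, and the switching model converges to the closed-form equilibrium (IE at 17/41 of the market, Firefox at 24/41), where both browsers have the same impact. The simulation only illustrates the post's argument; real users are not perfectly elastic, and the vendor-confirmed counts feeding it are exactly the numbers the thread says vendors can manipulate.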
  • Well surprise surprise, Symantec demonstrates themselves to be of the calibre of Wall Street "analysts": regurgitating things that other people tell them, and passing it off as insight. How about doing some critical thinking of their own?

    Why do we keep reading about opinions of "analysts" everywhere? I guess I need to stop reading the Mac rumor sites so regularly; their "news" is often just "analyst predicts ..." The news media certainly don't paint "analysts" as being anything more than sock puppet mouthpieces without any independent skills.

    -b
  • The Secret to Success (Score:2, Funny)

    by burntsigil (898978) on Sunday March 12 2006, @10:21AM (#14902381)
    "Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

    That's it! That's the secret to making bug-free software! Not fix anything then deny it's a bug! That's what I'm gonna do!

    "Hey, this is a critical exploit!"
    "No, it's not."
    "Okay."

    BRILLIANT!
  • Who would trust Symantec? (Score:2, Insightful)

    by OrangeDoor (936298) on Sunday March 12 2006, @10:54AM (#14902505)
    (Last Journal: Friday December 16 2005, @08:28PM)
    Symantec is hardly a trusted objective source of security information. For them it's all about fear factor. Now with the two articles combined they paint both browsers as being unsecure.

    A trusted source would say:
    1. Keep computer upto date.
    2. Use Firefox as default browser.
    3. Don't trust any ads, pop-ups, or unexpected e-mails.
    4. Don't install every free screensaver you run across (or other stupid games/junk you might download)
    5. Keep your A/V software upto date. (And use something better, cheaper, and faster than Norton/McAfee like AVG.

    But if Symantec said do these 5 simple things, and make sure your kids can do these 5 simple things (or keep them off the computer), then they'd be undermining the fear factor they count on to sell their bloated POS products (their corp. products don't seem that bad though.) Symantec's software will NOT keep a computer clean if the people using it don't use safe computing practices. At least Dell stopped bundling exclusively Symantec and McAfee products, which should save people some grief from having their security software break their computers.
  • Excuse me? (Score:2, Insightful)

    by mabu (178417) on Sunday March 12 2006, @10:56AM (#14902509)
    Since when does Symantec have any credibility relating to computer security issues?

    Now when there's a report on the most efficient way to waste CPU time, memory and disk space, making computers slow down to a crawl, their commentary will be respected.

  • by brennz (715237) on Sunday March 12 2006, @11:38AM (#14902645)
    This makes me think of the CVSS http://www.first.org/cvss/ [first.org] and how inaccurate it also is.

    Most vendors will downrank/ignore/contest vulnerabilities. Then they will try to make comparisons between themselves and their competitors off a biased vulnerability score, impact, etc.

    Software vendors should have no part in acknowledging/ranking the legitimacy of vulnerabilities, once the security community has properly identified them, and repeated results, apart from sending a Thank you note to the security gurus that found the flaws.
  • by Lightzout (697564) on Sunday March 12 2006, @02:08PM (#14903144)
    This has to be the best troll ever. I feel like I am the moth, there is the flame, gonna die, can't turn back now, going in anyway! I think this is funny for two reasons. One, Symantec has no interest in securing anything but profits, and secondly the fact that Symantec could make the "news" by publicly admitting something so obvious to most savvy consumers is all the proof I need that the joke is me. Expect Symantec to announce its Firefox browser bundle soon.
  • by Grand Facade (35180) on Sunday March 12 2006, @04:07PM (#14903626)
    I am seeing more and more of this crap!

    Who in their right mind let the fox count the chickens?

    You know the Fox by nature will always be holding a few chickens behind his back.

    I even see this in major corporate contracts.

    The Fox is in charge of the chicken coop, supplies the feed and builds the fences,

    but the contractor is held responsible for the number of chickens.

    Fuckin' idiots put their own nuts in a vise when they signed the contract!

    And then they have the nerve to pay me pennies on the dollar to make their mess work.

    Bye bye, I'll leave them to die a slow and ugly death on their own razor.
  • Oliver Friedrichs?

    Who is this loser? How can we still be stuck listening to this garbage?

    Are we not men? Are we not people with critical thinking skills?

    Where is the independent security consultant, the person who cares only for the study and the results? This Oliver Friedrichs guy only cares about profits. If a company doesn't agree with you that their product has vulnerabilities, then you publish the study anyway, and give them the results.

    Where is the OSS front line these days? Do we even have a goal, or are we just hoping that things will work themselves out?
  • by JPyObjC Dude (772176) on Sunday March 12 2006, @09:12PM (#14904704)
    One important point regarding the apples to oranges comparisons is that we are comparing one dynamic development process with constant changes and improvements (FireFox/Mozilla) and one that has had no new improvements for many years (IE).

    It is reasonable to expect that Mozilla/Firefox would have more flaws over time because it is a product that is still in flux. Whereas in IE's case, we are still finding flaws that may have actually been there for many years or, worse yet, were created through IE trying to fix other bugs.

    Basically, boiling it down to the raw numbers, Firefox is way more secure than IE ... PERIOD

    JsD
  • It's too late... (Score:2)

    by gamer4Life (803857) on Sunday March 12 2006, @09:49PM (#14904843)
    It's too bad companies realize dealing with Microsoft is usually a bad idea in the long run. Make a profitable business base