Browser Vulnerability Study Unkind to Firefox

Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."

Truth to the market segment argument?

[RingDev]

What's this? Could it be an indication that there is some truth to the market segment correlation to vulnerabilities and attacks?

-Rick

Re:Truth to the market segment argument?

[Nos.]

This article is pretty light. Sure, more vulnerabilities is bad, but it doesn't necessarily that more vulnerabilites is worse. Firefox is patched quicker, which is very important. Also, I don't see anything about the nature of these vulnerabilities. Are they all critical, you box is getting trojaned? Just comparing the pure numbers doesn't tell us much.

Re:Truth to the market segment argument?

[Daniel_Staal]

For that matter, they all could basically be because someone ran a code-audit on Firefox recently. Something like that would raise the 'found vulnerablities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently. (I don't know of any such audit off the top of my head, but I don't follow that closely. It wouldn't nececarrally make the news.)

Re:

[advocate_one]

For that matter, they all could basically be because someone ran a code-audit on Firefox recently. Something like that would raise the 'found vulnerablities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently.

somebody did... [g2zero.com] recently... like just a very short while ago...

Re:

[bunratty]

Earlier this year Coverity analyzed the Firefox source code also [internetnews.com].

Re:

[rapidweather]

I figured something like this would come along, and that's why I provide three web browsers in my Knoppix remaster, (see screenshots below). Right now, I am using it with Opera 9.02, but also have Flock and Firefox in the CD. They are keeping me busy updating these browsers, I cannot use the automatic update setup that Firefox uses on Windows machines, mine is a livecd setup.
Having said that, I don't see how my machine can be trojaned. This is knoppix, after all. I do have Firefox protected somewhat with th

Re:

[packeteer]

self promote more please...

Re:

[catwh0re]

I've said this ad nauseam on here, and generally most people will agree: The number of patches released for a piece of software is not an indication of the software's security.

There seems to be a journalistic approach that equates more patches with less security.. More patches means a -more- secure product, not a less secure product. We're not talking about Windows XP here, where the tide of patches has never stemmed, to the point where their patches have been guilty of creating new security vulnerabilities

Re:

[shaitand]

"Sure, more vulnerabilities is bad,"

More vulnerabilities is bad, but more reported vulnerabilities is not. More reported vulnerabilities is good as long as the vulnerabilities are being patched. I would be happy to hear that they ironed out a thousand vulnerabilities in FireFox this month.

No software is without vulnerabilities, but the more vigorously they are hunted out and patched the more obscure the ones left will be. If a thousand vulnerabilities are found and fixed in FireFox this month they will prob

How about measuring days of vulnerability

[cryptoguy]

A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.

Re:

[Mistshadow2k4]

The fewer the safer? I wouldn't say that -- Active X is a huge vulnerability all by itself. You may be able to disable Active X in IE7 beta but you can't in 6 without 3rd-party software, to my knowledge.

Re:

[aztracker1]

Set the security level for the "internet" zone to "high"... no active-x, you can also do custom for dissabling active-x, while leaving javascript. I wouldn't mind seeing a "permitted controls" list, so you could allow say javascript, xmlhttprequest, flash and java, while leaving the rest disabled... I usually put those sites that *NEED* it into the "trusted" zone (set to medium security).

I use Firefox for my general browsing, and am now using linux as my main OS. My wife/kid's pc's are setup as above..

Re:

[jacksonj04]

Just out of interest, is there any way to 'slipstream' (to use an MSism) an extension into a FF install? I want to build some to just hand out to people with IETab ready to go.

Re:

[fuzzix]

Just out of interest, is there any way to 'slipstream' (to use an MSism) an extension into a FF install? I want to build some to just hand out to people with IETab ready to go.

You might try installing an extension on Firefox portable [portableapps.com] and giving them that in a self extractor that includes a shortcut to Firefox on the All Users desktop... or something... Man, it's so long since I've done this Windows stuff I'm not even sure what's feasible any more :)

Re:

[cp.tar]

I don't know whether it's a feature of Firefox itself, or an extension called MR Tech's Local Install, but if you place downloaded extensions in the Extensions folder, Firefox will prompt you to install them next time it's run.

FWIW, it would be nice to be able to slipstream extension installs into Firefox installs; you could make a tightened security... heh... distribution of Firefox with AdBlock, NoScript and so on included; a neat, quick install for people who have to do it a lot.

Then again, it doesn't

Re:

[bunratty]

You mean an arbitrary code execution vulnerability? Yes, Firefox and Opera have both had them, too.

Look at the uptick in reported vulnerabilities

[Beryllium Sphere(tm)]

Firefox's code base did not suddenly get far worse. The change must come from more people paying attention.

Agreed, pretty meaningless without specifying the severity of the vulnerabilities and the time to get them patched.

Plus, to a pragmatic user, does it really matter why there are so few exploits in the wild? "Inherent" security won't pay for a format and reinstall. If you can browse safely, the only reason to pay attention to the "It's not popular enough to exploit" arguments is to stay alert as your br

JC, mobs and mods

[RingDev]

I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has less vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increase, so has the rate of vulnerability discovery.

That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.

So, the whole point I was hoping to provoke in conversation:

Vulnerabilities Discovered != Vulnerabilities

Increased Usage = Increased Vulnerabilities Discovered

-Rick

Re:

[Xichekolas]

Every /. user goes through their Pro-Microsoft stage... just usually it happens before they get a /. userid...

Re:

[RingDev]

That wasn't a pro-MS statement. That was a "don't be an idiot" statement.

-Rick

Re:

[achacha]

And text only browser on my atari 130XE would also be safe.

But come on, the study is obviously going after the huge market share of windows machines that run either IE or Firefox. If Kubuntu was as prevalent as Windoze then yes you would see a lot more hackers working on breaking them, it's a game of numbers; it doesn't help that for most novices windows is the first OS they get to use (and struggle with).

Then again, Symantec has always been in bed with IE and for them to claim that Firefox is insecure onl

Not so bleak

[Noksagt]

From the article (emphasis mine):

That said, Internet Explorer remains the most popular target for attacks, with 69 percent of all browser attacks targeted specifically at that browser alone. 20 percent of the attacks monitored during the period in question were targeted at Firefox.

When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.

So Firefox is still less targeted than IE & also gets fixed much sooner.

If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. [secunia.com] Firefox has 3 of 36 unpatched [secunia.com]. The most sever unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."

Opera wins :-)

[RobbieGee]

Have a look at Opera 9.x's advisory list [secunia.com] :-)

Affected By 1 Secunia advisories

Unpatched 0% (0 of 1 Secunia advisories)

Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

Qt?

[pingveno]

I can't help but wonder if the Qt GUI toolkit has helped Opera be among the top few browsers, as well as the other factors involved (small user base, closed source). Is that possible?

An advantage for Opera: timing

[Kelson]

One advantage Opera has is that they manage to coordinate advisory releases and bug fixes. It's rare that someone announces a security vulnerability in Opera before the updated version is out.

This probably means that most vulnerabilities in Opera are found internally, or reported straight to Opera by researchers. At that point Opera works on a bug fix, then releases the update and the advisory together.

By contrast, many vulnerabilities for Microsoft and Mozilla products get posted to Bugtraq or otherwise

Re:

[rainman_bc]

Opera is a decent browser, unfortunately it has been known to break on some pretty common javascript.

Yup - I had the very same discussion [opera.com]with Opera devs about my bank's web site. I bank with one of the largest banks in Canada, and Opera devs claim the problem is with the authors of the banking site, not with Opera itself.

While I am a fan of Opera, why would any bank give a flying fart if their site doesn't work with Opera? I tried to convince the Opera devs it was a problem with their browser, and they ci

Re:

[RobbieGee]

And you completely ignored Hallvors' post where he said he would patch it [opera.com] for all Opera users if you'd given him the name of the site.

Re:

[nightgeometry]

From reading the discussion it sounds like the Opera devs are actually right here and, to be honest, those disagreeing come across as a bunch of whiners.

What they are saying, in my interpretation, is that allowing a subdomain to redirect from a domain is actually an insecure thing to do, as it is not simple for the browser to determine whether a domain is actually a subdomain (i.e. example.co.uk example2.co.uk aren't both subdomains of co.uk for this purpose).

They then give a piece of javascript that

Re:

[mabhatter654]

banks will care in about 2 months that Opera doesn't work! 2 months is when PS3 and Wii come out with web access built in. Wii is already going to ship with Opera to download. PS3 may be on board shortly after because Opera is pretty much the only game in town for embedded browsers... and they're cheap too! (compared to getting MS to help you out)

Re:

[Bozdune]

Thanks, I almost believed parent. And I'm not even new here. No excuse.

Opera and bug reports

[Kelson]

Opera's bug reporting is really really obscure. They lock out the bug database and don't tell you if they fixed something, or even if it was a problem.

The way to deal with that, I've found, is to ask follow-up questions on the forums [opera.com]. If you keep track of the bug report numbers, it's even better.

I reported a couple of CSS bugs back during the betas for Opera 8. Nothing happened. So during the Opera 9 betas, I posted questions about them, asked about other bugs I encountered, and funny thing, every la

Re:

[RonnyJ]

If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched.

Why didn't you quote Opera 9's statistics [secunia.com] from Secunia too?

Affected By 1 Secunia advisories, Unpatched 0% (0 of 1 Secunia advisories)

Article hurts my brain

[Beryllium Sphere(tm)]

How can IE have a "nine-day window" for patching if patches only come out once a month?

Re:

[Athenais]

Routine patches come out once a month; critical updates are released as soon as a patch has been developed and tested. Often, this is less than a month. ;)

Re:

[IAmTheDave]

Not to mention a flaw discovered on Nov. 25 and patched for the Dec. 1 release plays with the "1 month" curve a little.

What do the numbers even mean?

[Chris Burke]

The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?

I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.

Re:What do the numbers even mean?

[this great guy]

(Here what I was about to post, but you pretty much summed up my viewpoint. Before all, here is a direct link to this Symantec Internet Security Threat Report -- Volume X: September 2006 [veritas.com] that is talked about.)

It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

Totally. Pointless. Comparison.

First, as the Slashdot posting correctly points out, the window of vulnerability is much larger with IE. Microsoft is known for taking months to fix some vulns, and is taking longer and longer [washingtonpost.com] over the years.

Second, what about the importance of these vulns ? Was it 47 minor DoS for Firefox and 38 critical arbitrary code execution vulns for IE ?

Third, what about the methodology used to gather the vuln counts ? The report always says "Source: Symantec Corporation", with no more information. Did they count Firefox security related bugs or security advisories ? Did they count 1 Microsoft patch fixing N vulns as 1 or N vulns (too many studies make this mistake) ?

Fourth, what about silently fixed vulns in IE ? Microsoft is known for secretly fixing vulns that are discovered internally [eweek.com], and of course they never talk about them in public. Symantec certainly did not count these.

There are just too many reasons making virtually all studies comparing the number of security patches between 2 products useless. This one is no exception.

Re:

[jesterzog]

Totally. Pointless. Comparison.

I think it'd be more correct to say it's an unfair and biased comparison than a pointless one. I know I'm being cynical, but the comparison is completely logical from a Symantec marketing perspective. (Well, that's what FUD is realistically.)

In particular, Firefox is a web browser that doesn't have a reputation of needing external software to protect it. If more people use Firefox, it also increases the motivation for website developers to develop compatible websites, an

Re:

[Himring]

Like the piece symantec did last year -- I think was -- on firefox and security, it still stands. They have a vested interest in firefox NOT being a solution for computer security. I take their reviews with a grain of salt....

Re:

[molarmass192]

Though possible, it's hard to infect a Mac, Linux, HP, Solaris, AIX, or BSD box with a virus or trojan designed to infect Windows XP.

This is only theoretically possible and then really only in circumstances where the virus or trojan is not an OS specific binary but a script of some sort. It is virtually impossible to have a cross platform OS binary work on more than one OS. For this to work, the exploit would need to leverage similar flaws in both OS binary loaders such as the Windows PXE loader and the

Not so hard...

[mengel]

Assuming you have a one-each binary payload, you just put them all on the same web page.

And it's not like this is a new idea, the original Morris Worm [wikipedia.org] was cross-platform. (Solaris and BSD on DEC. hardware). That one had to actually make several network connections to a system, trying a different payload each time.

But a web browser, it will make multiple connections for you, and download multiple attack payloads for you. Isn't that convenient?

Consider this...

[KermodeBear]

FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.

IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.

That said, I know which one will issue a bug fix more quickly when something IS found...

And consider this, too...

[KingSkippus]

Consider this, too:

This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)

But also consider this:

Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?

That's when you're really thankful of this:

Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability.

Re:And consider this, too...

[SirTalon42]

WebKit (based on KHTML, possibly going to be merged back with mainline KHTML soon) is Open Source (LGPL), which is what Safari uses for rendering.

Webkit is to Safari what Gecko is to Firefox and what KHTML is to Konqueror.

Re:Consider this...

[RonnyJ]

FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.

Opera keeps having new features added too, though. Despite this, according to the article, Opera managed to have a decrease in vulnerabilities - so why not Firefox?

Re:

[KDR_11k]

I'd say this is more due to the open nature of Firefox, when FF has a vulnerability it's discussed publicly and vulnerabilities are easier to spot since it's opensource. With other browsers you don't know how many vulnerabilities are found and patched behind the scenes and they are much more difficult to find for outside observers.

User base and source control

[everphilski]

Vulnurabilities are directly proporitonal to user base and increase with access to source control.

Opera has a low user base and is closed source. Therefore, few vulnurabilities. In short, no one cares.

Firefox, on the other hand, has a moderate user base but the source code is right there, the vulnurabilities are ripe for the picking. Hence why the vulnurabilities are high but the turnaround time to fix them, also quick.

IE on the other hand, high user base closed source. High vulnurabilities because of the high user base but potential hackers have to work harder.

Really, this study is a no-brainer. The results make perfect sense.

Delicious irony!

[Kelson]

Admittedly, your comment adds a second component (source control), so it's better than some of the arguments I've seen, but...

Does anyone else appreciate the irony inherent in the fact that some Firefox users claim that Opera only appears more secure because fewer people use it, and therefore fewer users encounter problems and fewer attackers look for them?

It wasn't that long ago that IE users were making the same claim about Firefox. I seem to recall the argument wasn't terribly popular among this crowd.

Re:

[PitaBred]

I think you meant fewer problems. It's ok. English isn't the official language in New Zealand. Oh, wait a minute... You may have fewer problems with Opera, in theory, but you're also forgoing all the nifty extensions that Firefox has, etc., as well as it being much easier for me to say to my health care company "Support Firefox, lots of people use it!" and they say "We're looking into it for our next update" rather than saying "Support Opera, I use it!" and them replying "Sorry, you don't represent enou

Re:

[Onan]

Fascinating. Isn't the most common accusation leveled at Microsoft that they always prioritize new features and bloat over making their existing stuff more stable and secure?

So, in other words, the Mozilla project has become Microsoft, but more so?

Increase in user base?

[celardore]

The pretty graph does show an increase in the number of vunerabilities found between July 05 to December 05, and January 06 to June 06, but could this be because the number of users has also increased in that time? More users finding and reporting the bugs, or even a greater number of developers writing the code making it less manageable and secure?

Best part, no rebooting for patching...

[mobiux]

Yes I use Windows.
For most of the IE vulnerabilities, I have to reboot my computer to install it.

Firefox is nice enough to download it and install it the next time I start the browser.
And it does it more than the 2nd Tuesday of each month.

Re:

[projektsilence]

Yeah! OH NO!! Tools->Options->Advanced->Update tab

It's very very hard to turn off too! /sarcasm Granted, you can look at this either way, is it good to have that off by default and not auto-update or would you leave it on by default so it saturates your pipe.

Your choice is between having a secure, patched browser and a slow internet connection for the however many minutes it takes to download the patch; or to have an unpatched, unsecure browser and all access to all the bandwidth. The one

Re:

[PitaBred]

I don't complain about Windows Update doing just that. In fact, most people don't. And it does it exactly the same way. It is in fact more annoying, because it keeps popping up that fucking window, rather than letting me just tell it to go away and I'll reboot later. I've accidentally rebooted when doing something important enough times because of that window stealing focus and defauting to "Reboot Now" that I turn the bastard off and only update manually.

Version?

[in2mind]

The ARS Technica doesnt mention the version for any of the browsers they mention.When they say 47 bugs were discovered for Firefox ,which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE. 6 or 7?

Re:

[tabdelgawad]

Obviously not for a single version, but for the most current version when each vulnerability was discovered. Not counting betas.

So what?

[ricky-road-flats]

Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted in people's identities being stolen?

This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.

IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.

Re:

[portmapper]

> Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in
> the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted
> in people's identities being stolen?

The issue is that Firefox (and Thunderbird) has had many security issues, and still has many. For instance,
KDE Konquerer WWW browser has not has nearly as many security issues.

> his study shows me nothing useful. Given the fact that a

Re:

[99BottlesOfBeerInMyF]

Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted in people's identities being stolen?

The study does not give exact numbers for any of these things, but it does nicely summarize the state of these things by saying all the widespread exploits were for IE and none for any other browser.

This study shows me nothing useful.

The study

How Vulnerable Vs. How Dangerous

[ThinkFr33ly]

There is a big difference between how vulnerable a program is and how dangerous it is to use.

The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.

IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.

Re:

[Kaenneth]

Which means that we shouldn't want any more users of Firefox, because if it gains share, then it will become a bigger target.

Switch back to IE, you're blocking the view from my Ivory Tower.

Re:

[suv4x4]

There is a big difference between how vulnerable a program is and how dangerous it is to use.
The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.
IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.

So if we all want to remain safer, we should all go to Firefox..
In which case Firefox becomes the top browser, and IE will become less dangerous... You can't win, ca

Belt and suspenders

[Anonymous Coward]

I've taken to surfing from a copy of Opera running inside a VMWare virtual machine. If anything gets through (so far so good) I just go back to a clean snapshot. Nice to see my browser doing so good.

Re:

[PitaBred]

Great security and all, but it's a bitch saving something to the desktop, not to mention downloading say, an ISO or whatnot, then having to transfer it over a local loopback network connection to your "real" machine.

vulnerabilities threat level is key

[darkchubs]

Its not the number of vulnerabilities its more about the severity of them. A cookie injection , or cross site scripting is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less suseptable to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time , IE has one outstanding right now and "drive by downloads" of scum ware is booming in the last few weeks.

Wrong Numbers

[99BottlesOfBeerInMyF]

It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.

If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make is seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get attention. I declare the summary here to be FUD.

Re:

[kfg]

Firefox is more secure, but attempts like this to twist numbers to make is seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get . . .

. . .your money.

KFG

FUD

[Chanc_Gorkon]

Let's think about this.....a report from a ANTI VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites......AND make you pay for it??

Comparing Dogs and Foxes.

[140Mandak262Jamuna]

Let MSFT open its bug database open to public, the way bugzilla is open. Then we can count the vulnerability.

And dont just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.

MOD PARENT UP!

[Vellmont]

This is exactly what I thought when I read the article. Vulnerabilities aren't equal, even ignoring which browser is targeted more. Some vulnerabilities are quite difficult to exploit and might require someone to compromise the DNS lookups of a target, while other vulnerabilities you'd only have to visit a website with
malicious code on it.

It'd be like grouping all crimes together between two cities. City A might have 150 incidents of shoplifting, but only 10 murders. City B might only have 100 incidents

Re:

[legirons]

"Let MSFT open its bug database open to public, the way bugzilla is open"

Doesn't bugzilla conceal security-related vulnerabilities?

Re:

[tjwhaynes]

Doesn't bugzilla conceal security-related vulnerabilities?

Yes, but only until a fix is delivered to most users (automatic downloads, linux distros update their repositories). After that, the bugzilla entry is publicly accessible for all to see, including the original reporting date, the discussion of the problem and who reviewed the fix. This is similar to the handling for most security vulnerabilities which are dealt with privately with the original developers until either the reporter gets fed up with w

The difference is...

[finity]

Firefox is free. Not that no cost is an excuse for it to have vulnerabilities, but rather, why pay for something that's broken? Not that MS should get every bug out of IE before it ships, but it should catch more than it does now.

Re:

[gbjbaanb]

I run Firefox on Windows. Does this mean FF is not actually as free as its made out to be!?!?!

This is terrible! Now it has more bugs than IE, is less secure than IE! What next? They'll be telling me it is saturating my ISPs bandwidth causing them to throttle my connection, and downloading bittorrents bringing about the end of the Internet as we know it! Stop using Firefox everybody.

(sheesh!)

Don't care

[Odin_Tiger]

I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
Firefox: Rarely targetted, even for severy evulnerabilities. Nearly always fixed in a couple days, tops. Patched as soon as fix becomes available.
IE: Always targetted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2wks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over a half year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd party software, which needless to say is a dangerous thing to do institution-wide.

ActiveX

[AnalogDiehard]

ActiveX is IE's major vulnerability to drive-by downloads, covert spyware/adware installs, and malicious attempts to take over your computer. Because IE is the dominant browser, it is the target of most malicious coders.

Firefox may have more vulnerabilities, but none of them are as dangerous as the ActiveX server in IE. The numeric comparision in TFA is not even half the truth.

M$ won't patch a vulnerability IE overnight - but look how fast they patched a hack to their WMP DRM.

Symantec Motive

[blunte]

Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.

More risk and more problems means Symantec has an easier time selling its services.

I predict an even greater number next time.

[Dr. Manhattan]

Of course, I don't think any of the other browsers have something like this [slashdot.org] going on. Automatic code analysis will turn up bugs for anyone, but nobody else makes the code so public.

Salting the mine

[Jerry]

In order to sell worthless mines some unscrupulous agents would put gold dust into a shotgun shell and shoot it at the wall of a mine. It doesn't take much dust to sparkle a lot and fool some folks into believing that the mine is more valuable than it really is.

Symantec is doing much the same thing, for the same purpose, which is to encourage Linux/FireFox/FOSS users to buy their worthless anti-virus software.

The "study" they cite conveniently forgets that the ONLY security holes that IE users KNOW about are the ones that MICROSOFT TELLS THEM ABOUT. History has taught us that many holes were known by Micosoft for months, and in some situations years, before they were publically revealed, and many times NOT by Microsoft! The other thing that IE users DON'T KNOW is HOW LONG they have been vulnerable to those holes that Microsoft announces a patch for. FOSS applications, on the other hand, encourage PUBLIC annoucements of any security discoveries, along with any proof of concept code that can be used to test the patch. Those that use FOSS applications can then take timely and appropriate measures to protect their PCs and their data until the patch is released, which is usually within a day or two. Windows users hang, twising in the winds of vulnerability for months at a time or longer. In fact, some security holes are never patched and Microsoft serves its own bottom line by telling victims of their software to "upgrade", as if that would protect them. P.T. Barnum was right, you CAN fool some of the people ALL of the time.

it's better to have a virus than symantec on a pc

[mxprml]

come on dudes, have you seen what happens after installing some symantec so called protections? they make a super pc perform like an old wreck. They are incompetents and just fear people installing anything decently secure because they know their craps are removed immediately after.

Security Comparisons are Impossible

[RAMMS+EIN]

While the data gathered in the study will undoubtedly be used to support various "product X is more secure than product Y" claims, I believe it's fundamentally impossible to soundly arrive at such a conclusion, ever. The reason is that there may always be bias in your input, and it's impossible to know this bias.

How many people were trying to find bugs in each product? How do the skills of the people looking for holes in one product compare to the skills of the people finding holes in the other products? Wh

Just a quick question...

[bronzey214]

I didn't RTFA but does the FireFox count include any of the extensions?

Not that I'm bashing FireFox at all, I love it, but I wonder how many exploitations lie within the extensions?

But...

[Klaidas]

The question is: how many people got spyware/adware/viruses while browsing with each of them?

Firefox leads the number of KNOWN vulnerabilities

[BRSloth]

People can point that Firefox, being open source, is eaiser to find vulnerabilities. But I really believe there are countless more vulnerabilities in IE and the general public doesn't know them because the "Tuesday patch": black hats know several more vulnerabilities, but no one else know them exactly because they aren't being sploited (yet). Once a new patch is unveiled, those sploits go to the wild and people would need to wait for another month to have an official patch.

both good and bad

[CAIMLAS]

What this tells us, if anything, is that software will always have vulnerabilities, and that the number of vulnerabilities found seems to be proportional to the popularity of the software amongst non-technical users (and thus, the majority of software users).

Now, it can be implied that it indicates poor software development and overall poor software quality coming out of the Mozilla Foundation. But I think this would simply be conjecture. While it is certainly statistically true, there's a larger picture to look at.

Internet Explorer has been mostly static now for years; it hasn't seen any major development until recently (and that software isn't even what's being looked at here). Firefox, on the other hand, has been improving - adding new features, fixing complaints, and generally trying to come up with a better product. This is going to result in a higher number of security-problematic pieces of code - face it, people aren't perfect, and the only way to mitigate (not eliminate!) this realistically is to slow development to a standstill. Even then there would not be a guaranteed reduction in vulnerabilities, partially due to chance and oversight, and partially due to the large repository of existing code which it would have to interact with.

Furthermore, Firefox and Mozilla are just edging into the public consciousness, whereas Internet Explorer has had a technological hedgemony on the desktop as the browser now for almost a decade (in various versions). This means it's going to start receiving more scrutiny, both from malicious, malevolent folks, as well as from the benevolent security professionals. A higher detection rate is a natural result of this.

It's a double-edged sword. More detections are being made, resulting in more vulnerable systems. This is a natural state in computing, as computing innately involves security these days. There will always be risk involved. The significant thing to look at is how quickly these problems are being resolved, and how many how resurgent problems (ie, they weren't properly resolved). I would argue that the presented statistical information is irrelevant without further, more indepth analysis in this regard.

Number of critical vulnerabilities

[Domino]

Pure numbers of vulnerabilities mean nothing. What matters is the breakdown of the vulnerabilities. For exaple, Secunia reports 21% of critical vulnerabilities on Firefox, that may allow remote access. The same number for IE is 56% (This is for 2006).

This means that IE has more than twice the number of vulnerabilities leading to a complete system compromise than Firefox.

More info here:

http://secunia.com/product/11/?task=statistics_200 6 [secunia.com]

Read the report yourself

[DaoudaW]

The report is available at http://www.symantec.com/enterprise/threatreport/in dex.jsp [symantec.com]

It never fails to amaze me that slashdotters tend to post news stories rather than the source.

They're not comparing apples to apples

[Myria]

Both Microsoft and Firefox find security bugs in their own software from time to time. However, they differ widely in what they will do once they find out this information.

Unless Microsoft sees that someone else knows the bug, they won't release a patch. They will fix it in the source tree for the next major release, but they will not release a patch for the current version. They do this because when they release a patch, security researchers, both good and bad, will do a "BinDiff" and find out what exploit they've fixed. Bad people will then use that bug on unpatched users. If a bug isn't externally rediscovered before the release of the next major version, it's kept secret forever. You can't bindiff major releases, because there's too many changes.

Firefox, in contrast, will generally release a patch for the current version, even if only the Firefox security team knew about it.

Under these circumstances, of course Firefox will have more listed exploits.

Melissa

IE, how about all those unpatched holes?

[miffo.swe]

Firefox lives out in the open, has been extensively audited by a huge number of different people, not to mention the bunch of automated bug hunt tools makers who have combed the code. Internet Explorer on the other hand is patched with hidden patches all lumped together. Ever wondered why there always seems to be more holes found by virii makers than is reported after patch tuesday? Not to mention all those unpatched holes thats dragged on for as long as possible, only to be fixed in the next version?

All MS

Re:

[Trillan]

It looks like the Internet Explorer window will probably increase for next year; the latest exploits are being released following patch day.

As much as I like Safari, the a zero day exposure just means they got the reports earlier. As much luck as anything else, really.

Re:

[portmapper]

> Newsflash: Browsers that are actually used by large numbers of people have larger numbers of bugs found and exploited than browsers that are mostly ignored.

Newsflash: Bloated applications with developers more interested in adding features than fixing bugs are more easily exploitable.

Re:

[bunratty]

From The Ars Technica article:

When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.

It seems like Mozilla developers are quite interested and skilled in fixing bugs to

Re:

[SirTalon42]

Use a security model like SELinux (or maybe AppArmour, not sure what its capable of though), and make it so your browser is only able to write to areas it needs to (say ~/.$browser and /tmp/$user/$browser), and doesn't have permission to execute any other programs (or make a whitelist of what it can). It could also be setup so that the browser doesn't have permission to read any files except stuff in the directories its allowed to write in. Pretty much the worst case scenarios that could happen then are:
1

Re:

[Mistshadow2k4]

Oh, no, the "security through obscurity" argument again on *nix and Windows. May I ask what OS you think is most popular for servers? What OS was the internet built on? By your logic, there would be as many viruses attacking *nix-type OSes because most servers are running thoses OSes. But there's not. If you were right, sites would be going down all the time, since *nix is supposed to be as vulnerable to malware as Windows. Imagine Google going down at least once a week! Or Slashdot, for that matter. But th

Re:

[99BottlesOfBeerInMyF]

This is like Linux vs. Windows. Open Sorce[sic] vs closed sorce[sic].

Not really. This is a study of the state of the industry across a variety of open, closed and mixed open and closed source development processes. It is a bit disorganized, but it shows number of publicly known bugs and bugs speed of fixing bugs once they are public. We can speculate as to how much the popularity of a browser contributes to said, number of bugs, but the speed to fix is a lot more interesting, especially in this case.

Pe

Re:

[99BottlesOfBeerInMyF]

Yeah...find me support for all that hardware.

Umm, we sell servers on 8 different server platforms and have never had a problem with Linux supporting it. Nor have we had any problem with the Thinkpads, powerbooks, and towers we buy. Obviously you've never tried using Linux in a business environment.

I take it you mean you admit your sig is wrong, in that you can't find me a way MS does what I need 20 times better. Gee, what a surprise.

Also show me what Linux can do over Sharepoint, CRM, Portal server, G

Re:

[Mistshadow2k4]

There was a time when I would've agreed that was a possibility but I think those days are over. There's a great deal of tension between MS and Symantec right now, with Symantec being in a tizzy over Vista's security center. No, this is just self-serving; IE has more critical vulnerabilities than any other browser, yet they publish a misleading lower number of known vulnerabilities to get people to use it instead.

Re:

[bronzey214]

I told them, "it doesn't matter, one is as secure as the other".

You're kidding, right? IE = Firefox?

Not-Microsoft doesn't make software secure.

No, non-one patch day a month makes it secure.

Only competent programmers and a ruthless ability to say 'no' to new features will even begin to make Firefox secure.

I've never had Firefox crap out on me like IE.

There's nothing that indicates the pool of programmers who contribute to firefox is any better than any other group of programmers.

No, but ther

Re:

[BCW2]

Not only fast, but correctly fixed without creating more problems. How does that compare with IE? How about comparing the total number for both since Firefox 1.0 came out? Then compare how long it took to patch each one, IE will always look worse than Firefox because it is.

Yummy

[ichigo 2.0]

Indeed, and to make things worse, all four of them were displayed simultaneously. This caused me high levels of mental anxiety as I was unable to decipher what I'm supposed to think of TFA, so I tagged it fudge.

Mmmmmm, fudge...