secunia.com · Domains · Slashdot Mirror

let's see... by The+Master+Control+P · 2005-09-16 11:45 · Score: 2, Insightful · on Is The Firefox Honeymoon Over?

Rather than simply counting vulnerabilities, take at look at the reports for Firefox and Internet Explorer 6. Firefox 1.x shows 22 holes, 3 unpatched and rated 'less critical.' IE6 has 85 holes, 1/4 unpatched, and a 'highly critical' buffer overflow in ActiveX that's been open since 2003. Now, tell me, which one is more secure?

[Insert usual mantra of anyone being able to fix F/OSS but only MS being able to fix MSIE here] [Append snide remark about companies trying to hide rather than fix vulnerabilities here] [Insert random Zeeky Boogy Doog here]

Re:Apples to Apples by Derekloffin · 2005-09-16 10:03 · Score: 2, Informative · on Is The Firefox Honeymoon Over?

It might be in your interest to click a few of the links on the article, in particular

http://secunia.com/product/4227/

This shows you all the vulnerabilities they mention. The article doesn't link the exploits unfortunately.

Compare Also by xant · 2005-09-16 09:28 · Score: 1 · on Is The Firefox Honeymoon Over?

http://secunia.com/product/4227/

"Less critical". There are 18 though.

Re:Quality not Quantity by Adam+Wysokinski · 2005-09-16 08:32 · Score: 1 · on Is The Firefox Honeymoon Over?

You missed Opera (which is IMO the best browser ever made). According to Secunia (http://secunia.com/product/4932/): "0 out of 7 Secunia advisories, is marked as "Unpatched" in the Secunia database", while for Firefox there is: "3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database."

Author picked meaningless numbers... by jebilbrey · 2005-09-16 08:32 · Score: 3, Informative · on Is The Firefox Honeymoon Over?

This author picked a date range that favored IE on the surface, and then quoted some pretty useless numbers which were skewed toward IE for the casual observer. Better numbers would be how many vulnerabilities REMAIN OPEN and HOW LONG they took to close from report date to fix date... I went to Secunia and pulled the following statistics In 2005 -- Firefox had 18 advisories posted. 1 remains unfixed, 1 remains partially fixed, 16 are fixed. -- IE 6.x had 11 advisories posted. 5 remain unfixed, 1 remains partially fixed, and 5 are fixed. Looking from 2003-2005 -- Firefox 1.x had 22 advisories posted (1 partial fix and 3 unfixed still) -- IE 6.x had 69 advisories posted (10 partial fix and 19 unfixed still) On Criticality of any advisory ever issued -- Firefox has had 0% extremely, 23% highly and 36% moderate -- IE has had 14% extremely, 29% highly and 20% moderate If you want tons more stats and graphs, go to... http://secunia.com/product/11/ (IE stats @ Secunia http://secunia.com/product/4227/ (Firefox stats @ Secunia)

Author picked meaningless numbers... by jebilbrey · 2005-09-16 08:32 · Score: 3, Informative · on Is The Firefox Honeymoon Over?

This author picked a date range that favored IE on the surface, and then quoted some pretty useless numbers which were skewed toward IE for the casual observer. Better numbers would be how many vulnerabilities REMAIN OPEN and HOW LONG they took to close from report date to fix date... I went to Secunia and pulled the following statistics In 2005 -- Firefox had 18 advisories posted. 1 remains unfixed, 1 remains partially fixed, 16 are fixed. -- IE 6.x had 11 advisories posted. 5 remain unfixed, 1 remains partially fixed, and 5 are fixed. Looking from 2003-2005 -- Firefox 1.x had 22 advisories posted (1 partial fix and 3 unfixed still) -- IE 6.x had 69 advisories posted (10 partial fix and 19 unfixed still) On Criticality of any advisory ever issued -- Firefox has had 0% extremely, 23% highly and 36% moderate -- IE has had 14% extremely, 29% highly and 20% moderate If you want tons more stats and graphs, go to... http://secunia.com/product/11/ (IE stats @ Secunia http://secunia.com/product/4227/ (Firefox stats @ Secunia)

Re: Is the Firefox Honemoon Over? by maxpup979 · 2005-09-16 08:27 · Score: 3, Interesting · on Is The Firefox Honeymoon Over?

Just one?

How bout this one?

A vulnerability has been identified in a Microsoft ActiveX plugin called MCIWNDX.OCX, which possibly allows malicious HTML documents to execute arbitrary code on a vulnerable system.

The problem is that a property called "Filename" isn't properly verified allowing malicious websites or HTML emails to cause a buffer overflow by supplying an overly long string. This could potentially be exploited to execute arbitrary code on the system.

unpatched since: 2003-08-14

Granted, thats only a little more than 2 years...
hey...not important.

But there are oodles more at:
http://secunia.com/product/11/#advisories

Re: Is the Firefox Honemoon Over? by dmaxwell · 2005-09-16 08:19 · Score: 5, Interesting · on Is The Firefox Honeymoon Over?

I'll give you not one but 19.

http://secunia.com/product/11/

Watch what you ask for, you just might get it.

Re:Yeah? And how many of those are still unpatched by Anonymous Coward · 2005-09-16 08:10 · Score: 0 · on Is The Firefox Honeymoon Over?

Better Links:

http://secunia.com/product/11/

http://secunia.com/product/4227/

Also note that a high number of the IE vulns are "multiple" ones grouped together.

Re:Yeah? And how many of those are still unpatched by Anonymous Coward · 2005-09-16 08:10 · Score: 0 · on Is The Firefox Honeymoon Over?

Better Links:

http://secunia.com/product/11/

http://secunia.com/product/4227/

Also note that a high number of the IE vulns are "multiple" ones grouped together.

MOD PARENT DOWN - contains unsubstantiated FUD by njyoder · 2005-09-16 08:10 · Score: 1 · on Is The Firefox Honeymoon Over?

1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

Or perhaps you're being a hypocrite. Strange, I've never once seen this defense come up for MSIE on Slashdot. You seem to think that the number of known vulnerabilities doesn't matter, but then you go on to address the criticality of the known vulnerabilities as if that matters latter on. Make up your mind, don't contradict yourself and don't be a hypocrite.

It's funny, people always scream "ZOMG L@@K @ TEH NUMBER OF VULNERABILITIES FOR MSIE3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design).

Is that your SCIENTIFIC opinion based on a study of FACTS or just anti-MS FUD on your part? Don't bother answering that, the answer is obvious. For someone who blasts a legitimate finding for being 'bad science', you sure are fond of using bad science when it suits you. You simply ASSUME--with absolutely no factual grounding (unless you count hearsay) that it's a result of poor browser design.

The firefox team appears to address the bigger problem, not just stop the current bleeding.

Again, what are you basing this on? Your "scientific opinion"? The multiple dialog spoof and frame injection vulnerabilities? The multiple, related cross-site scripting vulnerabilities? The partial fixes? THe workarounds?

I'm sorry, but firefox isn't fixing the source, its design is flawed too. Have you even LOOKED at the design of Firefox? After all, you're the expert, surely you've seen the strides they've taken in security design. OH wait, no, just like with all browsers, security was an afterthought in design.

2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category.

Interesting that at first known vulnerabilities don't matter, now they do when it comes to criticality. Way to be incosistent.

As it turns out, there are the same number of highly to extremely critical fixes according to JUST secunia statistics. Secunia only released advisories for a little under half of the Firefox vulnerabilities. Those stats are going to go up and have Firefox beat the pants off MSIE in terms of more serious vunlerabilities.

Here are the statistics:
http://secunia.com/product/4227/?period=2005#stati stics
http://secunia.com/product/11/?period=2005#statist ics

MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.

6% workarounds, 6% partial fixes as per the above statistics. Yeah, they're awesome :-) Firefox is great enough to have a simple auto-patching system, whereby you don't have to wait for an entirely new version to come out and install it over the new ones, thus not having any compatibility issues with plug-ins or the like. Doesn't happen with Firefox. Nope.

IAAITG (I am a IT guy)

But not a scientist, nor a rational thinker, apparently.

MOD PARENT DOWN - contains unsubstantiated FUD by njyoder · 2005-09-16 08:10 · Score: 1 · on Is The Firefox Honeymoon Over?

1) The number of vulnerabilities reported has almost nothing to do with the number in the code. At most it dictates a minimum number that exist. Perhaps the firefox community is much more active at searching for bugs in the much newer firefox code.

Or perhaps you're being a hypocrite. Strange, I've never once seen this defense come up for MSIE on Slashdot. You seem to think that the number of known vulnerabilities doesn't matter, but then you go on to address the criticality of the known vulnerabilities as if that matters latter on. Make up your mind, don't contradict yourself and don't be a hypocrite.

It's funny, people always scream "ZOMG L@@K @ TEH NUMBER OF VULNERABILITIES FOR MSIE3) How effective are the fixes? MS seems to have the same recurring problems because they only do triage. They don't fix the bigger problem (VERY poor browser design).

Is that your SCIENTIFIC opinion based on a study of FACTS or just anti-MS FUD on your part? Don't bother answering that, the answer is obvious. For someone who blasts a legitimate finding for being 'bad science', you sure are fond of using bad science when it suits you. You simply ASSUME--with absolutely no factual grounding (unless you count hearsay) that it's a result of poor browser design.

The firefox team appears to address the bigger problem, not just stop the current bleeding.

Again, what are you basing this on? Your "scientific opinion"? The multiple dialog spoof and frame injection vulnerabilities? The multiple, related cross-site scripting vulnerabilities? The partial fixes? THe workarounds?

I'm sorry, but firefox isn't fixing the source, its design is flawed too. Have you even LOOKED at the design of Firefox? After all, you're the expert, surely you've seen the strides they've taken in security design. OH wait, no, just like with all browsers, security was an afterthought in design.

2) How critical are these vulnerabilities. The article makes no mention of any ranking. He lumps everything into the same category.

Interesting that at first known vulnerabilities don't matter, now they do when it comes to criticality. Way to be incosistent.

As it turns out, there are the same number of highly to extremely critical fixes according to JUST secunia statistics. Secunia only released advisories for a little under half of the Firefox vulnerabilities. Those stats are going to go up and have Firefox beat the pants off MSIE in terms of more serious vunlerabilities.

Here are the statistics:
http://secunia.com/product/4227/?period=2005#stati stics
http://secunia.com/product/11/?period=2005#statist ics

MS is known to sit on bugs as long as possible. Perhaps the Firefox team is just being more responsive to the people looking for them.

6% workarounds, 6% partial fixes as per the above statistics. Yeah, they're awesome :-) Firefox is great enough to have a simple auto-patching system, whereby you don't have to wait for an entirely new version to come out and install it over the new ones, thus not having any compatibility issues with plug-ins or the like. Doesn't happen with Firefox. Nope.

IAAITG (I am a IT guy)

But not a scientist, nor a rational thinker, apparently.

They Always Use One Side of the Stats by Anonymous Coward · 2005-09-16 07:50 · Score: 0 · on Is The Firefox Honeymoon Over?

This is such a ridiculous use of statistics. These were all pulled from the Secunia website. Using the same stats from the website you'll see that:

http://secunia.com/product/11/?period=2005#statist ics Secunia Stats for IE

http://secunia.com/product/4227/?period=2005#stati stics Secunia Stats for Firefox

While IE has less advisories, they also have a higher unpatched percentage as well as a higher severity of exploits percentage.

What is even more funny is that a co-worker of mine always uses the number of advisories to indicate how much better IE is over Firefox, but never mentions that most of the advisories remain unpatched as well as more critical from the same website.

Apples to Oranges indeed.

They Always Use One Side of the Stats by Anonymous Coward · 2005-09-16 07:50 · Score: 0 · on Is The Firefox Honeymoon Over?

This is such a ridiculous use of statistics. These were all pulled from the Secunia website. Using the same stats from the website you'll see that:

http://secunia.com/product/11/?period=2005#statist ics Secunia Stats for IE

http://secunia.com/product/4227/?period=2005#stati stics Secunia Stats for Firefox

While IE has less advisories, they also have a higher unpatched percentage as well as a higher severity of exploits percentage.

What is even more funny is that a co-worker of mine always uses the number of advisories to indicate how much better IE is over Firefox, but never mentions that most of the advisories remain unpatched as well as more critical from the same website.

Apples to Oranges indeed.

Re:Quality not Quantity by Stack_13 · 2005-09-16 07:42 · Score: 5, Informative · on Is The Firefox Honeymoon Over?

Criticality of vulnerabilities is quite clearly determined in the Secunia reports.

For Mozilla, there has been 0% of extremely critical vulnerabilities and 23% of highly critical in 2003-2005, whereas for IE 14% were extremely critical and 29% highly critical in the same time period.

Furthermore, a total of 31% (out of of 69 advisories, or 21 individual cases) of IE vulnerabilities may result in system access. In Mozilla, the corresponding numbers are 18% and 4 advisories.

Re:Quality not Quantity by Stack_13 · 2005-09-16 07:42 · Score: 5, Informative · on Is The Firefox Honeymoon Over?

Criticality of vulnerabilities is quite clearly determined in the Secunia reports.

For Mozilla, there has been 0% of extremely critical vulnerabilities and 23% of highly critical in 2003-2005, whereas for IE 14% were extremely critical and 29% highly critical in the same time period.

Furthermore, a total of 31% (out of of 69 advisories, or 21 individual cases) of IE vulnerabilities may result in system access. In Mozilla, the corresponding numbers are 18% and 4 advisories.

Yeah? And how many of those are still unpatched? by raddan · 2005-09-16 07:36 · Score: 2, Interesting · on Is The Firefox Honeymoon Over?

According to Secunia (the same source of this author's data, BTW), there are still 19 of 85 reported vulnerabilities unpatched for IE 6.x. Contrast that to the 3 of 22 unpatched vulnerabilities in Firefox. This is a much more important figure to me. The Mozilla crew gets their fixes out faster, and this is why FF is deployed company-wide for us.

The most important thing this author should have asked is: what is the severity of these vulnerabilities? Something like a DoS is a PITA, but compared to a vulerability that opens a machine to remote system access-- come on! Let's compare: IE Firefox

IE integrated into the base OS gives a lot of those buffer overflows much more destructive potential than some regular old program. I'm not ruling FF out as a potential threat, but so far, it has shown itself to be far less dangerous than IE.