IE More Secure Than Mozilla?
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.""
How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products are open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?
How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?
Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?
Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?
I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.
Or both.
Nice to see M$ spread the wealth with other companies.
And how many years did this take them on the same version?
These guys are actually somewhat reputable and they're saying this. Worth keeping an eye on.
FP
I have yet to get a spyware infection from using Firefox...
Is this a dupe story? 'course not! (rolls eyes)
Knowledge is valuable. Ignorance is dangerous. Censorship is unacceptable. http://slashdot.org/comments.pl?sid=10
Security is a process not a state.
A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes is one vulnerability to make your browser insecure.
Once any vulnerability is discovered, relative security depends upon how many users are exposed, and for how long.
Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.
A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is that any given user was hacked via the product".
Currency calculator that accepts free form input such as "23 canadian dollars --> rupees"
Don't they write software for Windows, which *GASP!!* is owned by the SAME company as Internet Explorer. Woah. Now here's some news!
In other news, Hershey funded a study that eating chocolate is not only good for you, but makes you a better person.
--sig fault--
How many of those Mozilla exploits compromise the entire OS?
I like big butts and I cannot lie.
Two points to consider:
1. How many 'high severity' bugs did IE have to fix to get to that point? Remember also that IE is integrated into Windows, so any vulnerability that affects Windows affects IE in one way or another (and vice versa).
2. How many have been disclosed by Microsoft before being fixed? They are notorious for not disclosing these things until after it is fixed, and even then they don't always label it as a "IE" fix.
War isn't about who's right. It's about who's left.
Personally, I think it's stunning that a browser as old as IE6 STILL HAS CRITICAL vulnerabilities. They've had literally YEARS to root out and discover these sorts of things. To compare that to a much newer Mozilla browser seems like apples and oranges to me.
We had a similar story a few days ago. It was not very informative, and for the same reasons this one's not very informative, e.g., IE is closed-source, so they don't disclose all the bugs.
Find free books.
Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39219186-39020375t-10000025c
My neighbours using firefox on MS windows have had zero problems due to these security flaws. The neighbours using IE under XP with service pack 2 installed and automated update on still get tons of spyware.
So the alternative conclusion of the symantec report would be: Spyware holes in MS IE are not spyware holes, but easy software installation features.
My wife's sketchblog Blob[p]: Gastrono-me
Anyone who thinks Symantec isn't acting in a *VERY* self-serving manner in the past few days worth of FUD is kidding themselves.
I kid you not, Symantec has been saying "Don't use the Mac, it's insecure! Or Linux! Or Mozilla! They're not secure, oh noes!!!"
Guess why... maybe it's because they don't have products for those operating systems... or maybe it's because there are no virii in the wild, and they haven't been able to figure out how to write good enough virii for those OS' to scare people into buying their shitty product?
You decide. I already have.
...Steve
slashdot is now part of an anti-mozilla campaign (http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172) backed by Microsoft and its main supporters (symantec, maker of anti virus which only infect windows PCs), etc.
Since Symantec is best known for their Anti-Virus products, wouldn't it make sense for them to promote IE as the more "secure" browser?
I mean, it may not be secure in the traditional sense of the word, but with all the trojans/malware/ActiveX vulnerabilities out there, surely IE is the best way to "secure" profits for themselves?
Let the open source zealots start their engines. Guys, this is just one company's opinion. BTW you are entitled to yours as well.
IE sucks the spyware in... Anytime I fix a spyware infested PC it's for an IE user.
Seriously would it hurt anyone's feelings if the duplicate stories were just pulled off /. ?
It not only makes /. look bad, but it is a known problem with an easy fix.
Anywho...
Cliff notes of last story:
IE's exploits would be someone taking over your computer remotely
Firefox's exploits would be malicious popups/crashing (of browser only)
So the "severity" thing doesn't really matter here.
Get paid to code OSS
Yeah but how long has IE been available in order to fix the majority of its flaws as opposed to Firefox which is relatively new. Also how long does it take for Microsoft to turn around a Fix as opposed to Mozilla?
I can't believe its not butter!
if you don't use it.
What are numbers of Developers/Hackers browsing and reporting bugs for Firefox vs. IE? Until we know _that_ this report means nothing.
839*929
I think it's going to be called "dupeware" :P
Well, perhaps Mozilla -does- have 'more' vulnerabilities than IE. Or it doesn't. But that kind of statement doesn't buy me. I've started using alternate browser (Phoenix) sometime in 2002, and I've switched to Firefox more or less fulltime well over a year ago. In all that time, I didn't have a single incident of spyware/adware infection, much less anything approaching disaster-scale events some of my friends and customers had, where ad/spyware infection rendered the computers completely useless, pending wipe & reinstall. Many of my colleagues and friends who, in most cases, started using Firefox share these same experiences. (as an example, my AdAware finds
Bottom line... it is not about -number- of vulnerabilities, in my book. It is about what -kind- of vulnerabilities. Being allergic to kryptonite is not same as being allergic to wool.
'...computers in the future may have only 1000 vacuum tubes and perhaps weigh 1.5 tons...' Popular Mechanics, 03/49'
We discussed this before on slashdot.
More found more fixed.....
Coming from Symantec, I'll take that with a grain of salt.
Hit the nail on the head there.
True genius is grasping a situation like a piece of fruit, and piercing it just right so that it drains dry.
...is an aggregate measure of vulnerability time. How many days/weeks/months of total time will I experience between a vulnerability becoming public knowledge and the patch becoming available? How many for the Mozilla browsers? Even if there are 10 times as many vulnerabilities in the Mozilla browsers, if they get patched 100 times as fast, I would think the user would still be safer with some flavor of Mozilla than with IE.
How many years has IE6 been on the market? Four, right? It's had time to mature as a product, and be patched, secured, etc. Mozilla has been on the market for far less time, so I'd expect it to have more bugs in the code. This is like comparing straight Windows XP to Windows 2K with SP4 and all patches in place.
Let's look at it in another light: IE 6 is a 4-year-old software product, and still has a boatload of security vulnerabilities. I'd be more pissed that my 4-year-old app had 13 vulnerabilities, while my 1-year-old app has 28.
These are all a bunch of horrible horrible lies of course. There is no way that Mozilla is worse than IE in any aspect.
All of those bugs reported last year for IE were well founded, with serious implications that needed to be released to the public for THEIR OWN SAFETY!
Obviously these Mozilla bugs reported this year are miniscule at best, and it does the community a great disservice to release any information about them!
Gates is the devil! Impeach Bush! Katrina is a direct result of WalMart cutting lunches! And Starbucks is lacing their coffee with microscopic beta nanomachines, built to track and report our intake of caffeinated beverages!
with firefox being open source we stand a better chance of finding most all of the vulnerabilities over a period of time. also, the people at mozilla at least patch their vulnerabilities, which is much better than IE's track record of releasing patches that don't fix all their known vulnerabilities. i'll stick with firefox because of its features more than its security.
For Firefox
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.
And IE
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.
It's our duty as slashbots to point out how IE is less secure. Sure, this is a little like arguing whose head is more on fire, but we'll ignore that.
Any time someone points out that IE is insecure, we know it's a simple statement of fact. If someone does the same for Mozilla, we know it's just FUD. We won't even argue the technical merits of this article, because it's much more interesting and productive to attack Symantec or Microsoft. Anything to deflect attention from the fact that Mozilla just might be insecure.
'nuff said.
That which does not kill her only prolongs my agony.
New Orleans is more secure from flooding than Denver! That's because Denver has no levee system whatsoever and ehhh I'm not sure how they can relate the number of flaws found to the level of protection afforded. It's usually the flaws that aren't found and that are breached that lead to disaster. These virus vendors will cook up anything weird for a bit of a story...
Of those to whom much is given, much is required.
The answer is still no.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
No, the correct answer is, who gives a shit.
But seriously, what if we compare the same number of vulnerabilities that IE had in its first year? That would be a better comparison.
Mitchell Baker, president of the foundation, said earlier this year that its browsers were fundamentally more secure than IE.
This is misleading! Fundamentally more secure means there's something inherent in their technology that makes it more secure. There really isn't. They're both written in similar languages, both support plug-ins and extensions, both are susceptible to the same sort of exploits.
Best Buy can have you arrested
Thankfully, Opera is now available as a free browser. Yes, free as in beer, but it's still good. Why? Because when you have multiple browsers, a single infection can't hit all of them.
Yay Opera for windows, and Konqueror for Linux!
--LWM
This is old stuff, as we all know. So why does a supposed authority on security not only miss the obvious analytical and statistical requirements of meaningful comparison, but go on to publish its findings?
Could there be any possibility of bias as a result of the strategic partnership between Symantec and Microsoft? Just a thought.
Parity: What to do when the weekend comes.
Not to MS bash (which I admit I do from time to time), but what about vulnerabilities that are not vendor-confirmed?
What I'm concerned about is that the "study" relies on vulnerabilities that the vendor acknowledges. If one vendor is faster at, or more accepting of those vulnerabilities, then they will be seen to be "less secure".
OTOH, if the vendor rejects them more often, regardless of their merit (which MS has been known to do) the product seems "more secure".
I'm sorry, but if I disagree with the premise, I would not trust the results.
Sig
Appended to the end of comments you post. 120 chars
Now that Opera is Free as Beer, I guess it's time to switch...again. However, I wish they would change some of the vocabulary, and lose the attitude, and make it easier to write extensions, etc. I've used Opera, but it just isn't compelling to me compared to FF, especially when I can use this boatload of extensions (like the AWESOME AdBlock), and not read ads on /.!
Friends help you move. Real friends help you move bodies.
Never forget: 2 + 2 = 5 for extremely large values of 2.
The Firefox devs are much, much more likely to acknowledge flaws and try to fix them, while Microsoft likes to downplay such things. Notice that the article said "vendor-confirmed flaws"?
Since OSS projects have a better security track record in general, they're more likely to actively seek out bugs and try to squash them because security holes are less tolerated. Likewise, a flaw that might be considered minor in IE might be classified as severe in Firefox.
How about this: a report that identifies the vulnerabilities associated with a vendor, and not a product. In other words, after the initial public announcement of a vulnerability, we report how long it took the vendor to release a patch. Lower scores are better.
Anybody think that'll work? If not, why not?
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?
While this is important in the grand scheme of things, ultimately, the more often vulnerabilities come out, the less likely it is that everybody is going to stay up to date consistently. Lest we forget, most attacks are exploiting publicly known and well understood software flaws. Many attackers are simply using the lists of critical bugs as specifications for their next attack.
Having said that, I think this is less a reflection on the code for Firefox and more about the development status of the two browsers. Firefox is still actively developed, getting new features on a routine basis. Invariably as new features are added, new bugs will be made and old bugs will be discovered. With IE, it is purely maintenance mode right now. The only updates it receives are bug fixes. So invariably there are less bugs to find over time if you aren't adding them with new code.
Symantec isn't shilling for Microsoft, they are just drawing a rather short sighted conclusion based on the statistics they have. It doesn't say anything about longer term trends for the browsers, nor does it suggest anything about the innate security of their development methodologies.
This sig has been temporarily disconnected or is no longer in service
B-U-L-L-S-H-I-T:
ya' think so?
ya' really think so?
So if MS doesn't admit a bug exists (and they usually don't until right before they issue a patch), it doesn't get counted?
Let me guess - two weeks from now, we'll see a story on the main page of slashdot:
:)
"And in other news, Microsoft's initiative to enter the Antivirus market took a step forward as they announced their purchase of Symantec Corporation. Norton Antivirus will now be called, "Bob Antivirus", and there will be seven versions available: Super Starter, Starter, Okay, and Super Okay. The remaining three have been promised, but were delayed. A beta will be available in two years.
A quick run of the software brought five 'potential' problems, two of which were related to Mozilla products (FireFox and Thunderbird). Comments from Microsoft about the flagging of FireFox as a 'potential threat' from Microsoft were, 'Our users expect a certain evil from us. In order to provide it, we've decided to flag popular browsers as evil. We've also decided to flag any attempts to visit websites which concern 'Linux, Google, or Apple' as a safety concern.' When asked why Internet Explorer wasn't flagged, laughing they replied, "Because, we own the software, stupid!"
I have to say that this report is really quite flawed for a couple reasons here.
1) They cover only a short period of time (6 months presumably).
2) They do not count unpatched vulnerabilities, of which IE 6 has 85 and Firefox 1.X has 22 (according to Secunia).
3) Nor do they count patch reaction time (Microsoft takes anywhere from a few hours to a couple weeks, the Firefox team usually takes from 24 hours to a week).
This doesn't say that Firefox is more secure (even though in my personal opinion it is), but it does say that Symantec's alleged study proves little by simply saying IE is more secure since it had less security exploits in a six month period.
I have never, in the course of my IT career and in my daily personal web surfing experience, been affected by security exploits aimed at Firefox or any other Mozilla-based browser.
I can say with confidence that I have laughed mightily at colleagues, friends and family members running IE who have to juggle two or three anti-malware programs and still wind up shoulder-deep in the Windows Registry or re-install because of security holes in IE.
Symantec can only blow so much smoke up my ass before reality re-asserts itself. Theoretical vulnerabilities are bad. Giant screaming voids you could drive a Peterbilt through are worse. Open Source Software frequently gives you the former. Microsoft can be counted upon, in a lead-pipe cinch, to deliver the latter.
SoupIsGood Food
well... googleBrowser Beta. Might as well.
I wouldn't care how many FF had, I'll never use IE- nor will I recommend IE to people. FF is an excellent browser and I'm sure it's only going to get better over time.
And Mozilla is ? old? I'm fairly sure that I was using a version of Mozilla at least five years ago.
thank God the internet isn't a human right.
ouch
This release coincides with a warning that Mac OSX is not as secure as many people believe. Interestingly, Symantec also just released a new security suite for the Macintosh, so it seems that to market it, they've trotted out a bunch of vulnerabilities. One of these is the existence of a root kit for OSX, which has, as far as we know, never been used successfully to compromise a system.
I expect that we'll see a bunch of extensions for Firefox coming from Symantec soon. It seems that they issue warnings like this sometimes as a way to expand their business.
It's good to use your head, but not as a battering ram.
it should count the number of bugs multiplied by the time for the fix to be available since disclosure/found.
Really, just list all the holes for all time, not just a finite time period, I wonder who eats the crow then?
Sig Hansen?
1.) There are many vulnerabilities that Microsoft never reports. That doesn't mean they don't exist.
2.) Having Microsoft on board as one of their major investors I am not surprised if Symantec is ordered to spread FUD about a competitor's product. In fact, given Microsoft's track record, I would have almost expected such a report.
3.) Virtually all security professionals agree that Firefox is still much more secure than Internet Explorer.
Hands up anyone who has contracted spyware/adware/viruses through IE.
Ok, now hands up anyone who has contracted spyware/adware/viruses through Mozilla/Firefox.
Your honour, I rest my case.
This is true. However IE is supposed to be a mature application. It isn't a new version that comes out every few months. At some point shouldn't a developed app reach a point that it is locked down and secure?
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
In other news, analysts credit Firefox for a slow down in sales of third-party security software. According to one source, "With Firefox, you don't need some extra solution like Norton's Popup Blocker (tm)."
Symantec has expressed concerns that users may not understand the implications of such actions. "Firefox is not a silver bullet!" says VP of Marketing Strategies at Symantec's Mexico City offices. "People think that just because you don't need a popup blocker, they don't need a firewall or virus scanner either. The Mozilla people need to make it clear to their customers that this is not the case."
Officials for McAfee are considering joining Symantec in a public awareness campaign that will restore consumer trepidation and lead to better protections for all computer users.
Even symantec admits that this report is a steaming pile of crap.
From TFA:
Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
Nice. So in terms of checking off the reported vulnerabilities and counting each one equally, if the report would be honest, IE would have 32 issues and Firefox would have 29. For the sake of this report, all vulnerabilities are equally bad, right? Well, not according to TFA:
Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."
So the IE vulnerabilities result in widespread exploitation and the Firefox ones don't, but firefox is somehow worse? I think the only way in which firefox is worse, from Symantec's perspective, is that the constantly malware-infested machines (where IE is the main infestation vector) inflate demand for the crap that Symantec peddles, and they're afraid that if people aren't constantly suffering from the pain of these infections this demand will evaporate.
Feh. Maybe I'm a cynic, but this looks like marketing poorly disguised as research to me...
.sig: file not found
The number of reported holes may be right, but look at what IE considers a feature. It's a full featured spyware/viral install toolkit. M$ wants you to be able to use it to install anything over the web. Until those "features" are counted as holes too, this is not even a remotely fair comparison.
For my sanity I'm still switching as many users as I can to Firefox. I don't have time to clean every machine up once a week.
Yesterday there was something from them about how Firefox and Mac users are in a fantasy land for thinking they are safer for using them. Now they are asserting that within their selected window of time, more vulnerabilities were reported in FF than MSIE. How about we change the window from the beginning of their respective initial public releases until now? Would that be fair? How about if we pick a month window where no vulnerabilities had been reported in FF? Would that also be fair and balanced?
If people start jumping ship (Win+MSIE) onto another ship, Symantec will see that they will sell fewer floatation devices.
This is a pretty pathetic attempt to sway opinion by Symantec.
The highly accurate, Symantec Automated Browser Security Highlights Investigation Tool (SABSHIT) (TM), which is automatically installed and executed in your system when you follow the Symantec link, provides incontrovertible proof that the Internet Explorer Browser is more secure than its competition.
This is further corroborated by ongoing monitoring of user web click habits, statistics gathering of expenditure on security software and is correlated against the user Social Security Number and Credit Card information.
On all the data gathered, Internet Explorer was rated very highly, while the Firefox and Safari browsers did not even register, which proves the superiority of the Microsoft product.
-- Symantec.
Oh well, what the hell...
If somebody exploited firefox properly (which I am certain will occur eventually), then software installation on Windows XP will be the primary target.
Sure, FF on linux might be safe, but any application running under windows with Administrator rights has the potential to take over the entire machine.
liqbase
Security is how you feel, not an intrinsic value.
There is always some amount of risk. Knowing what you are willing to risk, and at what peril you are placing it, allows you to know where to put your effort. More importantly, you know where to stop putting resources to protecting things you don't care about losing, or where your efforts pass the point of diminishing returns.
That said, you are correct that viewing security as a process is essential to avoiding that sinking feeling when you realize that you're vulnerable, or worse, that you've been owned. Correct the problem and go on, knowing that you aren't any more "secure" than before (except that you are more humble, which is half the battle anyway).
sigs, as if you care.
News flacks always are howling after the next big headline, regardless of what the data suggests. Blame News.com, who want lots of hits to help drive revenues that are charged to advertisers.
In any event, as anyone who has taken math courses more complicated than arithmetic knows, a properly selected sample size will return whatever result you want. If the number of vulnerabilities is considered over a span of time longer than the one in the article, IE is far less secure than Mozilla et al.
Microsoft skipped "patch Tuesday" this last month; that doesn't mean that IE is finally secure. It only means that, in Microsoft's opinion, the various bugs and flaws don't rise to the level of patchworthiness. I'd rather make the determination of what needs fixing than rely on Microsoft for that assessment. A decent reporter should also present a similar analysis, rather than leaping for the extremes.
They mention Mozilla, but not Firefox.
BTW, my friend has crap coming in through IE 6.0. About 4-6 spyware in half a year. Some really cleverly made, including a modified TCP/IP stack that sometimes redirected all requests to pr0n sites. Another one was the one that made a pr0n site the default page, even if about:blank is set. To fix that, I had to go deep in the registry and modify several keys. With Firefox, you have to check not all the system's data for malicious URLs but rather only Mozilla's homedir.
Also, how many of Firefox's vulns were really critical? IE is a part of the system, so if IE is hijacked, the system is in danger.
Aside from the question raised in many posts about whether the fact that Firefox is open source leads to faster and fuller disclosure, the following is an email I sent this past weekend regarding this article.
Lots is being made the past few days about the number of security holes found in various browsers. Just to try to keep the discussion from descending to complete irrelevance, here's the stats that actually matter:
Solution Status (has it been fixed?):
http://secunia.com/graph/?type=sol&period=all&prod=11
http://secunia.com/graph/?type=sol&period=all&prod=4227
Criticality (how bad is it if I get hit?):
http://secunia.com/graph/?type=cri&period=all&prod=11
http://secunia.com/graph/?type=cri&period=all&prod=4227
Unpatched Criticality (what can happen to me today?) Requires a little more looking - see the list at the bottom of each page:
http://secunia.com/product/11/
http://secunia.com/product/4227/
IE: 5 unpatched moderate or greater criticality
Firefox: 0 unpatched moderate or greater criticality
Finally, and unfortunately not clearly covered in [the Secunia] report is vulnerability window - how long does a bug go without being patched. You can, however, make a fairly good estimate by looking at the patch time for highly critical or worse bugs:
MS has been making big improvements lately, so I'll only look at the MS holes from the past year (the older ones have dramatically longer vulnerability windows) (I've also left out holes which were publicly discovered as a result of a windows patch)
IE Highly+ Critical Windows (past year)
http://secunia.com/advisories/12806/ 103 days
http://secunia.com/advisories/12889/ 108 days
http://secunia.com/advisories/12959/ 29 days
http://secunia.com/advisories/13482/ 53 days
http://secunia.com/advisories/15891/ 7 days
Firefox Highly+ Critical Windows (all time)
http://secunia.com/advisories/14654/ 7 days
http://secunia.com/advisories/14938/ 24 days
http://secunia.com/advisories/15292/ 5 days
http://secunia.com/advisories/16043/ 7 days
http://secunia.com/advisories/16764/ 3 days
Keep the discussion rational - security is hard, so is assessing security. Be skeptical of anyone who has a dog in the fight (eg: Symantec). [Which is not to say that Symantec cannot be trusted for Windows security, only that their PR department's press releases regarding software security should be treated as suspect - particularly when they draw questionable conclusions from insufficient data.]
Stop-Prism.org: Opt Out of Surveillance
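The patch-window comparison in the e-mail above, together with the "number of bugs multiplied by time to fix" score other commenters propose, worked through as an added example that is not part of the thread. The day counts are the ones listed in the post; the dated intervals are constructed sample data, and the function names are hypothetical. The second function goes one step beyond the post by counting overlapping windows only once.

```python
from datetime import date
from statistics import median

# Patch windows in days for "highly critical or worse" advisories,
# copied from the lists in the post above.
PATCH_WINDOWS = {
    "IE (past year)": [103, 108, 29, 53, 7],
    "Firefox (all time)": [7, 24, 5, 7, 3],
}


def summarize(windows):
    """Summary statistics for a list of per-advisory patch windows (days).

    total_days is the "bugs x time-to-fix" score: the sum of every
    individual window, i.e. count multiplied by the mean window.
    """
    return {
        "count": len(windows),
        "total_days": sum(windows),
        "median_days": median(windows),
        "worst_days": max(windows),
    }


def exposed_days(intervals):
    """Days on which at least one disclosed hole was still unpatched.

    intervals: iterable of (disclosed, patched) date pairs, treated as
    half-open [disclosed, patched). Overlapping or adjacent windows are
    merged so a day with three open holes still counts as one exposed day,
    which is what a user actually experiences.
    """
    total = 0
    cur_start = cur_end = None
    for start, end in sorted(intervals):
        if end <= start:
            continue  # patched on or before disclosure: no public exposure
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += (cur_end - cur_start).days
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += (cur_end - cur_start).days
    return total


# Constructed sample data (NOT from Secunia): three advisories, the first
# two overlapping, to show the difference between summed and merged windows.
SAMPLE_INTERVALS = [
    (date(2005, 1, 1), date(2005, 1, 11)),   # 10-day window
    (date(2005, 1, 5), date(2005, 1, 20)),   # 15-day window, overlaps the first
    (date(2005, 3, 1), date(2005, 3, 4)),    # 3-day window
]


def report():
    """Return the per-browser summaries plus the merged-window demo."""
    out = {name: summarize(w) for name, w in PATCH_WINDOWS.items()}
    out["sample_summed_days"] = sum((e - s).days for s, e in SAMPLE_INTERVALS)
    out["sample_exposed_days"] = exposed_days(SAMPLE_INTERVALS)
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With equal advisory counts (five each), the summed windows differ by more than a factor of six, which a raw count of vulnerabilities cannot show.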
Bruce
Bruce Perens.
This wasn't included in the summary, but is what is really important. How many of those were FIXED in that same time period? More accurately the study would state something along these lines:
The Report:
25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, eighteen of these flaws were classified as high severity....
During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity....
Okay....And now the important part.... (no, I don't have the actual data, but I'm sure it is available)
Of the 25 reported for Mozilla, 22 were fixed....
Of the 13 reported for IE, 2 were fixed....
NOTHING will ever be bug free. What's important is how long that bug remains.
- AMW
Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties. It's an irrelevant quibble though, since web browsers are far, far too complex to ever be formally validated.
Is Slashdot the most biased forum in the world?
These are the excuses which have appeared in the first half hour of this article
1) More vulnerabilities are discovered in FF because FF is open source & peer review found these bugs. This is good.
2) But I never got infected by FF.
3) But Mozilla issues a press release against Symantec
4) Symantec is biased
5) Symantec is doing this to increase their business
6) IE has more vulnerabilities which aren't yet discovered
7) FF has more dedicated devs hence they are more likely to admit a vulnerability than IE
8) IE Sucks
9) Microsoft sucks
Many of these have also been modded Insightful or Interesting & these moderations will most likely be meta-moderated as fair.
"Malicious popups"?? "Crashing browser only"??
Yeah right. Please! Stop! I'm laughing so hard it hurts.
2003-2005
http://secunia.com/graph/?type=imp&period=all&pro
2005 Alone
http://secunia.com/graph/?type=imp&period=2005&pr
Damn editors.
I am a believer of momentum and curves.
we all know that:
...and who never calls me with problems?- The Firefox & Eudora users!
1) M$ usually does not tell anyone of flaws (until they are found and M$ ends up with egg on their face) whereas Mozilla does.
2) Mozilla has a much shorter "fix time".
3) Symantec is a "windows company" whose bread and butter is virus infections.
You can call it an 'opinion' but, common sense would call it:
1) FUD
-or-
2) Symantec is full of morons.
It's funny, in my offices, who calls me with virus/computer problems? - The IE & Outlook users!
Your thin skin doesn't make me a troll
Speaking as (not one of the few) IT guys who reads this thing, there's an interesting point to be made about Symantec. IT DOESN'T ACTUALLY CATCH VIRUSES! In the last year I can count off the top of my head where a Symantec "protected" system came in with so many viruses, some of them I swear reproduce when you kill it, so much spyware, so much malware that I had to harvest user-entered files off the system, back them up to CD-R's and wipe the system just to get it going.
I've been using the free version of AVG Antivirus (http://free.grisoft.com/doc/1) and endorsing it to my customers along with the free version of Ad-Aware (http://www.lavasoftusa.com/) to make their system work and putting Firefox (again, free) on the system regardless.
Did I mention all of this was free?
None of those systems have come back to me with viruses and spyware/malware problems. Symantec, well you need to pay them 20 bucks a year and usually end up having to buy their software yearly as well...
Let the corporations foot the bill for corporate versions of software; it's too expensive for most average Joes to be shelling out thousands of dollars for "security".
"I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions,"
How so? They use a standard that is easily understood, and applied.
Just because YOU don't like it, doesn't mean their evaluation is incorrect. Hell you bring up this point
"Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?"
What does that have to do with browser security?
Whenever I see a post trying to discuss weaknesses in open source products, I KNOW a fanboy screed will be the first post. EVERY TIME.
And just so you know, I use Firefox exclusively, and I hate IE. With the news about opera, I'm going to try that later today. So no, I'm no apologist for MS.
I'm just tired of people refusing to have a reasonable discussion about OSS security without incorrect, invalid, irrelevant comparisons to MS.
Reminds me of a quote
"Winners compare their performance to their goals, losers compare their performance to others' performance"
Mozilla isn't secure enough yet. That's the story. The rest is just excuses.
I don't know about your specific site, but there is an FAA website I routinely use that I can't get to work fully on Firefox, Konqueror, etc. However, I can get it to function completely with Opera.
A goal is a dream with a deadline
Most banks offer their own bill paying system for their customers. Instead of setting up Cingular's automated online payments, you could consult your bank and find out if their system would work with Cingular.
Oddly, I use Cingular myself, and have no problem using Firefox on Linux to manage my bills, but perhaps my experience isn't universal.
But within the bulletins, there are lots of bugs, like the one fixed by MS05-024 that aren't "technically" IE bugs. But the end result is that a malicious web page (or advert iframe) could do something nasty... usually execute arbitrary code (install spyware or a virus if the server is infected). If simply viewing a web page with IE allows an attack, I call that an IE bug, regardless of where the actual bug is located by Microsoft's way of thinking.
Notice how the "affected software" of MS05-024 is many versions of windows, but Internet Explorer isn't specifically mentioned. So when someone tallies IE bugs, this one probably doesn't make the list. But the "Vulnerability Details" section says:
I can see how a journalist could do such poor research. But Symantec? Come on, I found 22 nasty IE bugs by just browsing through 40-some Microsoft bulletins. That Symantec only thinks there's 13 doesn't build much confidence in the supposed "market leader" of anti-virus products!
PJRC: Electronic Projects, 8051 Microcontroller Tools
2) Mozilla Firefox is not bug free. No piece of software is bug free, and only a mentally retarded moron would believe otherwise. What is important is not that security flaws get found, but (a) how open the organisation is about the flaw [full disclosure] and (b) timeliness of fixes.
Here is 1 bug free program for free. Compile using a Basic compiler. It makes sound (at least if your hardware and OS support and enabled it)
How to respond to bad Mozilla security news on /.
1.) First, immediately dismiss the results, just like you did in the last Mozilla security story. Mozilla is flawless.
2.) Randomly reference Open Source, claiming the flaws were easier to find because of it, which has nothing to do with the report in the article and actually sounds like a criticism of Open Source, if anything.
3.) Accuse the study of bias or "shilling." ALWAYS do this when the study goes against your pre-made worldview (in this case, Mozilla being flawless). When the study gives the opposite conclusion, agree with it and praise it, often with related anecdotal stories.
4.) Reference Internet Explorer's age, which has little to do with and doesn't change Mozilla having more flaws than Internet Explorer today.
5.) Ask how quickly the Mozilla vulnerabilities were patched, ignoring that Mozilla has marked vulnerabilities "Confidential" before for them to sit for two years unfixed.
6.) Claim Internet Explorer is integral to the OS, when you argued that Internet Explorer was easily removed from Windows during the anti-trust trial.
7.) Claim matter-of-factly that, for some reason, it "goes without saying" that the study uses some sort of flawed logic, without citing the logic, giving proof, or backing the statements in any way. Simply claim it, knowing everyone will mod you up because they, too, want to believe Mozilla is flawless.
"Sufferin' succotash."
It's not about how many fires need to be put out, it's about how fast the company puts them out that makes the difference...
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
So, in Symantec logic, the way to build the most secure browser is not to have sound coding practices, but to simply refuse to confirm any flaws. Nothing to see here, just move along!
I was looking at this and a similar story in a few places today and all the headlines could have been written by Microsoft PR. Boy does the alternative movement need a single PR department that issues regular press releases (open source PR, that might be cool).
The problem I have with Symantec's headline and the regurgitation of it in the media is that Symantec actually said "Mozilla Web browsers are potentially more vulnerable to attack than Microsoft's Internet Explorer" (according to TFA). However, the headline fails to address the following point in the same article "the report also found that hackers are still focusing their efforts on IE".
If we re-spin the headline it might read "Symantec claim IE more likely to be exploited than Mozilla browsers". That is at least as substantial an element of Symantec's report as the one used for the headline.
I note also that TFA states "However, it's not clear from the report how quickly Microsoft and Mozilla released patches for their respective vulnerabilities, or how many of the vulnerabilities were targeted by hackers, though Microsoft generally releases patches only on a monthly basis". So, equally, we could make the headline: "Microsoft patches lag security exploits by weeks".
NB: The point is not whether Mozilla is better than Microsoft, it's that the headline misrepresents the report by inappropriately favouring Microsoft's position.
How many of the users of Mozilla have gotten malware/virii? I don't know any, personally. I know of an awful lot of people who have through the use of IE. Enough said. The rest is the same old, with fallacious arguments, and as someone once said (famous line): the author of this article "doesn't deserve to smell my shit". ;-)
Symantec stopped producing effective software a long time ago. There was a time though when any self-respecting geek had a copy of Norton Utils, you know, the ones with all two-letter file names like NU.EXE.
Brand familiarity and name recognition are suitable substitutes for quality when it comes to business and profits. I wouldn't touch any of their software with a 10 foot IDE cable anymore, and haven't for the past few years.
It matters because Mozilla marketed FireFox not just as "not targeted by hackers as much", but as "inherently, fundamentally more secure, and nigh-invulnerable". They didn't say that directly but certainly have suggested as much, which amounts to the same thing. That turned out to be a lie, and many around here can't stand the fact that the Emperor has no clothes. The damage control applied to this topic is just delicious! LOL
-- "I never gave these stories much credence." - HAL 9000
Symantec rarely captures any in the wild viruses any more. We leave that now to Kaspersky, NOD32, Panda, etc... Symantec never seems to be on top of the industry they claim to be 'the leader' in.
And then they release a report that deems software that has already proven its security, its stability, and its ease of use in comparison with Internet Explorer, 'lacking' in security or more prone to attack.
Entertaining even more still, is that Linux and Mac OS are 'insecure' yet again, are pieces of software that have proven themselves secure and stable. Granted, an idiot could screw up the security...
I suppose Symantec's release on this subject is to 'perceived' security. I mean, if they can't capture any viruses before the smaller, less obnoxious firms that also support Linux, Macs, and are proponents of Firefox well... then why the fuck should we listen to them anyway?
The price is always right if someone else is paying.
Mice chase cats. Drought in New Orleans. Bush is a wonderful and peaceloving president.
Sure, FF on linux might be safe, but any application running under windows with Administrator rights has the potential to take over the entire machine.
Would it not be truer to say..."application running under any OS with Administrator rights has the potential to take over the entire machine"???
Symantec has no need to worry, I'll still download their software from usenet no matter what! it's a sale.. i mean... erm i obtained it anyways..
Hey dumb@$$,
You forgot the most important two steps...
8. ???
9. PROFIT!
Geez, having been on slashdot for so long, I woulda thunk you had it figured out by now!
yes, I think that Symantec is "more secure" of getting money from ie than from mozilla.
one bug, one crash
...then with the crapware that Symantec sells.
Come on, really, my PC keeps running with 3 spyware or so but I've tried using it with Symantec tools and it's just impossible! Bloat-crap-horse-shit-ware is how it should be printed on Symantec boxes!
I just found 12 vulnerabilities in firefox? What, they don't repro for you? Too bad.
Think of it, the mozilla process is open to public scrutiny. I can go over to the bug list and look at all the documented flaws.
How many people have access to IE's bug list? Remember, if a critical bug is reported to MS, they may choose not to release it to the public. For all we know there may be 100 critical flaws documented.... but they've only admitted to 8 or so publicly.
Unless the two products are compared in a like manner, (full disclosure), Symantec's comparison is little more than marketing propaganda to gain attention. That is unless they have secret operatives with access to the internal MS bug DB.
BOFH, My model for being a sysadmin :)
But in particular, the most important one to consider is your first. The key statement that Symantec states that you must read into is the number of vulnerabilities "disclosed".
With Mozilla being open source, anybody can examine the inner workings of the browser to find a vulnerability. All it takes is someone who cares about making their browser more secure to "disclose" a bug.
With IE, the only way to find a vulnerability is to poke and prod IE from the outside, rather than examining the code directly. And no vulnerabilities exist until Microsoft says they exist. Just because we can't see what's behind the curtain is no valid means of declaring IE the more secure browser.
Also, has anybody taken a tally yet about how many vulnerabilities IE has now had to fix over its 5+ years of existence at version 6?
She's FUD, She's FUD, She's FUD.
She's in my head.
My wife has gotten several, I installed Firefox immediately after setting up her computer. I don't remember all of them, the one nasty one I do recall was Aurora.
I use Firefox at home and IE at work. I don't get viruses on either. Safe browsing habits are all you need. The browser really doesn't matter. I used Firefox at home because my wife for awhile used my computer and went to lots of game websites. Firefox reduced, but DID NOT eliminate the number of infections. With the new tabbed browsing in IE, I'm not sure which browser I'll start using at home.
-everphilski-
I think this is the kicker. The 25 vulnerabilities for Mozilla are almost certainly all the known vulnerabilities. For IE, how many vulnerabilities are there that've been reported that MS hasn't publicly acknowledged?
In addition, what's the severity? The last Mozilla vulnerability was the IDN bug, which was trivially worked-around by changing one config setting until a patch was released. Contrast that to the recent vulnerability in IE that MS won't discuss details of, other than to say that it allows total compromise of the machine and they won't be patching it until next month, and there's no workaround for the bug because nobody knows what the bug is (outside of MS, the security company that found it and the black-hats, of course).
My take on it: Mozilla may be having more vulnerabilities reported, but it's still fewer than in IE and those vulnerabilities are less severe, easier to work around without crippling your system and fixed sooner than IE's holes. From a user's viewpoint, this makes Mozilla more secure than IE.
We need to look at real world numbers here rather than vulnerability counts. How many of you have been called to friends and loved ones houses in order to clean their PCs that were infected through Firefox?
Anyone? I doubt it. So until we see massive numbers of systems getting rocked because of Firefox vulnerabilities, it's nothing but specious to claim that the security of the two are even comparable.
dmiessler.com -- grep understanding knowledge
Mozilla is actively developing a browser. Microsoft's IE really hasn't seen much innovation in _years_. There tend to be more bugs in new code, however, these bugs are squashed quickly and targeting the install base is difficult. A vulnerability in a piece of software that is in maintenance-mode is a much bigger target.
I occasionally work support for our ISP section of the company and let me tell you, Nortons Internet Security is the devil! We get calls all the time that "my internet doesn't work". Can you ping google.com? What? Directions....etc...etc. Yes I can ping it. Are you running a firewall? A what? Directions to have them turn Norton Internet Security off... Internet works! Now it's partly the end user's problem for not knowing how to use the product but perhaps it's partly Norton's fault for not making it easy enough to use. As for Firefox...I never get any spyware on my system. I use the Javascript blocking extension along with others and have never had a problem.
Symantec - I only use one of their products these days. The bloated software and subscription boondoggle are what pushed me away.
But I'm much happier with Firefox than I am with IE. Why? Because things get fixed faster. And let's face facts, IE is so closely intertwined with the OS that when it has security holes the scope of vulnerability is magnified.
This positively reeks of MS trying to eliminate the competition. As we all know, press releases serve no purpose but to advertise. When you consider who would have the motivation to kill Firefox guess where the fickle finger of fate points.
I'm sure everyone's noticed the word "disclosed". Firefox/Mozilla are open sourced, so everyone can see potential vulnerabilities and tell the world. IE, however is generally limited to the MS developers, and it will pretty much be up to their bosses to decide whether to disclose a vulnerability.
How many IE vulnerabilities are there that we don't know about?
What people don't seem to realise is that this is no longer Microsoft vs. open source, the battlefield has become a lot larger and the war is now between commercial interests and open source. We know how it will turn out in the end, but that doesn't stop big companies trying to clusterfuck us all anyway.
There would be a lot of angry shareholders and out-of-work executives (Darl, anyone?) if these companies did not attempt the exercise of self-survival.
There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
So I wonder if they updated their article once M$FT confirms the other 19 issues they are researching
Also wonder how much M$FT Paid them to write the article.....
Mozilla Foundation has published a statement saying that in order to increase Browser security we will not confirm any new vulnerability.
MOD THE CHILD UP!
As most of us know, IE is core to Windows, where Firefox is a browser. This is not disputable as when you browse your harddrive, you're actually using Explorer, type a IE address in to it you're already using the internet version of Explorer. This bypasses all security set up on the IExplorer.exe file. It's a bad situation.
Firefox has one major entry point.
So here's the problem, when Firefox gets hacked, you lose firefox, and reinstall it at the worst. When IE gets hacked it makes the ENTIRE OS unsecure. 1 security flaw in IE makes the entire OS vulnerable. Firefox's vulnerabilities should be local to Firefox. If the OS was completely secure it couldn't go farther than it.
That's the problem Windows keeps adding more functionality but that just adds more holes. Firefox is a localized project, not a piece of the actual OS and thus for any person it should be considered less critical when IE has a vulnerability.
Nitot likened the differences between Firefox and IE vulnerabilities as being like injuries: "Which would you prefer, to have a broken finger, or your head ripped off?"
Like it, Internet Explorer... its like having your head ripped off.
An Eye for an Eye will make the whole world blind - Gandhi
Likewise. Wish I had modpoints
By reading this, you have given me brief control of your mind.
Studies can say anything they want, but the number of viruses and spyware I have found on my computer has been reduced to almost nothing since I started using Mozilla. The facts speak for themselves.
What a dilemma. Must be important enough to warrant a slashdot discussion.
Now even Symantec has MS moles in their midst. We all know it is not possible for a MS product to be more secure than anything. It even blows my mind that companies bother publishing reviews that indicate as much. They should know that the /. crowd would never fall for biased pro-MS propaganda.
;(
Awareness of security holes is a _must_ and publishing them is ethically correct. But purposely sensationalizing them for the sake of making news, or for furthering careers, or simply to help with flogging application superiority rights (MS IE versus Mozilla Firefox) is just a useless slinging match.
This only gives every company's technologically-inept management staff some partial information which makes them keen that they have something newsbreaking to talk about at the water cooler. I guess the talk of Adware and virii has worn thin lately. (P.S. stupid water cooler located outside my office door)
Let the security flaws be published on bugtraq, then tell the overexaggerating tech reporters to bugger off.
What we (fellow I.T. folks) don't need is more half-baked fodder for our management staff to stop-by, only to emphasize how good(or bad) was our choice of software...according to them.
That said, Firefox is generally patched rather quickly, and IE always takes much longer to receive patches.
Back to work everyone. There's patching afoot.
Being open source has absolutely nothing to do with the fact that Firefox has a few holes to patch. Most mainstream windoze apps are busted, especially if they rely on Explorer API's.
This was already posted yesterday. Why is it being posted again today?
I'm sorry sandwich! --Brak
Just put the four letters, "BETA" on the product. Then everybody would just have to shut up because they shouldn't be using beta software for anything important anyways!!!
- First, the count of vulnerabilities only includes those recognized by the manufacturer; if the manufacturer chooses not to recognize them, they aren't counted.
- Vulnerabilities for Internet Explorer are only the ones that could be detected by "black box" testing of attempts against the program since the source of the application is invisible.
- Vulnerabilities for Mozilla can also include those that are discovered by someone examining the code of the product, which is, basically, anyone who wants to bother to do so.
Does it not stand to reason that if the source code is available there is a higher probability of finding errors and spoilage over a binary application to which source code is not available? In which type of package are you more likely to be able to detect spoilage, an opened tube of hamburger or one wrapped in a sealed, opaque tube?
IE is shipped in an opaque tube, mozilla is always open for examination any time you choose to look at it. It's even more open than hamburger that was shipped in a transparent tube since you can see even inside the package. (I know the analogy is kind of greasy (pun intentional) since hamburger is at best shipped in transparent wrap over an opaque plate, and is never shipped in fully transparent materials, but I think the point is fairly clear.)
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
The difference in the amount of bugs might just be caused because Microsoft is somewhat more reluctant than MoFo to admit its own faults.
I am not trolling, I am just stating an option.
My other post is a First.
Symantec makes anti-virus software for finding viruses that affect Microsoft products. This is a lucrative business indeed. Symantec depends on the flaws in Microsoft products for their very survival (and they seem to be thriving, not just surviving).
Now, if people start using more secure options like FireFox wouldn't that worry not only Microsoft, but also Symantec?
Think about it.
How about an article on how /. is becoming more stagnant and repeating the same stories ad nauseam.
7 251&tid=172&tid=95
http://it.slashdot.org/article.pl?sid=05/09/19/22
maybe this should wait for IE 7.
6 hasn't had any new features added in a while and need to play catch up.
This exposes the gulf between open source security and proprietary security. Ignore for a minute the fact that Symantec a) has a vested interest in you using insecure products and b) uses highly flawed methodology as their "count" is actually "count of vendor-admitted bugs". There's a major difference between a vulnerability in Mozilla and a vulnerability in IE.
Since we don't have the source for IE, any vulnerability found is, by definition, exploitable. Someone found a way to exploit it- you get a vulnerability.
Vulnerabilities found in Mozilla, on the other hand, are often theoretical in nature. Someone looking through the source finds the problem, but no exploit is written.
Another major problem is here:
My entire system isn't going to be compromised from me browsing with Mozilla. Period. Somebody is confused.
Do you have ESP?
Why is no one asking the question whether Microsoft and Symantec colluded to divide the software market. It looks to me like Microsoft chose not to compete with Symantec in certain critical markets. For example, until recently there was no Microsoft product which competes with Norton Anti-virus or Norton Utilities. That in itself is very much out of character for Microsoft to not want to "own" every element of the end user "experience."
Here is a plank to support my theory: Microsoft had leverage to use against Symantec. Symantec relies on the release of critical internal details of the OS and disk formats which enables Norton Utilities to work as advertised. Did Microsoft wield that leverage in some way? For example, what happened to Symantec's product which competed directly with Windows' File Manager, Norton File Manager?
We'll never know with this DOJ.
The clincher (for me) was when Symantec CEO Gordon Eubanks testified in US DOJ vs. Microsoft. He said that a break up of Microsoft would be a bad idea.
It also appears to me that Ballmer's fingerprints were all over AMD's CEO Jerry Sanders neck. Why else would he have given similar testimony as Eubanks?
The keyword in the article is "disclosed", which means the ostrich strategy of pushing your head deep into the sand.
There were only few bugs "disclosed" for IE, so it is secure. In reality many dozens of "undisclosed" (i.e. not reported in a Microsoft dictated restrictive manner) bugs are being actively and daily used by black hat people and adware makers to attack Windows PCs all around the world.
In contrast the Mozilla family has three dozen bugs, because developers accept bug reports in whatever form it comes and fix them, making the bug "official".
I'd recommend Microsoft to augment their ostrich department with the legendary three monkeys, which do not see, hear or talk, so IE stays even more secure. Or even more, let's make that 12 monkeys.
So...if Microsoft won't confirm that a bug exists, it does not get into Symantec's formula, right? It seems that if Microsoft stops confirming the bugs, Symantec will think IE is *completely* secure!
:-(
This should give us great confidence in Symantec as a security vendor.
... several Microsoft employees were found snuggling below the desks of the Symantec "experts" who recently performed a comparison between Firefox and IE security.
I'd like to see:
(average severity)(number of bugs)(time to fix) / month
That's about it.
... testing says, IE is crap, FF is not. That and FF actually fixes its bugs.
Test:
Run IE For One Week, With Virus Detection of your choice.
Run Firefox for One Week, With Same Virus Protection.
End of Each Week, run adaware and spybot. Which browser has more cruft built up in a week?
IE. Every time.
Shadus
A slightly agitated Tristan Nitot, on suggestion that Microsoft IE is more secure than Mozilla-based browsers:
"Which would you prefer, to have a broken finger, or your head ripped off?"
I think this should have been integrated into the story summary somehow.
"Security is a process, not a product."
You simply cannot count vulnerabilities and conclude which application is more secure. You must take into account the history of the vendor, how they respond to security vulnerabilities, how the application is designed, how it is implemented, and whether you trust the vendor to have enough interest in the product that, in five years time, they will fix the inevitable security flaws.
On those terms, Microsoft falls flat.
Even with extensive code reviews, the potential for malicious developers to submit code with hidden vulnerabilities is high. We just had the 2005 Underhanded C Contest (see link) which demonstrates the possibilities. http://developers.slashdot.org/article.pl?sid=05/09/18/158200&tid=156&tid=172
I installed FireFox before its first release, and have kept it up to date. My intention was to abandon IE and all its security problems. However, I had so many problems with so many different sites (OK, I know - blame MS, not FireFox, but that doesn't matter to me nor to most users who just want things to work) that I reverted to IE. I do use FireFox however when I am "venturing into the vast unknown" but for most of my browsing, when going to sites I know and trust, I use IE. This has worked out nicely for me as I suffer a minimum of frustrations and a minimum of "contaminations". This is kind of like driving along with your doors unlocked and your windows open (pun intended) and then, when you enter a neighborhood that doesn't look so friendly, rolling up the windows and locking the doors. If FireFox always worked well with all the web sites I visited I would switch over to it - but so far I have not found that to be the case.
The more you regulate a company, the worse its products become.
It doesn't matter how much more open Mozilla is, or how much more often they release patches, the problem Microsoft has always had is that people don't patch their software. Two of the biggest worms to affect Microsoft products a few years back, Slammer and Code Red both exploited a vulnerability for which a patch was released months before the viruses. I've said it from the beginning, there is no program as complex as web browsers these days that are immune to viruses and worms. If you want to really "stay safe" just keep updated or use an obscure browser, like say, lynx hehe.
If Firefox had been more popular, would it have been more exploited? Would it have been worse than IE? These are useless questions.
The point is, Firefox users are more secure than IE users. And Firefox developers are much better listeners than IE developers. People who use Firefox have a better experience with their computers. And that is why IE has lost market share.
I hope nobody takes all these B. S. articles seriously.
It only makes sense that as a piece of software becomes more popular, it becomes a bigger target. It doesn't matter who makes the software, if it can be exploited, and it can affect a large number of users, it's only a matter of time. This just shows that OSS can be just as bad as everything else.
Funny, given only the statistics mentioned on the slashdot front page, I come to the opposite conclusion they do: firefox/mozilla is more secure.
Why? There will always be insecurities in code. The more insecurities that are both found and patched, the fewer there are to be exploited. As the very nature of software prevents there from ever being a complete lack of possible exploits (within reason), the more vulnerabilities found actually indicates a lower likelihood of future vulnerability.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I suspect that MS looked jealously at the revenue stream coming from Symantec. By bundling security products into Windows, MS can now grab an increasingly large chunk for themselves. So where does that leave Symantec?
If Windows Vista is as secure as MS says, there will be few opportunities for Symantec there. Win95, 98, ME, NT and Win2K will be around for a while but not for long. Most Unix-based OSs (Solaris, BSD, etc.) are very secure, so probably not much opportunity there.
So, Symantec (and similar companies) can only hope for a mix of the following:
- Vista is just as buggy and insecure as all previous versions of Windows.
- Linux finally arrives on the desktop full of exploitable holes.
- People keep using older versions of Windows for as long as possible.
Personally, I think option 1 is more likely.
Art Makers Just an excuse to show photos of naked women !!
Parent's link to the previous post is broken. Parent's previous post.
Now I'm totally confuzed. The previous post links to a previous post where the data is actually shown. GP's original post.
Because the TurdTapper is always Insightful
BenCurry.net
How to be a Slashdot troll like Overly Critical Guy
1.) Always make a list of bogus claims, lies, and half-truths that tries to tie a particular point of view to everyone who reads Slashdot.
2.) Be sure to have a holier-than-thou attitude, and act like you speak from authority when you don't have the slightest clue as to what you're talking about.
3.) Make sure that your list is long. Long lists == +1 Insightful!
4.) Always use the following words: groupthink, hive mind, college student, hypocritical, zealots. Make sure that you combine them in such a way as to make them pejorative terms.
5.) Did I mention that you should make sure that your list is long? This is very important, since lots of words makes you sound like you know what you're talking about.
6.) Repetition and circular arguments, straw men and other logical fallacies are key. Nobody will bother to check up on them, and most everybody else doesn't care.
7.) Mod yourself up from other accounts. Be sure that your zombie account farm has plenty of mod points so that you can mod yourself up as +Insightful or +Interesting, ensuring that other moderators who haven't bothered to read the post or do any fact checking will mod it up by assuming that the upmod is a correct one.
8.) Did I mention long lists are very important? Restating points that you already made is very important, since it makes your puny, worthless argument look like it has any meat on it.
9.) Repeat it over and over again, ad nauseam, to every story that is even tangentially related to the point at hand. Repeat, then repeat again. If you're downmodded in one story, some lazy moderator will eventually toss you mod points.
For me it seems that the biggest problem with IE is that it makes it easy for users to screw themselves over, regardless of security exploits. Something will pop up and a user will click it (maybe just trying to hide it) then get ad-ware all over the place. The most likely is the cause of the notorious pop-ups when nothing is running. It's not quite as easy for FireFox users. IE can be set up to be similar in vulnerability to FireFox, but FireFox just has better defaults. There are also the standards issues but that's not really the point here. Just my 2 cents.
Like how the CVS Double-free flaw was discovered a year after it was patched?
Get your Unix fortune now!
Good grief, every other article is about how Google is now evil or about how insecure Firefox is and that we should all switch back to IE.
How much did Bill offer you, Taco? Was it a lump sum or is he putting you on the payroll to keep spreading the FUD?
The Anti-Blog
I've been hearing about how grate it is and how is trumps Mozilla in every way. So I would like to install it on my Linux box. Ware do I get teh source?
Signed,
1337 h4x0rz
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
...on a PC without Internet connection...
"Since Microsoft is pretty much the largest source of vulnerabilities on desktop PCs,"
I find it difficult to see how anyone can claim IE is more secure than any other browser, unless there is one that purposely downloads malware, of which I am unaware. I'm not going to dupe all of the other comments about the design issues in IE, but it will be a frosty day on the sun when I browse with IE without some protection.
.. paranoid crackpot leftover from the days of Amiga.
how many vendor-confirmed issues IE and Firefox have had during their whole lives. I can bet Firefox wins (I know that it got to version 1.0 this year, and is younger than IE).
Or even better, I'd like to know which one had more issues in its first year. Again, I can bet Firefox wins.
Absence of evidence is not evidence of absence.
nuf said
Could all of this "firefox not secure" buzz more obviously be sensational garbage? It's like people hear that more popular products = more discovered security vulnerabilities and then fail to see all of the other variables at play here. Fucking ridiculous.
Off-topic, I know, but please, if you're going to go latin on us: the plural of virus would be viri, not virii...
I hate to disappoint you, but having "enjoyed" 6 years of Latin in school, let me point you to: http://linuxmafia.com/~rick/faq/plural-of-virus.html
one of the best articles i have read in slashdot. it has to be moderated 5 funny!
I used a mix of Internet Explorer and Firefox for 6 months. I did my usual "Surfing". My Surfing is NOTHING compared to what some people do. My surfing includes Slashdot, Experts-Exchange, and a few WoW guild webpages. In the period of 6 months, I did NOT run Spybot or Adaware (did not even have them installed). My findings: No spyware (except a few dataminer cookies for displaying ads). Summary: Don't go to stupid sites, and you won't get stupid spyware. Simple as that.
You fall and receive 6334 damage.
You die.
Seriously...would a security/privacy company *ever* claim their products weren't needed?
Give me a break. This is just an ad for their products and nothing more.
But there aren't a lot of client-side technologies to deal with--just JavaScript, HTML, CSS, and language support. Considering how long it's taken for IE to get decent CSS support, we might as well consider it to be static as far as features go--at least with the exception of IE7.
And in that time, it hasn't had many improvements in stability or security. If Mozilla had little improvement in features over the next four years, I'd expect it to be stable as hell and secure.
FireFox, by default, requires you to whitelist sites to install software from them. So, no exploits from that side.
And so on and so forth.
The key to security is to reduce the avenues of attack.
If my browser will not run any code from your site and I will not download any apps from your site, then I do not have to worry about being cracked via my browser going to your site.
No. That only applies if 100% of the population (or close to it) applies those patches as soon as they're released.
You cannot depend upon the users applying patches so you must focus on removing the threat before the user is involved. That is where FireFox's whitelists beat Microsoft every time.
Again, that is only the case if the vulnerabilities can be exploited. If I don't allow Java or JavaScript or installs from a website, then it is going to have to be a pretty dramatic vulnerability for me to be infected.
And until that vulnerability is shown to exist, the discussion is purely theoretical while the discussion of IE's exploits is documented fact.
In my experience, Firefox is more secure. I've used Firefox nearly since it came out. I was sick of IE. My wife still used IE. Guess what machines had spyware installed? My wife now uses Firefox.
Let's assume that Firefox and OSX are more secure. Would it be in the security industry's interest to trash them? Sure. Because the security industry WANTS us to be fearful of security breaches so we buy their products. If there ever was a secure system, they'd be out of business.
So basically Symantec wants to put a little fear in people who have switched and it's nothing more than that.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Isn't that a little like "Nagin on distaster response?"
It's also unreported and undisclosed major gaping holes, the ability to automatically run scripts that install viruses and spyware on your laptop, and the clear fact that running IE without security at top levels leads to a compromised PC within minutes on the UW campus, whereas you can run for days with Firefox.
Let's get real, and stop pushing phony statistics.
-- Tigger warning: This post may contain tiggers! --
Isn't that a little like "Nagin on disaster response?"
Sung to the tune of "What a Wonderful World" by Sam Cooke...
Just another point of view. You can't compare directly; you have to take into account that in theory IE is a most "mature" piece of software.
There's one big fundamental difference between IE and mozilla. IE is so deeply integrated into the OS that the implications of a single vulnerability are far more grave.
This story is like saying "mozilla leaves its front door open more often than IE" but failing to note that if you walk into Mozilla's door, you're in the lobby. If you walk into IE's door, you're teleported to the boiler room and given a complimentary stick of dynamite.
BIG difference. All an attacker can do if they compromise mozilla is do whatever the user could. Compromise IE and you're elbow deep in more fundamental parts of windows.
When I use IE, it's a matter of days or hours before I have extra toolbars taking up real estate on my browser. If I leave them alone, It's only a matter of a couple of weeks before I have less than two inches of actual browser window left.
Now, Firefox, on the other hand, does not have this problem. I've seen ONE thing add itself to my firefox browser without my putting it there. Since 2002. That makes Firefox the more pleasant experience, IMHO. Ok, so there are a few a**holes who program their websites to only work with IE or maybe the now no longer developed Mozilla (Yahoo Launch/Music, I'm talking about you!), but there are relatively few. Most businesses "get it" that if they don't develop for Firefox they lose potential clients. So I'll stick with Firefox until it becomes unpleasant, thank you very much.
Drop me a line at:
Key ID: 0x54D1D809
Nothing is secure anymore. Nothing. If you are on the net, at some point you are always vulnerable. The protocol is obsolete as well as if there is money to be made, someone will try to make it unsecure.
I am sick of hearing if something is more secure or not. Who cares.
1) How many "browsers" do Mozilla-family browsers represent? How many browsers does IE represent? I'm thinking 2-3 for Mozilla (Suite, Firefox, and possibly Camino) and 1 for IE (just 6.0).
2) Why is the "One caveat" buried at the end?
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
I think that everyone has forgotten an important factor here. Not only is Firefox open source, but Mozilla actually rewards people monetarily for bringing vulnerabilities to their attention. This is in sharp contrast to say Microsoft who has threatened legal action against these same people. So let's look at an example...
Mozilla's Bug Bounty Program will PAY you $500 and openly discloses their code and vulnerabilities (after a fix of course)
Microsoft will threaten and perhaps follow through on legal action, and certainly does not open their source code.
If these responses are so predictable should you not have had time enough to think of some actual rebuttals? I have another for your list:
8.) Pointless troll ranting against the Slashdot groupthink without adding anything to the discussion.
using IE6 will never ever lock you and or your company into one single software company.
The 23rd century. He uses the builtin teleporter to come to your house and check your holographic photo ID.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
It also says that Macs and Linux boxes are as insecure as Windows boxes.
Considering that their entire business model revolves around fixing problems with Windows, this is some incredibly self-serving bullshit.
BTW, the Register had a better article with links to the actual report.
First I will say that I am a Mozilla user that has been considering going to other nonXUL-based browsers in order to get better security. I now regard Mozilla and Firefox design at more or less the same level of security as IE.
IE's main problem is that you have this concept of security zones. These zones are supposed to allow one to trust intranet sites with ActiveX controls that might not be trusted on the internet. However, there are plenty of ways to cross this barrier so it is fairly porous. Hence the combination of ActiveX and security zones makes IE inherently insecure. Get rid of either one and things get a whole lot better.
The problem with Mozilla is that you have very expansive capabilities in the Mozilla Portable Runtime, and that these capabilities can be accessed by Javascript. How do we make it secure? We require that these are accessed via Chrome components. In other words we have a very similar set of design flaws to IE in Mozilla and Firefox. Don't believe me about the separation, try putting this into your address bar chrome://navigator/content/navigator.xul (harmless yet a good demonstration of the link between content and interface and sufficiently annoying that Slashdot won't let me add it as a link ;-)).
Now, Mozilla has two advantages over IE:
1) XUL is a really great RAD tool as long as you don't use it as a general purpose browser.
2) You can get around the security border issue by running a Gecko-based non-XUL browser, such as Epiphany, Camino, etc.
LedgerSMB: Open source Accounting/ERP
I'm sure now that if I read another piece like this I'll stop reading /.!!! Ok everybody has the right to publish his thoughts-ideas but in a corporate warfare I don't want information to be a casualty!
I may well be incorrect so bear with me, but doesn't the maturity of the codebase for IE vs FireFox / Mozilla mean anything?
To rephrase that, isn't it more accurate to compare flaw discovery in a 2 year old FireFox against that of a 2 year old IE? I guess you could factor in that the Mozilla foundation have the benefit of knowing about past IE flaws already but am not sure.
ps. I don't know how old the codebases are so I'm using 2 years as an example.
/. proves once more it's sliding down the relevance scale :(
Anyway:
Firefox: Comparatively new browser and gaining wider and wider usage. Hence an initial low number of holes which is now ramping up as people use it more and it gets on to hackers' radar.
IE: Rather long in the tooth and has been around for a while as the most popular browser. Almost continual flurry of holes for the last few years which is now slowing down as all the easy (and most of the not so easy) holes are found.
Any product will have a bell curve distribution of holes...
It would be more relevant to compare the number of holes discovered since release. OR even better track the faults as a metric based on the lines of code affected vs the total lines of code contained in the product. Might be awkward with IE given its dependencies on other M$ dll's etc... but would be a lot fairer.
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
What intrigues me is that, in the report, they specifically state, "VENDOR confirmed." Don't we all understand by now that Microsoft is more than a little weak on confirming, let alone reporting, security issues?!? On the other hand, the open source community thrives on reporting, confirming, and repairing problems. This automatically raises the "vendor confirmed" issues for Mozilla/Firefox while artificially lowering the count for IE.
When Mozilla has been a real concern (for example since .9) on a big scale close to half the time IE has been a real concern, this will not be an issue, and in the meantime security through obscurity beats using the primary target of every scumbag coder on the planet.
Jesus fucking Christ. This has got to be the worst number doctoring all day long. From TFA:
There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
Oh, well that's just a minor fucking nuclear bomb. Doesn't that make the count 28 to 32? For fuck's sake....the 19 vulnerabilities that Microsoft simply hasn't acknowledged just don't count? This new revelation should make it much cheaper to make secure software...after all, I'm sure it takes far fewer man-hours to do nothing than it does to fix something, and according to Symantec, it produces better results, too!
Given a choice between free speech and free beer, most people will take the beer.
firefox nerds what the hell
I just wasted 3 hours fixing my standards-compliant stylesheets so they would work in Internet Explorer, which had added phantom padding, doubled margins, and bizarre rollover implementations. I feel like I just got done digging a grave - I'm satisfied with my work, but I feel dirty and defeated.
I don't care if Mozilla allowed hackers to send Polar Bears & diseased hookers into my living room, I'd use it in a heartbeat over Microsoft's Spaghetti Warehouse attempt at a browser.
And the worst part is - when IE 7 comes out it will read all my fixes and re-break my pages.
we had a very similar article a couple weeks ago (comparing the amount of FF bugs vs ie bugs discovered), and both articles are bullshit.
first, it doesn't matter how many bugs are discovered, since there are key differences in how the bugs are managed.
microsoft:
        bug discovered
              |
             / \
            /   \
         who     don't
        cares    tell
          |      anyone
          |        |
        fixed      |
        next     crappy
        year     workarounds
Mozilla:
        bug discovered
              |
        bug confirmed
              |
             / \
            /   \
        fixed    \
        next     fixed
        day      the day
                 after
                 tomorrow
...do you see the difference?
bugs in FF are discovered, reported, confirmed and then fixed.
bugs in ie are discovered, exploited, eventually reported, sometimes confirmed, and maybe fixed.
[SHOW SOME LENIENCY TOWARDS
Mod parent +1 Flaimbait
Didn't we just have a discussion of these things some days ago???
And wasn't the result that 1. of course there were more vulnerabilities *detected* for mozilla because it's open source and that 2. they were closed *faster* which in fact 3. makes mozilla *more* secure, not less? (While there still are many open holes in the IE where microsoft even forces sites that list them to take the lists down!)
And now everything starts again because of some company called "Symantec" that has the worst anti-virus solution on the market is telling crap? Come on! This isn't funny anymore!
Any sufficiently advanced intelligence is indistinguishable from stupidity.
From Linus' email:
Huh. Sounds like he likes Slashdot to me.
It also seems like he's on to posts like yours.
Bobby has ten animals in his farmyard, Jimmy has sixteen. Who will get the best price at market? It really depends on what the animals are - and it's the same with these incredibly simplistic bug comparisons. We need better tech journalists, or need to send some of the ones we have back to first grade.
I am not going to try to convince you that Firefox is better than IE, but here is an article that bolds some of the interesting parts of this article which was posted on Slashdot earlier today.
Feh. I wouldn't stand up and say that any Mozilla product is "flawless" by any stretch. We're talking, though, about relative security. There are a few things to consider in the equation:
Keep in mind that when I say "bug" above, I'm referring to security-related problems only.
Now, I'm not paid enough to do a detailed analysis of all of these factors, and so I will admit that I'm at least partly speculating. However, I'd say that even though Firefox falls short of IE on the first 3, it tends to outperform IE on the last few.
Add to that pretty decent stacks of anecdotal evidence; I have family members that had malware issues that disappeared after converting to Firefox, and reappeared when returning to IE. I read and hear many such stories on a regular basis. Granted, anecdotal evidence is not hard evidence, but it gives me a "gut feeling".
This "gut feeling" that Firefox is more secure is shared by many knowledgeable people. Because of this, any report that suggests the opposite should be rigorous in presenting evidence. The core issue here is that Symantec and News.com failed to provide compelling evidence to counter the prevailing opinion. Firefox gets the benefit of the doubt until someone can present a clear argument why it shouldn't.
Attacking accepted wisdom is a wonderful thing -- but doing so in such a shoddy manner gives it the stink of "spin", or "hype reporting" at best.
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
Sorry, links to Bugzilla from Slashdot are disabled.
Karma: It's all a bunch of tree-huggin' hippy crap!
Turn off ActiveX, JavaScript and images in IE, and it becomes just as safe as Firefox with everything enabled. So I don't see a problem with IE at all.
Karma: It's all a bunch of tree-huggin' hippy crap!
Flawed comparisons like this one are worthless.
When is someone going to write a story about the curious pattern of published flawed/fatally-simplified comparisons that are inevitably pro-MS? I see a lot of people starting to "follow the money" already...it'd make a great term paper, kids.
Slashdot? Oh, I just read it for the articles.
Reports like this make me lose respect for the author(s).
When you compare Firefox to IE, you are comparing two unlike products. They are unlike in the sense that IE is on version 6.x, and Firefox just recently broke 1.x. Also, they are unlike in the sense that a vulnerability in Firefox isn't as "major" as a vulnerability in Internet Explorer, simply because Firefox is not a core OS component, as IE is.
Now, think about it: How long has Firefox been around? How much does it integrate with Windows, Mac OS, Linux, and all the others, on the OS level? How long did it take for the flaws to be patched?
I am far from a Microsoft-basher, but seriously, these reports are crap.
Basically you have just proved the previous poster right. Your comeback on him is anecdotal evidence, with no proof or evidence. Symantec provided numbers, facts and figures. If you want to rebut their evidence then provide some of your own. Your post is nothing but hearsay and what you would like to believe true.
where can i get this 10 foot IDE cable? PLEASE! :-)
I think now that Opera is free, Microsoft will buy it just to compete with Firefox. Don't laugh. Some say I'm psychic because I've been able to predict quite a few things. --nice tactic I learned from Fox news. :-)
"Shill" has become a popular word in /. recently. I'm not familiar with it, but from context I've taken to mean "Someone who is biased towards, and promotes, product A. The bias might be the result of ill-informed personal preference, or commercial interests."
This is not what "shill" means!!!!!
A shill is someone who is paid to pretend to be a satisfied customer, i.e. they are a paid fake. There's a big difference between that and bias.
Any company will bias its reports in favour of the hand that feeds it. FOSS companies do the same. It doesn't make them all "shills".
http://www.thefreedictionary.com/shill
I'm a software visionary. I don't code.
How many times I said this here on Slashdot and no one believes.
It's ridiculous to see all your comments giving away excuses and nonsense justifications.
Face it! FireFox is FULL OF SECURITY HOLES all over the place, MORE THAN IE.
I laugh without being able to stop! hahahaha! This is a wonderful world!
1.) First, immediately dismiss the results, just like you did in the last Mozilla security story. Mozilla is flawless.
No one said Mozilla is flawless, nice straw man there.
2.) Randomly reference Open Source, claiming the flaws were easier to find because of it, which has nothing to do with the report in the article and actually sounds like a criticism of Open Source, if anything.
So it's better that the security bugs be harder to find? Huh? Maybe you need to think that through.
3.) Accuse the study of bias or "shilling." ALWAYS do this when the study goes against your pre-made worldview (in this case, Mozilla being flawless). When the study gives the opposite conclusion, agree with it and praise it, often with related anecdotal stories.
True, a lot of people on /. automatically do this. However at least in this case they've got a point - the conclusion that Mozilla has more security problems than IE is very shaky at best. It's not even supported by the evidence in the story.
4.) Reference Internet Explorer's age, which has little to do with and doesn't change Mozilla having more flaws than Internet Explorer today.
Who said Mozilla had more flaws than IE? Did you RTFA - ie. the bit about the 19 vulnerabilities in IE that MS has yet to confirm?
5.) Ask how quickly the Mozilla vulnerabilities were patched, ignoring that Mozilla has marked vulnerabilities "Confidential" before for them to sit for two years unfixed.
Mozilla does generally have a quick patching record I have heard of some bug reports being open for years. But could you provide an example? Are you sure these are actual security problems and not other bugs?
6.) Claim Internet Explorer is integral to the OS, when you argued that Internet Explorer was easily removed from Windows during the anti-trust trial.
Microsoft was the one that insisted that IE was integral while probably most of the slashdot crowd were urging them to de-integrate it. Microsoft refused to do that so it remains integral to the OS. No hypocrisy there.
7.) Claim matter-of-factly that, for some reason, it "goes without saying" that the study uses some sort of flawed logic, without citing the logic, giving proof, or backing the statements in any way. Simply claim it, knowing everyone will mod you up because they, too, want to believe Mozilla is flawless.
More straw-men. No one thinks Mozilla is flawless nor do the (modded up at least) posts on this thread claim the article is flawed without giving a reason. Actually read them and you'll see people have made some good points about why the initial data in the article doesn't present the full picture.
Pre-canned Evolution Links for all those Slashdot holy wars.
Because MS only verified 13 bugs that means there were only 13 bugs??? How many of the 13 MS bugs have been fixed? I would bet maybe 5 or so.
http://www.npcgaming.com Dedicated Gaming Servers
So basically, all microsoft has to do is confirm less of its vulnerabilities than its competitors to appear safer.
Non sequitur: Your facts are uncoordinated.
Yeah, yeah, we all know Slashdot is a big kettle of ignorant people, who back each other up, so their ignorance cycles round and round until they all believe it is fact. If we ignore the fact that most modern news services do exactly the same thing, and focus on Slashdot, I feel there is still one fresh conclusion we can draw from this thread. And that is: "You are clearly an attention-seeking, I'm-holier-than-thou tosser!"
I use linux - and the biggest advantage is - no IE.
Binny V A
Must be part of a broader strategy. This sort of misinformation is being used also in FUD campaigns against Mac OS X. For example, "Mac is less secure than Win. Apple has released more security patches in the last year than Microsoft."
Ah well, it doesn't take much to convince some people...
I'm not rebutting anything, I'm explaining why people feel the way they do. You say "Symantec provided numbers, facts and figures", but my point is that they didn't. They pointed to a single metric which does not provide a compelling or complete picture. I'm not rebutting their report, I'm dismissing it for its poor quality; and, I would do so regardless of what their findings had been.
Your post is nothing but hearsay and what you would like to believe true.
My post is what I believe to be true based on my experience. It is not what I'd like to believe to be true -- the simple fact is that Symantec/news.com are merely hyping a finding without supporting it. Their report was simply devoid of any information that would allow anyone to make a reasonable choice. It's bad reporting, therefore I distrust their conclusion.
My ultimate point, which you seem to be missing, is that people who want to make a decision should consider all the factors. If someone considers all of them and IE turns out to be more secure, great! I'd re-evaluate using it. There's a far cry between the pipe dreams that the OP is spouting and people, like me, who are skeptical of a report that contains no evidence or useful information.
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower