IE More Secure Than Mozilla?
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. 'According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.'"
Is this a dupe story? 'course not! (rolls eyes)
Personally, I think it's stunning that a browser as old as IE6 STILL HAS CRITICAL vulnerabilities. They've had literally YEARS to root out and discover these sorts of things. To compare that to a much newer Mozilla browser seems like apples and oranges to me.
We had a similar story a few days ago. It was not very informative, and for the same reasons this one's not very informative, e.g., IE is closed-source, so they don't disclose all the bugs.
Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39219
Seriously, would it hurt anyone's feelings if the duplicate stories were just pulled off /.? It not only makes /. look bad, but it is a known problem with an easy fix.
Anywho...
Cliff notes of last story:
IE's exploits would be someone taking over your computer remotely
Firefox's exploits would be malicious popups/crashing (of browser only)
So the "severity" thing doesn't really matter here.
We discussed this before on slashdot.
"Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?"
I would advise not removing IE because it's not just Microsoft that has issues with non-IE browsers. A few months back, I tried to pay my Cingular bill and the website would not work with Firefox (same goes for Safari, from what I've read). I had already uninstalled IE, and thus I went back to Microsoft's website to download it, but it would not let me. Nor would Windows Update allow me to download IE. I guess I could've downloaded the AOL browser, but that's going to extremes.
The first party guilty of ineptitude was Cingular for only supporting IE when other browsers in total account for 10-15% of users. The second guilty party is Microsoft for not allowing a legitimately registered copy of WinXP to download IE. And I guess the third party would be myself for assuming that in today's tech world, you should be able to get by with just Firefox.
>Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?
I have IE disabled (well, as much as you can using the built-in functions for disabling certain Microsoft programs like Outlook, IE, Messenger). I wanted to print out a Visio 2003 page but did not have Visio on my machine! So I install the Microsoft Visio Viewer and double-click on the file. Does it open in its own window? NO. Does it open in Firefox? NO. Does it run it in IE? YES! So YES, you still are forced by some Microsoft OS extensions to use IE.
For an extra laugh do a print preview of the document. As far as I can tell the print preview suggests that once printed I can move the image around using the scrollbars or using the scroll wheel.... Only problem to solve now is how to plug my mouse into the paper!
For Firefox
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 3 out of 22 Secunia advisories are marked as "Unpatched" in the Secunia database.
And IE
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 19 out of 85 Secunia advisories are marked as "Unpatched" in the Secunia database.
I have Cingular. I have Firefox. I have never experienced any difficulties in paying my Cingular bill on their website.
IE can be downloaded, if you know how. One way to get all the client install files is to download and use the IE Administrators Kit.
But yeah, I can't pay my power bill unless I use IE, so I know your pain and think it's stupid, too.
Even Symantec admits that this report is a steaming pile of crap.
From TFA:
Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
Nice. So in terms of checking off the reported vulnerabilities and counting each one equally, if the report would be honest, IE would have 32 issues and Firefox would have 29. For the sake of this report, all vulnerabilities are equally bad, right? Well, not according to TFA:
Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."
So the IE vulnerabilities result in widespread exploitation and the Firefox ones don't, but firefox is somehow worse? I think the only way in which firefox is worse, from Symantec's perspective, is that the constantly malware-infested machines (where IE is the main infestation vector) inflate demand for the crap that Symantec peddles, and they're afraid that if people aren't constantly suffering from the pain of these infections this demand will evaporate.
Feh. Maybe I'm a cynic, but this looks like marketing poorly disguised as research to me...
Just to show that CNet News is not unbiased against open source. Bugs Found In Open Source AntiVirus Tool talks about a bug that was only in versions from June 23 and BEFORE. And yet it makes the headlines today. And with an advertisement for Trend Micro. How peculiar.
Aside from the question raised in many posts about whether the fact that Firefox is open source leads to faster and fuller disclosure, the following is an email I sent this past weekend regarding this article.
Lots is being made the past few days about the number of security holes found in various browsers. Just to try to keep the discussion from descending to complete irrelevance, here are the stats that actually matter:
Solution Status (has it been fixed?):
http://secunia.com/graph/?type=sol&period=all&pro
http://secunia.com/graph/?type=sol&period=all&pro
Criticality (how bad is it if I get hit?):
http://secunia.com/graph/?type=cri&period=all&pro
http://secunia.com/graph/?type=cri&period=all&pro
Unpatched Criticality (what can happen to me today?) Requires a little more looking - see the list at the bottom of each page:
http://secunia.com/product/11/
http://secunia.com/product/4227/
IE: 5 unpatched moderate or greater criticality
Firefox: 0 unpatched moderate or greater criticality
Finally, and unfortunately not clearly covered in [the Secunia] report, is the vulnerability window: how long does a bug go without being patched? You can, however, make a fairly good estimate by looking at the patch time for highly critical or worse bugs.
MS has been making big improvements lately, so I'll only look at the MS holes from the past year (the older ones have dramatically longer vulnerability windows). (I've also left out holes which were publicly discovered as a result of a Windows patch.)
IE Highly+ Critical Windows (past year)
http://secunia.com/advisories/12806/ 103 days
http://secunia.com/advisories/12889/ 108 days
http://secunia.com/advisories/12959/ 29 days
http://secunia.com/advisories/13482/ 53 days
http://secunia.com/advisories/15891/ 7 days
Firefox Highly+ Critical Windows (all time)
http://secunia.com/advisories/14654/ 7 days
http://secunia.com/advisories/14938/ 24 days
http://secunia.com/advisories/15292/ 5 days
http://secunia.com/advisories/16043/ 7 days
http://secunia.com/advisories/16764/ 3 days
Keep the discussion rational: security is hard, and so is assessing security. Be skeptical of anyone who has a dog in the fight (e.g. Symantec). [Which is not to say that Symantec cannot be trusted for Windows security, only that their PR department's press releases regarding software security should be treated as suspect, particularly when they draw questionable conclusions from insufficient data.]
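A small calculator for the two metrics the post above relies on (statistics over the disclosure-to-patch window, and the count of unpatched advisories at or above a criticality level), added here as an example; it is not code from the post or from Secunia. The patched windows are the day counts listed above, the unpatched entries are constructed placeholders, and the numeric ordering of Secunia's criticality labels is an assumption.

```python
from dataclasses import dataclass
from statistics import mean, median
from typing import Optional, List, Dict

# Assumed numeric ordering of Secunia's criticality labels, low to high.
CRITICALITY = {"not": 0, "less": 1, "moderately": 2, "highly": 3, "extremely": 4}


@dataclass
class Advisory:
    ref: str                    # Secunia advisory id (or a constructed label)
    criticality: str            # one of the CRITICALITY keys
    window_days: Optional[int]  # disclosure-to-patch in days; None = still unpatched


# Patched windows as listed in the post above (highly critical or worse).
# The unpatched entries are constructed placeholders standing in for the
# "5 unpatched moderate or greater" IE figure and Secunia's "3 unpatched,
# less critical" Firefox figure quoted earlier in the thread.
IE: List[Advisory] = [
    Advisory("12806", "highly", 103), Advisory("12889", "highly", 108),
    Advisory("12959", "highly", 29), Advisory("13482", "highly", 53),
    Advisory("15891", "highly", 7),
] + [Advisory(f"constructed-ie-{i}", "moderately", None) for i in range(5)]

FIREFOX: List[Advisory] = [
    Advisory("14654", "highly", 7), Advisory("14938", "highly", 24),
    Advisory("15292", "highly", 5), Advisory("16043", "highly", 7),
    Advisory("16764", "highly", 3),
] + [Advisory(f"constructed-ff-{i}", "less", None) for i in range(3)]


def patched_windows(advs: List[Advisory]) -> List[int]:
    """Days each patched advisory stayed open, ignoring still-unpatched ones."""
    return [a.window_days for a in advs if a.window_days is not None]


def window_stats(advs: List[Advisory]) -> Dict[str, float]:
    """Count, mean, median and worst case of the patch window."""
    w = patched_windows(advs)
    return {"count": len(w), "mean": round(mean(w), 1),
            "median": median(w), "max": max(w)}


def unpatched_at_or_above(advs: List[Advisory], level: str = "moderately") -> int:
    """Unpatched advisories whose criticality is at least `level`."""
    floor = CRITICALITY[level]
    return sum(1 for a in advs
               if a.window_days is None and CRITICALITY[a.criticality] >= floor)


if __name__ == "__main__":
    for name, advs in (("IE", IE), ("Firefox", FIREFOX)):
        print(name, window_stats(advs),
              "unpatched moderate+:", unpatched_at_or_above(advs))
```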
Not true. Firefox does indeed make patches available. Look at Gentoo Linux: it is currently at Firefox v1.0.6_r7. That is seven revisions (i.e. patches) since v1.0.6. It was a decision of Mozilla to only bundle prebuilt binaries as timely groupings of these patches. This was done, as far as I know, because it seemed the most intuitive way of doing so.
But within the bulletins, there are lots of bugs, like the one fixed by MS05-024, that aren't "technically" IE bugs. But the end result is that a malicious web page (or advert iframe) could do something nasty... usually execute arbitrary code (install spyware or a virus if the server is infected). If simply viewing a web page with IE allows an attack, I call that an IE bug, regardless of where the actual bug is located by Microsoft's way of thinking.
Notice how the "affected software" of MS05-024 is many versions of Windows, but Internet Explorer isn't specifically mentioned. So when someone tallies IE bugs, this one probably doesn't make the list. But the "Vulnerability Details" section says:
I can see how a journalist could do such poor research. But Symantec? Come on, I found 22 nasty IE bugs by just browsing through 40-some Microsoft bulletins. That Symantec only thinks there's 13 doesn't build much confidence in the supposed "market leader" of anti-virus products!
And Symantec has a great reason to shill for Microsoft:
Try running IEradicator on a Win2k box (pre-SP1) and then try installing ANY of Symantec's "security" products.
Or McAfee's anti-virus or either of Intuit's Quick* financial products for that matter...
Cingular doesn't support Firefox?? That's funny, because I have been doing all of my online bills and such with Cingular for about two years now. Hmm... Maybe you have another issue. The only site that I use that I can't access with Firefox is Clark Pest Control. They require Windows, and Internet Explorer. With Clark, I get screwed, as I end up having to use my wife's machine, as their site doesn't really care for Slackware...
And, you can remove Internet Explorer, using a nifty little tool called nLite.
I'm curious, but can you explain exactly what makes 'integral to the OS' inherently insecure? Do you even know what that phrase means in regards to IE? Do you know HOW it's "integral"?
It's not running in the kernel. It doesn't run with privileges that are above the current users. In fact, there's nothing about IE's "integration" that Mozilla isn't just as vulnerable to (in effect, anything IE can do, so can Mozilla, because IE just uses userland API's the same as Mozilla does).
The difference in the number of bugs might just be caused because Microsoft is somewhat more reluctant than MoFo to admit its own faults.
I am not trolling, I am just stating an opinion.
... several Microsoft employees were found snuggling below the desks of the Symantec "experts" who recently performed a comparison between Firefox and IE security.
Even with extensive code reviews, the potential for malicious developers to submit code with hidden vulnerabilities is high. We just had the 2005 Underhanded C Contest (see link) which demonstrates the possibilities. http://developers.slashdot.org/article.pl?sid=05/09/18/158200&tid=156&tid=172
Parent's link to the previous post is broken. Parent's previous post.
It's also unreported and undisclosed major gaping holes, the ability to automatically run scripts that install viruses and spyware on your laptop, and the clear fact that running IE without security at top levels leads to a compromised PC within minutes on the UW campus, whereas you can run for days with Firefox.
Let's get real, and stop pushing phony statistics.
Holy FUD, Batman. IE is not tied to the Windows kernel and I defy you to show me how it is. It's tied to the shell, which incidentally is not the kernel.
Is that why TeX is so expensive? It's well over a decade since the bug in TeX was acknowledged by Knuth. Validating may be costly, but that doesn't prevent the software from being inexpensive.
Bug-free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in human casualties.
It also requires specifications to be expressed mathematically, which tends to restrict it to programs where the specifications are written by scientists or engineers.
IE is more secure... if you don't use it.
I know you're joking, but as it happens, you're actually wrong.
2/2/2004: KB832894: Security Update for IE6/Windows XP: "This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)."
Yes, IE is that fucking bad.
First I will say that I am a Mozilla user that has been considering going to other non-XUL-based browsers in order to get better security. I now regard Mozilla and Firefox design at more or less the same level of security as IE.
;-)).
IE's main problem is that you have this concept of security zones. These zones are supposed to allow one to trust intranet sites with ActiveX controls that might not be trusted on the internet. However, there are plenty of ways to cross this barrier, so it is fairly porous. Hence the combination of ActiveX and security zones makes IE inherently insecure. Get rid of either one and things get a whole lot better.
The problem with Mozilla is that you have very expansive capabilities in the Mozilla Portable Runtime, and that these capabilities can be accessed by JavaScript. How do we make it secure? We require that these are accessed via Chrome components. In other words, we have a very similar set of design flaws to IE in Mozilla and Firefox. Don't believe me about the separation? Try putting this into your address bar: chrome://navigator/content/navigator.xul (harmless, yet a good demonstration of the link between content and interface, and sufficiently annoying that Slashdot won't let me add it as a link).
Now, Mozilla has two advantages over IE:
1) XUL is a really great RAD tool as long as you don't use it as a general purpose browser.
2) You can get around the security border issue by running a Gecko-based non-XUL browser, such as Epiphany, Camino, etc.
That's silly... sure, if you delete iexplore.exe (note, no final "r" in "explore") it stops you from running IE. The problem /. readers have is System File Protection putting it right back into place.
This is bad for those who want 100% control of their computers. But for the other 99 44/100's % of the people out there who just "want it to work", this is a good thing... then when they accidentally delete "important" files, they don't blow up their PC and have to spend WAY too much money at CompUSA to have it fixed.
For most, just installing an alternate browser is good enough though. With my Internet Explorer folder in XP being just under a meg in size, I don't feel the urge to remove it... and for those who say that MS MAKES you use it to get updates, that's wrong too... turning on Automatic Updates doesn't require you to use IE at all.
I've tried quite a few different browsers... I've just not used any of the other ones enough to be as efficient as I am with IE. Maybe I'm just super lucky, but I've never had any problems using it... no viruses, no spyware, no issues at all. But then I'm different, because I keep my patches updated, and don't go to websites that try to connect my (non-existent) modem to Jamaica for free porn.
All ranting aside, your reply didn't even come close to answering my actual question, but thanks for playing the /. game anyway! (;
Jesus fucking Christ. This has got to be the worst number doctoring all day long. From TFA:
There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
Oh, well that's just a minor fucking nuclear bomb. Doesn't that make the count 28 to 32? For fuck's sake.... the 19 vulnerabilities that Microsoft simply hasn't acknowledged just don't count? This new revelation should make it much cheaper to make secure software... after all, I'm sure it takes far fewer man-hours to do nothing than it does to fix something, and according to Symantec, it produces better results, too!
If anyone wants to have a look at the report, I think this is probably it:
http://www.techweb.com/wire/security/159906119