Slashdot Mirror


IE More Secure Than Mozilla?

killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.""

11 of 534 comments

  1. Mozilla hits back at browser security claim by anandpur · · Score: 5, Informative

    Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
    http://www.zdnet.co.uk/print/?TYPE=story&AT=39219186-39020375t-10000025c

  2. Another repost... almost word for word this time by Beatbyte · · Score: 4, Informative

    Seriously would it hurt anyone's feelings if the duplicate stories were just pulled off /. ?

    It not only makes /. look bad, but it is a known problem with an easy fix.

    Anywho...

    Cliff notes of last story:
    IE's exploits would be someone taking over your computer remotely
    Firefox's exploits would be malicious popups/crashing (of browser only)

    So the "severity" thing doesn't really matter here.

  3. Current Secunia Ratings by Epeeist · · Score: 4, Informative

    For Firefox

    Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical

    This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

    Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.


    And IE

    Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

    This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

    Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.

  4. Re:Questions by morgan_greywolf · · Score: 4, Informative

    I have Cingular. I have Firefox. I have never experienced any difficulties in paying my Cingular bill on their website.

  5. Re:Questions by slaker · · Score: 4, Informative

    IE can be downloaded, if you know how. One way to get all the client install files is to download and use the IE Administrators Kit.

    But yeah, I can't pay my power bill unless I use IE, so I know your pain and think it's stupid, too.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K

  6. Yawn. Follow the money. by petard · · Score: 5, Informative

    Even Symantec admits that this report is a steaming pile of crap.

    From TFA:

    Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

    Nice. So in terms of checking off the reported vulnerabilities and counting each one equally, if the report would be honest, IE would have 32 issues and Firefox would have 29. For the sake of this report, all vulnerabilities are equally bad, right? Well, not according to TFA:

    Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."

    So the IE vulnerabilities result in widespread exploitation and the Firefox ones don't, but Firefox is somehow worse? I think the only way in which Firefox is worse, from Symantec's perspective, is that the constantly malware-infested machines (where IE is the main infestation vector) inflate demand for the crap that Symantec peddles, and they're afraid that if people aren't constantly suffering from the pain of these infections this demand will evaporate.

    Feh. Maybe I'm a cynic, but this looks like marketing poorly disguised as research to me...

    --
    .sig: file not found

  7. Re:Questions by Directrix1 · · Score: 5, Informative

    Just to show that CNet News is not unbiased against open source. Bugs Found In Open Source AntiVirus Tool talks about a bug that was only in versions from June 23 and BEFORE. And yet it makes the headlines today. And with an advertisement for Trend Micro. How peculiar.

    --
    Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF

  8. Re:Questions by Zeveck · · Score: 5, Informative

    Not true. Firefox does indeed make patches available. Look at Gentoo Linux - it is currently at Firefox v1.0.6_r7. That is seven revisions (i.e. patches) since v1.0.6. It was a decision of Mozilla to only bundle prebuilt-binaries as timely groupings of these patches. This was done, as far as I know, because it seemed the most intuitive way of doing so.

  9. IE vs Windows bugs by pjrc · · Score: 4, Informative

    In a previous post I found 22 IE bugs by simply looking through all the 2005 Microsoft security bulletins. These don't include bugs that Microsoft hasn't even fixed. This probably isn't a complete list either (I did it in only 10 minutes or so, plus avoiding Slashdot's lame lameness filters to post a nicely formatted list). There are lots of other bugs not covered by the bulletins, where they post "notices" (like the infamous "don't click on links, type them instead"). But even if I found them all, 22 is a lot more than 13. And most on that list of 22 allow remote code execution.

    But within the bulletins, there are lots of bugs, like the one fixed by MS05-024, that aren't "technically" IE bugs. But the end result is that a malicious web page (or advert iframe) could do something nasty... usually execute arbitrary code (install spyware or a virus if the server is infected). If simply viewing a web page with IE allows an attack, I call that an IE bug, regardless of where the actual bug is located by Microsoft's way of thinking.

    Notice how the "affected software" of MS05-024 is many versions of Windows, but Internet Explorer isn't specifically mentioned. So when someone tallies IE bugs, this one probably doesn't make the list. But the "Vulnerability Details" section says:

    Web View Script Injection Vulnerability - CAN-2005-1191:

    A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute code. However, user interaction is required to exploit this vulnerability.

    I can see how a journalist could do such poor research. But Symantec? Come on, I found 22 nasty IE bugs by just browsing through 40-some Microsoft bulletins. That Symantec only thinks there's 13 doesn't build much confidence in the supposed "market leader" of anti-virus products!

  10. Re:Questions by man_of_mr_e · · Score: 4, Informative

    I'm curious, but can you explain exactly what makes 'integral to the OS' inherently insecure? Do you even know what that phrase means in regards to IE? Do you know HOW it's "integral"?

    It's not running in the kernel. It doesn't run with privileges that are above the current user's. In fact, there's nothing about IE's "integration" that Mozilla isn't just as vulnerable to (in effect, anything IE can do, so can Mozilla, because IE just uses userland APIs the same as Mozilla does).

  11. head-in-sand (or head-in-ass?) by jusdisgi · · Score: 4, Informative

    Jesus fucking Christ. This has got to be the worst number doctoring all day long. From TFA:

    There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

    Oh, well that's just a minor fucking nuclear bomb. Doesn't that make the count 28 to 32? For fuck's sake....the 19 vulnerabilities that Microsoft simply hasn't acknowledged just don't count? This new revelation should make it much cheaper to make secure software...after all, I'm sure it takes far fewer man-hours to do nothing than it does to fix something, and according to Symantec, it produces better results, too!

    --
    Given a choice between free speech and free beer, most people will take the beer.