Slashdot Mirror


IE More Secure Than Mozilla?

killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. 'According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.'"

50 of 534 comments

  1. Questions by daveschroeder · · Score: 5, Insightful

    How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products are open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?

    How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?

    Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

    Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?

    I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

    Or both.

    1. Re:Questions by servo335 · · Score: 2, Insightful

      How many virus writers have designed their virus just to attack Symantec? Guess they are just as insecure. Seems like they are very biased in their reports.

    2. Re:Questions by TurdTapper · · Score: 5, Insightful

      I don't want to completely argue with you, I believe that most of your points are valid. But I don't agree with this one:

      Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

      10 years from now, the latest Mozilla version will probably have critical vulnerabilities. Each new version will have different technologies to deal with as well as have new developers/programmers involved. If one thing is constant in programming any app, as time goes on and new versions come out, there are always new bugs and problems. Mozilla won't be immune to those.

      --
      A man with a gun is called a citizen. A man without a gun is called a subject.
    3. Re:Questions by lgw · · Score: 4, Insightful

      I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

      FTFA, it looks like the *conclusion* that IE is more secure is News.com's, and Symantec is just presenting the numbers. Symantec is quoted as saying "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred" which doesn't sound like they're drawing the conclusion that IE is more secure.

      Does anyone have a link to the actual report? My first instinct is that TFA is just trolling, but I could be wrong.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:Questions by LazyBoyWrangler · · Score: 2, Insightful

      The key word is DISCLOSED in this discussion. The report isn't worth the electrons used unless we are comparing vulnerabilities apples to apples. Vulnerabilities that are undisclosed and publicly ignored by vendors can skew statistics dramatically.

      Given the open and extremely public nature of open source projects, I would expect that there are less undisclosed vulnerabilities, therefore chances are the stats quoted are worth less than advertised.

    5. Re:Questions by Anonymous Coward · · Score: 1, Insightful

      No it won't. Mozilla is not entwined into the OS like IE. Moz may crash and burn, but it's not about to give up control of the users' machines.

    6. Re:Questions by urmensch · · Score: 4, Insightful

      It may be true that Mozilla browsers will continue to have new technologies that create new bugs. However, IE 6 has been stagnant for years now and the only changes have been security patches. Yet it still has many critical vulnerabilities *and* these are tied to the OS as well.

    7. Re:Questions by op12 · · Score: 3, Insightful

      My first instinct is that TFA is just trolling, but I could be wrong.

      Not only is TFA trolling, so is Slashdot. We're just rehashing all the debate from 4 days ago.

      (or 10 days ago, and so on...)

    8. Re:Questions by tchernobog · · Score: 5, Insightful

      It's Symantec, boys!

      You know what, they have large revenues from a MS Windows-related market, and they produce Norton Antivirus, Norton Utilities, and all the damn product line.

      If they start saying that a free (as in beer) OpenSource browser (maybe one that works even on GNU/Linux, sheesh!) is able to actually lower the number of virus/malware you get, people may start considering the switch.

      If people get less virii/malware, this means less revenues for them. And what if people discover things like ClamAV, which also works on GNU/Linux? What next?

      I ain't saying that Symantec is creating new virii by itself (that's an urban legend like alligators in sewers), but I ain't saying they want to lose customers too.

      I'll just wait for a less biased source than Symantec, or "Microsoft Watch". It's like Microsoft saying that the TCO of Windows is less than the one of GNU/Linux (or vice-versa, for what matters).

      PS: this doesn't mean that Firefox is "the most secure" thing around. It isn't. But it is free software and works really well for me. I won't switch to Opera now because of this stupid report, nor because Opera has gone free as in beer. A lot of /.-ters make a tragedy out of a rumor (speaking in general). We're a bunch of chattering mothers-in-law... :-)

      Anyway, the damage a Firefox bug can do is limited to user space; a hole in IE, which is tightly tied with Windows kernel... brrr.

      --
      42.
    9. Re:Questions by man_of_mr_e · · Score: 2, Insightful

      You didn't really answer the question. I'll take that as a "No, I don't know what that really means. No, I don't know how it really affects security, I'm just assuming things".

    10. Re:Questions by Proc6 · · Score: 3, Insightful
      You're right. It sounds retarded.

      Anything that can deceive the user like spoofing a title bar should be taken as a security risk. I'm sorry you don't, I just hope you're not someone working on the Firefox code.

      --

      I'm Rick James with mod points biatch!

    11. Re:Questions by toddestan · · Score: 2, Insightful

      I really think Mozilla should start defining "vulnerabilities" as "visiting a website can cause evil code execution on your computer".

      Other stuff, like "spoofing a titlebar" or "click here, then here, then here, then pray while performing a rain dance, then click here and you're infected!" should be classified as something like "user experience glitches" or something.


      On the other hand, rebuilding my Windows installation is a lot less hassle than rebuilding my credit rating.

      If anything, it's the issues where the worst they can do is crash the browser are the ones that should be downgraded.

    12. Re:Questions by Trepalium · · Score: 2, Insightful
      Better to ask -- how many vulnerabilities were discovered or aided because of the very fact that Mozilla family of products are open source but have not been reported.
      And how many bugs were found and fixed by Microsoft silently, rolled into the next hotfix or service pack, and never reported? I seriously doubt Microsoft would issue an advisory for an internally found bug unless it was also discovered by an outside entity because it gets them more bad press. Mozilla engineers never really have this option.
      Open source cuts both ways.
      In more ways than you know.
      --
      I used up all my sick days, so I'm calling in dead.
  2. Symantec? by Anonymous Coward · · Score: 1, Insightful

    These guys are actually somewhat reputable and they're saying this. Worth keeping an eye on.

    FP

    1. Re:Symantec? by tpgp · · Score: 2, Insightful


      These guys are actually somewhat reputable and they're saying this. Worth keeping an eye on.


      No - Symantec are not reputable. They are a software company making a great deal of money off a particular business model (attempting to close the gate after the horse has bolted)

      Of course Firefox/Linux/Mac/anything other than a Microsoft hegemony scares the crap out of them.

      I will leave it to others to say how the study is flawed (hint: counting vulnerabilities without taking into account seriousness!) as other people can do that.

      --
      My pics.
  3. Yea but... by P0pinjay · · Score: 5, Insightful

    I have yet to get a spyware infection from using Firefox...

    1. Re:Yea but... by RingDev · · Score: 2, Insightful

      I disagree. I believe FF users are, on average, smarter/more computer literate than IE users. I'm not saying all FF users are rocket scientists, but they at least have some grasp of the social circle that is the net. That rules out a lot of stupid people that do not perform safe browsing.

      The fact is that we can both come up with anecdotal evidence for both sides of this argument, but large amounts of anecdotal evidence != data. As mentioned in another post, you really have to look at the number of people affected, the level of exposure, the possible damages, and the length of the exposure. And that's why I say they are both good products. FF had more exposures in the last 6 months, but fixed them faster; IE had less, but it took longer to get them fixed. The overall net balance is that each app had a similar level of insecurity over the time period.

      Will FF's open source development reduce problems? Will it make it easier for hackers to penetrate as its market share rises? Will the net effect of those two forces balance out to be better or worse than IE's security performance? Only time will tell. In any case, each app drives the other to improve and innovate. Without either of these apps, both would be worse off.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  4. Security is a process! by DeadSea · · Score: 5, Insightful

    Security is a process not a state.

    A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes is one vulnerability to make your browser insecure.

    Once any vulnerability is discovered, relative security depends upon how many users are exposed, and for how long.

    Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.

    • How quickly a patch is issued
    • How quickly are users notified
    • How easy it is to apply the patch or upgrade
    • What percentage of users actually apply the patch

    A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is that any given user was hacked via the product".

    Currency calculator that accepts free form input such as "23 canadian dollars --> rupees"

  5. Symantec? by NETHED · · Score: 1, Insightful

    Don't they write software for Windows, which *GASP!!* is owned by the SAME company as Internet Explorer. Woah. Now here's some news!

    In other news, Hershey funded a study that eating chocolate is not only good for you, but makes you a better person.

    --
    --sig fault--
  6. Vulnerable? by rampant+mac · · Score: 5, Insightful

    How many of those Mozilla exploits compromise the entire OS?

    --
    I like big butts and I cannot lie.
  7. How many? by sglider · · Score: 3, Insightful

    Two points to consider:

    1. How many 'high severity' bugs did IE have to fix to get to that point? Remember also that IE is integrated into Windows, so any vulnerability that affects Windows affects IE in one way or another (and vice versa).

    2. How many have been disclosed by Microsoft before being fixed? They are notorious for not disclosing these things until after it is fixed, and even then they don't always label it as an "IE" fix.

    --
    War isn't about who's right. It's about who's left.
    1. Re:How many? by Anonymous Coward · · Score: 1, Insightful

      4) The average time taken to patch a flaw in Firefox is two days. IE has unpatched vulnerabilities going back SIX YEARS.

      Please do not make comparisons between apples and oranges. At least give Firefox's longest known unpatched vulnerability.

  8. So spyware installation is a feature? by jurt1235 · · Score: 3, Insightful

    My neighbours using Firefox on MS Windows have had zero problems due to these security flaws. The neighbours using IE under XP with service pack 2 installed and automated update on still get tons of spyware.
    So the alternative conclusion of the Symantec report would be: Spyware holes in MS IE are not spyware holes, but easy software installation features.

    --

    My wife's sketchblog Blob[p]: Gastrono-me
  9. Let the zealots start their engines... by bogaboga · · Score: 2, Insightful

    Let the open source zealots start their engines. Guys, this is just one company's opinion. BTW you are entitled to yours as well.

    1. Re:Let the zealots start their engines... by starfishsystems · · Score: 3, Insightful
      Guys, this is just one company's opinion.

      Don't be a troll. An opinion is a statement based on subjective criteria. And yes, everyone has them, and comparisons between them are not particularly interesting.

      But we're not talking about subjective matters here. Symantec has released a security analysis, whose premises and reasoning may or may not be correct at various points. That's what we're discussing here. Symantec is not saying, "We think Britney Spears is cute." It's claiming that vulnerabilities have been found faster in one browser versus another over a certain period of study.

      Our discussion is about the merits of that claim. It's called a rational discussion. I'm sure there will be some subjective opinions thrown in as well. After all, we're not a corporation issuing a press release on the findings of a security study, so tests of intellectual rigor are a bit different here.

      --
      Parity: What to do when the weekend comes.
  10. The Statistic I Want To See... by JohnPerkins · · Score: 2, Insightful

    ...is an aggregate measure of vulnerability time. How many days/weeks/months of total time will I experience between a vulnerability becoming public knowledge and the patch becoming available? How many for the Mozilla browsers? Even if there are 10 times as many vulnerabilities in the Mozilla browsers, if they get patched 100 times as fast, I would think the user would still be safer with some flavor of Mozilla than with IE.
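
Added example (not part of the original thread or of any commenter's post): the exposure-time statistic asked for in the comment above, which is also the "window of vulnerability" comparison DeadSea describes earlier, computed in Python over constructed records. The product names, dates and function names are assumptions for illustration and are not real browser data.

```python
from datetime import date

# Study period, end exclusive (first half of 2005, the span the report covers).
PERIOD_START = date(2005, 1, 1)
PERIOD_END = date(2005, 7, 1)

# CONSTRUCTED sample records, not real advisory data:
# (product, date publicly disclosed, date patch released or None if unpatched)
SAMPLE = [
    ("browser_a", date(2005, 1, 10), date(2005, 1, 12)),
    ("browser_a", date(2005, 1, 11), date(2005, 1, 14)),  # overlaps the first
    ("browser_a", date(2005, 3, 1), date(2005, 3, 3)),
    ("browser_a", date(2005, 5, 20), date(2005, 5, 23)),
    ("browser_a", date(2005, 6, 5), date(2005, 6, 6)),
    ("browser_b", date(2004, 12, 20), date(2005, 1, 5)),  # disclosed before period
    ("browser_b", date(2005, 2, 1), date(2005, 3, 15)),
    ("browser_b", date(2005, 4, 10), None),               # still unpatched
]


def clip(disclosed, patched, start, end):
    """Return the part of [disclosed, patched) inside [start, end), or None."""
    lo = max(disclosed, start)
    hi = min(patched, end) if patched is not None else end
    return (lo, hi) if lo < hi else None


def union_days(windows):
    """Days covered by at least one window; overlapping windows count once."""
    total = 0
    cur_lo = cur_hi = None
    for lo, hi in sorted(windows):
        if cur_hi is None or lo > cur_hi:
            # Gap before this window: close the running interval, start anew.
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total


def exposure_report(records, start=PERIOD_START, end=PERIOD_END):
    """Per product: advisory count, open count, vuln-days and exposed days."""
    grouped = {}
    for product, disclosed, patched in records:
        window = clip(disclosed, patched, start, end)
        if window is None:
            continue  # entirely outside the study period
        entry = grouped.setdefault(product, {"windows": [], "open": 0})
        entry["windows"].append(window)
        entry["open"] += int(patched is None)

    period_days = (end - start).days
    report = {}
    for product, entry in grouped.items():
        windows = entry["windows"]
        exposed = union_days(windows)
        report[product] = {
            "count": len(windows),
            "still_open": entry["open"],
            # Sum of every window: one day with two open flaws counts twice.
            "vuln_days": sum((hi - lo).days for lo, hi in windows),
            # Union of windows: days on which at least one flaw was open.
            "exposed_days": exposed,
            "exposed_fraction": round(exposed / period_days, 3),
        }
    return report


if __name__ == "__main__":
    for product, row in sorted(exposure_report(SAMPLE).items()):
        print(product, row)
```

With these constructed numbers the product with more advisories is exposed on far fewer days, which is the distinction a raw count of vulnerabilities hides.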

  11. No way, man by Anonymous Coward · · Score: 1, Insightful

    It's our duty as slashbots to point out how IE is less secure. Sure, this is a little like arguing whose head is more on fire, but we'll ignore that.

    Any time someone points out that IE is insecure, we know it's a simple statement of fact. If someone does the same for Mozilla, we know it's just FUD. We won't even argue the technical merits of this article, because it's much more interesting and productive to attack Symantec or Microsoft. Anything to deflect attention from the fact that Mozilla just might be insecure.

  12. Just an artifact of reporting mindsets. by Entropius · · Score: 1, Insightful

    The Firefox devs are much, much more likely to acknowledge flaws and try to fix them, while Microsoft likes to downplay such things. Notice that the article said "vendor-confirmed flaws"?

    Since OSS projects have a better security track record in general, they're more likely to actively seek out bugs and try to squash them because security holes are less tolerated. Likewise, a flaw that might be considered minor in IE might be classified as severe in Firefox.

  13. RTFA by mothlos · · Score: 4, Insightful
    There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
    I think that says it all.
  14. A little advocating for the devil... by sterno · · Score: 2, Insightful

    How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?

    While this is important in the grand scheme of things, ultimately, the more often vulnerabilities come out, the less likely it is that everybody is going to stay up to date consistently. Lest we forget, most attacks are exploiting publicly known and well understood software flaws. Many attackers are simply using the lists of critical bugs as specifications for their next attack.

    Having said that, I think this is less a reflection on the code for Firefox and more about the development status of the two browsers. Firefox is still actively developed, getting new features on a routine basis. Invariably as new features are added, new bugs will be made and old bugs will be discovered. With IE, it is purely maintenance mode right now. The only updates it receives are bug fixes. So invariably there are less bugs to find over time if you aren't adding them with new code.

    Symantec isn't shilling for Microsoft, they are just drawing a rather short-sighted conclusion based on the statistics they have. It doesn't say anything about longer term trends for the browsers, nor does it suggest anything about the innate security of their development methodologies.

    --
    This sig has been temporarily disconnected or is no longer in service
  15. Re:Mozilla hits back at browser security claim by tktk · · Score: 2, Insightful
    In the article, from a Symantec researcher:

    "People who have swapped [from IE to Firefox], even if this is a blip, should ask whether the assumption that Firefox is more secure than IE is valid anymore. They shouldn't just rely on changing their browser, but may think about having to look at a different configuration."

    By different configuration, I think he means, "Buy our products! Or else."

  16. Right then. by Slashcrap · · Score: 2, Insightful

    Hands up anyone who has contracted spyware/adware/viruses through IE.

    Ok, now hands up anyone who has contracted spyware/adware/viruses through Mozilla/Firefox.

    Your honour, I rest my case.

  17. Motives by Anonymous Coward · · Score: 1, Insightful

    In other news, analysts credit Firefox for a slow down in sales of third-party security software. According to one source, "With Firefox, you don't need some extra solution like Norton's Popup Blocker (tm)."

    Symantec has expressed concerns that users may not understand the implications of such actions. "Firefox is not a silver bullet!" says VP of Marketing Strategies at Symantec's Mexico City offices. "People think that just because you don't need a popup blocker, they don't need a firewall or virus scanner either. The Mozilla people need to make it clear to their customers that this is not the case."

    Officials for McAfee are considering joining Symantec in a public awareness campaign that will restore consumer trepidation and lead to better protections for all computer users.

  18. They are just protecting their interests by erroneus · · Score: 2, Insightful

    Yesterday there was something from them about how Firefox and Mac users are in a fantasy land for thinking they are safer for using them. Now they are asserting that within their selected window of time, more vulnerabilities were reported in FF than MSIE. How about we change the window from the beginning of their respective initial public releases until now? Would that be fair? How about if we pick a month window where no vulnerabilities had been reported in FF? Would that also be fair and balanced?

    If people start jumping ship (Win+MSIE) onto another ship, Symantec will see that they will sell fewer floatation devices.

    This is a pretty pathetic attempt to sway opinion by Symantec.

  19. Re:Security flaws? by Red+Flayer · · Score: 4, Insightful

    I'm not apologizing for IE, but...

    (1) Even though IE is old, the nature of threats changes -- not all the security holes could have been predicted five years ago.

    (2) Just because Mozilla is newer doesn't mean that they don't have the responsibility to have fewer holes in security. On the contrary, the Mozilla developer community has had the opportunity to learn from all the security holes of IE, and to develop the code from the ground up in such a way that limits vulnerabilities.

    That said, response time to threats is better for Firefox. The total threat posed is probably less, because the time of exposure is a fraction of IE vulnerabilities.

    But Mozilla faces a tough road ahead -- if they maintain or gain market share, they have to be very cautious, as their vulnerabilities will begin to be targeted seriously by malware.

    Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  20. Flaw in the methodology by Bruce+Perens · · Score: 4, Insightful
    Symantec only counts vendor-acknowledged flaws in this study. Microsoft has yet to handle 19 flaws, and this is admitted by Symantec. If they had counted those, IE would have been less secure in their study. It seems to me that the methodology is deliberately flawed.

    Bruce

  21. One more question by Frankie70 · · Score: 1, Insightful

    Is Slashdot the most biased forum in the world?

    These are the excuses which have appeared in the first half hour of this article

    1) More vulnerabilities are discovered in FF because FF is open source & peer review found these bugs. This is good.
    2) But I never got infected by FF.
    3) But Mozilla issues a press release against Symantec
    4) Symantec is biased
    5) Symantec is doing this to increase their business
    6) IE has more vulnerabilities which aren't yet discovered
    7) FF has more dedicated devs hence they are more likely to admit a vulnerability than IE
    8) IE Sucks
    9) Microsoft sucks

    Many of these have also been modded Insightful or Interesting & these moderations will most likely be meta-moderated as fair.

  22. Symantec is living off of their rep from the 80s by gothzilla · · Score: 2, Insightful

    Symantec stopped producing effective software a long time ago. There was a time though when any self-respecting geek had a copy of Norton Utils, you know, the ones with all two-letter file names like NU.EXE.
    Brand familiarity and name recognition are suitable substitutes for quality when it comes to business and profits. I wouldn't touch any of their software with a 10 foot IDE cable anymore, and haven't for the past few years.

  23. Re:10 year old latest version? by TurdTapper · · Score: 3, Insightful

    I would agree if the app was being developed against a non-changing set of technologies. If there are not any other changes that need to be accounted for, then at some point the app should be completely secure. Unfortunately, that doesn't work when it comes to software. There will always be a new version of something that new functionality is needed for (XML, Java, CSS, etc). If a program does not keep updating and incorporating the latest technologies, especially if it's a web browser, then it would quickly become unusable. Can you use any old version of IE and still be able to do EVERYTHING on the web? No. The same way that I would guess if you keep the current version of Mozilla without ever upgrading, 10 years from now you won't be able to do 90% of what is available on the web.

    --
    A man with a gun is called a citizen. A man without a gun is called a subject.
  24. Vendor-confirmed? by Todd+Knarr · · Score: 2, Insightful

    I think this is the kicker. The 25 vulnerabilities for Mozilla are almost certainly all the known vulnerabilities. For IE, how many vulnerabilities are there that've been reported that MS hasn't publicly acknowledged?

    In addition, what's the severity? The last Mozilla vulnerability was the IDN bug, which was trivially worked-around by changing one config setting until a patch was released. Contrast that to the recent vulnerability in IE that MS won't discuss details of, other than to say that it allows total compromise of the machine and they won't be patching it until next month, and there's no workaround for the bug because nobody knows what the bug is (outside of MS, the security company that found it and the black-hats, of course).

    My take on it: Mozilla may be having more vulnerabilities reported, but it's still fewer than in IE and those vulnerabilities are less severe, easier to work around without crippling your system and fixed sooner than IE's holes. From a user's viewpoint, this makes Mozilla more secure than IE.

  25. Keyword: Disclosed by bubkus_jones · · Score: 2, Insightful

    I'm sure everyone's noticed the word "disclosed". Firefox/Mozilla are open sourced, so everyone can see potential vulnerabilities and tell the world. IE, however, is generally limited to the MS developers, and it will pretty much be up to their bosses to decide whether to disclose a vulnerability.

    How many IE vulnerabilities are there that we don't know about?

  26. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  27. Re:The key point, to me is... by starfishsystems · · Score: 2, Insightful
    Fundamentally more secure means there's something inherent in their technology that makes it more secure.

    There are indeed fundamental differences in the security between the two approaches. One obvious difference is modularity. A browser which is monolithically integrated with a system is a greater security risk than one which can be removed or replaced, since its risk cannot be mitigated.

    Another fundamental difference is in transparency. Security fundamentally requires verification. Closed source strictly prevents verification.

    Another is containment. What are the consequences to the system if the browser is compromised? If the browser is designed, say, with the intent of installing software or modifying the window system, then it fails to contain security risks compared to a browser which defers these actions to the part of the system which is nominally responsible for system configuration.

    --
    Parity: What to do when the weekend comes.
  28. Re:10 year old latest version? by Zak3056 · · Score: 2, Insightful

    There's a problem with the point you're making:
    IE6 is four years old. While SP2 was released last year, this version is applicable ONLY to WinXP SP2--all other platforms are stuck at IE6 SP1, which was released almost exactly three years ago. Everything since then has supposedly been security fixes and the like.

    It's not a moving target--it really IS supposed to be mature code. There's a far cry between this and something under active development!

    --
    What part of "shall not be infringed" is so hard to understand?
  29. For those who may be fooled by this by Trailer+Trash · · Score: 5, Insightful

    This exposes the gulf between open source security and proprietary security. Ignore for a minute the fact that Symantec a) has a vested interest in you using insecure products and b) uses highly flawed methodology as their "count" is actually "count of vendor-admitted bugs". There's a major difference between a vulnerability in Mozilla and a vulnerability in IE.

    Since we don't have the source for IE, any vulnerability found is, by definition, exploitable. Someone found a way to exploit it- you get a vulnerability.

    Vulnerabilities found in Mozilla, on the other hand, are often theoretical in nature. Someone looking through the source finds the problem, but no exploit is written.

    Another major problem is here:

    The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited."

    My entire system isn't going to be compromised from me browsing with Mozilla. Period. Somebody is confused.

  30. Show me a percentage by Rick+and+Roll · · Score: 2, Insightful
    Show me a percentage of Firefox users that have had their computers screwed up, compared with IE. I'm sure the Firefox number will be lower.

    If Firefox had been more popular, would it have been more exploited? Would it have been worse than IE? These are useless questions.

    The point is, Firefox users are more secure than IE users. And Firefox developers are much better listeners than IE developers. People who use Firefox have a better experience with their computers. And that is why IE has lost market share.

    I hope nobody takes all these B. S. articles seriously.

  31. No. by khasim · · Score: 2, Insightful
    Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.
    I'm running FireFox with the NoScript extension. That way, no JavaScript runs from any site I don't specifically whitelist. So, no exploits from that side.

    FireFox, by default, requires you to whitelist sites to install software from them. So, no exploits from that side.

    And so on and so forth.

    The key to security is to reduce the avenues of attack.

    If my browser will not run any code from your site and I will not download any apps from your site, then I do not have to worry about being cracked via my browser going to your site.
    That said, response time to threats is better for Firefox. The total threat posed is probably less, because the time of exposure is a fraction of IE vulnerabilities.
    No. That only applies if 100% of the population (or close to it) applies those patches as soon as they're released.

    You cannot depend upon the users applying patches so you must focus on removing the threat before the user is involved. That is where FireFox's whitelists beat Microsoft every time.
    But Mozilla faces a tough road ahead -- if they maintain or gain market share, they have to be very cautious, as their vulnerabilities will begin to be targeted seriously by malware.
    Again, that is only the case if the vulnerabilities can be exploited. If I don't allow Java or JavaScript or installs from a website, then it is going to have to be a pretty dramatic vulnerability for me to be infected.

    And until that vulnerability is shown to exist, the discussion is purely theoretical while the discussion of IE's exploits is documented fact.
  32. Re:10 year old latest version? by Zoop · · Score: 3, Insightful

    I would agree if the app was being developed against a non-changing set of technologies.

    Every technology IE 6 supports is older than IE 6. IE 6 was released years ago, and hasn't upgraded its support for internet technologies, nor has it added new ones. So really, the argument that "IE 6 is vulnerable because it supports changing technologies" is hogwash. IE 6 is an unchanging application with multiple years available for fixing vulnerabilities.

  33. Re:How to respond to bad Mozilla security news on by d34thm0nk3y · · Score: 2, Insightful

    If these responses are so predictable should you not have had time enough to think of some actual rebuttals? I have another for your list:

    8.) Pointless troll ranting against the Slashdot groupthink without adding anything to the discussion.