IE More Secure Than Mozilla?
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. 'According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
'During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity,' the report noted."
How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products is open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?
How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?
Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?
Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?
I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.
Or both.
I have yet to get a spyware infection from using Firefox...
Security is a process not a state.
A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes is one vulnerability to make your browser insecure.
Once any vulnerability is discovered, relative security depends upon how many users are exposed, and for how long.
Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.
A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is it that any given user was hacked via the product?"
Currency calculator that accepts free form input such as "23 canadian dollars --> rupees"
How many of those Mozilla exploits compromise the entire OS?
I like big butts and I cannot lie.
Two points to consider:
1. How many 'high severity' bugs did IE have to fix to get to that point? Remember also that IE is integrated into Windows, so any vulnerability that affects Windows affects IE in one way or another (and vice versa).
2. How many have been disclosed by Microsoft before being fixed? They are notorious for not disclosing these things until after it is fixed, and even then they don't always label it as a "IE" fix.
War isn't about who's right. It's about who's left.
My neighbours using Firefox on MS Windows have had zero problems due to these security flaws. The neighbours using IE under XP with Service Pack 2 installed and automated update on still get tons of spyware.
So the alternative conclusion of the Symantec report would be: Spyware holes in MS IE are not spyware holes, but easy software installation features.
My wife's sketchblog Blob[p]: Gastrono-me
I'm not apologizing for IE, but...
(1) Even though IE is old, the nature of threats changes -- not all the security holes could have been predicted five years ago.
(2) Just because Mozilla is newer doesn't mean that they don't have the responsibility to have fewer holes in security. On the contrary, the Mozilla developer community has had the opportunity to learn from all the security holes of IE, and to develop the code from the ground up in such a way that limits vulnerabilities.
That said, response time to threats is better for Firefox. The total threat posed is probably less, because the time of exposure is a fraction of IE vulnerabilities.
But Mozilla faces a tough road ahead -- if they maintain or gain market share, they have to be very cautious, as their vulnerabilities will begin to be targeted seriously by malware.
Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Bruce
Bruce Perens.
I would agree if the app was being developed against a non-changing set of technologies. If there are not any other changes that need to be accounted for, then at some point the app should be completely secure. Unfortunately, that doesn't work when it comes to software. There will always be a new version of something that new functionality is needed for (XML, Java, CSS, etc). If a program does not keep updating and incorporating the latest technologies, especially if it's a web browser, then it would quickly become unusable. Can you use any old version of IE and still be able to do EVERYTHING on the web? No. The same way that I would guess if you keep the current version of Mozilla without ever upgrading, 10 years from now you won't be able to do 90% of what is available on the web.
A man with a gun is called a citizen. A man without a gun is called a subject.
Don't be a troll. An opinion is a statement based on subjective criteria. And yes, everyone has them, and comparisons between them are not particularly interesting.
But we're not talking about subjective matters here. Symantec has released a security analysis, whose premises and reasoning may or not be correct at various points. That's what we're discussing here. Symantec is not saying, "We think Britney Spears is cute." It's claiming that vulnerabilities have been found faster in one browser versus another over a certain period of study.
Our discussion is about the merits of that claim. It's called a rational discussion. I'm sure there will be some subjective opinions thrown in as well. After all, we're not a corporation issuing a press release on the findings of a security study, so tests of intellectual rigor are a bit different here.
Parity: What to do when the weekend comes.
This exposes the gulf between open source security and proprietary security. Ignore for a minute the fact that Symantec a) has a vested interest in you using insecure products and b) uses highly flawed methodology, as their "count" is actually "count of vendor-admitted bugs". There's a major difference between a vulnerability in Mozilla and a vulnerability in IE.
Since we don't have the source for IE, any vulnerability found is, by definition, exploitable. Someone found a way to exploit it -- you get a vulnerability.
Vulnerabilities found in Mozilla, on the other hand, are often theoretical in nature. Someone looking through the source finds the problem, but no exploit is written.
Another major problem is here:
My entire system isn't going to be compromised from me browsing with Mozilla. Period. Somebody is confused.
Do you have ESP?
I would agree if the app was being developed against a non-changing set of technologies.
Every technology IE 6 supports is older than IE 6. IE 6 was released years ago, and hasn't upgraded its support for internet technologies, nor has it added new ones. So really, the argument that "IE 6 is vulnerable because it supports changing technologies" is hogwash. IE 6 is an unchanging application with multiple years available for fixing vulnerabilities.