Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE More Secure Than Mozilla?

Posted by CmdrTaco on from the now-wait-a-minute-here dept.

killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted." "

7 of 534 comments (clear)

  1. Questions by daveschroeder · · Score: 5, Insightful

    How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products are open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?

    How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?

    Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

    Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?

    I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.

    Or both.

    1. Re:Questions by TurdTapper · · Score: 5, Insightful

      I don't want to completely argue with you, I believe that most of your points are valid. But I don't agree with this one:

      Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?

      10 years from now, the latest Mozilla version will probably have critical vulnerabilities. Each new version will have different technologies to deal with as well as have new developers/programmers involved. If one thing is constant in programming any app, as time goes on and new versions come out, there are always new bugs and problems. Mozilla won't be immune to those.

      --
      A man with a gun is called a citizen. A man without a gun is called a subject.
    2. Re:Questions by tchernobog · · Score: 5, Insightful

      It's Symantec, boys!

      You know what, they have large revenues from a MS Windows-related market, and they produce Norton Antivirus, Norton Utilities, and all the damn product line.

      If they start saying that a free (as in beer) OpenSource browser (maybe one that works even on GNU/Linux, sheesh!) is able to actually lower the number of virus/malware you get, people may start considering the switch.

      If people get less virii/malware, this means less revenues for them. And what if people discover things like ClamAV, which also works on GNU/Linux? What next?

      I ain't saying that Symantec is creating new virii by itself (that's an urban legend like alligators in sewers), but I ain't saying they want to lose customers too.

      I'll just wait a less biased source than Symantec, or "Microsoft Watch". It's like Microsoft saying that the TCO of Windows is less than the one of GNU/linux (or vice-versa, for what matters).

      PS: this doesn't mean that Firefox is "the most secure" thing around. It isn't. But it is free software and works really well for me. I won't switch to Opera now because of this stupid report, nor because Opera has gone free as in beer. A lot of /.-ters make a tragedy out of a rumor (speaking in general). We're a bunch of chattering mothers-in-law... :-)

      Anyway, the damage a Firefox bug can do is limited to user space; a hole in IE, which is tightly tied with Windows kernel... brrr.

      --
      42.
  2. Yea but... by P0pinjay · · Score: 5, Insightful

    I have yet to get a spyware infection from using Firefox...

  3. Security is a process! by DeadSea · · Score: 5, Insightful

    Security is a process not a state.

    A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes in one vulnerability to make your browser insecure

    Once any vulnerability is discovered, relative security depends upon is how many users are exposed, and for how long.

    Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.

    • How quickly a patch is issued
    • How quickly are users notified
    • How easy it is to apply the patch or upgrade
    • What percentage of users actually apply the patch

    A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is that any given user was hacked via the product".

    Currency calculator that accepts free form input such as "23 canadian dollars --> rupees"

  4. Vunerable? by rampant+mac · · Score: 5, Insightful

    How many of those Mozilla exploits compromise the entire OS?

    --
    I like big butts and I cannot lie.
  5. For those who may be fooled by this by Trailer+Trash · · Score: 5, Insightful

    This exposes the gulf between open source security and proprietary security. Ignore for a minute the fact that Symantec a) has a vested interest in you using insecure products and b) uses highly flawed methodolgy as their "count" is actually "count of vendor-admitted bugs". There's a major difference between a vulnerability in Mozilla and a vulnerability in IE.

    Since we don't have the source for IE, any vulnerability found is, by definition, exploitable. Someone found a way to exploit it- you get a vulnerability.

    Vulnerabilities found in Mozilla, on the other hand, are often theoretical in nature. Someone looking through the source finds the problem, but no exploit is written.

    Another major problem is here:

    The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited."

    My entire system isn't going to be compromised from me browsing with Mozilla. Period. Somebody is confused.

    --
    Do you have ESP?