IE More Secure Than Mozilla?
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. 'According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.'"
Anyone who thinks Symantec isn't acting in a *VERY* self-serving manner in the past few days worth of FUD is kidding themselves.
I kid you not, Symantec has been saying "Don't use the Mac, it's insecure! Or Linux! Or Mozilla! They're not secure, oh noes!!!"
Guess why... maybe it's because they don't have products for those operating systems... or maybe it's because there are no virii in the wild, and they haven't been able to figure out how to write good enough virii for those OS' to scare people into buying their shitty product?
You decide. I already have.
...Steve
Since Symantec is best known for their Anti-Virus products, wouldn't it make sense for them to promote IE as the more "secure" browser?
I mean, it may not be secure in the traditional sense of the word, but with all the trojans/malware/ActiveX vulnerabilities out there, surely IE is the best way to "secure" profits for themselves?
I think you may be confusing Symantec with another company. Last I heard Symantec were a menace who enjoyed spreading fear so people would buy their security products (which in a lot of cases did more harm than good).
The only things certain in war are Propaganda and Death. You can never be sure which is which though
What drivel.
There are several massive logical ballsups here, made by the linker and the linkee.
1) Not all exploits are created equal. Look at the number of those Moz exploits rated by Secunia as 'Extremely Severe' or 'Critical' compared to those for IE.
2) Mozilla Firefox is not bug free. No piece of software is bug free, and only a mentally retarded moron would believe otherwise. What is important is not that security flaws get found, but (a) how open the organisation is about the flaw [full disclosure] and (b) timeliness of fixes.
3) Mozilla believes in full disclosure, Microsoft does not.
4) The average time taken to patch a flaw in Firefox is two days. IE has unpatched vulnerabilities going back SIX YEARS.
5) Critical components of Firefox run in a sandboxed unprivileged space. When Firefox flaws are discovered, the damage done is minimised. IE runs everything with administrator privileges. When IE is exploited (regularly), a full-on system-rape inevitably follows.
6) ActiveX. The unsafe system by which 90% of spyware, adware, trojans, porn diallers etc. enter your system. Guess which browser has ActiveX turned on by default? Yes, IE. Firefox doesn't support ActiveX because it's just too bloody dangerous.
The security arguments being made about IE vs Firefox in that argument are unreconstructed luddite bollocks.
Although, honestly, we all know security is not the reason we geeks like Firefox. We like it because OMG 3XT3NSI0NZ!!!
So squish.
Martin
Saw a great comparison on firefox and mozilla a few months ago. Looking at the age of critical vulnerabilities and the time it took to patch them, IE was safe to use for a total of seven days in 2004. All other days had an unpatched known critical vulnerability. Firefox fared better by far, being only vulnerable for small patches at a time.
If I weren't so lazy I'd find the comparison. I'll leave that as an exercise for the reader and google.
Thankfully, Opera is now available as a free browser. Yes, free as in beer, but it's still good. Why? Because when you have multiple browsers, a single infection can't hit all of them.
Yay Opera for Windows, and Konqueror for Linux!
--LWM
How about this: a report that identifies the vulnerabilities associated with a vendor, and not a product. In other words, after the initial public announcement of a vulnerability, we report how long it took the vendor to release a patch. Lower scores are better.
Anybody think that'll work? If not, why not?
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
- What is being done proactively to ensure that the system remains secure?
Once a new form of vulnerability is discovered, is the rest of the code audited to ensure that no other vulnerabilities of this nature exist? Is the vulnerability class documented, and are the coding guidelines for the project updated to ensure that people who read them (all committers, at a minimum) don't make the same mistake again?
There is a reason why I trust the security of OpenBSD more than most other projects. Security is not just a process, it's an attitude.
I am TheRaven on Soylent News
This is true. However IE is supposed to be a mature application. It isn't a new version that comes out every few months. At some point shouldn't a developed app reach a point that it is locked down and secure?
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
* Anyone who simply parrots "IE is tied to the OS!" without showing how this statement applies to this situation gets stabbed in the eye :) The phrase does not mean what you think it means!
Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties. It's an irrelevant quibble though, since web browsers are far, far too complex to ever be formally validated.
No, you're not a cynic. You ARE right on the money, literally. Besides, Symantec 2005 relies on ActiveX controls to run their anti-virus software! How stupid is that?! (Hint: VERY stupid when my wife's computer with SYMANTEC A/V software got a nasty little ActiveX virus which caused Symantec software to completely cease proper functioning. - no updating, no scanning, no more protection)
As I explained in another post, I believe their numbers are wrong.
The simple reason is because many bugs where viewing a malicious web page could allow remote code execution (or something similarly nasty) are reported as "windows" bugs rather than "internet explorer" bugs.
If you actually read through the Microsoft bulletins, and consider anything where simply using IE allows an attack (which requires reading the vulnerability info rather than Microsoft's searchable fields of impacted software), you'll find a lot more bugs than Symantec is claiming.
But you don't need to do all that work... I did it, admittedly rather quickly, a few days ago. Just follow that link, and the one in that post, to my quick summary of "simply using IE" bugs.
While googling around, I also found several others mentioned on various security sites, which didn't seem to correspond to any of the bulletins. And complaints of known bugs still not fixed. And some microsoft "notices" which basically claim "that's not a bug, you just need to avoid doing XYZ".
My quick list alone almost puts IE to the raw number of bugs as firefox, and I'm sure if someone did all the digging needed to compile a list that also included other non-microsoft-bulletin sources, we'd see what is plainly known... that IE has a lot more bugs.
It's sad that Symantec couldn't do this. Looks like they're simply using Microsoft's database, which ignores lots of bugs Microsoft doesn't "officially" consider IE bugs (even though simply viewing a page with IE is the attack vector), and all the bugs Microsoft is ignoring or denying, or has quietly fixed.
PJRC: Electronic Projects, 8051 Microcontroller Tools
so what you're saying... is that all programs should be closed source, because then the majority of vulnerabilities would remain hidden while they are discovered and patched! It's perfect! MS has the right idea! (half kidding, half mocking the parent)
I hate to say it, but apparently you believe everything you read.
The statistic you're talking about is misleading because it only takes into account the length of time from the vulnerability being publicly disclosed to the time of the patch. Typically bug details are embargoed for weeks to months before a patch is made public and the vulnerability is publicly reported.
Don't believe me? Go ahead and look at the bugzilla database for when the vulnerabilities were created, not when the security alert was issued.
If you need web hosting, you could do worse than here
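A worked version of the "days exposed" metric that this post and the earlier "time from public announcement to patch" proposal argue about, added here as an example (not code from any poster): it takes a constructed list of vulnerability records with a private-report date, a public-disclosure date and a patch date, and counts the days on which a vendor had at least one unpatched flaw, once starting the clock at public disclosure and once at the private report. The vendor names and dates are invented for illustration.

```python
from datetime import date, timedelta

# Constructed sample records (not real advisories): each entry is
# (vendor, privately_reported, publicly_disclosed, patched).
# A patch date of None means the flaw was still unpatched at period end.
SAMPLE = [
    ("BrowserA", date(2005, 1, 3), date(2005, 2, 10), date(2005, 2, 12)),
    ("BrowserA", date(2005, 3, 1), date(2005, 3, 5), date(2005, 3, 6)),
    ("BrowserB", date(2004, 11, 20), date(2005, 1, 15), date(2005, 4, 12)),
    ("BrowserB", date(2005, 2, 1), date(2005, 5, 1), None),
]

PERIOD_START = date(2005, 1, 1)
PERIOD_END = date(2005, 6, 30)   # inclusive


def exposure_days(records, vendor, start_field,
                  period_start=PERIOD_START, period_end=PERIOD_END):
    """Count days in the period on which the vendor had at least one
    unpatched vulnerability. start_field selects which event opens the
    window: 2 = public disclosure (what the quoted statistic measures),
    1 = private report (what the post argues should be counted).
    Overlapping windows are merged by collecting days into a set."""
    exposed = set()
    for rec in records:
        if rec[0] != vendor:
            continue
        opened = max(rec[start_field], period_start)
        closed = rec[3] if rec[3] is not None else period_end + timedelta(days=1)
        day = opened
        # A patch released on day D closes the window; D itself is not counted.
        while day < closed and day <= period_end:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def exposure_report(records):
    """Per-vendor days exposed under both start points, showing how far
    the disclosure-to-patch window understates the real exposure."""
    vendors = sorted({r[0] for r in records})
    return {v: {"from_disclosure": exposure_days(records, v, 2),
                "from_report": exposure_days(records, v, 1)}
            for v in vendors}


if __name__ == "__main__":
    for vendor, counts in exposure_report(SAMPLE).items():
        print(vendor, counts)
```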
The big reason that being integral to the OS is bad is that firstly everyone knows it will be on the box, which means it's a good target for attack, and secondly the core DLLs are exposed in many applications, so securing the surface of IE isn't enough to close all possible vulnerabilities (the security has to be at every single layer that any application is allowed to call into). Mozilla could get away with only securing the top levels and benefits from the fact that it is only on, like, what, 30% of Windows boxes?
"You can now flame me, I am full of love,"
You are making a completely invalid assumption. The assumption you make is that all software will always have bugs. This is provably untrue. When software is designed against such failure, then it is likely that they will accomplish that end. An example of this is QMail. (check here for the only ones I could find)
This isn't meant to bash any project in particular, but the fact remains that a program is a series of instructions and the computer follows them. It is possible to write a series of instructions that does not present vulnerabilities to attackers. If a utility or library has problems, the utility or library should either be fixed or avoided. It's POSSIBLE. It always has been and always will be. To suggest that there are impossibilities such as this would be the same as saying it's impossible to quit smoking or doing drugs -- it may be difficult or even painful to do, but it remains in the realm of possible. It then becomes a question of whether or not a programmer chooses a more difficult challenge.
What you're describing is security through obscurity. Mozilla has core libraries as well, and they are exposed to any application that wants to take advantage of them.
Of course you can get around this problem by statically linking all the code together, but then you create far more maintenance work.
If you need web hosting, you could do worse than here
I suspect that MS looked jealously at the revenue stream coming from Symantec. By bundling security products into Windows, MS can now grab an increasingly large chunk for themselves. So where does that leave Symantec?
If Windows Vista is as secure as MS says, there will be few opportunities for Symantec there. Win95, 98, ME, NT and Win2K will be around for a while but not for long. Most Unix-based OSs (Solaris, BSD, etc.) are very secure, so probably not much opportunity there.
So, Symantec ( and similar companies ) can only hope for a mix of the following :-
- Vista is just as buggy and insecure as all previous versions of Windows.
- Linux finally arrives on the desktop full of exploitable holes.
- People keep using older versions of Windows for as long as possible.
Personally, I think option 1 is more likely.
Art Makers: Just an excuse to show photos of naked women !!
Given the topic, I'm amused that your sig is simultaneously on topic and out of date:
Keep firefox secure, vote for bug #262536
Bug 262536 "Bigger notice for updates and critical updates" has been marked resolved by Ben Goodger: "This is fixed by the new update system UI."
8-)
I think this speaks in favour of FF over IE.
There are few publicly available statistics about when IE flaws were introduced, reported or exploited; however, anecdotal reports suggest that MS is quite happy to sit on serious holes for as long as they can conceal them from their customers. This has admittedly gotten much better since the people reporting the vulns have laid down the 1 and 3 rule (contact me in one month, fix it in three or we go public). This hasn't stopped MS from attempting to sue or prosecute those people instead of fixing bugs: for whatever reason MS seems to think it is cheaper to throw lawyers at a problem than programmers.
Another way to look at this is that Firefox is almost a year old and up to version 1.0.6. IE is up to a qualified 6 (give or take a few "service packs"), is over ten years old and the point releases have to number in the hundreds if not thousands. Giving IE the benefit of the doubt, let's say that the two browsers are roughly equivalent from a security standpoint at this time: who's going to be more secure in a year? Is IE 7 going to be better? Maybe. It'll definitely have more features. It is almost certainly going to include tighter integration with MS's IPC-of-the-week. MS says it will be better. Historically, those three points suggest that IE7 will be less secure than IE6, not more: using 100 pairs of eyes to catch up to 10000 is a mug's game, MSIOTW has a spectacular security track record and Gates has proven no better than Bush at keeping a promise. I believe that it is safe to say that IE7 is just another round of FUDware and that MS security will not significantly improve with IE7 or Vista.
In my experience, Firefox is more secure. I've used Firefox almost since it came out. I was sick of IE. My wife still used IE. Guess what machines had spyware installed? My wife now uses Firefox.
Let's assume that Firefox and OSX are more secure. Would it be in the security industry's interest to trash them? Sure. Because the security industry WANTS us to be fearful of security breaches so we buy their products. If there ever was a secure system, they'd be out of business.
So basically Symantec wants to put a little fear in people who have switched and it's nothing more than that.
If someone says he and his monkey have nothing to hide, they almost certainly do.
There's one big fundamental difference between IE and mozilla. IE is so deeply integrated into the OS that the implications of a single vulnerability are far more grave.
This story is like saying "Mozilla leaves its front door open more often than IE" but failing to note that if you walk into Mozilla's door, you're in the lobby. If you walk into IE's door, you're teleported to the boiler room and given a complimentary stick of dynamite.
BIG difference. All an attacker can do if they compromise mozilla is do whatever the user could. Compromise IE and you're elbow deep in more fundamental parts of windows.
I think that everyone has forgotten an important factor here. Not only is Firefox open source, but Mozilla actually rewards people monetarily for bringing vulnerabilities to their attention. This is in sharp contrast to, say, Microsoft, who has threatened legal action against these same people. So let's look at an example...
Mozilla's Bug Bounty Program will PAY you $500 and openly discloses their code and vulnerabilities (after a fix of course)
Microsoft will threaten and perhaps follow through on legal action, and certainly does not open their source code.
When Mozilla has been a real concern (for example since .9) on a big scale for close to half the time IE has been a real concern, this will not be an issue, and in the meantime security through obscurity beats using the primary target of every scumbag coder on the planet.