Slashdot Mirror
IE More Secure Than Mozilla?
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted." "
Anyone who thinks Symantec isn't acting in a *VERY* self-serving manner in the past few days worth of FUD is kidding themselves.
I kid you not, Symantec has been saying "Don't use the Mac, it's insecure! Or Linux! Or Mozilla! They're not secure, oh noes!!!"
Guess why... maybe it's because they don't have products for those operating systems... or maybe it's because there are no virii in the wild, and they haven't been able to figure out how to write good enough virii for those OS' to scare people into buying their shitty product?
You decide. I already have.
...Steve
Since Symantec is best known for their Anti-Virus products, wouldn't it make sense for them to promote IE as the more "secure" browser?
I mean, it may not be secure in the traditional sense of the word, but with all the trojans/malware/ActiveX vulnerabilities out there, surely IE is the best way to "secure" profits for themselves?
I think you may be confusing Symantec with another company . Last I heard Symantec were a menace who enjoyed spreading fear so people would buy their security products (which in a lot of cases did more harm than good) .
The only things certain in war are Propaganda and Death. You can never be sure which is which though
What drivel.
There are several massive logical ballsups here, made by the linker and the linkee.
1) Not all exploits are created equal. Look at the number of those Moz exploits rated by Secunia as 'Extremely Severe' or 'Critical' compared to those for IE.
2) Mozilla Firefox is not bug free. No piece of software is bug free, and only a mentally retarded moron would believe otherwise. What is important is not that security flaws get found, but (a) how open the organisation is about the flaw [full disclosure] and (b) timeliness of fixes.
3) Mozilla believes in full disclosure, Microsoft does not.
4) The average time taken to patch a flaw in Firefox is two days. IE has unpatched vulnerabilities going back SIX YEARS.
5) Critical components of Firefox run in an sandboxed unprivileged space. When Firefox flaws are discovered, the damage done is minimised. IE runs everything with administrator privileges. When IE is exploited (regularly), a full-on system-rape inevitably follows.
6) ActiveX. The unsafe system by which 90% of spyware, adware, trojans, porn diallers etc. enter your system. Guess which browser has ActiveX turned on by default? Yes, IE. Firefox doesn't support ActiveX because it's just too bloody dangerous.
The security arguments being made about IE vs Firefox in that argument are unreconstructed luddite ballacks.
Although, honestly, we all know security is not the reason we geeks like Firefox. We like it because OMG 3XT3NSI0NZ!!!
So squish.
Martin
Saw a great comparison on firefox and mozilla a few months ago. Looking at the age of critical vulnerabilities and the time it took to patch them, IE was safe to use for a total of seven days in 2004. All other days had an unpatched known critical vulnerability. Firefox fared better by far, being only vulnerable for small patches at a time.
If I weren't so lazy I'd find the comparison. I'll leave that as an exercise for the reader and google.
How about this: a report that identifies the vulnerabilities associated with a vendor, and not a product. In other words, after the initial public announcement of a vulnerability, we report how long it took the vendor to release a patch. Lower scores are better.
Anybody think that'll work? If not, why not?
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
- What is being done proactively to ensure that the system remains secure?
Once a new form of vulnerability is discovered, is the rest of the code audited to ensure that no other vulnerabilities of this nature exist? Is the vulnerability class documented, and are the coding guidelines for the project updated to ensure that people who read them (all committers, at a minimum) don't make the same mistake again?There is a reason why I trust the security of OpenBSD more than most other projects. Security is not just a process, it's an attitude.
I am TheRaven on Soylent News
This is true. However IE is supposed to be a mature application. It isn't a new version that comes out every few months. At some point shouldn't a developed app reach a point that it is locked down and secure?
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties. It's an irrelevant quibble though, since web browsers are far, far too complex to ever be formally validated.
As I explained in another post, I believe their numbers are wrong.
The simple reason is because many bugs where viewing a malicious web page could allow remote code execution (or something similarly nasty) are reported as "windows" bugs rather than "internet explorer" bugs.
If you actually read throught the microsoft bulletins, and consider anything where simply using IE allows an attack (which requires reading the vulunerability info rather than Microsoft's searchable fields of impacted software), you'll find a lot more bugs than Symantec is claiming.
But you don't need to do all that work... I did it, admittedly rather quickly, a few days ago. Just follow that link, and the one in that post, to my quick summary of "simply using IE" bugs.
While googling around, I also found several others mentioned on various security sites, which didn't seem to correspond to any of the bulletins. And complaints of known bugs still not fixed. And some microsoft "notices" which basically claim "that's not a bug, you just need to avoid doing XYZ".
My quick list alone almost puts IE to the raw number of bugs as firefox, and I'm sure if someone did all the digging needed to compile a list that also included other non-microsoft-bulletin sources, we'd see what is plainly known... that IE has a lot more bugs.
It's sad that Symantec couldn't do this. Looks like they simply using Microsoft's database, which ignores lots of bugs Microsoft doesn't "officially" consider IE bugs (even though simply viewing a page with IE is the attack vector), and all the bugs Microsoft is ignoring or denying, or has quietly fixed.
PJRC: Electronic Projects, 8051 Microcontroller Tools
The big reason that being integral to the OS is bad is that firstly everyone knows it will be on the box which means its a good target for attack, secondly the core dll's are exposed in many applications so securing the surface of IE isn't enough to close all possible vulnerabilities (the security has to be at every single layer that any application is allowed to call into). Mozilla could get away with only securing the top levels and benefits from the fact that it is only on like what 30% of windows boxes?
"You can now flame me, I am full of love,"
Given the topic, I'm amused that your sig is simultaneously on topic and out of date:
Keep firefox secure, vote for bug #262536
Bug 262536 "Bigger notice for updates and critical updates" has been marked resolved by Ben Goodger: "This is fixed by the new update system UI."
8-)