Slashdot Mirror


IE More Secure Than Mozilla?

killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. 'According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.'"

10 of 534 comments

  1. Symantec is a scourge by Shaman · · Score: 5, Interesting

    Anyone who thinks Symantec isn't acting in a *VERY* self-serving manner in the past few days worth of FUD is kidding themselves.

    I kid you not, Symantec has been saying "Don't use the Mac, it's insecure! Or Linux! Or Mozilla! They're not secure, oh noes!!!"

    Guess why... maybe it's because they don't have products for those operating systems... or maybe it's because there are no virii in the wild, and they haven't been able to figure out how to write good enough virii for those OS' to scare people into buying their shitty product?

    You decide. I already have.

    --
    ...Steve
  2. Symantec's Business? by DarkBlackFox · · Score: 4, Interesting

    Since Symantec is best known for their Anti-Virus products, wouldn't it make sense for them to promote IE as the more "secure" browser?

    I mean, it may not be secure in the traditional sense of the word, but with all the trojans/malware/ActiveX vulnerabilities out there, surely IE is the best way to "secure" profits for themselves?

  3. Re:Symantec? by FidelCatsro · · Score: 5, Interesting

    I think you may be confusing Symantec with another company. Last I heard Symantec were a menace who enjoyed spreading fear so people would buy their security products (which in a lot of cases did more harm than good).

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  4. Re:How many? by minginqunt · · Score: 5, Interesting

    What drivel.

    There are several massive logical ballsups here, made by the linker and the linkee.

    1) Not all exploits are created equal. Look at the number of those Moz exploits rated by Secunia as 'Extremely Severe' or 'Critical' compared to those for IE.

    2) Mozilla Firefox is not bug free. No piece of software is bug free, and only a mentally retarded moron would believe otherwise. What is important is not that security flaws get found, but (a) how open the organisation is about the flaw [full disclosure] and (b) timeliness of fixes.

    3) Mozilla believes in full disclosure, Microsoft does not.

    4) The average time taken to patch a flaw in Firefox is two days. IE has unpatched vulnerabilities going back SIX YEARS.

    5) Critical components of Firefox run in a sandboxed unprivileged space. When Firefox flaws are discovered, the damage done is minimised. IE runs everything with administrator privileges. When IE is exploited (regularly), a full-on system-rape inevitably follows.

    6) ActiveX. The unsafe system by which 90% of spyware, adware, trojans, porn diallers etc. enter your system. Guess which browser has ActiveX turned on by default? Yes, IE. Firefox doesn't support ActiveX because it's just too bloody dangerous.

    The security arguments being made about IE vs Firefox in that argument are unreconstructed luddite ballacks.

    Although, honestly, we all know security is not the reason we geeks like Firefox. We like it because OMG 3XT3NSI0NZ!!!

    So squish.

    Martin

  5. Re:Questions by SpectreBinary · · Score: 5, Interesting

    Saw a great comparison on firefox and mozilla a few months ago. Looking at the age of critical vulnerabilities and the time it took to patch them, IE was safe to use for a total of seven days in 2004. All other days had an unpatched known critical vulnerability. Firefox fared better by far, being only vulnerable for small patches at a time.

    If I weren't so lazy I'd find the comparison. I'll leave that as an exercise for the reader and google.

  6. With a MAJOR Caveat by mjh · · Score: 5, Interesting
    From TFA:

    There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

    Interesting methodology. That means that the browser vendor is in complete control of the vulnerability counts. This is NOT the kind of reporting of vulnerabilities that I think should be encouraged. I'd rather see vulnerability reports that encourage full disclosure. This creates an incentive for the vendor to hide vulnerabilities. I think that's bad.

    How about this: a report that identifies the vulnerabilities associated with a vendor, and not a product. In other words, after the initial public announcement of a vulnerability, we report how long it took the vendor to release a patch. Lower scores are better.

    Anybody think that'll work? If not, why not?

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
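The two metrics argued for in the comments above, SpectreBinary's "days with an unpatched known critical vulnerability" and mjh's per-vendor time-to-patch measured from initial public disclosure, as an added example that is not part of the thread. The advisory records and vendor names are constructed sample data, not real bulletins; a flaw with no patch is counted as exposed through the end of the window, which is what makes vendor confirmation irrelevant to the score.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example, not code from the thread: score vendors by days of public
# exposure and by disclosure-to-patch delay. All records are constructed.

@dataclass(frozen=True)
class Advisory:
    vendor: str
    severity: str             # "critical" or "high" in this example
    disclosed: date           # first public announcement
    patched: Optional[date]   # None = no vendor fix as of the window end

SEVERITIES = {"critical", "high"}

def exposed_days(advisories, vendor, start, end, severities=SEVERITIES):
    """Days in [start, end] with at least one public, unpatched advisory
    for `vendor`. Overlapping advisories count once per day."""
    risky = set()
    for a in advisories:
        if a.vendor != vendor or a.severity not in severities:
            continue
        first = max(a.disclosed, start)
        # The patch day itself counts as fixed; an unpatched flaw stays
        # open through the end of the window.
        last = min(a.patched - timedelta(days=1) if a.patched else end, end)
        d = first
        while d <= last:
            risky.add(d)
            d += timedelta(days=1)
    return len(risky)

def mean_days_to_patch(advisories, vendor, as_of):
    """Average disclosure-to-patch delay; unpatched flaws accrue up to as_of."""
    delays = [((a.patched or as_of) - a.disclosed).days
              for a in advisories if a.vendor == vendor]
    return sum(delays) / len(delays) if delays else 0.0

ADVISORIES = [  # constructed sample data
    Advisory("vendor_a", "critical", date(2004, 1, 5), date(2004, 2, 10)),
    Advisory("vendor_a", "critical", date(2004, 2, 1), None),   # still open
    Advisory("vendor_a", "high", date(2004, 6, 1), date(2004, 6, 15)),
    Advisory("vendor_b", "critical", date(2004, 3, 1), date(2004, 3, 3)),
    Advisory("vendor_b", "high", date(2004, 9, 10), date(2004, 9, 12)),
]
YEAR = (date(2004, 1, 1), date(2004, 12, 31))

if __name__ == "__main__":
    for v in ("vendor_a", "vendor_b"):
        print(v, exposed_days(ADVISORIES, v, *YEAR),
              round(mean_days_to_patch(ADVISORIES, v, YEAR[1]), 1))
```

With this data vendor_a is exposed for 362 of 366 days because one open flaw spans the rest of the year, while vendor_b is exposed for 4 days in total.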
  7. Re:Security is a process! by TheRaven64 · · Score: 4, Interesting
    You are missing the most important thing:

    • What is being done proactively to ensure that the system remains secure?
    Once a new form of vulnerability is discovered, is the rest of the code audited to ensure that no other vulnerabilities of this nature exist? Is the vulnerability class documented, and are the coding guidelines for the project updated to ensure that people who read them (all committers, at a minimum) don't make the same mistake again?

    There is a reason why I trust the security of OpenBSD more than most other projects. Security is not just a process, it's an attitude.

    --
    I am TheRaven on Soylent News
  8. Bug Free by Mark_MF-WN · · Score: 5, Interesting

    Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties. It's an irrelevant quibble though, since web browsers are far, far too complex to ever be formally validated.

  9. Re:Questions by pjrc · · Score: 4, Interesting
    and Symantec is just presenting the numbers.

    As I explained in another post, I believe their numbers are wrong.

    The simple reason is because many bugs where viewing a malicious web page could allow remote code execution (or something similarly nasty) are reported as "windows" bugs rather than "internet explorer" bugs.

    If you actually read through the Microsoft bulletins, and consider anything where simply using IE allows an attack (which requires reading the vulnerability info rather than Microsoft's searchable fields of impacted software), you'll find a lot more bugs than Symantec is claiming.

    But you don't need to do all that work... I did it, admittedly rather quickly, a few days ago. Just follow that link, and the one in that post, to my quick summary of "simply using IE" bugs.

    While googling around, I also found several others mentioned on various security sites, which didn't seem to correspond to any of the bulletins. And complaints of known bugs still not fixed. And some microsoft "notices" which basically claim "that's not a bug, you just need to avoid doing XYZ".

    My quick list alone almost puts IE to the raw number of bugs as firefox, and I'm sure if someone did all the digging needed to compile a list that also included other non-microsoft-bulletin sources, we'd see what is plainly known... that IE has a lot more bugs.

    It's sad that Symantec couldn't do this. Looks like they are simply using Microsoft's database, which ignores lots of bugs Microsoft doesn't "officially" consider IE bugs (even though simply viewing a page with IE is the attack vector), and all the bugs Microsoft is ignoring or denying, or has quietly fixed.

  10. Re:Questions by John+Whitley · · Score: 4, Interesting

    Given the topic, I'm amused that your sig is simultaneously on topic and out of date:

    Keep firefox secure, vote for bug #262536

    Bug 262536 "Bigger notice for updates and critical updates" has been marked resolved by Ben Goodger: "This is fixed by the new update system UI."

    8-)