Slashdot Mirror
IE More Secure Than Mozilla?
killproc writes "Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted." "
How many of these vulnerabilities were discovered or aided because of the very fact that the Mozilla family of products are open source, open to the intense peer scrutiny of the community, one of the core, fundamental facets of the Mozilla products, and open source projects in general, that will help quickly make them more secure? Do they even grasp this concept?
How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?
Is there any consideration given to the fact that Internet Explorer is a decade old and integral to the OS, and STILL routinely has extremely critical vulnerabilities, and may have an untold number of yet-to-be-discovered critical vulnerabilities?
Assuming customer choice is important, a customer can elect to not use Firefox and remove it from their system. Can the customer remove IE? Can the customer even elect to not use IE, or does the OS still force them to use IE for some tasks?
I could go on, but I think it goes without saying that at best this "report" uses extremely flawed logic to draw its conclusions, and at worst, Symantec is shilling for Microsoft.
Or both.
I have yet to get a spyware infection from using Firefox...
Is this a dupe story? 'course not! (rolls eyes)
Knowledge is valuable. Ignorance is dangerous. Censorship is unacceptable. http://slashdot.org/comments.pl?sid=10
Security is a process not a state.
A browser that has 5 reported vulnerabilities is not more secure than a browser that has 30. All it takes in one vulnerability to make your browser insecure
Once any vulnerability is discovered, relative security depends upon is how many users are exposed, and for how long.
Given that vulnerabilities have been found in both, security comparisons should compare the steps taken to reduce the window of vulnerability.
A simple comparison of the number of vulnerabilities does not give much indication about how long the average user was exposed. Nor does it give an indication of how many hackers are taking advantage of the vulnerability to give you a useful security indicator: "How likely is that any given user was hacked via the product".
Currency calculator that accepts free form input such as "23 canadian dollars --> rupees"
How many of those Mozilla exploits compromise the entire OS?
I like big butts and I cannot lie.
Two points to consider:
1. How many 'high severity' bugs did IE have to fix to get to that point? Remember also that IE is integrated into Windows, so any vulnerability that affects Windows affects IE in one way or another (and vice versa).
2. How many have been disclosed by Microsoft before being fixed? They are notorious for not disclosing these things until after it is fixed, and even then they don't always label it as a "IE" fix.
War isn't about who's right. It's about who's left.
Personally, I think it's stunning that a browser as old as IE6 STILL HAS CRITICAL vulnerabilities. They've had litterally YEARS to root out and discover these sorts of things. To compare that to a much newer Mozilla browser seems like apples and oranges to me.
We had a similar story a few days ago. It was not very informative, and for the same reasons this one's not very informative, e.g., IE is closed-source, so they don't disclose all the bugs.
Find free books.
Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.1 86-39020375t-10000025c
http://www.zdnet.co.uk/print/?TYPE=story&AT=39219
My neighbours using firefox on MS windows have had zero problems due to these security flaws. The neighbours using IE under XP with service pack 2 installed and automated update on still get tons of spyware.
So the alternative conclusion of the symantec report would be: Spyware holes in MS IE are not spyware holes, but easy software installation features.
My wife's sketchblog Blob[p]: Gastrono-me
Anyone who thinks Symantec isn't acting in a *VERY* self-serving manner in the past few days worth of FUD is kidding themselves.
I kid you not, Symantec has been saying "Don't use the Mac, it's insecure! Or Linux! Or Mozilla! They're not secure, oh noes!!!"
Guess why... maybe it's because they don't have products for those operating systems... or maybe it's because there are no virii in the wild, and they haven't been able to figure out how to write good enough virii for those OS' to scare people into buying their shitty product?
You decide. I already have.
...Steve
Since Symantec is best known for their Anti-Virus products, wouldn't it make sense for them to promote IE as the more "secure" browser?
I mean, it may not be secure in the traditional sense of the word, but with all the trojans/malware/ActiveX vulnerabilities out there, surely IE is the best way to "secure" profits for themselves?
Let the open source zealots start their engines. Guys, this is just one company's opinion. BTW you are entitiled to yours as well.
Seriously would it hurt anyone's feelings if the duplicate stories were just pulled off /. ?
/. look bad, but it is a known problem with an easy fix.
It not only makes
Anywho...
Cliff notes of last story:
IE's exploits would be someone taking over your computer remotely
Firefox's exploits would be malicious popups/crashing (of browser only)
So the "severity" thing doesn't really matter here.
Get paid to code OSS
if you don't use it.
I think you may be confusing Symantec with another company . Last I heard Symantec were a menace who enjoyed spreading fear so people would buy their security products (which in a lot of cases did more harm than good) .
The only things certain in war are Propaganda and Death. You can never be sure which is which though
I think it's going to be called "dupeware" :P
We discussed this before on slashdot.
...is an aggregate measure of vulnerability time. How many days/weeks/months of total time will I experience between a vulnerability becoming public knowledge and the patch becoming available? How many for the Mozilla browsers? Even if there are 10 times as many vulnerabilities in the Mozilla browsers, if they get patched 100 times as fast, I would think the user would still be safer with some flavor of Mozilla than with IE.
These are all a bunch of horrible horrible lies of course. There is no way that Mozilla is worse than IE in any aspect.
All of those bugs reported last year for IE were well founded, with serious implications that needed to be released to the public for THEIR OWN SAFETY!
Obviously these Mozilla bugs reported this year are miniscule at best, and it does the community a great disservice to release any information about them!
Gates is the devil! Impeach Bush! Katrina is a direct result of WalMart cutting lunches! And Starbucks is lacing their coffee with microscopic beta nanomachines, built to track and report our intake of caffeinated beverages!
For Firefox
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.
And IE
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Thanksfully, Opera is now available as a free browser. Yes, free as in beer, but it's still good. Why? Because when you have multiple browsers, a single infection can't hit all of them.
Yay Opera for windows, and Konquerer for Linux!
--LWM
These guys are actually somewhat reputable and they're saying this. Worth keeping and eye on.
No - Symantec are not reputable. They are a software company making a great deal of money off a particular business model (attempting to close the gate after the horse has bolted)
Of course Firefox/Linux/Mac/anything other then a microsoft hegemony scares the crap out of them.
I will leave it to others to say how the study is flawed (hint counting vulnerabilities without taking into account seriousness!) as other people can do that.
My pics.
How about this: a report that identifies the vulnerabilities associated with a vendor, and not a product. In other words, after the initial public announcement of a vulnerability, we report how long it took the vendor to release a patch. Lower scores are better.
Anybody think that'll work? If not, why not?
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
How quickly and effectively were the Mozilla/Firefox vulnerabilities patched in comparison to IE?
While this is important in the grand scheme of things, ultimately, the more often vulnerabilities come out, the less likely it is that everybody is going to stay up to date consistently. Lest we forget, most attacks are exploiting publicly known and well understood software flaws. Many attackers are simply using the lists of critical bugs as specifications for their next attack.
Having said that, I think this is less a reflection on the code for Firefox and more about the development status of the two browsers. Firefox is still actively developed, getting new features on a routine basis. Invariably as new features are added, new bugs will be made and old bugs will be discovered. With IE, it is purely maintenance mode right now. The only updates it receives are bug fixes. So invariably there are less bugs to find over time if you aren't adding them with new code.
Symantec isn't shilling for Microsoft, they are just drawing a rather short sighted conclusion based on the the statistics they have. It doesn't say anything about longer term trends for the browsers, nor does it suggest anything about the innate security of their development methodologies.
This sig has been temporarily disconnected or is no longer in service
I have never, in the course of my IT career and in my daily personal web surfing experience, been affected by security exploits aimed at Firefox or any other Mozilla-based browser.
I can say with confidence that I have laughed mightily at colleagues, friends and family members running IE who have to juggle two or three anti-malware programs and still wind up shoulder-deep in the Windows Registry or re-install because of security holes in IE.
Symantic can only blow so much smoke up my ass before reality re-asserts itself. Theoretical vulnerabilities are bad. Giant screaming voids you could drive a Peterbilt through are worse. Open Source Software frequently gives you the former. Microsoft can be counted upon, in a lead-pipe cinch, to deliver the latter.
SoupIsGood Food
Hands up anyone who has contracted spyware/adware/viruses through IE.
Ok, now hands up anyone who has contracted spyware/adware/viruses through Mozilla/Firefox.
Your honour, I rest my case.
This is true. However IE is supposed to be a mature application. It isn't a new version that comes out every few months. At some point shouldn't a developed app reach a point that it is locked down and secure?
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
Even symantec admits that this report is a steaming pile of crap.
From TFA:
Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
Nice. So in terms of checking off the reported vulnerabilities and counting each one equally, if the report would be honest, IE would have 32 issues and Firefox would have 29. For the sake of this report, all vulnerabilities are equally bad, right? Well, not according to TFA:
Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."
So the IE vulnerabilities result in widespread exploitation and the Firefox ones don't, but firefox is somehow worse? I think the only way in which firefox is worse, from Symantec's perspective, is that the constantly malware-infested machines (where IE is the main infestation vector) inflate demand for the crap that Symantec peddles, and they're afraid that if people aren't constantly suffering from the pain of these infections this demand will evaporate.
Feh. Maybe I'm a cynic, but this looks like marketing poorly disguised as research to me...
.sig: file not found
Yesterday there was something from them about how Firefox and Mac users are in a fantasy land for thinking they are safer for using them. Now they are asserting that within their selected window of time, more vulnerabilities were reported in FF than MSIE. How about we change the window from the beginning of their respective initial public releases until now? Would that be fair? How about if we pick a month window where no vulnerabilities had been reported in FF? Would that also be fair and balanced?
If people start jumping ship (Win+MSIE) onto another ship, Symantec will see that they will sell fewer floatation devices.
This is a pretty pathetic attempt to sway opinion by Symantec.
Aside from the question raised in many posts about whether the fact that Firefox is open source leads to faster and fuller disclosure, the following is an email I sent this past weekend regarding this article.
d =11d =4227
d =11d =4227
Lots is being made the past few days about the number of security holes found in various browsers. Just to try to keep the discussion from descending to complete irrelevance, here's the stats that actually matter:
Solution Status (has it been fixed?):
http://secunia.com/graph/?type=sol&period=all&pro
http://secunia.com/graph/?type=sol&period=all&pro
Criticality (how bad is it if I get hit?):
http://secunia.com/graph/?type=cri&period=all&pro
http://secunia.com/graph/?type=cri&period=all&pro
Unpatched Criticality (what can happen to me today?) Requires a little more looking - see the list at the bottom of each page:
http://secunia.com/product/11/
http://secunia.com/product/4227/
IE: 5 unpatched moderate or greater criticality
Firefox: 0 unpatched moderate or greater criticality
Finally, and unfortunately not clearly covered in [the Secunia] report is vulnerability window - how long does a bug go without being patched. You can, however, make a fairly good estimate by looking at the patch time for highly critical or worse bugs:
MS has been making big improvements lately, so I'll only look at the MS holes from the past year (the older ones have dramatically longer vulnerability windows) (I've also left out holes which were publicly discovered as a result of a windows patch)
IE Highly+ Critical Windows (past year)
http://secunia.com/advisories/12806/ 103 days
http://secunia.com/advisories/12889/ 108 days
http://secunia.com/advisories/12959/ 29 days
http://secunia.com/advisories/13482/ 53 days
http://secunia.com/advisories/15891/ 7 days
Firefox Highly+ Critical Windows (all time)
http://secunia.com/advisories/14654/ 7 days
http://secunia.com/advisories/14938/ 24 days
http://secunia.com/advisories/15292/ 5 days
http://secunia.com/advisories/16043/ 7 days
http://secunia.com/advisories/16764/ 3 days
Keep the discussion rational - security is hard, so is assessing security. Be skeptical of anyone who has a dog in the fight (eg: Symantec). [Which is not to say that Symantec cannot be trusted for Windows security, only that their PR department's press releases regarding software security should be treated as suspect - particularly when they draw questionable conclusions from insufficient data.]
Stop-Prism.org: Opt Out of Surveillance
Bruce
Bruce Perens.
Bug free software is quite possible. It's just prohibitively expensive, because it usually requires that the developers use a mathematical validation system. Thus it's typically confined to projects where system failure would result in Human casualties. It's an irrelevant quibble though, since web browsers are far, far too complex to ever be formally validated.
"Malicious popups"?? "Crashing browler only"??
d =4227
o d=4227
Yeah right. Please! Stop! I'm laughing so hard it hurts.
2003-2005
http://secunia.com/graph/?type=imp&period=all&pro
2005 Alone
http://secunia.com/graph/?type=imp&period=2005&pr
But within the bulletins, there are lots of bugs, like the one fixed by MS05-024 that aren't "technically" IE bugs. But the end result is that a malicious web page (or advert iframe) could do something nasty... usually execute arbritrary code (install spyware or a virus if the server is infected). If simply viewing a web page with IE allows an attack, I call that an IE bug, regardless of where the actual bug is located by Microsoft's way of thinking.
Notice how the "affected software" of MS05-024 is many versions of windows, but Internet Explorer isn't specificly mentioned. So when someone tallies IE bugs, this one probably doesn't make the list. But the "Vulnerability Details" section says:
I can see how a journalist could do such poor research. But Symantec? Come on, I found 22 nasty IE bugs by just browsing though 40-some Microsoft bulletins. That Symantec only thinks there's 13 doesn't build much confidence in the supposed "market leader" of anti-virus products!
PJRC: Electronic Projects, 8051 Microcontroller Tools
How to respond to bad Mozilla security news on /.
1.) First, immediately dismiss the results, just like you did in the last Mozilla security story. Mozilla is flawless.
2.) Randomly reference Open Source, claiming the flaws were easier to find because of it, which has nothing to do with the report in the article and actually sounds like a criticism of Open Source, if anything.
3.) Accuse the study of bias or "shilling." ALWAYS do this when the study goes against your pre-made worldview (in this case, Mozilla being flawless). When the study gives the opposite conclusion, agree with it and praise it, often with related anecdotal stories.
4.) Reference Internet Explorer's age, which has little to do with and doesn't change Mozilla having more flaws than Internet Explorer today.
5.) Ask how quickly the Mozilla vulnerabilities were patched, ignoring that Mozilla has marked vulnerabilities "Confidential" before for them to sit for two years unfixed.
6.) Claim Internet Explorer is integral to the OS, when you argued that Internet Explorer was easily removed from Windows during the anti-trust trial.
7.) Claim matter-of-factly that, for some reason, it "goes without saying" that the study uses some sort of flawed logic, without citing the logic, giving proof, or backing the statements in any way. Simply claim it, knowing everyone will mod you up because they, too, want to believe Mozilla is flawless.
"Sufferin' succotash."
Symantec stopped producing effective software a long time ago. There was a time though when any self-respecting geek had a copy of Norton Utils, you know, the ones with all two-letter file names like NU.EXE.
Brand familiarity and name recognition are suitable substitutes for quality when it comes to business and profits. I wouldn't touch any of their software with a 10 foot IDE cable anymore, and haven't for the past few years.
I think this is the kicker. The 25 vulnerabilities for Mozilla are almost certainly all the known vulnerabilities. For IE, how many vulnerabilities are there that've been reported that MS hasn't publicly acknowledged?
In addition, what's the severity? The last Mozilla vulnerability was the IDN bug, which was trivially worked-around by changing one config setting until a patch was released. Contrast that to the recent vulnerability in IE that MS won't discuss details of, other than to say that it allows total compromise of the machine and they won't be patching it until next month, and there's no workaround for the bug because nobody knows what the bug is (outside of MS, the security company that found it and the black-hats, of course).
My take on it: Mozilla may be having more vulnerabilities reported, but it's still fewer than in IE and those vulnerabilities are less severe, easier to work around without crippling your system and fixed sooner than IE's holes. From a user's viewpoint, this makes Mozilla more secure than IE.
I'm sure everyone's noticed the word "disclosed". Firefox/Mozilla are open sourced, so everyone can see potential voulnerabilities and tell the world. IE, however is generally limited to the MS developers, and it will pretty much be up to their bosses to decide whether to disclose a voulnerability.
How many IE voulnerabilities are there that we don't know about?
Comment removed based on user account deletion
There are indeed fundamental differences in the security between the two approaches. One obvious difference is modularity. A browser which is monolithically integrated with a system is a greater security risk than one which can be removed or replaced, since its risk cannot be mitigated.
Another fundamental difference is in transparency. Security fundamentally requires verification. Closed source strictly prevents verification.
Another is containment. What are the consequences to the system if the browser is compromised? If the browser is designed, say, with the intent of installing software or modifying the window system, then it fails to contain security risks compared to a browser which defers these actions to the part of the system which is nominally responsible for system configuration.
Parity: What to do when the weekend comes.
The difference in the amount of bugs might just be caused because Microsoft is somewhat more reluctant than MoFo to admit its own faults.
I am not trolling, I am just stating an option.
My other post is a First.
This exposes the gulf between open source security and proprietary security. Ignore for a minute the fact that Symantec a) has a vested interest in you using insecure products and b) uses highly flawed methodolgy as their "count" is actually "count of vendor-admitted bugs". There's a major difference between a vulnerability in Mozilla and a vulnerability in IE.
Since we don't have the source for IE, any vulnerability found is, by definition, exploitable. Someone found a way to exploit it- you get a vulnerability.
Vulnerabilities found in Mozilla, on the other hand, are often theoretical in nature. Someone looking through the source finds the problem, but no exploit is written.
Another major problem is here:
My entire system isn't going to be compromised from me browsing with Mozilla. Period. Somebody is confused.
Do you have ESP?
... several Microsoft employees were found snuggling below the desks of the Symantec "experts" who recently performed a comparison between Firefox and IE security.
Even with extensive code reviews, the potential for malicious developers to submit code with hidden vulnerabilities is high. We just had the 2005 Underhanded C Contest (see link) which demonstrates the possibilities. http://developers.slashdot.org/article.pl?sid=05/0 9/18/158200&tid=156&tid=172
If Firefox had been more popular, would it have been more exploited? Would it have been worse than IE? These are useless questions.
The point is, Firefox users are more secure than IE users. And Firefox developers are much better listeners than IE developers. People who use Firefox have a better experience with their computers. And that is why IE has lost market share.
I hope nobody takes all these B. S. articles seriously.
Parent's link to the previous post is broken. Parent's previous post.
googleBrowser development has temporarily stalled because they're having a bit of difficulty working out how to make it a web delivered app.
Blank until
FireFox, by default, requires you to whitelist sites to install software from them. So, no exploits from that side.
And so on and so forth.
The key to security is to reduce the avenues of attack.
If my browser will not run any code from your site and I will not download any apps from your site, then I do not have to worry about being cracked via my browser going to your site.No. That only applies if 100% of the population (or close to it) applies those patches as soon as they're released.
You cannot depend upon the users applying patches so you must focus on removing the threat before the user is involved. That is where FireFox's whitelists beat Microsoft every time.Again, that is only the case if the vulnerabilities can be exploited. If I don't allow Java or JavaScript or installs from a website, then it is going to have to be a pretty dramatic vulnerability for me to be infected.
And until that vulnerability is shown to exist, the discussion is purely theoretical while the discussion of IE's exploits is documented fact.
It's also unreported and undisclosed major gaping holes, the ability to automatically run scripts that install viruses and spyware on your laptop, and the clear fact that running IE without security at top levels leads to a compromised PC within minutes on the UW campus, whereas you can run for days with Firefox.
Let's get real, and stop pushing phony statistics.
-- Tigger warning: This post may contain tiggers! --
Sung to the tune of "What a Wonderful World" by Sam Cooke...
I think that everyone has for got an important factor here. Not only is Firefox open source, but Mozilla actually rewards people monetarily for bringing vulnerabilities to their attention. This is in sharp contrast to say Microsoft who has threatened legal action against these same people. So lets look at an example...
Mozilla's Bug Bounty Program will PAY you $500 and openly discloses their code and vulnerabilities (after a fix of course)
Microsoft will threaten and perhaps follow through on legal action, and certainly does not open their source code.
If these responses are so predictable should you not have had time enough to think of some actual rebuttals. I have another for your list:
8.) Pointless troll ranting against the Slashdot groupthink without adding anything to the discussion.
First I will say that I am a Mozilla user that has been considering going to other nonXUL-based brousers in order to get better security. I now regard Mozilla and Firefox design at more or less the same level of security as IE.
;-)).
IE's main problem is that you have this concept of security zones. These zones are supposed to allow one to trust intranet sites with activeX controls that might not be trusted on the internet. However, there are plenty of ways to cross this barrier so it is fairly porous. Hence the combination of ActiveX and security zones makes IE inherently insecure. Get rid of either one and things get a whole lot better.
The problem with Mozilla is that you have very expansive capabilities in the Mozilla Portable Runtime, and that these capabilities can be accessed by Javascript. How do we make it secure? We require that these are accessed via Chrome components. In other words we have a very similar set of design flaws to IE in Mozilla and Firefox. Don't believe me about the separation, try putting this into your address bar chrome://navigator/content/navigator.xul (harmless yet a good demonstration of the link between content and interface and sufficiently annoying that Slashdot won't let me add it as a link
Now, Mozilla has two advantages over IE:
1) XUL is a really great RAD tool as long as you don't use it as a general purpose browser.
2) You can get around the security border issue by running a Gecko-based non-XUL browser, such as Epiphany, Camino, etc.
LedgerSMB: Open source Accounting/ERP
When Mozilla has been a real concern (for example since .9) on a big scale close tohalf the time IE has been a real concern, this will not be an issue, and in the meantime security through obscurity beats using the primary target of ever scumbag coder on the planet.
Jesus fucking Christ. This has got to be the worst number doctoring all day long. From TFA:
There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
Oh, well that's just a minor fucking nuclear bomb. Doesn't that make the count 28 to 32? For fuck's sake....the 19 vulnerabilities that Microsoft simply hasn't acknowledged just don't count? This new revelation should make it much cheaper to make secure software...after all, I'm sure it takes far fewer man-hours to do nothing then it does to fix something, and according to Symantec, it produces better results, too!
Given a choice between free speech and free beer, most people will take the beer.