Slashdot Mirror


Mozilla Hits Back at Browser Security Claim

UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"

295 comments

  1. Symantec isint biased! by W3BMAST3R101 · · Score: 5, Funny

    Symantec biased? NEVER!!!

    1. Re:Symantec isint biased! by digitalunity · · Score: 5, Insightful

      Bias is inescapable. You mean to tell me Symantec's stance on browser security reinforces the need for their solutions?

      As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    2. Re:Symantec isint biased! by theJerk242 · · Score: 3, Insightful

      Symantec biased? NEVER!!!

      Slashdot and a majority of its readers biased? NEVER!!!!

      --
      Red Bull gave me wings and I flew into the ceiling fan.
    3. Re:Symantec isint biased! by RandomPrecision · · Score: 1, Interesting
      Remember when they also claimed that Macs were dangerous?

      I admit, they do seem a bit one-sidedly influenced.

    4. Re:Symantec isint biased! by dlichterman · · Score: 0, Troll

      I know why they say to use IE....Cause that's where their CUSTOMER BASE is..... They don't have security stuff other than for winblows

    5. Re:Symantec isint biased! by nacturation · · Score: 4, Insightful

      You mean to tell me Symantec's stance on browser security reinforces the need for their solutions?

      How's that? They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    6. Re:Symantec isint biased! by fymidos · · Score: 3, Informative

      Everybody who has used internet explorer knows that it is not secure. They don't have to tell them that. They are talking to the people who (rightfully) think they are more secure with firefox, and they are trying to pass between the lines that you still need protection, no matter what browser you use, and anyway, changing the browser will not make you safe.
      (but a good antivirus/antispam/antiinternet/antiusingyourcomputer will)

      --
      Washington bullets will simply be known as the "Bulle
    7. Re:Symantec isint biased! by aweraw · · Score: 4, Informative

      Well, with the slow assed patching cycle that IE has, you have more need for Symantec products to 'protect' you in the interim.

      While firefox may have more exploits popping up these days, fixes for it are issued in a much more timely manner than for IE.

      --
      5468652047616D65
    8. Re:Symantec isint biased! by node+3 · · Score: 2, Interesting

      As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.

      It may not be "shocking" that they are showing preferential bias towards their own product, but it is unacceptable that they are purposefully and significantly misrepresenting the facts.

      We're not talking Pepsi saying they win in a blind taste-test, or Taco Bell saying hamburgers are blase, we're talking borderline fraud.

      Yeah, I know, "welcome to the real world", and all that, but maybe, just maybe, if enough people point out these negative and anti-social actions, the world will turn out a little better than it otherwise would have.

      Or maybe not, but it's certainly proper to try. What I don't understand is why you'd want to, if not explicitly at least implicitly, defend and promote the sort of thing Symantec is doing? You don't have to join the "revolution", but at least be decent enough not to stand in its way.

    9. Re:Symantec isint biased! by zurab · · Score: 4, Insightful
      How's that? They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.

      Ahh... you started the thought but didn't finish. Imagine all those people who have switched to Firefox because of the perception of being more secure - they may have even thought that they no longer need to pay for anti-virus, anti-spyware, etc. tools after the switch. So, Symantec hits back saying to these people - you are wrong, you still need our anti-virus, in fact, you may even need it more now (after the switch) than before.
    10. Re:Symantec isint biased! by BetterThanCaesar · · Score: 1

      So if you use IE, you need their products *less* than if you used Firefox.

      Which means people who believe Symantec will use IE, which as we all know will lead to more infections and a larger need for - guess what - NAV.

      --
      "Stop failing the Turing test!" -- Dilbert
    11. Re:Symantec isint biased! by Bogtha · · Score: 1

      They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.

      Yes, but even if that were true, needing their products less than if you were using another browser doesn't mean that you need their products less. Even if Mozilla was completely insecure in every way, it doesn't mean that Internet Explorer users can suddenly switch off all their virus checkers.

      --
      Bogtha Bogtha Bogtha
    12. Re:Symantec isint biased! by Master+of+Transhuman · · Score: 3, Insightful


      Not at all. They would be doing that IF they were rational, and IF people listening were rational. Neither is the case.

      They either can't reason like you do, or they assume (and hope) no one else will.

      Their belief is quite obvious - if people use Firefox, those people won't need them. So they need to prevent DEFECTION from IE, because they KNOW people who use IE DO need them.

      The obvious logic flaw - that if IE WERE secure, people using it wouldn't need them - obviously either didn't occur to them (unlikely, but possible since their marketing people are probably morons) or (more likely) they ignore it (and hope everybody listening to them will) in favor of spreading FUD to deal with their actual fear - that people actually WILL need them less by switching to Firefox.

      The bias is obvious.

      Also the deliberate attempt to ignore past IE flaws by comparing only vulnerabilities in the last six months, and then proclaiming that, since Firefox has vastly more uptake in the last six months, that the comparison is valid.

      Plus ignoring unpatched vulnerabilities that Microsoft has been sitting on for months, according to other articles on the subject.

      Makes it pretty obvious. Also makes it obvious that they're relying on the ignorance of the average user about the issues involved.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    13. Re:Symantec isint biased! by Stephen+Samuel · · Score: 3, Interesting
      Yep! I'll second that. Symantec doesn't have to worry about trashing their market here... I mean, can any of us think of anybody that would seriously argue that people who connect to the net with IE don't need an anti-virus solution?


      I'm guessing that the best we could come out with would be someone who hasn't thought about it -- and most of those are the types that would probably just buy an anti-virus program "because everybody else has one".


      Selling anti-virus programs to IE users is like selling air-conditioners in Arizona. The only question beyond if they already have one is whether they can afford yours -- and if the answer to the second question is 'no', you still have a chance....

      --
      Free Software: Like love, it grows best when given away.
    14. Re:Symantec isint biased! by Keichann · · Score: 1

      > and they are trying to pass between the lines that you still need
      > protection, no matter what browser you use, and anyway, changing the
      > browser will not make you safe.

      Of course it won't.

      > (but a good antivirus/antispam/antiinternet/antiusingyourcomputer
      > will)

      Safer, at least.

    15. Re:Symantec isint biased! by Capt+James+McCarthy · · Score: 1

      Slashdot and a majority of its readers biased? NEVER!!!! phew! That was close. I was worried there for a moment.

      --
      There are no loopholes. It's either legal or it's not.
    16. Re:Symantec isint biased! by NickFitz · · Score: 1

      They dont have security stuff other than for winblows

      That's right, there's no Norton AntiVirus for Mac, nor is there Norton Internet Security for Mac, and there's definitely no Norton Personal Firewall for Mac.

      Oh, hang on...

      --
      Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
    17. Re:Symantec isint biased! by BlueMud · · Score: 1

      How dare you!!! I am as biased as the next guy. I take insult in your accusation that all my opinions are neutral in nature!!!

    18. Re:Symantec isint biased! by Viper+Daimao · · Score: 1

      I would contend that you still need an anti-virus solution even if you are using FF. Same with spyware and all that junk. Sure, you may not need it as much as you needed it with IE, but still.

      --
      "In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
    19. Re:Symantec isint biased! by Anonymous Coward · · Score: 1, Interesting

      The whole let's try to track badness concept is fundamentally flawed. Track goodness instead and allow "those" programs to run. It's a heck of a lot easier than trying to track all the badness out there and prevent them from running. If the software isn't allowed to run... it can't damage your computer.

      Symantec provides a flawed solution to a legitimate problem in order to keep in business.
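
The "track goodness" idea in the comment above, as an added example that is not from the thread and not code from Symantec or any other vendor: a default-deny execution check keyed on the SHA-256 of the file's contents. Every file and allowlist entry below is constructed in a temporary directory so the example runs offline; a real deployment would take the digests from a signed manifest rather than compute them from whatever happens to be on disk.

```python
"""Default-deny execution control keyed on file content (SHA-256).

Added example, not code from the thread or from any product. It shows the
"track goodness" model: keep a set of known-good digests and refuse anything
else. All files below are constructed in a temp directory for the demo.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Digest a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(trusted_paths):
    """Map digest -> label for every binary we have decided to trust."""
    return {sha256_of(p): os.path.basename(p) for p in trusted_paths}


def is_allowed(path, allowlist):
    """Default deny: a file may run only if its digest is on the list.

    An unreadable or missing file is denied rather than raising, because a
    policy engine has to fail closed.
    """
    try:
        return sha256_of(path) in allowlist
    except OSError:
        return False


def demo():
    """Build a tiny allowlist and check four constructed files against it."""
    tmp = tempfile.mkdtemp()

    def write(name, payload):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(payload)
        return p

    trusted = write("editor.exe", b"MZ trusted editor build 1.0")
    unknown = write("invoice.pdf.exe", b"MZ never seen before")
    # Same bytes as the trusted binary plus one appended byte: a check keyed
    # on filename or size-ish heuristics could miss this; the digest does not.
    tampered = write("editor.exe.new", b"MZ trusted editor build 1.0\x00")
    missing = os.path.join(tmp, "does-not-exist.exe")

    allowlist = build_allowlist([trusted])
    return {
        "trusted": is_allowed(trusted, allowlist),
        "unknown": is_allowed(unknown, allowlist),
        "tampered": is_allowed(tampered, allowlist),
        "missing": is_allowed(missing, allowlist),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {'ALLOW' if verdict else 'DENY'}")
```

Two caveats a practitioner would add: a pure hash allowlist goes stale on every patch, which is why production tools (AppLocker, WDAC, Linux IMA) usually key rules on publisher signatures or trusted paths instead; and allowlisting an interpreter (python.exe, wscript.exe, a shell) allowlists everything it can be handed, so the policy has to cover scripts and not only native binaries.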

    20. Re:Symantec isint biased! by hey! · · Score: 1

      Sure.

      Everyone has bias. If you should believe or disbelieve what somebody says based on whether they have biases, then what anyone actually says would be irrelevant. The only thing that would matter is who they were. Arguing this way is called "poisoning the well".

      It is important to understand bias -- but it isn't data, it's metadata. As such you can use it as a guide for locating flaws in their evidence, but not as evidence of flaws in their evidence.

      So, of course it isn't shocking that they have bias. But to be fair you still have to be substantive.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    21. Re:Symantec isint biased! by Anonymous Coward · · Score: 0

      I think that symantec doth protest too much. They do not exactly have the most secure product on the market either. Remember "Internet InSecurity". I permanently switched to zone alarm a while ago.

    22. Re:Symantec isint biased! by fymidos · · Score: 0

      >Safer, at least.

      No, it won't. There is no real reason to have an antivirus, when you are already connected to the internet and keep your system updated. I don't understand why you believe that an AV company will succeed where MS will fail. And anyway if you really feel that insecure, just go the easy way and install linux.. When you are riding a bicycle on the highway, a leather jacket won't help...

      --
      Washington bullets will simply be known as the "Bulle
    23. Re:Symantec isint biased! by PeelBoy · · Score: 1

      Uhmmm.. Think about it? They know IE is less secure but it's making them tons of money so what do they do? Tell everybody to keep using it! How do you get everybody to keep using it? By telling them it's more secure. Duh!

    24. Re:Symantec isint biased! by dunng808 · · Score: 1
      When you are riding a bicycle on the highway, a leather jacket won't help...

      Sure it will. It's a chick magnet, and it prevents bruises from collisions with June bugs and the like. If you do get clipped by a car it prevents road rash, and it reduces damage from blood splatter on the car's paint, which the driver's insurance company will sue for. If you are extraordinarily unlucky and get hit really hard, it will keep all your body parts together for easier identification at the morgue.

      As for "There is no real reason to have an antivirus, when you are already connected to the internet and keep your system updated," well, that just doesn't make sense, either. A virus arrives as payload in a horse brought in by naive Trojans -- er, I mean mail attachments and web downloads. Patching Outlook and IE will not protect you from malicious payloads. If you are on the 'net with Windows, use a NAT firewall, keep everything up-to-date, and install a good anti-virus program. Even so, plan on weekly system decontamination. Using FreeBSD, or Linux, or a Mac will help, but it's not so much a matter of what you use as what you do.

      --

      Gary Dunn
      Open Slate Project

  2. mozilla vs M$ or by timeToy · · Score: 5, Insightful

    Open-source Full disclosure vs Closed-source Please-wait-for-us-to-fix-the-vulnerability-before-publishing-it-else-we-sue

    1. Re:mozilla vs M$ or by Raistlin77 · · Score: 2, Informative

      Had you read the fucking article instead of trying to get first-somewhat-sensible post, you would have seen Mozilla admitted that they do try to keep vulnerabilities quiet until a patch can be found.

    2. Re:mozilla vs M$ or by TheCarlMau · · Score: 1

      This is a good thing. You don't want vulnerabilities seeping out as then someone can exploit them. If they remain quiet until a patch is out, there won't be a stage of 'fear and panic'.

    3. Re:mozilla vs M$ or by Crunchie+Frog · · Score: 1

      so full disclosure is good but not when it's Mozilla? no wait, maybe my sarcasm filter is broken.

      --
      --- Never attribute to malice that which can be adequately explained by stupidity
    4. Re:mozilla vs M$ or by Raistlin77 · · Score: 1

      I wasn't saying that is a bad thing; I agree it is a good thing. However, I'd like to add that Mozilla does it for the right reasons while Microsoft does not, which I should have included in my reply.

    5. Re:mozilla vs M$ or by aussie_a · · Score: 1

      So Microsoft keeping vulnerabilities quiet is a good thing too? Or is it only good when Mozilla does it?

      I'll get modded down for this (I'm thinking -1 Troll), but this is pathetic. As long as a company isn't Microsoft it can do no wrong according to you people. You're a zealot.

    6. Re:mozilla vs M$ or by n0-0p · · Score: 4, Interesting

      The Mozilla security fixes always end up public eventually, whereas silent patching is a common practice for most software vendors (including MS). This occurs more often with internally discovered vulnerabilities of lower severity or by grouping a number of issues under a single umbrella.

      It's hard to blame vendors for taking this route though. I've heard MS devs say that the best way to push a fix through these days is to label it as a security bug. I can only imagine what MS' track record would look like if all of those internal bug reports were made public.

      With that in mind I expect that OSS will generally have more documented security issues than equivalent quality closed source software. It's just a side effect of a transparent development model. Well... mostly transparent, but I'm glad they hide the security bugs until they're patched.

    7. Re:mozilla vs M$ or by TheCarlMau · · Score: 3, Insightful

      1) Yes
      2) No

      In my post, I never said whether it only applied to Mozilla or Microsoft. :-) I was talking in general - something that applies to most companies. I'm sorry if I gave the impression that it only applied to Mozilla.

      Any software maker does not want to post details on how the vulnerability can be reproduced, as that's basically like waving a giant, red flag and yelling "come and get me"

    8. Re:mozilla vs M$ or by Anonymous Coward · · Score: 0

      This is a good thing. You don't want vulnerabilities seeping out as then someone can exploit them. If they remain quiet until a patch is out, there won't be a stage of 'fear and panic'.

      Of course a black hat doesn't want people to 'fear and panic' and pull the plug on their internet connection until a patch is ready. They want to Pwn people's machines in peace, while the users don't suspect anything, because M* is keeping the bug report secret.

      Keeping a security hole secret only makes sense when you're the only one who knows about a bug. Assuming that you're the only one who knows about it is assuming that you are the smartest person in the world. Arrogant. Realistically, there are at least a dozen people smarter than you, and the safe assumption is that some of them *already know about the bug*. And at least one of them is a bad guy and is actively exploiting the hole.

    9. Re:mozilla vs M$ or by Master+of+Transhuman · · Score: 3, Insightful


      Ahem, Mozilla believes in RESPONSIBLE disclosure, i.e., shut up while we look into this and figure out how bad it is, then produce a patch before anyone gets wind of it, so we avoid an actual exploit.

      Microsoft and Cisco say: shut up while we look into this and figure out how bad it is, then decide when, if ever, we produce a patch - because it costs us money to distribute these fucking patches, and Bill gets upset when things cost us money without bringing IN money...and if we decide to take six to twelve months to produce the patch, and you go public in that time, we sue you - because we've got the money to do it, and you'll end up giving us money, which will make Bill happy again.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    10. Re:mozilla vs M$ or by bunratty · · Score: 1

      Full disclosure is good only when the company sits on the vulnerability so long that it may be better to disclose the vulnerability and "force" them to fix it, rather than take the risk that someone malicious will discover the vulnerability and exploit it.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    11. Re:mozilla vs M$ or by Blkdeath · · Score: 1
      so full disclosure is good but not when its Mozilla ? no wait, maybe my sarcasm filter is broken.

      As with any extreme, neither full disclosure nor a total lack of it is good. The better solution lies somewhere in the middle. Disclose the vulnerability to the controlling entity first, work with them to find a solution. If a temporary fix is available advise the public accordingly. Disclose the vulnerability immediately when a patch is available.

      What good does it do to fully disclose the bug? Only a small percentage of users will notice the disclosure and only a percentage of them will do anything about it. That leaves the rest of the userbase in peril because every malcontent out there will be racing to exploit before a fix is issued.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  3. first post by ronsta · · Score: 3, Insightful
    no no no.

    just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.

    it's a rarity to see ZDNet make that kind of mistake.

    1. Re:first post by aussie_a · · Score: 3, Interesting

      It does mean that given this particular moment, Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure. If you're after whose the most secure browser right at this particular second, then IE does appear to be the one. However if you care about long-term stability then Firefox is your browser.

      Having said that, this is assuming Tristan Nitot isn't simply spreading FUD. I don't know how fast IE and Firefox do release their patches. I do know one thing, not as many people are taking advantage of Firefox's insecurities as are taking advantage of IE's. So at the moment, it's safer for me to use Firefox.

    2. Re:first post by Overly+Critical+Guy · · Score: 2, Insightful

      Quite true, but this is Slashdot, and whenever something Bad(tm) is posted about OSS, there needs to be a counterbalance posted later to make it Good(tm). Security flaws in Mozilla? Well, uh, they're patched faster! On with the frontpage article to make the Mozilla fans feel better again (and tons of page hits each time!). If there was an anti-Internet Explorer article, it wouldn't have a followup "Robert Scoble Hits Back At Browser Security Claim."

      See my recent comment on this--How To Respond To Bad Mozilla Security News On /.+

      --
      "Sufferin' succotash."
    3. Re:first post by n0-0p · · Score: 1

      That was actually only one of several points. They also brought up the severity of the vulnerabilities and transparent nature of OSS development among other things. Sorry, I would have clarified this sooner but I chose to read the article first.

    4. Re:first post by gordgekko · · Score: 1, Interesting
      It does mean that given this particular moment, Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure.

      You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

      I like Firefox as much as the next man (check out my sig) but let's not make extravagant claims.

      --
      You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
    5. Re:first post by aussie_a · · Score: 1

      You pull that number from your ass?

      Yup, I was speaking hypothetically and wasn't talking about the real world. My point was, given X amount of time, Firefox will eventually become more secure IF their response time is faster than IE's.

    6. Re:first post by Anonymous Coward · · Score: 0

      Um.

      IE has been around longer than Firefox.
      How quickly are the flaws patched on the Firefox side v.s. the IE side?
      Can enterprising users write a patch for IE?

      It's bsmarketspeakfud. You and I are aware of the other issues, the general public is not. If you go to my mom and tell her that more flaws are being found in product X vs product Y, she will assume that product Y is superior.

      And you and I both know IE is crap.

    7. Re:first post by node+3 · · Score: 1

      just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.

      Yes, it does.

      Symantec isn't just saying that Firefox has had a greater number of security flaws, they're saying that it means Firefox is just as insecure as IE.

      This is just not true and Symantec deserves to be taken to task for this.

      The lack of validity isn't in the fact itself, it's in the way the fact is being used to falsely support an incorrect conclusion.

    8. Re:first post by Anonymous Coward · · Score: 0

      If you're after whose the most secure browser right at this particular second

      "who's", or, better, "what's".

    9. Re:first post by Lisandro · · Score: 1

      Seriously, guys, grow up already...

      Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer.

      So, the evil masterminds at Symantec are out to destroy the image of the sacred FireFox! BOOOO!
      Come on, give me a break - it's software, it will have bugs. It's never perfect, deal with it, and focus on the good points of FireFox, which does have a lot more than IE for that matter. This is downright whining.

    10. Re:first post by Lisandro · · Score: 1

      This is just not true and Symantec deserves to be taken to task for this.

      Why? I mean, i agree with you, but they didn't lie. From TFA:

      "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied". Eighteen of these were classified as high severity.

      "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," according to the report."


      I know IE is a much more insecure browser (mainly because of the number of ways it allows spyware to get in), but read what they said; 25 vulnerabilities is nothing to sneeze at. They found more than they did on IE, and stated that fact.

      Now, don't get me wrong; i know the Mozilla guys will have these fixed ASAP, in contrast with the way it usually is with IE, but whining to Symantec because they stated what they found is not very mature. The Firefox crew should focus on what they do best and drop the name calling.

    11. Re:first post by gordgekko · · Score: 1

      That's not what you said. You said that "Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure." No "if" in there.

      --
      You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
    12. Re:first post by node+3 · · Score: 1

      Why? I mean, i agree with you, but they didn't lie. From TFA:

      The facts themselves are true, regarding the number of security alerts. But the facts have been misused recently by Symantec to claim that Firefox is just as insecure as IE, which is what the Firefox guy is responding to.

      It's like the statement, "no one could have known the levees would break". It's factually true, but it's meant to make the listener believe a falsehood (that you can't fault someone for the abysmal response to the disaster in New Orleans). The facts Symantec have stated are true, but they've used them to try to convince the reader that switching to Firefox isn't going to help obviate the need for Norton Antivirus/Internet Security/AntiSpyware, and *that's* the lie.

      Even if Symantec had added no commentary other than the numbers, it would be responsible for the Firefox team to point out why reality isn't what just those few numbers might lead the reader to assume.

    13. Re:first post by Anonymous Coward · · Score: 0

      "whenever something Bad(tm) is posted about OSS, there needs to be a counterbalance posted later to make it Good(tm)"

      So, the fact that the 'counterbalancing post' is true doesn't hold any water with you?

      Saying that Firefox has had more vulnerabilities than IE in the past 6 months is like saying that there's more crime in London than there is in Johannesburg: it may be true, but ask me where I'd rather walk round alone late at night, and you'll find my answer wandering round the backstreets of Brixton.

      Lies, damned lies, and statistics.

    14. Re:first post by Fussen · · Score: 1

      I sort of thought that was the benefit of open source.. Shouldn't flaws be uncovered? Wasn't that the objective of peer review, to make the application stronger through public trials?

    15. Re:first post by Master+of+Transhuman · · Score: 1


      Statistically, there is nothing backing the claim that Firefox has more security flaws than IE based only on the last six months.

      This is like saying, "I opened up three burger shops this week. I'm the fastest growing chain in the US - McDonalds must be worried."

      Microsoft shills don't mind dragging out the fact that Firefox STILL has only X percent of the market vs IE's X times 10 market share.

      So it doesn't surprise me that they try the same stunt in reverse by claiming that more Firefox vulnerabilities in a short period of time is more important than the tons more vulnerabilities IE has had over its lifetime (or even recent lifetime since IIRC the total is over 80 for the last three years alone for IE).

      Bullshit. Wait three years, then compare Firefox's three year total with IE's total as of now.

      Symantec's report is not statistically valid UNLESS you ACCEPT that the ratio of Firefox vulnerabilities to time is a CONSTANT - which is the point they're trying to prove, which makes the whole thing circular reasoning.

      We KNOW IE keeps getting new flaws - albeit possibly more slowly now - over time. We know Firefox is new, so more vulnerabilities now would make sense. The only way to determine the relative rate of vulnerabilities is to wait and see. A straight-line projection based on the last six months is not valid if in fact there IS a leveling off effect as the software gets more mature.

      At this point, we do not KNOW whether there will be a leveling off as Firefox gets more mature. OSS theory predicts there will be (IF you can factor out the other issue that Firefox is under heavy development vs IE which hasn't been up until IE 7.)

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
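
The argument in the comment above (and the earlier point that a fast patch cycle matters more than a raw count) comes down to which metric you compute over which window. The script below is an added example, not from the thread, the Symantec report or Mozilla: products "A" and "B" and every record are constructed so that a six-month disclosure count, a lifetime count and days-of-exposure rank the same two products in opposite orders. Swap SAMPLE for real advisory data to use it for anything else.

```python
"""Vulnerability metrics over different windows (added example).

Not from the thread, Symantec or Mozilla. Products "A" (newer, fast fixes)
and "B" (older, slow fixes) and all dates are constructed for illustration.
"""
from datetime import date
from statistics import median
from typing import NamedTuple, Optional


class Vuln(NamedTuple):
    product: str
    disclosed: date
    patched: Optional[date]   # None = no fix shipped yet
    high: bool                # vendor-rated high severity


# Constructed window (first half of 2005) and a later "as of" date.
WINDOW_START = date(2005, 1, 1)
WINDOW_END = date(2005, 6, 30)
AS_OF = date(2005, 9, 20)

SAMPLE = [
    # "A": six disclosures inside the window, each fixed within days
    Vuln("A", date(2004, 11, 15), date(2004, 11, 20), True),
    Vuln("A", date(2005, 1, 10), date(2005, 1, 18), True),
    Vuln("A", date(2005, 2, 3), date(2005, 2, 8), True),
    Vuln("A", date(2005, 3, 15), date(2005, 3, 22), False),
    Vuln("A", date(2005, 4, 2), date(2005, 4, 11), True),
    Vuln("A", date(2005, 5, 20), date(2005, 5, 25), True),
    Vuln("A", date(2005, 6, 12), date(2005, 6, 30), False),
    # "B": long history, three disclosures in the window, one still open
    Vuln("B", date(2002, 7, 14), date(2002, 9, 3), True),
    Vuln("B", date(2002, 11, 2), date(2002, 12, 20), False),
    Vuln("B", date(2003, 3, 1), date(2003, 4, 15), True),
    Vuln("B", date(2003, 6, 17), date(2003, 8, 12), True),
    Vuln("B", date(2003, 9, 10), date(2003, 11, 5), True),
    Vuln("B", date(2004, 2, 1), date(2004, 4, 13), False),
    Vuln("B", date(2004, 6, 20), date(2004, 7, 30), True),
    Vuln("B", date(2004, 10, 5), date(2004, 12, 14), True),
    Vuln("B", date(2005, 1, 25), date(2005, 4, 12), True),
    Vuln("B", date(2005, 3, 8), None, True),
    Vuln("B", date(2005, 5, 30), date(2005, 8, 9), False),
]


def in_window(records, product, start, end):
    """Records for one product disclosed inside [start, end] (the report's metric)."""
    return [r for r in records
            if r.product == product and start <= r.disclosed <= end]


def lifetime_count(records, product, as_of):
    """Everything disclosed for the product up to as_of, regardless of window."""
    return sum(1 for r in records if r.product == product and r.disclosed <= as_of)


def exposure_days(r, as_of):
    """Days users were exposed: disclosure to fix, or to as_of if still unfixed."""
    end = r.patched if r.patched is not None else as_of
    return (end - r.disclosed).days


def summarize(records, product, start, end, as_of):
    """Window count, severity split, lifetime count and exposure for one product."""
    window = in_window(records, product, start, end)
    days = sorted(exposure_days(r, as_of) for r in window)
    return {
        "window_total": len(window),
        "window_high": sum(1 for r in window if r.high),
        "lifetime_total": lifetime_count(records, product, as_of),
        "median_exposure_days": median(days) if days else None,
        "still_unpatched": sum(1 for r in records if r.product == product
                               and r.patched is None and r.disclosed <= as_of),
    }


if __name__ == "__main__":
    for p in ("A", "B"):
        print(p, summarize(SAMPLE, p, WINDOW_START, WINDOW_END, AS_OF))
```

On this constructed data the window count puts A ahead (6 disclosures to 3, 4 high to 2), while the lifetime count (7 to 11), the median exposure (7.5 days to 77) and the open-bug count (0 to 1) all point the other way. None of these is the right metric on its own; what a practitioner actually wants to know, whether an exploit was circulating before the fix, is not in the table at all and has to be joined in from another source.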
    16. Re:first post by Master+of+Transhuman · · Score: 1

      "no one could have known the levees would break". "It's factually true"

      Actually, it isn't. Bad example. It was known for years that the levees would break given an adequately severe storm. The Feds just didn't give a shit.

      You're correct about the reason why this lie is being spread, however.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    17. Re:first post by Bert64 · · Score: 1

      Firefox has only just appeared on the radar for most security researchers.. And the sourcecode is available, so of course there will be more vulnerabilities discovered for a short time..
      However it will settle down after a while..
      Also remember that all the beta versions of firefox are in the public eye, how many vulnerabilities did microsoft fix in beta versions of ie that the world never got to hear about?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    18. Re:first post by R.D.Olivaw · · Score: 1

      I just want to point out that a bug is not a security flaw. Now I don't know how many security related bugs haven't been fixed for over a year so your post might still be valid.

    19. Re:first post by Aneurysm · · Score: 1

      The article doesn't seem to take into account one other important thing. Mozilla is constantly evolving and having new features added. IE has been the same for a while now. It seems sensible that a lot of the more obvious flaws and buffer overflows in IE have already been exploited and patched. As a slightly older product this makes it seem more secure.

    20. Re:first post by node+3 · · Score: 1

      Actually, it isn't. Bad example. It was known for years that the levees would break given an adequately severe storm.

      But no one *knew* the levees were going to break *this time*, even if you know, statistically, that it will eventually happen. That's the technicality by which the statement is true.

      Something that I've seen *a lot* in the last few years (and it's really disturbing) is people in power, in the face of insurmountable facts contrary to their position, find some logically true statement which sounds like it supports their position, then use that to "dismiss" all the opposing facts (especially to avoid responding to criticism). The disturbing thing isn't that people are trying to do that (although it is disappointing), what's disturbing is that it's actually working.

      Anyway, Symantec's use of this tactic is nowhere near as bad as the levee example, but it's still the same basic flaw. That's why I brought it up as a comparison, and illustrates why I think it's appropriate for the Firefox guys to respond.

    21. Re:first post by ArsenneLupin · · Score: 3, Informative
      Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

      Care to back up that claim with specifics URL to the relevant bug reports? I checked their database, and couldn't find any bugs that qualified. The great majority of bugs are either minor and non-security related, or less than a month old.

    22. Re:first post by I_Human · · Score: 1

      What do you mean the Feds didn't care? Who has responsibility for the levees anyway? Maybe I'm wrong but I assumed it was LA/New Orleans.

      --
      -JP
    23. Re:first post by Anonymous Coward · · Score: 0

      "just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid."

      I agree, however if you read the fine print in the Symantec report, you'll find that IE really had the most flaws. I'll give you the task to figure out how they spun this, but there should be plenty of posts in this thread that state it anyway.

    24. Re:first post by Master+of+Transhuman · · Score: 1


      I agree with your points, but if anybody ever manages to prove they blew up the levees at that point to spare the wealthier districts (which is entirely believable), even that technicality will be called into question.

      Actually, given that you had a Cat 3-4 hurricane, it's reasonable to have expected them to break this time as well, especially given that it was predicted long ago, and funds have been slashed for rebuilding for years despite that.

      I tend not to waste my time with such technicalities since it's obvious who stands to gain. It's true, though, that the tactic works time and again when it shouldn't.

      It works because people who depend on the person who's lying (Symantec in this case) are afraid to believe that the person they depend on is a liar since it exposes their judgement as worthless and makes them vulnerable - the old "fear of death" mantra I bring up all the time to explain all human behavior.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    25. Re:first post by fatboy · · Score: 1

      Actually, it isn't. Bad example. It was known for years that the levees would break given an adequately severe storm. The Feds just didn't give a shit.

      What? "Didn't give a shit?" I suppose if they "did give a shit" they would have turned off "the hurricane machine" or something? The levee system was not designed to take a hurricane of this magnitude. The best thing to do would have been to evacuate New Orleans.

      Ok, I'm going to rant. Not at you in particular, so please don't take this as a personal attack.

      The primary responsibility for evacuating New Orleans was *THE MAYOR*, as witnessed by his recent statement, "There is only one Mayor of New Orleans". He had a 300+ page written document for evacuation. It was not followed.

      As I said this is a rant. I am sick and tired of hearing people whine about "The Feds" not being able to handle problems that were clearly created by an incompetent Mayor's reaction to a bad situation.

      --
      --fatboy
    26. Re:first post by Master+of+Transhuman · · Score: 1


      Well, given that the money comes from the Feds...and goes to the Army Corps of Engineers...

      OTOH, apparently a lot of money going into Louisiana was siphoned off by corrupt state officials, according to one article I read.

      On the second hand, that article could be just more of the Feds blaming the state, like they did with the phoney "didn't call an emergency" crap. In fact, despite the fact that Louisiana has had corrupt officials for decades, I suspect the Feds are blaming the state IN ADVANCE for stealing the billions the Bush cronies plan to steal from the reconstruction effort.

      Already the White House aide in charge of drawing up policies for the disbursement of funds for the reconstruction has been indicted for being involved with Jack Abramoff, the lobbyist - and this guy's wife was in charge of the Senate investigation of what went wrong with the FEMA response.

      How obvious does it have to get?

      People just can't believe how deep and extensive and actually murderous the corruption in the US system actually goes. Everybody has no trouble believing it about the Iraqi government or some other tinpot dictators, but nobody can believe it about their own.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    27. Re:first post by bps7j · · Score: 1

      Here's one bug that hasn't been fixed for a long time. No, it's not a security bug, but EVERY bug is a security problem. Anytime you can make something do what it's not supposed to do, it's a security problem:

      https://bugzilla.mozilla.org/show_bug.cgi?id=74331

      Does this mean Mozilla Firefox is less secure? No. I don't get what you people are talking about. More security fixes doesn't mean less secure. It means more secure. What are you thinking? Where is your logic? Come on. Think about it seriously for a few minutes and you'll understand.

    28. Re:first post by Master+of+Transhuman · · Score: 1

      Bullshit.

      Blaming the Mayor is just the Fed excuse as to why the whole thing turned into a mess.

      It's excusing Bush and his politically connected incompetent cronies running FEMA.

      Nothing more.

      "The levee system was not designed to take a hurricane of this magnitude."

      Exactly the point - and the funds to make it so have been slashed for years (including under Democratic administrations, just so you know I'm not a Democrat, either) - and recent appropriations were diverted to Iraq.

      Blaming the Mayor is like blaming Giuliani for 9/11. The casualties from failing to evacuate NO properly do not excuse the underlying problems with the levees nor does it excuse the fascist and incompetent response by FEMA.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    29. Re:first post by ArsenneLupin · · Score: 1
      Anytime you...

      I assume that by "you" you mean a third party interested in compromising security, rather than the user himself. The user can always trivially upset his own system by doing an rm -rf /

      ...can make something do what it's not supposed to do, it's a security problem:

      Not sure how a third party could deliberately trigger such a situation and take advantage of it. Especially since a successful exploit would rely on continued inaction by the user, which is rather unlikely. Unless there is a way to make the dialog box appear hidden behind other windows.

      Does this mean Mozilla Firefox is less secure? No. I don't get what you people are talking about. More security fixes doesn't mean less secure. It means more secure. What are you thinking? Where is your logic? Come on. Think about it seriously for a few minutes and you'll understand.

      What stoopid strawman is this? Nobody claimed that a high number of fixed bugs meant an insecure product. It was all about high numbers of unfixed old bugs.

      Strangely enough, you perfectly got the point about unfixed bugs, as your example link shows, so it looks like this last paragraph was intended to be a deliberate strawman argument, rather than some misunderstanding.

    30. Re:first post by Phisbut · · Score: 2, Informative
      You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

      Ok, let's see... searching the bugzilla database for product Firefox, bugs filed more than a year ago, with severity being either "blocker" or "critical", and a status any other than "resolved", "verified" and "closed", for all OS, sort by importance. What do we get?

      7 bugs found. Ooohhh... 7, big number. Let's look at them now.

      • 234141 - Firefox crashes on finding an existing profile directory from a localized version. Comment #3 says "I can no longer reproduce this with any of the current nightlies", and the rest of the comments confirm. Although it was a bug for Firefox 0.8, it isn't now. Plus, it isn't a security threat, just a crash (in beta software).
      • 234598 - Firefox crashes randomly. Description of the bug is "This bug isn't really about reporting a crash." So it's not even a bug, and it's not a security threat.
      • 251380 - When saving a picture, HUGE memory leak! Also slows machine down! Ok, this is a real bug. Based on the comments, they were still working on it as of last July. Although a memory leak is a nuisance, it is not a security threat.
      • 251776 - Crash on form submission in pop-up search dialog in iPlanet Messaging Server. Comments 3 and 4 say "Retested on Firefox 1.0.5 for Mac. I can't reproduce the bug(s)" and "OK, I am also unable to reproduce on Windows. This seems to be fixed on my end", so it's pretty much fixed. Once again, it's a crash, not a security thing.
      • 251793 - Java applets bypass "Block Pop-Up Windows". Still open. A nuisance indeed. Could be considered a security threat because of phishing, but then, phishing is mostly a bug in the user, not in the software.
      • 260452 - Crash while switching to UTF-8 encoding on certain encoded pages. Last comment is about version 0.9. It's a crash in beta software.
      • 236514 - Start download with same name as another (downloading or paused) deletes first one. Bummer, you lost a file you just downloaded, and need to download it again... it sucks, but it's not a security issue.

      Year old bugs that go unfixed in Firefox are either not clear enough to work with (crashes randomly), or are simply still open because nobody took the time to check with the next version to close the bug. None of those bugs are security issues.

      I like Firefox as much as the next man (check out my sig) but let's not make extravagant claims.

      Yep... I agree... how about you stop pulling stuff from your ass too?

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    31. Re:first post by fatboy · · Score: 1

      Exactly what aid did FEMA deny or not produce that was requested by the Mayor or Governor?

      The levee system was only recently completed. It was only designed to deal with the storm surge of a category 3 storm. One that could withstand this storm was only considered last year.

      I'm not making excuses for anyone. I am sure there are foul ups all around, however, to act as if this is all the fault of the federal government is wrong.

      If we really want to blame someone, let's blame the guy that thought it would be ok to build a city below sea level next to the ocean.

      --
      --fatboy
    32. Re:first post by budgenator · · Score: 1

      They are arguing apples and oranges;
      Symantec's report basically says the arithmetic sum of reported bugs is greater for Mozilla, and Mozilla says the reported bugs multiplied by the time to fix raised to the power of severity is greater for Mozilla.

      I've found the degree of effective security for Mozilla in the hands of my definition of a typical user to be more than in IE; your definition of a typical user will not be the same as mine. If you compare an astute, seasoned power-user using IE with a clueless arrogant fucktard on Mozilla, IE will have more effective security.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    33. Re:first post by budgenator · · Score: 1

      It's a constitutional thing concerning a navigable waterway used in interstate transportation. Another problem is the constitutional prohibition on funding the army for more than (I think) three years; if it were under the navy, or transportation, then congress could fund the 50 year project for 50 years rather than in 3 year increments. Usually it's easier to get funded once, when the project is new and interesting, and once funded it's less likely to get cut; the current system allows congress to quietly just not renew funding once the project is old and boring.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    34. Re:first post by budgenator · · Score: 1

      If memory serves me correctly Giuliani was asking the Governor to scramble F16's to patrol the airspace over the city between the first impact and the second.

      The real problem was not the fascist response of FEMA, but the lack of a fascist response. They should have rolled in and said evacuate the city now or go to meet the president at gitmo, we'll escort you there now.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    35. Re:first post by JonJ · · Score: 1

      "If you're after who's the most secure browser right at this particular second, then IE does appear to be the one" Someone is forgetting Opera (www.opera.com) which is secure, and follows web standards nicely.

      --
      -- Linux user #369862
    36. Re:first post by I_Human · · Score: 1

      As a member of the national guard that just got back from LA I agree. When I arrived at the Superdome the people there (not everyone) did not make an effort to leave. I watch the news and they report that the government wasn't letting them leave (wrong, we had busses waiting to take people). The folks just didn't want to wait in line. Some had legitimate excuses, but for most it was "I want to let the women and the children go first." These were folks with families, wives, kids - waiting for everyone else with wives and kids to go first. Ridiculous. To evacuate the Superdome we had to line up and march forward, telling people to get in line for the busses. When they listened to us everyone was out in less than a day.

      I lay the blame on the people who did not evacuate in time, not the feds, not the mayor (although I do dislike the way he is slamming the federal government, when he should be slamming his governor...)

      --
      -JP
    37. Re:first post by budgenator · · Score: 1

      Retired Army-National Guard here, sometimes you just have to do what is right and worry about taking the burn later. Way too little can-do and way too much cover-your-ass involved with Katrina. It boggles my mind that people with resources were stopped from helping, we were always taught "lead, follow or get the hell out of the way"

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    38. Re:first post by Master+of+Transhuman · · Score: 1


      There were busses, but nobody could leave without being ON a bus going to some place they were not informed where and not allowed to leave that bus even if it passed through a city where they had relatives they could stay with.

      Earlier on, even Fox News was having a fit because they were standing at the Convention Center with people sitting on a freeway untouched by the storm, unable to get help, and not allowed to simply cross a nearby bridge into another parish where there was food, water and lights because they were being turned back by a National Guard checkpoint on that bridge. Geraldo Rivera (a major asshole I've never liked or respected) was practically in tears and Shepard Smith was totally bewildered as to why absolutely NO help was being provided to these people for three days - sitting out there in plain view on a freeway and the subject of a national news broadcast!

      There are any number of reports of cops firing their guns over the heads of people trying to evacuate into nearby parishes.

      There was one case where some people holed up on a freeway were literally ATTACKED by a sheriff who drew his gun, ordered them off the freeway, called in a helicopter to blow down their makeshift shelters, and CONFISCATED THEIR LITTLE FOOD AND WATER!

      What the hell do you call that?

      I'm not saying the National Guard or any specific unit of that force was necessarily involved in this, but something was seriously out of whack down there, and it wasn't the mayor's fault or the governor's fault alone. As of the moment the governor declared an emergency - which was the day BEFORE the hurricane hit, FEMA was in charge - and FEMA's own plans required them to be in place BEFORE the hurricane hit.

      There are numerous reports that one of the FEMA holdups was because Michael Chertoff, the head of DHS, didn't designate Mike Brown, the FEMA head, in charge, as required by law when FEMA was merged with DHS.

      Go back over the news reporting of the last couple weeks and see what a mess there was. No amount of excuses or finger pointing at the mayor or governor (however incompetent they may have been as well) excuses the performance of FEMA as run by a Bush-appointed political crony.

      That simple.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  4. Original Symantec Article by NoInfo · · Score: 5, Informative
    The download for Symantec's actual report is here (registration required):
    https://ses.symantec.com/Content/displaypdf.cfm?SSL=YES&PDFID=2124

    But to save you some trouble, here's the excerpts about Mozilla:

    Mozilla browsers have the most vulnerabilities

    During the first half of 2005, 25 vendor confirmed vulnerabilities were disclosed for the Mozilla browsers,
    the most of any browser. 18 of these were classified as high severity. During the same period, 13 vendor
    confirmed vulnerabilities were disclosed for Microsoft Internet Explorer, eight of which were high severity.

    Mozilla browsers have the most vulnerabilities

    The Web browser is a critical and ubiquitous application that has become a frequent target for
    vulnerability researchers. In the past, the focus of security has been on the perimeter: servers, firewalls,
    and other systems with external exposure. However, a notable shift has occurred, with client-side
    systems--primarily end-user systems--becoming increasingly prominent targets of malicious activity.
    More and more, Web browser vulnerabilities are becoming a preferred entry point into systems.
    During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all
    browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32
    in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this
    period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities
    in the second half of 2004 and one in the first half of 2004.

    During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were
    disclosed. This is a decrease from the 31 documented in the second half of 2004. During the first half of
    2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.
    The average severity rating of the vulnerabilities associated with Internet Explorer during the first six
    months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current
    period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered
    high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the
    seven, or 57%, were rated high severity.

    [...]

    The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month
    periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than
    other vendors. This could be because the Mozilla browsers are open source and may be more responsive
    to reports of new vulnerabilities and subsequently developing and delivering associated patches. For
    instance, except in certain instances, Microsoft releases fixes on a relatively fixed schedule rather than
    as needed, potentially increasing their acknowledgement time.

    1. Re:Original Symantec Article by Anonymous Coward · · Score: 1, Interesting

      Symantec seem to have been fairly unbiased about this; they even go so far as to speculate on the reasons and give some possible benefit of the doubt.

      I've never thought Mozilla / Firefox would prove to have fewer bugs - but as a programmer I appreciate the difference between a flaw (a problem with the design) and a bug (a problem with the coding). So does Mozilla have more flaws or more bugs? I've never been bothered to check.

  5. maybe IE has more by Coneasfast · · Score: 4, Interesting

    maybe more vulnerabilities are found in mozilla because it is open-source

    arguably, one could say this is better than in IE, where there may be some which are not known until some hacker exploits it.

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
    1. Re:maybe IE has more by aussie_a · · Score: 2, Insightful

      I had that same thought, but upon further consideration I decided against that reasoning.

      Firefox being open-source does give the vendors more of a chance to find holes more easily. But it also gives the hackers that same chance. So yes, IE may have 1 million holes while Firefox has 1 thousand. Vendors find 25 holes in Firefox, and only find 13 holes in IE.

      Hackers are just as likely to find more holes in Firefox than they are in IE, despite the fact there's more in IE.

      However this assumes hackers will spend as much time on the two browsers as the vendors did. It's quite possible the vendors spent equal time on the browsers, while the hackers are spending much more time on IE.

      So the true number of security holes and the known number might be two quite different things. Who knows. I do know, though, that more viruses and spyware are being made for IE than they are for Firefox.

    2. Re:maybe IE has more by muszek · · Score: 5, Insightful

      until some hacker exploits it

      not until someone exploits them, but until:
      -- someone exploits it
      -- it's discovered (it's not immediate, right?)
      -- it finds its way to MS staff
      -- it goes through the whole bureaucratic monster at MS all the way from a person who receives a bug report, through god knows how many decision makers, to coders. (I guess that's not so quick)

      Hackers have a lot of time to play around with those vulnerabilities...

      Plus, I bet that in the case of proprietary soft more (percentage wise) holes are discovered by those who are ill-minded (why in the world would you look for holes in IE? I don't know how that looks in FF's case, but I can imagine people looking for such stuff because they're doing a Good Thing).

    3. Re:maybe IE has more by TheCarlMau · · Score: 1

      On the flip side, it could work against Mozilla. An attacker has all the source code to find some hidden vulnerability and then not report it. In IE's case, at least exploits must be stumbled upon.

      All in all, I think open source is still the way to go. If one attacker can find it, one contributor probably can too!

    4. Re:maybe IE has more by Hey,+Retard... · · Score: 2, Funny

      ...you couldn't be more right. What you just said might be the greatest epiphany in the history of software development. No, the history of modern times...No...Dare I say it? Yes! The history of the world!! Stop the hunt for this year's Nobel Prize winner in the field of obviousness.

    5. Re:maybe IE has more by aussie_a · · Score: 1

      If you're truly interested in whether or not Firefox is faster (rather than assuming) perhaps you could do a study of all reports from 2 years ago, how many were made, how many were ranked as very very serious, and how long until each was fixed. That would be much more useful and informative than this non-article (Symantec says Firefox is insecure with facts and figures, Firefox comes back with a refutation with nothing but their word to back them up).

      Or if you'd like to just keep spreading FUD, go on as you were.

    6. Re:maybe IE has more by Breakfast+Pants · · Score: 0, Redundant

      Usually a person's epiphany which is considered great, let alone greatest ever, is at least original. This has been a common talking point for closed source advocacy for... as long as there has been an ongoing argument.

      --
      WHO ATE MY BREAKFAST PANTS?
    7. Re:maybe IE has more by Hey,+Retard... · · Score: 3, Funny

      ...I guess we can stop the hunt for this year's winner of the Nobel Prize in the field of density too.

    8. Re:maybe IE has more by n0-0p · · Score: 2, Informative

      If you're trying to balance things evenly you also have to consider that IE 6 has undergone no significant development in the last four years. The only changes have been bugfixes and minor security adjustments, so arguably it should be extremely stable. Yet we've still seen a number of severe vulnerabilities over the last year in what should be a very mature (by software standards) product.

    9. Re:maybe IE has more by Anonymous Coward · · Score: 0

      I've noticed a trend in your posts. What's with all the Mozilla animosity? Are you just trying to even out the rampant MS bashing? If so I'll let you know that swinging the FUD stick really doesn't help from either side so please stop.

      As for your request, take a look at Secunia for the severity of current unpatched vulnerabilities and you'll see that MS is still in critical territory. Also, IE 6 has close to three times more reported vulnerabilities than Firefox. And none of this includes undisclosed vulnerabilities that MS has but Mozilla does not.

      Cheers

    10. Re:maybe IE has more by fymidos · · Score: 1

      >Firefox being open-source does give the vendors
      >more of a chance to find holes more easily

      you are obviously confusing "vendors" with "external security experts". IE is as open source as it can be for its "vendor" (Microsoft).

      --
      Washington bullets will simply be known as the "Bulle
    11. Re:maybe IE has more by Errtu76 · · Score: 1

      "I do know, though, that more viruses and spyware are being made for IE than they are for Firefox."

      But that's probably only because spyware authors want to reach as many people as possible. And like it or not, IE still has the most users.

    12. Re:maybe IE has more by Bert64 · · Score: 1

      Firefox being open source means hackers can LEGALLY obtain the source code, as can white hat hackers..
      The malicious people who will find vulnerabilities and keep them secret while exploiting them for personal gain clearly don't care about legality and will likely also have a copy of the Windows source code which leaked recently, and are also highly likely to have illegal access to newer versions. The white hats won't have this access, so they are more likely to find vulnerabilities in Mozilla..
      The black hats are more likely to find holes in IE because the white hats will quickly find and fix the low hanging fruit from Mozilla, but this does mean more publicly disclosed vulnerabilities in the short term.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    13. Re:maybe IE has more by Bert64 · · Score: 1

      Not exactly..
      Remember some Windows 2000 source code was leaked a while ago? IE was included in that source code..
      People who are planning to illegally break into people's systems won't care about possessing illegally obtained source code as well, and it's also possible they might have newer versions than the one everyone knows was leaked.. After all, how many organisations signed up to shared source? What are the chances that one of those organisations could be compromised by a determined attacker?

      If I was going to break the law by breaking into people's machines to set up zombie networks or harvest credit cards etc, I wouldn't think twice about committing a further crime of stealing source code.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:maybe IE has more by dmaxwell · · Score: 1

      IE 6 is basically a collection of COM objects. Those objects have not remained static as Windows proceeds through Service Packs, 2000, XP, and now Vista. Major new developments in seemingly unrelated parts of Windows can introduce new holes to IE.

    15. Re:maybe IE has more by Breakfast+Pants · · Score: 1

      That isn't even a prize category. Density related works usually go under physics. You really are ignorant.

      --
      WHO ATE MY BREAKFAST PANTS?
  6. Open source wins again by mind21_98 · · Score: 4, Insightful

    When other people can see the code, problems are spotted more quickly. That's probably why Mozilla seems to have more problems than IE to them--the problems in Mozilla are spotted before they can be exploited, while IE's problems are noticed when exploits are made and used in the wild. That said, good job to the Mozilla team.

    1. Re:Open source wins again by XAJIM · · Score: 2, Interesting

      Do you have figures that back up your claim that Mozilla's problems aren't found in the wild? I'd be interested in looking at those statistics.

    2. Re:Open source wins again by Anonymous Coward · · Score: 0

      You can get a good look at a T-Bone by sticking your head up a bull's ass, but wouldn't you rather take the butcher's word for it?

    3. Re:Open source wins again by weicco · · Score: 1

      But could that also mean that problems are exploited more quickly?

      I mean with an open source product you could just pick up the source code and look for problems and holes in it. After this you are ready to exploit whatever system uses that code.

      With closed source you can't just look into the source, but you have to blindly try different kinds of situations and give different kinds of inputs to applications; look for problems in a more iterative and time-consuming way.

      Just a couple of thoughts...

      --
      You don't know what you don't know.
    4. Re:Open source wins again by aussie_a · · Score: 1

      wouldn't you rather take the butcher's word for it?

      A butcher is somewhat of an expert in the field (I know this because presumably I've been shopping from him for quite some time). The OP might or might not be an expert, but even if he does claim to be one, I have no way to know that for sure.

    5. Re:Open source wins again by CTho9305 · · Score: 4, Informative

      http://bcheck.scanit.be/bcheck/page.php?name=STATS2004
      In 2004, there was only ONE WEEK during which there were no known remote code execution exploits for fully-patched MSIE. There were 30 days for Firefox if you don't count Mac OS (which would be fair if we're only interested in browsers for Windows users).
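
      The thread is really a disagreement about which metric to score a browser by: Symantec's count of vendor-confirmed vulnerabilities (with the high-severity share), the time-to-fix weighting budgenator describes in comment 32, Mozilla's "time to get a fix into users' hands", and the Scanit days-of-exposure figure cited just above. The script below is an added example, not code from Symantec, Scanit, Mozilla or any poster in this thread; it computes all three measures over a constructed set of disclosure records (product labels, severities and dates are made up, no real advisory is represented) so the ranking flip is visible on one data set:

```python
"""Three ways of scoring browser security from the same disclosure records.

Added example (not from the Symantec report, the Scanit page, or any post in
this thread).  The vulnerability records below are constructed for
illustration only; no real CVE or advisory is represented.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    product: str              # "mozilla" or "ie" (constructed labels)
    severity: str             # "high", "medium" or "low"
    disclosed: date           # day the flaw became public
    patched: Optional[date]   # day a fix shipped; None = still open


# Constructed sample: "mozilla" gets more, shorter-lived disclosures,
# "ie" gets fewer disclosures that stay open longer.  Not real data.
SAMPLE: List[Vuln] = [
    Vuln("mozilla", "high",   date(2005, 1, 10), date(2005, 1, 12)),
    Vuln("mozilla", "high",   date(2005, 2, 1),  date(2005, 2, 4)),
    Vuln("mozilla", "medium", date(2005, 2, 20), date(2005, 2, 22)),
    Vuln("mozilla", "high",   date(2005, 4, 5),  date(2005, 4, 9)),
    Vuln("mozilla", "low",    date(2005, 5, 15), date(2005, 5, 16)),
    Vuln("ie",      "high",   date(2005, 1, 5),  date(2005, 3, 8)),
    Vuln("ie",      "high",   date(2005, 4, 1),  None),
]

PERIOD_START = date(2005, 1, 1)
PERIOD_END = date(2005, 6, 30)


def confirmed_counts(vulns: List[Vuln], start: date, end: date) -> Dict[str, Dict[str, int]]:
    """Symantec-style metric: how many vulnerabilities were disclosed in the
    period, and how many of those were rated high severity."""
    out: Dict[str, Dict[str, int]] = {}
    for v in vulns:
        if start <= v.disclosed <= end:
            c = out.setdefault(v.product, {"total": 0, "high": 0})
            c["total"] += 1
            if v.severity == "high":
                c["high"] += 1
    return out


def _open_on(v: Vuln, day: date) -> bool:
    """True if v was already public and still had no patch at the end of `day`."""
    return v.disclosed <= day and (v.patched is None or v.patched > day)


def exposure_days(vulns: List[Vuln], start: date, end: date) -> Dict[str, int]:
    """Scanit-style metric: number of days in the period on which at least one
    disclosed vulnerability for the product had no patch available."""
    out: Dict[str, int] = {}
    for product in sorted({v.product for v in vulns}):
        days = 0
        day = start
        while day <= end:
            if any(_open_on(v, day) for v in vulns if v.product == product):
                days += 1
            day += timedelta(days=1)
        out[product] = days
    return out


def mean_days_to_patch(vulns: List[Vuln], start: date, end: date) -> Dict[str, float]:
    """Mozilla's argument in the article: how long a disclosed flaw waits for a
    fix.  A flaw still open at the period end is counted as open until `end`."""
    waits: Dict[str, List[int]] = {}
    for v in vulns:
        if not (start <= v.disclosed <= end):
            continue
        closed = v.patched if v.patched is not None else end
        waits.setdefault(v.product, []).append((closed - v.disclosed).days)
    return {p: sum(d) / len(d) for p, d in waits.items()}


if __name__ == "__main__":
    print("confirmed counts :", confirmed_counts(SAMPLE, PERIOD_START, PERIOD_END))
    print("days exposed     :", exposure_days(SAMPLE, PERIOD_START, PERIOD_END))
    print("mean days to fix :", mean_days_to_patch(SAMPLE, PERIOD_START, PERIOD_END))
```

      On the constructed data the count metric ranks "mozilla" worse (5 confirmed, 3 high, against 2 and 2), while both time-based metrics rank it far better (12 exposed days and a 2.4-day mean fix time against 153 days and 76). Neither number is wrong; they answer different questions. For a defender deciding what to deploy, the exposure window is the one that describes the time during which a known, unpatched flaw could be used against users, which is why the Scanit figure and Mozilla's "time to get a fix into users' hands" are the more useful of the three.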

    6. Re:Open source wins again by Anonymous Coward · · Score: 0

      Er.

      When did Mohammed Saeed al-Sahaf suddenly join the Mozilla team?

    7. Re:Open source wins again by timbo234 · · Score: 2, Insightful

      I mean with open source product you could just pick up the source code and look for problems and holes in it. After this you are ready to exploit what ever system uses that code.

      The problem with your logic is that it's based on the assumption that security is improved by making it difficult to find security holes. The opposite is in fact true - the easier it is to find what security holes do in fact exist, the more likely those security holes will be closed.

      Or to put it another way - security through obscurity provides absolutely no security at all.

      --
      Pre-canned Evolution Links for all those Slashdot holy wars.
    8. Re:Open source wins again by LnxAddct · · Score: 1

      No, the problem is that Symantec only counted vulnerabilities that were vendor acknowledged. That is, Symantec only counted vulnerabilities that were fixed, and the report completely disregarded currently unpatched vulnerabilities (of which 19 exist for IE). How stupid is that? They just conclude that whoever fixed the least problems is more secure. If Firefox just stops acknowledging security bugs, Symantec would (in theory) conclude that Firefox is perfectly secure. This whole report is baseless and designed to scare people into buying their products again.
      Regards,
      Steve

  7. But was it... by lohphat · · Score: 0

    "faster than a dog with no legs. If the dog's up to its waist in treacle. And dead." /you'd think DOJ lawyers could tell if a newsgroup posting was a forward or not //you'd be right if you guessed "not".

  8. Not a dupe by steelfood · · Score: 1

    This isn't a dupe, technically, but shouldn't this bit have gone with the dupe of the Symantec report below as an update or something? After all, someone posted the link in the comments to that (duped) story shortly after it appeared.

    But if this is a dupe, what might it be called? A trupe? April-fools joke on a regular day?

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    1. Re:Not a dupe by Raistlin77 · · Score: 1

      It should have just been posted in the original story summary as an update...

    2. Re:Not a dupe by op12 · · Score: 2, Funny

      How about quadrupe? ...Or maybe infinupe. Seriously, this is the 4th Firefox vs. IE story in 10 days...isn't that a bit excessive?

    3. Re:Not a dupe by steelfood · · Score: 1

      Well, the debate itself between whether FF or IE is more secure has been going on since forever. This Symantec article is the latest incarnation of that debate. It's sort of like the debate over whether Linux is ready for mainstream home use or not or how google continues to grow; not a week goes by without at least one. But this one article pretty much has two entries (three including this one). At the least, if this had been included in or come in the form of an update to the dupe, it would at least lend legitimacy to the dupe. But a third one? And a rehash of a comment in the dupe at that?

      Disappointed, to say the least, but maybe my surprise is unjustified.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    4. Re:Not a dupe by op12 · · Score: 1

      And a rehash of a comment in the dupe at that?

      Duplicating the comment here would have been somewhat hypocritical/ironic, so I linked to it :)

      It's mostly to prove a point, which is there is no point (to this story). As you suggest, this is an update, not a story.

  9. Misleading numbers by GXFragger · · Score: 5, Informative

    Symantec's report is also slanted because it uses vendor-confirmed vulnerabilities rather than both confirmed and unconfirmed ones. This leads to misleading headlines and hurts Mozilla's reputation. I am surprised that Mozilla didn't say anything about that.

    1. Re:Misleading numbers by Anonymous Coward · · Score: 0

      I found 85,396 vendor unconfirmed Mozilla vulnerabilities today. Boy, that Mozilla sure is insecure.

  10. Truth is in the using by Anonymous Coward · · Score: 0

    I've had far fewer problems since I switched to Mozilla/Firefox, period. It operates faster than IE and is more stable. The only problem I've had is getting Flash to install properly. Small price to pay. Any site that won't play right I switch to IE then immediately go back to Firefox.

  11. secunia by Anonymous Coward · · Score: 1, Interesting

    What about the Secunia Security advisories?

    http://secunia.com/product/4227/

    Can't see them running to fix some of those issues?

  12. It's all academic by dsci · · Score: 5, Insightful

    IMO, all this bandying about with numbers is next to pointless. All I know is that in my experience:

    1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.

    2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed.

    3. Now I use Linux exclusively (unless doing work on a client's computer on their behalf), and I sure am not using IE.

    On the one hand, it's nice to see Moz hitting back with the PR. But, I wonder if this will ultimately hurt migration away from IE. That is, I can just about hear folks saying "MS says one thing, Mozilla says another...who to believe?"

    To the non-techie, MS is a known quantity and The Mozilla Foundation is not (I'm thinking along similar lines to name-recognition at the polls). At the very least, a I-say, they-say approach seems to muddle the issue more than clarify it for those not willing to do their own research.

    --
    Computational Chemistry products and services.
    1. Re:It's all academic by Anonymous Coward · · Score: 0

      1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.

      This is a quite common sentiment on Slashdot, but I don't get it. I've been using IE for years and have never had a problem. It's not like every site on the web attempts to exploit browser vulnerabilities. Where are all these web sites?

    2. Re:It's all academic by laughingcoyote · · Score: 2, Interesting

      "The Mozilla Foundation" might not be a well-known quantity outside of tech circles, but "Firefox" most certainly is.

      As to the rest...it might be anecdotal, but I've certainly not heard -one- person yet complain of MORE infections after installing Firefox, always the opposite. The proof's in use, and in that, Firefox beats IE every time.

      --
      To fight the war on terror, stop being afraid.
    3. Re:It's all academic by Anonymous Coward · · Score: 0

      "Where are all these web sites?"

      Porn and warez. Not that I would know anything about those...

    4. Re:It's all academic by aussie_a · · Score: 2, Insightful

      When was the last time you ran an adware scan and a virus scan? You may have no problems you've detected, but it's quite possible that you've been exploited quite a bit.

      It's also possible you've got a more secure system. Are you using a router? Hardware firewall? A software one besides the Windows XP one? Many people run Windows XP with no security except what comes with it (which is why it has a firewall since SP2; regardless of how bad or good it is, it's better than nothing) and a virus scanner (occasionally an adware scanner as well). These differences may be why you have a much more secure system despite using IE.

      Or it could be you surf only a very few, very trustworthy websites, while other people here aren't as discriminating. In that instance, it is better to use something other than IE.

    5. Re:It's all academic by dsci · · Score: 1

      When was the last time you ran an adware scan and a virus scan? You may have no problems you've detected, but it's quite possible that you've been exploited quite a bit.

      Not infected means not infected. Period.

      It's also possible you've got a more secure system. That's why I pointed out nothing else changed besides switching browsers.

      It's anecdotal of course, but it is my own, direct experience.

      --
      Computational Chemistry products and services.
    6. Re:It's all academic by aussie_a · · Score: 1

      It's anecdotal of course, but it is my own, direct experience.

      I wasn't responding to you, but the AC who replied to you (if you check, you'll see I'm not replying to your comment). He was claiming he hasn't ever had any problem with viruses or adware using IE; I was pointing out there's a difference between not having problems and not noticing the fact that you do have viruses and adware on your computer. While the same can be said about Firefox users, I tend to assume they're more cluey (they've discovered another browser after all) about security and DO run scans on their computer on a regular basis.

    7. Re:It's all academic by Anonymous Coward · · Score: 0

      To respond to your question...

      When was the last time you ran an adware scan and a virus scan? You may have no problems you've detected, but it's quite possible that you've been exploited quite a bit.

      I scan for adware and viruses frequently enough. Never found a virus, and the only hits the adware scanners find are tracking cookies.

      It's also possible you've got a more secure system. Are you using a router? Hardware firewall? A software one besides the Windows XP one? ... These differences may be why you have a much more secure system despite using IE.

      I'm NATed behind a wireless router and use XPSP2's firewall. But the thing is, these things don't prevent spyware infection. If a website is trying to exploit IE - say installing spyware via a buffer overrun - a router and a firewall wouldn't help a lick.

      Here's my hypothesis: the users that we hear about all the friggin time on Slashdot who can't keep the spyware off their computers are the ones who click "Install" every time they're prompted about an ActiveX control. The problem with most adware scanners is that they find problems after the fact. The "user action" that caused the spyware to appear is long forgotten. All the user knows is that "somehow" spyware got on their computer and, by golly, they use IE. Post hoc ergo propter hoc.

      The same users that install every ActiveX control are going to be the same users that install every Firefox extension. The "This website is trying to install an extension..." toolbar will only slow them down. Websites will helpfully offer instructions on how to install the plugin which, of course, you "must" do to view their content.

    8. Re:It's all academic by deaddrunk · · Score: 2, Insightful

      Just as a matter of interest, how much access to your system does a Firefox extension have as compared to an ActiveX control?

      --
      Does a Christian soccer team even need a goalkeeper?
    9. Re:It's all academic by jred · · Score: 1

      If they don't know Firefox, they'll almost certainly know Netscape. I just tell them Netscape became Firefox.

      Not sure how technically accurate that is, but it usually alleviates any misgivings.

      --

      jred
      I'm not a mechanic but I play one in my garage...
    10. Re:It's all academic by Anonymous Coward · · Score: 0

      It's me the AC again...

      ActiveX controls are executable code. Firefox extensions can contain executable code. Once we're talking about executable code, it has full access to your system.

      So to answer your question: a Firefox extension has the same amount of access to your system as an ActiveX control. Period.

      If you don't believe me, check out this thread in the Mozilla support forums, which is a report of a malicious Firefox extension in the wild.

      A few months back I downloaded all the Firefox extensions from addons.mozilla.org, and found Windows executables in the XPI (Firefox extension package) files for foxamp, firefoxview, mozilla_archive_format, and flashgot. You can download the packages and check them out yourself, if you want. Just rename the .XPI file to .ZIP and open them up. If memory serves, the ZIP contains JAR files, so you'll have to look in them too. (WinZip can open JAR files...) Just keep digging into those archives until you find the .EXE files. You'll find 'em!

    11. Re:It's all academic by aussie_a · · Score: 1

      Here's my hypothesis: the users that we hear about all the friggin time on Slashdot who can't keep the spyware off their computers are the ones who click "Install" every time they're prompted about an ActiveX control.

      Well it's wrong for me. I use Firefox but my parents use IE and I constantly have adware on my computer (an adware scan a week gets rid of it all though). My father isn't stupid enough to install anything without knowing what it is, my mother only does internet banking (and she'd freak if it came up asking her to install anything).

      Now while I do have less adware than I did when my brother used the computer (he DID hit install on anything that popped up), I do still have adware.

    12. Re:It's all academic by Anonymous Coward · · Score: 0

      To respond to my own post...

      One point of clarification, "Once we're talking about executable code, it has full access to your system." Obviously: it has access to your system according to the access rights of the user you're running as. If you're not running as admin/root, it wouldn't have "full" access...

      To give a concrete example of a Firefox extension that contains an executable, I went ahead and downloaded the most popular extension as listed on addons.mozilla.org, which is Flashgot. You can download the XPI file from this link. Save the file to disk. Rename to .ZIP. Extract the files. In the chrome directory you'll find flashgot.jar. Extract the files in that. You'll get 3 directories - content, locale, and skin. In the content directory there's another directory called flashgot, which contains - bingo - flashgot.exe.

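      Both of the AC's posts above (the survey of addons.mozilla.org packages and the step-by-step Flashgot walkthrough) describe the same manual procedure: treat the .XPI as a ZIP, open the nested .jar inside chrome/, and keep digging until an .EXE turns up. The following is an added example, not code from the thread or from Mozilla, that automates that audit for a defender who wants to check an extension package before approving it. It walks an XPI recursively, descends into any nested ZIP-based member (JAR, ZIP, XPI) and flags every member whose content starts with the "MZ" DOS header, so an executable renamed to a harmless-looking extension is still caught. The sample package it builds is constructed here to mirror the chrome/<name>.jar -> content/<name>/<name>.exe layout described in the walkthrough; the "executables" are header stubs, not real programs.

```python
import io
import zipfile

# First two bytes of every Windows PE (EXE/DLL) image: the "MZ" DOS header.
PE_MAGIC = b"MZ"

# Members with these suffixes may themselves be ZIP containers and are descended into.
NESTED_ARCHIVE_SUFFIXES = (".jar", ".zip", ".xpi")


def find_executables(archive_bytes, prefix=""):
    """Return the paths of all members in a ZIP-based archive (XPI, JAR, ...) whose
    content starts with the PE header, recursing into nested archives.

    Paths inside a nested archive are written as outer!/inner so the report shows
    exactly where in the package the executable was found.  Detection is by content,
    not by file extension, so a renamed .exe is still reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = zf.read(info)
            if data[:len(PE_MAGIC)] == PE_MAGIC:
                findings.append(path)
            # Nested container (e.g. chrome/*.jar inside an XPI): recurse into it.
            if info.filename.lower().endswith(NESTED_ARCHIVE_SUFFIXES) and \
                    zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(find_executables(data, path + "!/"))
    return findings


def build_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping (helper for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_xpi():
    """Constructed sample XPI (hypothetical extension named 'sample') with the same
    layout the thread describes: chrome/sample.jar holding content/sample/sample.exe.
    The PE members are only header stubs beginning with 'MZ'; helper.bin shows that a
    misleading extension does not hide an executable from content-based detection."""
    inner_jar = build_zip({
        "content/sample/sample.js": b"// extension logic\n",
        "content/sample/sample.exe": PE_MAGIC + b"\x00" * 30,
        "content/sample/helper.bin": PE_MAGIC + b"\x90\x00",
        "locale/en-US/sample.dtd": b"<!ENTITY sample.label 'Sample'>\n",
    })
    return build_zip({
        "install.rdf": b"<?xml version='1.0'?>\n<RDF/>\n",
        "chrome/sample.jar": inner_jar,
    })


if __name__ == "__main__":
    # Stand-alone run: audit the constructed package and list what was found.
    for hit in find_executables(build_sample_xpi()):
        print("embedded PE image:", hit)
```

To audit a real package, read the .xpi file into bytes and pass it to find_executables(); an empty list means no member begins with a PE header at any nesting depth. A hit is not proof of malice (the thread's own examples are legitimate helpers), but it is the thing a reviewer should know about before an extension is allowed into a managed environment.
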
    13. Re:It's all academic by Dehumanizer · · Score: 1

      Remember to tell them that there's still a Netscape around, but it's not the same guys, so don't use it (it's Firefox + adware).

      --
      The Tlog - a technology blog
    14. Re:It's all academic by deaddrunk · · Score: 1

      That's pretty dodgy, however malicious websites will never even pop up a box asking you if you want to install said software unless you add said site to the list of sites allowed to install stuff.

      I don't consider myself or my less clued-up friends and family to be 100% safe, but your 'just click yes to install' scenario is a lot less likely with FF than with IE.

      Only if the malware makes it onto the trusted sites, or the site manages to fool FF, will unwary users be caught out in nearly all cases. That's a lot less likely than letting all sites have the potential to install stuff.

      --
      Does a Christian soccer team even need a goalkeeper?
    15. Re:It's all academic by dsci · · Score: 1

      I wasn't responding to you, but the AC who replied to you

      Ooops. {wipes egg off face}

      --
      Computational Chemistry products and services.
    16. Re:It's all academic by DavidTC · · Score: 1
      I used to not like the bar either, but I realized the only solution is to disable installing software entirely. Otherwise, malware sites will just walk the user through installing their crap.

      You could bury the option three deep in the menu and require four checks in different dialogs, and idiots would do it so they can install a 'file viewer' to see their porn.

      And if no software was installable through the web browser, we'd just go back to 'manual download and install' of malware.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    17. Re:It's all academic by Anonymous Coward · · Score: 0

      XP always came with the firewall. Typically for them Microsoft didn't bother switching it on by default until SP2.

    18. Re:It's all academic by geekee · · Score: 1

      "2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed."

      A lot of people in New Orleans thought the same way about hurricanes until recently. It's irrational to ignore an impending problem because you haven't seen its effect yet.

      --
      Vote for Pedro
  13. Symantec forgot one critical detail... by Chrontius · · Score: 3, Insightful

    the time-to-patch, how long it takes between the discovery of a vulnerability and its repair. Frequently with Microshaft, this can be weeks. Maybe months, even. With Mozilla, I keep seeing the patch on either the same day or the next day.

    1. Re:Symantec forgot one critical detail... by Anonymous Coward · · Score: 0

      With Mozilla, I keep seeing the patch on either the same day or the next day.

      Yeah, for the workaround, but where's Firefox 1.0.7? The amount of time they're taking with it, you'd think they were actually regression-testing this one ;)

    2. Re:Symantec forgot one critical detail... by aussie_a · · Score: 1

      Well done, you just restated the point made in THIS ARTICLE. It may have been a valid point if, you know, you had posted it in one of the previous stories on this subject.

      Were you trying to make a point? Or just looking for mod points (as of posting this the parent is at +2 Insightful).

    3. Re:Symantec forgot one critical detail... by Chrontius · · Score: 1

      It's one fifteen A.M. Cut me some slack, it sure sounded insightful at the time.

    4. Re:Symantec forgot one critical detail... by aussie_a · · Score: 2, Informative

      Are you deliberately spreading FUD? Firefox 1.0.7 is right here. (if you were going for funny, I don't see the joke)

      They've been building 1.5 (Deer Park) for at least one or two months. I'm assuming they finished working on 1.0.7 before they began work on 1.5, so 1.7 isn't exactly new.

    5. Re:Symantec forgot one critical detail... by Anonymous Coward · · Score: 0

      They've been building 1.5 (Deer Park) for at least one or two months. I'm assuming they finished working on 1.0.7 before they began work on 1.5, so 1.7 isn't exactly new.

      1.0.7 is a security fix for a recently discovered vulnerability or two on the 1.0 branch, whereas 1.5 is the next "major" release Mozilla Foundation are working to. Don't let the numbering system confuse you, the one does not precede the other.

      Thanks for the link though. I wasn't aware 1.0.7 en-US version was out, the official build in my language should be just around the corner :)

  14. Re:Allegory by Raistlin77 · · Score: 4, Informative

    Microsoft (the bully) is scared of Mozilla (the other weak little kids). If Microsoft was not scared of Mozilla, it would not bother trying to tarnish Mozilla's image by using its bully friends (Symantec).

  15. Mozilla is a disaster waiting to happen by Anonymous Coward · · Score: 0, Interesting

    Mozilla is a disaster waiting to happen. It's that simple. A large portion of the browser is written in JavaScript. In fact, the browser's UI JavaScript can actually call JavaScript functions located in an HTML page.

    Eventually someone is going to figure out how to reverse the process and call "chrome" JavaScript from "non-chrome" JavaScript, and then it's all over. Since JavaScript can access literally anything in Mozilla, you've got a nice cross-platform vulnerability waiting to happen.

    Extensions are proof enough of this. Yes, extensions can add a lot of functionality - but there really isn't that much different between an extension and a web page.

    Internet Explorer may be a security joke now, but if Mozilla ever gains any popularity, it'll be an even bigger joke than Internet Explorer. It's a disaster waiting to happen.

    The Symantec report is proof that this is starting to happen. If you want to use a secure browser, they're out there, but Mozilla most certainly ISN'T one.

    1. Re:Mozilla is a disaster waiting to happen by Anonymous Coward · · Score: 0

      alert( 'You learn something every day' );

      Seriously, I did not know that.

    2. Re:Mozilla is a disaster waiting to happen by Anonymous Coward · · Score: 1, Interesting

      "Insert product here" is a disaster waiting to happen. It's that simple. A large portion of the program is written in executable code. Eventually someone is going to figure out how to reverse the process and call executable code from non-executable data and then it's all over. (*cough* any executable buffer overflow in any program that loads data ever)

    3. Re:Mozilla is a disaster waiting to happen by CTho9305 · · Score: 3, Informative

      Ummm... are you aware of what exactly was changed for Firefox 1.0.3 that broke extensions? Someone did find ways to do basically what you were saying, and it was all addressed. Big architectural changes were made to address the problem, making Mozilla significantly more secure.

    4. Re:Mozilla is a disaster waiting to happen by theodicey · · Score: 2, Informative

      This is FUD. As of Firefox 1.03, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overridden by content. In addition, they've encapsulated chrome code even further in Firefox 1.5. Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc.

    5. Re:Mozilla is a disaster waiting to happen by theodicey · · Score: 5, Informative
      This is FUD.

      As of Firefox 1.03, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overridden by content.

      In addition, they've encapsulated chrome code even further in Firefox 1.5

      Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc., all of which are present in Konqueror, Safari, and Opera, all of which have received far less security scrutiny.

    6. Re:Mozilla is a disaster waiting to happen by Dehumanizer · · Score: 1

      Internet Explorer may be a security joke now, but if Mozilla ever gains any popularity, it'll be an even bigger joke than Internet Explorer. It's a disaster waiting to happen.

      Bzzzt. Wrong.

      --
      The Tlog - a technology blog
    7. Re:Mozilla is a disaster waiting to happen by meburke · · Score: 2, Insightful

      Any flexible, extendable application will have some errors because of the multiple interfaces and the complexity of the system itself. Some of those errors will affect security. My argument for Mozilla/Firefox is that it is more secure at this time. My argument against M/F is that in most cases, the problems are being patched rather than designed out more quickly. Sooner or later the maintenance on the holes is going to be so massive a task that it will nearly be impossible to fix. I've been watching the boards, but it looks like a redesign is 'way overdue.

      Someone should be classifying ALL the vulnerabilities found in FF over the last 18 months, and a team should start examining the code that was stable at that time. Then, they should ask: "If we knew these vulnerabilities were going to crop up, what major design changes would we have made to clean them up upstream?" Most of the vulnerabilities will fall into a few common, recurring patterns, and those can be designed against. I know this is not a popular OSS practice, but something like this will help the app evolve more securely.

      --
      "The mind works quicker than you think!"
    8. Re:Mozilla is a disaster waiting to happen by Anonymous Coward · · Score: 0

      No, it isn't FUD. It's simply bad design on the behalf of Mozilla.

      The fact that this has already happened once, according to you, is evidence that it's possible. And it WILL happen again. And again. And again.

      It's impossible to make the model secure. Pull up the DOM inspector, and inspect a browser window. Note how the document is literally embedded INSIDE the document model of the browser document!

      The "browser window" is, almost literally, an <iframe> inside the browser "chrome".

      A good example of this is the "autoscroll" feature, that actually alters the document's DOM. Pull up the DOM Inspector, and expand the HTML node. Middle click on the document, and watch an "img" element appear.

      That which can go in, eventually can go out.

    9. Re:Mozilla is a disaster waiting to happen by dr_skipper · · Score: 1

      I doubt it!

    10. Re:Mozilla is a disaster waiting to happen by Anonymous Coward · · Score: 0
      This is FUD. As of Firefox 1.03, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overridden by content. In addition, they've encapsulated chrome code even further in [mozilla.org]Firefox 1.5 [mozilla.org] Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc.
      This is FUD.
      As of Firefox 1.03 [mozilla.org], what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overridden by content.

      In addition, they've encapsulated chrome code even further in Firefox 1.5 [mozilla.org]

      Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc., all of which are present in Konqueror, Safari, and Opera, all of which have received far less security scrutiny.


      sweet move, mess up, do it again right, and get modded up by 5 people!
  16. Credibility by RandomPrecision · · Score: 1, Interesting

    Symantec programs try to block Trillian every time I use my internet security suite and instant messenger at the same time. Of course, I gave up Symantec. Additionally, I wish I had taken a screenshot when it tried to block the command-line ftp program. I also conjecture that they have some bias in favor of IE, since my default browser is set to Firefox, but webpages launched from Symantec anti-virus programs always launch in Internet Explorer anyway. That being said, I'm no expert in internet security, but when I used IE, I very rarely had the opportunity to close it myself - it was always ended by an illegal operation, and I often had my homepage hijacked and search bars added. Neither has ever happened to me since I switched to Firefox. While that doesn't necessarily prove anything, I feel that Firefox is more secure.

    1. Re:Credibility by Anonymous Coward · · Score: 0

      Symantec needs to die. I have on many occasions seen clients buy a new machine, plug it in, and right away it's running slower than my 466 MHz Celeron laptop. Why? Because Dell/HP felt that the Norton Internet Security suite would be a good thing to put on there. I uninstall it and replace it with McAfee (Enterprise, through the University), and it's like a whole new machine.

      Not to mention that the "Internet Security" part is absolutely worthless. I once had a client whose machine refused to get an IP address through DHCP. He finally got to the bottom of the problem by calling Dell, who told him that he needed to disable his Norton firewall. Brilliant. Then there was my roommate, who would reset our router 5 times a day (it's a Linksys, and it does lock up occasionally, but not 5 times a day) to clear up his network problems. Then I got to the bottom of it: one night it popped up a warning about some bogus intrusion attempt (offending IP? our ISP's DNS server!). Then he got timeouts trying to resolve DNS names. But whaddya know, he disabled Norton Internet Security, and it worked just fine.

      Symantec. Complete Crap.

  17. It did not take too long. by DeckerDel · · Score: 1

    or did it, I mean to say.. It did not take ohh whatever! who cares as long as I don't have to tell people to start using IE!

  18. I feel safe swimming in Firefox pool for a reason. by Maxhrk · · Score: 0

    I don't care about which browser has the most vulnerabilities. I only care, when it comes down to it, about which browser is the most infectious. So if Firefox has very far fewer infections, then I favour it over Internet Explorer anytime.

    I don't know whether the points I make are valid, but I have to say it because I hate spyware in IE anyway... My common belief is that Internet Explorer should be separated from the OS; otherwise it remains untouchable. So that is the reason why I browse with Firefox rather than Internet Explorer. (Imagine a pop-up showing up while I search the files on my hard drive!)

  19. The interesting questions by tmk · · Score: 4, Interesting
    Do you know someone who has got compromised through Firefox vulnerabilities?

    Does Symantec know customers who did?

    Is Ed Gibson a Firefox user?

    1. Re:The interesting questions by SnowZero · · Score: 1

      Does Symantec know customers who did?

      Of course not, as that would be admitting their products aren't perfect.

    2. Re:The interesting questions by Anonymous Coward · · Score: 0

      Yes, I have been compromised through Mozilla vulnerabilities. About a week and a half ago.

      I use Mozilla as opposed to Firefox (FF has a few small issues that keep me with Mozilla), and since I stopped using IE, Adaware has found nothing on my system. Zero. Zip. Nada. Not a sausage.

      But the other day, I noticed AVG was checking an out-bound email, from "AutoPOP", even when I had no mail client open. This happened regularly, up to a few times an hour.

      That had me worried. My Windows machine is fully patched, behind a router firewall.

      Adaware couldn't find anything, Spybot couldn't find anything, and AVG found nothing. But it appeared I was being used as a relay for Nigerian scam emails. The "AutoPOP" message had an IP attached to it (I'm at work now, and don't know it off hand), and that IP's website was full of wavy US dollar banners, followed by a few Nigerian emails.

      Now, I got cocky, and thought I was safe because I was using Mozilla (I should have known better since the popup blocker stopped working on my favourite sites). I was still using 1.7.4, as opposed to the latest 1.7.11. I had to completely uninstall Mozilla, delete the residual stuff out of my "Documents and settings" directory, clear the crap out of the "run" key of the registry, and reinstall the current Mozilla to get rid of it.

      I know it was my own fault for not updating, but I get annoyed when people pretend Mozilla/FF security flaws aren't critical, because they don't like the person delivering the message.

      Symantec might be wankers, but Mozilla is still a risk if not patched.

    3. Re:The interesting questions by tmk · · Score: 1

      Your description lacks one fact: How did you find out you got infected through a Mozilla vulnerability?

  20. Hitting back... with patches! by strredwolf · · Score: 1

    Symantec may be right in saying "Mozilla gets more critical holes reported," but it forgets that Mozilla is open source, and that the bug reporters can send in a patch to Mozilla.

    So, Symantec? How many of the critical holes that are reported to Mozilla are fully ID'ed down to the lines of source code and have patches to fix them? Mozilla is right in this regard: being open source means you get a faster response time, as the folks who are finding out about these bugs can be (and probably are) the ones that are fixing them.

    --

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  21. Research... Reporting... by Wannabe+Code+Monkey · · Score: 5, Insightful

    Don't reporters do research any more? This article does nothing more than parrot what Mozilla has to say about the matter. I wonder if it would be possible for a company to completely forgo a PR department and just use the news media directly.

    This was zdnet's first article on the recent situation, "Symantec: Mozilla browsers more vulnerable than IE". Basically, "This is what Symantec said about Mozilla". And now this article is titled, "Mozilla hits back at browser security claim". Which translates to "This is what Mozilla said back".

    You could probably just take a few +5 rated comments from the first slashdot discussion about this and come up with a better article... In fact that might be a good business plan: write a script to automatically grab the highest rated comments from each story, splice them together into an article and then put it on a website as original content, <msb>your articles might even be posted back to slashdot from time to time</msb>.

    (msb = mandatory slashdot bashing).
    --
    We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
    1. Re:Research... Reporting... by Ieshan · · Score: 2, Insightful

      This is a typical bias in journalism that can be reduced to being called "each side is equal". The idea is, each party has their own opinion with equal likelihood of being right, even when they are speaking about factual things.

      Of course, this is an absurd assumption. I know next to nothing about particle physics; if I published a book about particle physics being caused by little ghosts, I would be laughed at by the scientific community. But if this journalist wrote an article, the headline would say something like, "Debate Rages on About Particle Physics", with equal weight being placed on my ideas and the consensus ideas.

      This is extremely common in things like the Intelligent Design debate, where people claim things like "But Evolution is a testable theory!" Guys. Theories aren't testable. Predictions they make are. Evolution makes plenty of testable predictions. For the love of god, stop printing that already. It's not okay to print that, just because someone else thinks it's the right thing.

      Mozilla vs. Symantec is going to be a comparable article. There's going to be no research into whose opinion makes more sense. If Mozilla says "Yeah, sure IE will have fewer bugs for a month or so, since a) we've just been exposed to millions more customers, and b) we're open source. But because we're open source, we have the protection of a userbase of thousands with the ability to modify the program for the better, and this is why our bugs vanish within hours, while MSFT takes months.", the journalist will write "Mozilla says they're better than IE because IE is closed. Symantec says that closed means your source is more secure."

      Never mind that security by obscurity is stupid, never mind that the whole idea of rating Mozilla lower on a scale of security than IE because in the last whatever amount of time they've had more vulnerabilities of a less critical nature (that would be like being rushed into the emergency room ahead of someone with his leg torn off because you had six bruises, and six bruises are bigger than one leg). Everyone's opinion is just as good as everyone else's, so we're going to publish them! //sigh

  22. Ability to respond by Noose+For+A+Neck · · Score: 1

    I can't imagine it takes the Mozilla team that long to select the "Confidential" classification for critical security vulnerabilities submitted to Bugzilla and hit 'Enter'.

    --
    Software piracy is victimless theft.

  23. Who let the dogs out? by vrv1 · · Score: 2, Insightful
    "Which would you prefer, to have a broken finger, or your head ripped off?"

    Seriously, guys who make these kinds of comparisons shouldn't be let out of the room; just stay inside and code. And let others do PR work.

    1. Re:Who let the dogs out? by Dehumanizer · · Score: 1

      Even though it's a pretty good comparison of the relative seriousness of Firefox and IE vulnerabilities? Does PR work have to be done by slick marketing liars who are simply unable to state things as they are?

      --
      The Tlog - a technology blog
    2. Re:Who let the dogs out? by vrv1 · · Score: 2, Insightful
      When you want to win someone over you don't use shock and awe. After all, he is trying to convince a general audience here: managers, moms, etc. etc. You try and use coercive arguments that they can agree to. In this case, you maybe want to compare bumping your toes to a root canal. Things that, you know, people can relate to.

      Disclaimer: IANAM (I Am Not A Marketeer (sp?)), but I think I have a convincing argument.

    3. Re:Who let the dogs out? by Anonymous Coward · · Score: 0

      I have a better idea. How about we not use personal injuries as analogies for security holes?

    4. Re:Who let the dogs out? by Anonymous Coward · · Score: 0

      How about we not use personal injuries as analogies for security holes?

      That'd be like cutting off your nose to spite your face!

  24. And... by NcF · · Score: 1

    And Firefox is in version 1.0.6 and IE is in version 6.x... Need I elaborate on this subject? :roll:

  25. 1.0.7 is out by nonpareility · · Score: 3, Informative

    Firefox 1.0.7 Released, and the bug is fixed.

    1. Re:1.0.7 is out by Anonymous Coward · · Score: 0

      In your language maybe...

    2. Re:1.0.7 is out by theshowmecanuck · · Score: 1

      When I try the 'software updates' in the options/advanced menu, Firefox says it cannot find any available updates. I am running 1.06. I find this feature only works sporadically. That is, when I know there is an update on the web site and try the update feature, sometimes it works, and sometimes it doesn't. Anyway, until it works reliably, I think this feature can give a user a false sense of security. Anyone else have this issue?

      --
      -- I ignore anonymous replies to my comments and postings.
    3. Re:1.0.7 is out by jesser · · Score: 1

      That's probably just because 1.0.7 isn't being pushed to automatic update users yet. It was only released a few hours ago, so that shouldn't be surprising.

      --
      The shareholder is always right.
  26. Bias again.. by ShaolinTiger · · Score: 3, Insightful

    Oh well, Symantec of course, riding on the proprietary platform of Microsloth is going to be biased.

    There are many ways you can look at this..

    In 2005, IE has already been around for YEARS; if you follow that perspective, it should have many fewer flaws... But that's not the case.

    You could say FireFox is newer, so of course more flaws are expected; you could also say they should have learned from IE's mistakes, and avoided those pitfalls.

    You can also say Firefox is open source, people who find the flaws don't have malicious intent, they are trying to improve the software and make it a viable option in the real world..

    Those who find flaws in IE usually do it for fun and profit, spyware spam porn diallers etc, all strapped into the world of IE.. there are XX number of unknown exploits in IE due to the closed source, and they are probably being exploited right now; case in point is Microsoft's new Honeymonkey project discovered one in the first couple of days..

    The article is basically a press release from Mozilla, but still, it's just numbers, numbers can be pulled from any generic poopshoot and manipulated anyway they want.

    --
    Share your Knowledge - Kung-Fu Geekery
    1. Re:Bias again.. by webhead74 · · Score: 0
      Oh well, Symantec of course, riding on the proprietary platform of Microsloth is going to be biased.

      I'm not trying to be a Symantec apologist, but they actually do use Open Source... For instance, their firewall appliance - Symantec Gateway Security (http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=133) is built on RedHat. As best I remember, a few of their other products are built on Linux too - but I can't be assed to go look at the moment. I only point this out for the sake of a complete argument.
  27. Re:Allegory by rtb61 · · Score: 1

    I wonder who is being bullied. I seem to remember Microsoft has bought a series of companies that compete with Symantec, hmm. Do what we say or else. At the moment Symantec's only real hope for a long term future is Linux; perhaps they just don't believe they have a future in either direction and management are just doing what management does (covering their own arse first).

    --
    Chaos - everything, everywhere, everywhen
  28. What happened to real journalism? by Secret+Rabbit · · Score: 5, Insightful

    """The study was conducted over the first six months of 2005."""

    When did the litmus test for long term security become the short term?

    """ by claiming """
    """Nitot said that Mozilla's reaction"""
    """according to Nitot."""
    """He also argued that ... the Microsoft vulnerabilities were more critical,"""

    All these quotes are from the article and in a place where they implicitly put into question what Mr. Nitot is trying to say.

    But when Mr. Whitehouse speaks, even saying "IE is closed source, and so it's more difficult to access the code", which implicitly says that closed source is more secure (security through obscurity - provably false), this "journalist" doesn't call him on it.

    And this "journalist" continues to let this guy speak implicitly calling into question the security of and wisdom of using Firefox without making him justify the claims.

    So, all in all, we have Mr. Nitot arguing a point and bringing facts to the table that support his claims and Mr. Whitehouse bringing implications and conjecture almost completely unsupported. Also, in the middle is this "journalist" who phrases things in a way that supports Mr. Whitehouse.

    What happened to all the real journalists? You know, the ones that get as close to unbiased reporting as possible; the ones that report only facts leaving out editorials marked as fact.

    *sigh*

    1. Re:What happened to real journalism? by zippthorne · · Score: 1

      I don't think that kind of journalist ever existed. Keep in mind that the highest award in journalism is the Pulitzer prize.

      --
      Can you be Even More Awesome?!
    2. Re:What happened to real journalism? by Secret+Rabbit · · Score: 1

      You haven't ever watched/read the BBC/Independent/etc have you?

  29. A better response... by fbg111 · · Score: 2, Interesting

    ... would be that of course more vulnerabilities were found for Mozilla, it's several years younger than IE. How many exploits were being found (announced or not) when IE was at roughly the same maturity? He could also go into Open Source vs. proprietary, but that's already been covered by other posters...

    --
    Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
    1. Re:A better response... by ZenShadow · · Score: 1

      That doesn't work either, as the web was far, FAR less popular when IE was initially introduced.

      -S

      --
      -- sigs cause cancer.
    2. Re:A better response... by fbg111 · · Score: 1

      Start in 1999 or 2000, the web was popular enough then. Can't remember exactly when IE 5 came out, but it was around then I think...

      --
      Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
  30. Responsiveness is irrelevant by Anonymous Coward · · Score: 1, Insightful

    The big issue is that 99% of all users never update their software, so they won't have their system patched against the spl0itz.

    Thus, the system that is best protected is the one that has fewer critical vulnerabilities, not the one that gets patched soonest. What good is a quick patch when exploits usually don't occur until the patch comes out anyway!

    I can make sure that I patch my own system as soon as possible, but what about my mother? I can easily just turn on auto-update in Windows and know that she is always within a few days of having the latest patches. I just did an auto-update of FireFox yesterday, and it wanted me to close windows, blah, blah, blah. It needs to happen when the software is NOT running, not when you start it up!

    dom

    1. Re:Responsiveness is irrelevant by Kingofearth · · Score: 3, Informative

      Well, it's a good thing Firefox 1.5 will fix that with its auto updating binary diff patches. It automatically downloads the update and installs it the next time you start Firefox.

    2. Re:Responsiveness is irrelevant by Anonymous Coward · · Score: 0

      So you're saying WinXP should update while I have my machine off?

  31. yea mod that up by Anonymous Coward · · Score: 0

    Same here. I've been using browsers for over 10 years and I can say I've never been "infected" with anything by going to a website.

    My diagnosis on Mr Wazoo's infection is: user probably doesn't know the difference between IE and the Explorer.

    I guess there's just no patch for dumbass.

  32. The reason why... by Anonymous Coward · · Score: 0

    Microsoft has fewer (this year) is because they've gone through 6 versions. Someone oughta write a report of all of the IE bugs, and then compare it to Firefox.

  33. the comparison is simple by ChipMonk · · Score: 1

    On average, for the first 182 days of 2005:

    How many security alerts were open for Microsoft Internet Explorer?

    What was the average severity of those alerts?

    How many security alerts were open for Mozilla Firefox?

    What was the average severity of those alerts?

    The less severe the alert, and the faster it is resolved, the better the support behind the browser. It's that simple.

    1. Re:the comparison is simple by CTho9305 · · Score: 2, Informative

      http://bcheck.scanit.be/bcheck/page.php?name=STATS2004
      Your questions are addressed on pages 3 and 4.

  34. Symantec has no credibility on software issues by grnchile · · Score: 5, Informative

    Symantec is the (proud?) publisher of the absolutely worst piece of software that I've ever used: WinFAX Pro 10.2. Not only did every major mode fail to work in some way, but it disabled my phone system for days after it was installed on a machine on my network. This software was so flawed that it convinced me to abandon the Windows platform altogether.

    Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.

    Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.

    1. Re:Symantec has no credibility on software issues by Anonymous Coward · · Score: 0

      Heh, that reminds me of wonderful S.AV - it was deleting the .dll responsible for the DHCP client :) amazing.

      This software was so flawed that it convinced me to abandon the Windows platform altogether.

      Heh. That was the best thing I've heard 'bout them..

  35. Re:Allegory by Anonymous Coward · · Score: 0

    Boy, you might be mentally retarded.

  36. Symantec's so-called "findings" are irrelevant by matt72186 · · Score: 1

    This data doesn't seem like a relevant comparison considering IE has been considered a full version for years now, and Firefox has only recently hit 1.0.

  37. I call shenanigans by TheCabal · · Score: 1

    Nevermind the trash can fire over there, look at this shiny object!

    I call shenanigans on Mozilla, and I'm not falling for their sleight-of-hand bullshit. They get patches in users' hands faster? Whoop de freaking do. Whatever happened to Mozilla writing superior code? The "tens of thousands of eyes makes flaws shallow"? Microsoft isn't innocent, but shame on Mozilla for stooping to the same tactics.

  38. Slashdot isint biased! by 3770 · · Score: 0, Redundant

    Slashdot biased? NEVER!!!

    --
    The Internet is full. Go Away!!!
  39. OPERA v8.5 by cpangelich · · Score: 1

    The OPERA browser is now freeware. No advertisements, no nag screens.

    Security by obscurity?

    --
    Charles Angelich
    1. Re:OPERA v8.5 by Dehumanizer · · Score: 1

      Indeed. I still prefer Firefox, but Opera is a fantastic browser, stable, secure, blindingly fast, with a great interface, and probably a better option than Firefox for slower computers. Between the two, it's mostly a matter of preference.

      --
      The Tlog - a technology blog
  40. Real world example vis Symantec vs. Mozilla by Anonymous Coward · · Score: 5, Interesting

    I volunteer to fix PCs for a group of teachers in the US. I am not part of their official school board sanctified tech support crew (because those guys are snowed under).

    The group of teachers were given Compaq and Dell laptops a few years back... and encouraged to use them at school and at home to help them in their work.

    The schools gave them Symantec free subscriptions for a year... and Windows 98.

    Over this summer I have fixed five of those PCs... a lot of hours in total. They were finally slowing to a halt (it is like a plague really finally hit those old Windows 98 machines) but the hardware was still going strong for what they needed. They were hijacked, malwared, and spywared to bits.

    None of those teachers had bothered to upgrade their PCs via Microsoft Update ever as they did not know they had to (all of those laptops needed an update as far back as 2001 from MS), none of the teachers were going to shell out any money personally to keep their Symantec subscription up to date, and none of them had any time to learn how to protect their machines.

    Why? Because they are too frigging busy doing other things!

    But they were pissed that their machines were hosed and all they used them to do was write out lesson plans on MS Word and surf the net.

    I did the usual Microsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.

    A few months later after the start of the school year and no call-backs. None.

    Symantec + IE vs. AVG/Spybot/Ad-Aware + Firefox? No contest.

    In my mind, and the minds of the users I helped, Symantec is part of the problem.

    They never got five subscriptions from those users and they never will.

    Symantec are like a bunch of gangsters selling "protection". They need their own series on HBO!

    1. Re:Real world example vis Symantec vs. Mozilla by Anonymous Coward · · Score: 0

      While I think IE and Symantec stuff is crap, your comparison is far from fair. You claim no contest between IE+Symantec when it was incorrectly set up, not updated and poorly managed vs a well set up and well configured Firefox/AVG/antispyware setup (if somewhat illegal unless you are licensing some of those, as I believe not all are free for educational use). Ummmmm, DUH! People could say the same about a badly configured Firefox and AVG setup that doesn't auto update vs a properly configured IE system.

  41. Oh, I could add a few more to the list by jd · · Score: 5, Insightful
    First, who decides how critical a bug is? And how do they make that decision? The more wiggle-room there is, the easier it is to adjust the number of critical bugs in your favour and likewise in the opposite direction of competitors.

    For that matter, who gets to decide what a bug is, rather than a "feature"? The DRM in the current version of the Acrobat format allows you to run embedded Javascript with no access controls. This is arguably an exploit, but Adobe would doubtless classify it as a feature, as it means you cannot circumvent DRM by turning the Javascript off.

    Secondly, the numbers are not directly comparable, as Mozilla is standalone whereas IE is built into the OS. (This is important, as integration means that bugs that are strictly in the OS could be exploited through the web browser, without it being a web browser bug.)

    Thirdly, there are deals over the reporting of security holes in software, whereby a report can be held back until a patch has been readied. This means that even "unconfirmed" (but reported) bugs by security vendors may be capped by the manufacturer. (Not always, even with those manufacturers who do this, but it does introduce uncertainty.)

    Finally, Mozilla is cross-platform but bugs may not always be. Any buggy code that is OS-specific, for example, or any bug which relies on some OS-specific or library-specific bug in order to be exploitable, may only affect certain platforms as a result.

    There is a second part to this one! It is also possible to have one bug that appears in multiple forms, but only one form per OS (due to OS-specific characteristics). Does it count as one bug or as many? (Remember, it still only takes one form in a given OS, but because of dependencies, changes in some way between different operating systems.)

    Now, you can argue that many of the above are very hypothetical and do not apply in this specific study. Perhaps that is true, but the point is that unless you have rigorous controls on how you produce the statistics, the uncertainties are bound to be comparable to the number of incidents, making the statistics worthless.

    And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".

    Ideally, the security companies would produce sufficient additional information to demonstrate the confidence they have in the values produced as opposed to simply citing the numbers but not really backing them up with anything concrete.

    Where uncertainty is required by the vendor, then publish a range or some other indicator of how many unpublishable but reported bugs are believed to exist. (Since there is no guarantee that the unpublishable data is circulated with security vendors, an accurate figure may not be producible at all.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Oh, I could add a few more to the list by Anonymous Coward · · Score: 0
      Firstly and secondly, that's what Secunia is for.

      Thirdly, it is highly unlikely that MS wants to leave bugs unconfirmed because it may make the person who discovered it feel ignored and release the exact details to the public without MS having a patch ready.

      Next paragraph, so what? IE's bugs are also non-cross-platform (if they're running under WINE, your computer's pretty safe, and I don't remember seeing IE for MAC listed as one of the vulnerable versions of IE in recent memory).

      Again, I point you to Secunia which provides pretty reliable and independent data on the severity and amount of bugs in different applications (not just browsers). The statistics are fine if they are done properly; it's just Symantec spreading FUD.

      And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".

      Huh? If the variance, which means spread in the context you used it, in case you didn't know, is the same as the number of bugs reported, then the possible values are from 0 to 2 times the number of bugs reported. Also the numbers still do mean something, but again - you're confusing Mozilla/MS acknowledged issues with issues that have been presented and then independently verified.

      That's the only statistic you can really have about software vulnerabilities. You can only compare how many (and their severities) have been discovered (regardless of whether or not the vendor acknowledges it, but if an independent third-party acknowledges it).

      Why should the vendor care how many bugs may exist that it hasn't acknowledged? It only makes them look bad.
    2. Re:Oh, I could add a few more to the list by DavidTC · · Score: 1
      Thirdly, it is highly unlikely that MS wants to leave bugs unconfirmed because it may make the person who discovered it feel ignored and release the exact details to the public without MS having a patch ready.

      What the fuck is wrong with people? Do you just not read the comments? There are tons of currently unconfirmed by MS security issues in IE.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    3. Re:Oh, I could add a few more to the list by DavidTC · · Score: 1
      And, lastly, what the hell does 'Mozilla' mean? Are they counting bugs in just FF or Mozilla?

      If so, that's pretty much automatically flawed, comparing the numbers of one product to the numbers of two.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  42. MOD PARENT DOWN! OFFTOPIC by Anonymous Coward · · Score: 0

    Yeah but who gives a shit? Opera sucks monkey balls.

  43. Porting the beast by Boomshanka · · Score: 1

    Would porting IE to Linux be considered an infection?

    1. Re:Porting the beast by HermanAB · · Score: 1

      Hmm, I have IE on my Linux desktop, just for shits and giggles really, but it works on CxOffice.

      --
      Oh well, what the hell...
  44. Let's put it another way: by SolitaryMan · · Score: 1

    25 serious bugfixes for Mozilla, while only 13 (for the same period) for IE. So who does a better job finding and fixing bugs?

    --
    May Peace Prevail On Earth
  45. Of course he's going to say something like that by Jarlsberg · · Score: 1

    'Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'

    When an update for IE is available, it is automatically installed. When an update for Firefox is ready, I have to download the browser itself and install it on top of the existing one. (No, the auto-updates in Firefox don't work very well.)

    He may be right about the other points, though I doubt it, but it's far easier to update IE than Firefox.

    1. Re:Of course he's going to say something like that by geo_2677 · · Score: 1

      What!! You forgot to mention the mandatory reboots!!

    2. Re:Of course he's going to say something like that by Jarlsberg · · Score: 1

      Hehe. True, this is a big big flaw that needs to be rectified, especially since Windows doesn't re-open apps on reboot.

    3. Re:Of course he's going to say something like that by Anonymous Coward · · Score: 0
      When an update for IE is available, it is automatically installed.

      BZZZT ! Wrong, but thanks for playing.
      A large proportion of home users still use Windows 9x or ME, which doesn't have automatic updates.

    4. Re:Of course he's going to say something like that by Jarlsberg · · Score: 1

      Eh, so. They don't even get updates, because updates are only available for XP. So BZZT yourself.

  46. Wrong reaction by halleluja · · Score: 1
    It makes me suspicious when some org starts throwing mud and strides away from the issue.

    A more adult -- probably truthful also -- response to the number of vulnerabilities would be:

    We are working very hard to improve 'zilla and filter out the bugs.
  47. Depends on what you count as security by egarland · · Score: 3, Insightful

    Run IE and your machine will probably get infected with tons of spyware which will cripple your machine if you do a lot of web browsing.

    Run Mozilla and it probably won't.

    That's been my experience so far.

    Rating software's security as lower when they fix more bugs seems like it would motivate exactly the wrong behavior. Also, it's invalid on its face. If IE has 1000 security flaws and fixes 10 and Mozilla has 50 and fixes 15, IE isn't more secure, before or after. There is no scientific measure of security, but the bug fix count hardly seems worth looking at.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  48. What is Symantec's definition of critical flaws? by geo_2677 · · Score: 3, Interesting

    Which browser is more secure?
    Any vulnerability in IE turns out to be of the sort 'A remote attacker can gain complete control of the system'. Compare this to the flaws in Mozilla. How many bugs in Moz can take that credit?

  49. gotta love it by Anonymous Coward · · Score: 0

    IT security is in such a fucking sad state. Is this the best we can do? Patch, patch, patch?

    ...ability to react, find a solution and put it into the user's hands is better..

    What, it's some kind of tornado or hurricane that came through your software and made it buggy?? NO, you guys WROTE IT WITH BUGS! You put buggy software into our hands already!

    Instead of playing this ridiculous game of "write crap, patch it when we get free security audits, lather, rinse, repeat", can we try "write simple, secure software"?

    How about releasing something that isn't "extensible" and supports "plugins" and all this other junk? Some of us just want to render HTML and graphics and that's it. Is the choice really just Lynx and bloatware? How about running each component of your app in a chroot jail? How about we come up with some simple OS extensions to partition software better?

    I can't believe that this is the best we can do.

    1. Re:gotta love it by Anonymous Coward · · Score: 0

      How about releasing something that isn't "extensible" and supports "plugins" and all this other junk? Some of us just want to render HTML and graphics and that's it. Is the choice really just Lynx and bloatware? How about running each component of your app in a chroot jail? How about we come up with some simple OS extensions to partition software better?

      Write your own browser.

    2. Re:gotta love it by POds · · Score: 1

      When studying, software engineering was commonly compared to other engineering disciplines, such as civil, to show the contrasts.

      Software engineering faces many more problems. When a bridge or building is built, it is rarely attacked or vandalised. When it is, it falls. Just like software. The problem is, software is targeted much much more than any other engineering feat.

      --
      Giving IE users a taste of their own medicine since 2005 - http://pods.-is-a-geek.net/
  50. *ahem* by vena · · Score: 5, Interesting

    eEye's "upcoming advisories" page is worth a look if you're interested in just how severe microsoft's lapse in patching can be. note that this page only catalogues vulnerabilities that microsoft acknowledge and the time since such acknowledgment, not since exploit nor since they were notified.

    quoth eEye's product manager: "The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch."

  51. VENDOR DISCLOSED is the key by Xaria · · Score: 1

    So maybe Microsoft's not telling? :)

  52. Server statistics are telling by lightyear4 · · Score: 2, Informative
    Here are some usage statistics from my website.

    Browser/version: ---- Hits
    • MSIE
      MSIE 6.0 ---- 1699
      Total: 1699
    • FIREFOX
      Firefox 1.6 ---- 1
      Firefox 1.4 ---- 233
      Firefox 1.0.6 ---- 3218
      Firefox 1.0.4 ---- 1123
      Firefox 1.0.3 ---- 4
      Firefox 1.0.2 ---- 2437
      Firefox 1.0.1 ---- 130
      Firefox 1.0 ---- 31
      Firefox 0.10.1 ---- 4
      Total: 7181
    • NETSCAPE ----
      Netscape 4.04 ---- 1
    • OTHERS ----
      Unknown ---- 155
      Safari ---- 111
      Mozilla ---- 98
      Opera ---- 16
      Dillo ---- 12
    IE = 1699 hits,
    FF = 7181 hits

    ..out of 9273 total hits*. Hmm. Interesting.

    *data via awstats 6.4
    1. Re:Server statistics are telling by Crayon+Kid · · Score: 2, Informative

      Only one website's logs makes for lousy overall statistics. I have logs which show IE at 98%. So what?

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    2. Re:Server statistics are telling by Dehumanizer · · Score: 1

      What do you have, a horoscope site? :)

      --
      The Tlog - a technology blog
    3. Re:Server statistics are telling by Fussen · · Score: 1

      woOt go Netscape 4.04! 486SX 33Mhz Burning up that highway. Probably has one of those fancy Compact Laser drives too.

    4. Re:Server statistics are telling by Anonymous Coward · · Score: 0

      Nah, just a website to download "free" cursors! ;)

    5. Re:Server statistics are telling by cloudmaster · · Score: 2, Interesting

      And here are some stats from mine:

      1 12030 30.70% Googlebot/2.1
      2 3352 8.55% msnbot/1.0 (+http://search.msn.com/msnbot.htm)
      3 3124 7.97% MSIE 6.0
      4 3038 7.75% Yahoo! Slurp
      5 1494 3.81% Mozilla/5.0 (Windows)
      6 1351 3.45% psbot/0.1 (+http://www.picsearch.com/bot.html)
      7 1111 2.84% Wget/1.5.3
      8 733 1.87% Mozilla/5.0 (X11)
      9 678 1.73% MSIE 6.0 (SV1)
      10 395 1.01% ConveraCrawler/0.9d (+http://www.authoritativeweb.com/crawl)
      11 385 0.98% Googlebot-Image/1.0
      12 369 0.94% MSIE 6.0 (Windows NT 5.1)
      13 348 0.89% ConveraCrawler/0.9c (+http://www.authoritativeweb.com/crawl)
      14 335 0.85% Googlebot/2.1 (+http://www.google.com/bot.html)
      15 328 0.84% MSIE 6.0 (Windows 98)

      Out of 39187 hits last month (excluding the first 5 days when the log partition filled up; whoops). Lots more MSIE than Mozilla 'n friends - and more googlebot than anything. The most popular parts of that site are my *Linux* projects and some *Linux* documentation, BTW.

    6. Re:Server statistics are telling by jatyln · · Score: 1

      Interesting stats, would be more valid if you had included ALL the versions of IE accessing your site just like you included all versions of Firefox. I don't believe that there isn't anyone using a version lower than IE 6.0 accessing your site.

    7. Re:Server statistics are telling by lightyear4 · · Score: 1

      That surprised me too. its a very small and very new site though, so its not too surprising that a small segment is using IE. last month, i had 928 hits from IE users, including: 1 person using ie6.1, 905 using ie6.0, 3 using ie5.5, and 19 using ie5. (oddly enough i also got hits from pretty much every version of netscape ever published.) The month prior, ie stats were about the same, with about 1200 more hits overall with a similar distribution. i was amazed to find several people using lynx and galeon. I'm not in any particular IE or FF camp, just showing an interesting trend.

    8. Re:Server statistics are telling by Crayon+Kid · · Score: 1

      What do you have, a horoscope site? :)

      It's a corporate site, actually, for a company selling ERP software. I repeat, 98% IE usage. Worried yet?

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
  53. There are actually two issues here. by Z00L00K · · Score: 4, Insightful
    Mozilla is creating a product that is add-on to the operating system, and that with reasonable means can act with limited operating system rights. This means that it is possible to sandbox Mozilla better than it is possible to sandbox IE that is closely integrated with the OS.

    Another item is also the time it takes from a vulnerability to be publicized to the fix (or workaround). A moderate problem that isn't fixed for 6 months is more likely to be exploited than a high-security problem fixed within days.

    The real problem here is that even though both products generally are good products with some flaws (there will always be bugs, some more prominent than others) there may be need to address some of the security risks present today from a basic point of view. This may even mean sandboxing within sandboxes to control interaction between browser frames/iframes/embedding, like the effect of the following example (for Mozilla).

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <!DOCTYPE html PUBLIC
    "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <title>Main</title>
    <script language="JavaScript1.2" type="text/javascript">
    // Stretch the embedded frame to fill the whole window,
    // so the framed site looks like the page itself.
    function f1()
    {
    var element=document.getElementById("embedded");
    element.width=window.innerWidth-5;
    element.height=window.innerHeight-5;
    }
    </script>
    </head>
    <body style="border-style: none; margin: 0px;" onload="f1();">
    <iframe id="embedded" src="http://slashdot.org"></iframe>
    </body>
    </html>

    (Nothing ill-meant about slashdot here, just an example).

    My point is that this could as well have been your bank that was framed this way, and if there was a way for the bank to indicate the framing permissions and that browsers were able to catch this a lot would have been gained in security. (OK, I haven't considered every issue arisen by this, but I hope that you see my point.)

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
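    The framing permission the comment asks for exists today as the X-Frame-Options response header and the CSP frame-ancestors directive. What follows is an added example, not code from the comment, that models the browser-side check in simplified form (real CSP source matching also handles ports and paths, which are omitted here) and builds the headers a site such as the bank would send; all origins are constructed.

```javascript
// Added example: a simplified model of how a browser evaluates the CSP
// "frame-ancestors" directive, plus the headers a site sends to opt out of
// being framed. Not the comment's code; ports and paths are deliberately ignored.

// Turn "'self' https://*.bank.example" into ["self", "https://*.bank.example"].
function parseFrameAncestors(directiveValue) {
  return directiveValue
    .trim()
    .split(/\s+/)
    .filter(Boolean)
    .map((s) => s.replace(/^'(.*)'$/, "$1").toLowerCase());
}

// Does one source expression match the origin of a framing ancestor?
function sourceMatches(source, ancestorOrigin, documentOrigin) {
  if (source === "none") return false;
  if (source === "self") return ancestorOrigin === documentOrigin;
  if (source === "*") return true;
  // Host source: optional scheme, then a host that may start with "*.".
  const ancestor = new URL(ancestorOrigin);
  let scheme = null;
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) {
    scheme = m[1];
    host = m[2];
  }
  if (scheme && scheme !== ancestor.protocol.replace(":", "")) return false;
  if (host.startsWith("*.")) {
    // "*.bank.example" matches any subdomain but not bank.example itself.
    return ancestor.hostname.endsWith(host.slice(1));
  }
  return ancestor.hostname === host;
}

// Should documentOrigin be rendered inside frames whose ancestors have these
// origins? Every ancestor in the chain must be allowed by some source.
// An empty source list or 'none' refuses all framing; no ancestors means the
// document is the top-level page and is always rendered.
function framingAllowed(directiveValue, documentOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;
  const sources = parseFrameAncestors(directiveValue);
  if (sources.length === 0 || sources.includes("none")) return false;
  return ancestorOrigins.every((origin) =>
    sources.some((src) => sourceMatches(src, origin, documentOrigin))
  );
}

// Headers the framed site (the bank in the comment) would send. X-Frame-Options
// covers older browsers; frame-ancestors is the modern, more expressive form.
function antiFramingHeaders(policy) {
  if (policy === "deny") {
    return {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
    };
  }
  if (policy === "same-origin") {
    return {
      "Content-Security-Policy": "frame-ancestors 'self'",
      "X-Frame-Options": "SAMEORIGIN",
    };
  }
  throw new Error("unknown policy: " + policy);
}

// Constructed scenario from the comment: a third-party page frames the bank.
const BANK = "https://bank.example";
const FRAMER = "https://framing-site.example";
console.log("bank with 'none', framed by third party:",
  framingAllowed("'none'", BANK, [FRAMER]));                      // false
console.log("bank with 'self', framed by itself:",
  framingAllowed("'self'", BANK, [BANK]));                        // true
console.log("headers sent:", antiFramingHeaders("deny"));
```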
  54. unconfirmed numbers would also be misleading... by YesIAmAScript · · Score: 1

    Otherwise, anyone can skew the outcome.

    For example, I assert that Mozilla has 300 vulnerabilities. Mozilla hasn't confirmed them, but you count them. So now the numbers are skewed in IE's favor. Yes, this is a somewhat forced example, but it shows how you can't just go counting all accusations.

    I know there are problems with letting the fox guard the henhouse (in the case of Mozilla or IE), but really it is the writer(s)/manager(s) of the respective browsers who best know the code and behavior of the app, and before they confirm something you just don't have any real idea whether it is truly as the accuser says. Even if people can reproduce it, so you know it can happen, the people who made the app can best determine the scope of the problem, that is, what percentage of people are likely to be at risk.

    I find it odd that people say the good part of open source is that lots of eyes look at it and find the problems and presumably they get fixed (see hidden bugs in Mozilla database right now). Yet when problems are found (and usually fixed) in IE, it's seen as showing IE is junk. If going over something with a fine tooth comb helps you improve something, then both Firefox and IE are being improved right now.

    Anyway. I do know the hackers go after IE primarily. So it'll be tough for IE to come out as the more secure browser (that and it running ActiveX controls at the drop of a hat), but I am also not convinced the people at Mozilla really know all the ins and outs of security either.

    I'll also say that the level of vulnerability being found in IE now is pretty fine-grained. There are plenty of programs of the complexity of IE that have never reached this level of security such that we need to look this far into the cracks to find the problems. When I started using UNIX back in 1987, it had holes far larger than IE currently has in many many tasks, many of which ran as root (think of the original sendmail internet worm). So things are not as bad as people make it seem right now.

    Finally, having worked at a company that releases major software products that many many people use, I agree that if possible it is best to release patches on a schedule so that users have some time to keep up. If a user has to patch and reboot every couple days, it gets annoying. Eventually, they'll just stop patching due to the annoyance of it. Out of phase patches should only be used in emergencies.

    For the record, I use IE (I'm using it right now). But I recently changed the security settings so that only specially selected sites (of which I have none right now) can use ActiveX controls.

    --
    http://lkml.org/lkml/2005/8/20/95
  55. Business by polyp2000 · · Score: 2, Insightful

    Symantec's business os based upon the fact that software has security issues - they sell software to fill the holes. Perhaps the fact that so many people are switching from IE to Firefox is affecting their bottom line.

    --
    Electronic Music Made Using Linux http://soundcloud.com/polyp
  56. bugs found = safer product, not opposite. by catwh0re · · Score: 5, Insightful
    I don't really see the salt in arguments like Symantec's (and many previous arguments from different companies), simply because more faults being found in a product, whether severe or not, only indicates that there are people looking for faults.
    Companies such as Symantec are interested in blurring the line between 'faults found' and 'security'. An unfound and easily exploitable fault can make a product more prone to attack, i.e. more insecure. Which is opposite to found flaws that are fixed.

    So if a less skilled programmer is looking for faults, they are going to find less of them. So pretend we have two equally insecure products, by Symantec's paradigm one product would appear more secure than the other merely because less faults have been discovered. I'd trust a product created by many, rather than a product created by a recycled team.

    To combat the same paradigm which Symantec promotes (i.e more flaws found = bad, instead of good.) companies such as Microsoft bundle multiple updates together(such as monthly updates) such that numerous groups of security flaws can be perceived as a lesser quantity of issues(Or in MS's case "one critical update"). The reality though is that security is based entirely on your track record, and not by how many faults you've discovered in your code. So we all know what the track record for MS products are versus Firefox.

  57. awesome by DeathBert* · · Score: 1

    The only thing this report lets people know is that they need Symantec protection/products whether they use IE or Mozilla.

  58. Response time is irrelevant... by toadlife · · Score: 3, Informative

    ...when people don't bother to install the updates.

    Look at any website's detailed statistics and I guarantee you you would find a sizable portion of the Firefox visitors are not running the latest version of Firefox.

    Heck, I still get hits from "Firebird" on my site!

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    1. Re:Response time is irrelevant... by Dehumanizer · · Score: 1

      Firebird? I've just checked my statistics, and I have, for this month, 4 hits from "Phoenix"! :)

      Lots of Netscape 4.x versions, and Firefox 0.8, 0.9, 0.10 and others, as well.

      --
      The Tlog - a technology blog
    2. Re:Response time is irrelevant... by Sigma+7 · · Score: 1

      Lots of Netscape 4.x versions, and Firefox 0.8, 0.9, 0.10 and others, as well.


      I can explain Netscape 4.x - I've still seen them used at the local colleges because they were excellent browsers at the time (and could disable JavaScript) alongside image loading (allowing for pretty safe and fast browsing, provided you don't encounter the table rendering bugs that slow down Netscape.) Should the user desire, the images can be loaded on a click of a button (although scripts require going into options.)

      The only problem is that there is no newer version of "Netscape" available. The replacement Netscape 6 defeats the purpose of using Netscape in the first place (disabling image loading), as does FireFox. While there are extensions for FireFox that help fix these problems, these are extensions (and would be insane for any IT department to consider supporting - if one gets included, why can't another?)

  59. Keep in mind by Anonymous Coward · · Score: 1, Insightful

    ...Firefox runs on far more operating systems than IE.

  60. What people are missing: by ImaLamer · · Score: 2
    Mozilla browsers

    This entire article is about these "Mozilla browsers." But let's be real, the different "Mozilla browsers" that are out there are all patched on their own and modified and distributed on their own.

    Is it really fair to charge the problems of these different browsers to one application framework? Not that many aren't core problems - I'm sure most are. But we are comparing a group of products with one. The many products being developed by people, for free, around the world - the other product is developed by a major multinational corporation with millions at their disposal.

    That corporation has been trying to stop "Mozilla" for a long time too. It's just sad that we /can't/don't/ever will/ just assume that IE is the best and most secure. Shouldn't it be? If Microsofties are right then it should be the best piece of software available today. It's been worked on forever and has the support of the great Microsoft. Shouldn't it have one security flaw discovered a year?

    I mean, jeez, people aren't even able to look at the source.
  61. Re:Allegory by Anonymous Coward · · Score: 0

    Yeah... its 'friends' like Symantec, who Microsoft is pushing out of the industry with Microsoft AntiVirus, Microsoft AntiSpyware and Microsoft AntiCompetitor

  62. It's clear... by Anonymous Coward · · Score: 0

    It's clear that Mozilla ACCEPTED that FireFox has MORE security bugs than IE...

    You know what? Many people with unpatched systems are due to the fact that they don't have Windows Update activated at all, otherwise another story will be here.

    Anyway, I have my XP system patched and after reading this crap I'll stay FAR AWAY from Mozilla shit.

  63. A better measure of browser security by Eric+MB+Lard+MD · · Score: 2, Interesting
    A simple count of the number of vulnerabilities does not really tell the whole story.

    A better measure would be vulnerability days. The idea would be to sum up across all exploits the number of days between the vulnerability being discovered and a patch being available.

    This statistic could be refined by weighting each vulnerability according to its severity.

    Of course, for IE we probably won't get good info on just when the vulnerability was discovered.
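    The "vulnerability days" metric described above, as an added example that is not part of the comment: the score is computed over a constructed set of records, unpatched flaws keep accruing days up to a chosen "as of" date, and records with no known discovery date (the IE caveat in the last sentence) are counted but not scored. The severity weights are an assumption for the illustration.

```javascript
// Added example, not from the comment: "vulnerability days" summed across
// flaws, optionally weighted by severity. A record is
// { discovered: "YYYY-MM-DD" | null, patched: "YYYY-MM-DD" | null, severity }.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Assumed weights; the comment only says to weight by severity.
const DEFAULT_WEIGHTS = { low: 1, moderate: 2, high: 4, critical: 8 };

// Whole days from one ISO date to another, never negative.
function daysBetween(from, to) {
  return Math.max(0, Math.round((Date.parse(to) - Date.parse(from)) / MS_PER_DAY));
}

// Sum raw and severity-weighted vulnerability days for one product.
// Unpatched flaws count up to asOf; flaws with no discovery date are
// reported as "unscored" rather than silently dropped or guessed.
function vulnerabilityDays(records, asOf, weights = DEFAULT_WEIGHTS) {
  const result = { scored: 0, unscored: 0, unpatched: 0, rawDays: 0, weightedDays: 0 };
  for (const r of records) {
    if (!r.discovered) {
      result.unscored += 1;
      continue;
    }
    const w = weights[r.severity];
    if (w === undefined) throw new Error("unknown severity: " + r.severity);
    const end = r.patched ?? asOf;
    if (!r.patched) result.unpatched += 1;
    const days = daysBetween(r.discovered, end);
    result.scored += 1;
    result.rawDays += days;
    result.weightedDays += days * w;
  }
  return result;
}

// Constructed sample (not real advisories): product A has more flaws, all
// fixed within days; product B has fewer, but one lingered and one is open.
const SAMPLE = {
  productA: [
    { discovered: "2005-08-01", patched: "2005-08-05", severity: "critical" },
    { discovered: "2005-08-03", patched: "2005-08-06", severity: "moderate" },
    { discovered: "2005-08-10", patched: "2005-08-12", severity: "high" },
  ],
  productB: [
    { discovered: "2005-07-10", patched: "2005-09-10", severity: "moderate" },
    { discovered: "2005-09-01", patched: null, severity: "high" },
    { discovered: null, patched: "2005-08-20", severity: "low" },
  ],
};
const AS_OF = "2005-09-20";

// A simple count ranks A as worse (3 flaws vs 2 scorable); vulnerability
// days rank B as worse, which is the comment's point.
for (const [name, records] of Object.entries(SAMPLE)) {
  console.log(name, vulnerabilityDays(records, AS_OF));
}
```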

  64. Finding updates is a big issue. by adamh · · Score: 1
    Yes I find this a huge issue, apparently there's a patch for the IDN issue but is it easy to find? No. Does "check for updates" find it? - No. The security updates link is a tiny link hidden in the footer on the default Firefox page. (http://www.mozilla.org/products/firefox/central.html) Until Mozilla make it extremely easy for the user to update, or discover updates, then your average user is never going to update. Figures (admittedly a small sample) from a site I run, but they're a good indicator of your average home user.
    77.00% MSIE 6.0
    11.00% Firefox 1.0.4
    4.00% Firefox 1.0
    2.00% Mozilla 5.0
    2.00% Safari 1.2
    2.00% Firefox 1.0.6
  65. Not true.. by d_jedi · · Score: 1, Insightful

    Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'

    Mozilla's ability to "put it into the user's hands" is NOT better than Microsoft's. For IE, all you have to do is go to Windows Update, and select the patch.. and it will automagically do everything for you (even more automatic if you have automatic updates turned on). With Mozilla, you must download the latest version of the browser (which usually has more stuff than just the bug fix you're interested in), uninstall the old one, and install the new one from scratch (including specifying options like install directory and other preferences Mozilla *should* already know and use).

    Patches from Microsoft take more time (amongst other reasons) because they do more extensive regression testing than Mozilla.. how many times have I downloaded the latest FF only to find several things broken (especially extensions)?

    To be sure, Microsoft's response time leaves much to be desired (I'd personally rather receive a fix as soon as it's available, rather than waiting for a once-a-month patch, for one), but Mozilla's process leaves much to be desired as well.

    --
    I am the maverick of Slashdot
    1. Re:Not true.. by Anonymous Coward · · Score: 1, Insightful

      "Mozilla's ability to "put it into the user's hands" is NOT better than Microsoft's. For IE, all you have to do is go to Windows Update, and select the patch.. "

      That's funny, my firefox just asked me if I want to check for updates, and merrily went away and downloaded the newest version. (This is with default settings).

      Have you actually ever used it?

      "how many times have I downloaded the latest FF only to find several things broken (especially extensions)?"

      Assuming you aren't stupid enough to be downloading nightly builds and expecting them to be 100% OK. Blaming the vendor for third party extensions being behind the times is rather childish.

      I could say the same thing about Microsoft. That's why it is necessary to test Microsoft patches before deploying them. Obviously not someone who's ever attempted to keep SQL server updated...troll elsewhere.

    2. Re:Not true.. by Sigma+7 · · Score: 1
      For IE, all you have to do is go to Windows Update, and select the patch.. and it will automagically do everything for you (even more automatic if you have automatic updates turned on). With Mozilla, you must download the latest version of the browser (which usually has more stuff than just the bug fix you're interested in),


      Mozilla now has the ability to check for updates, and has had that for quite a while. The only updates it takes would be ones that fully pass regression tests and are good enough to be treated as an official release.

      As of this writing, Firefox 1.0.7 is available for download but isn't found in the auto-update for some users. This is not an issue unless you are being impacted by existing flaws.

      uninstall the old one, and install the new one from scratch (including specifying options like install directory and other preferences Mozilla *should* already know and use).


      I also have no problem installing Mozilla in the same directory as the previous installation - the worst case being that I need to reinstall all the plugins.

      Perhaps you are using some extremely old version? (e.g. Netscape 1.0)

      how many times have I downloaded the latest FF only to find several things broken (especially extensions)?


      Most of the extensions expire past the current version, to help ensure that the extensions are kept up to date as well. If it weren't for that, then the extensions would eventually become useless because of minor and gradual changes in the API (in addition to lack of use.)

      While there are plenty of issues with the Mozilla's development cycle, those issues are not one of them. A better example would be the fact that it still suffers from the auto-execute paradigm (where it reactionarily fixes security holes rather than preventing them from occurring in the first place.) Then again, IE suffers from the same problem.

    3. Re:Not true.. by OneFix+at+Work · · Score: 1

      Umh, you ever seen the little green/red/blue "upgrade" arrow in Firefox? It tells you when you should upgrade Firefox or your installed components...

    4. Re:Not true.. by LinuxPoultergist · · Score: 0

      This type of thinking is fundamentally flawed.

      It's the same type of thinking that produces the argument that we need big government.

      <sarcasm>Since Microsoft is obviously so big, and filled with so many professionals they obviously know how to handle security patches and upgrades better than a common user.</sarcasm>

      Sure users may not be able to do a good job of keeping their apps patched, but Microsoft doesn't do much better.

      Just look how many things Windows XP SP2 broke.

      I rest my case.

    5. Re:Not true.. by Anonymous Coward · · Score: 0

      Posted anonymously, because of unfair Slashdot moderation system (OMFG! He said something negative about Mozilla! Quick! Mod as troll, mod as troll! Code red!!).

      That's funny, my firefox just asked me if I want to check for updates, and merrily went away and downloaded the newest version. (This is with default settings).
      Point being? I even said that myself. The point is, when you're done downloading the patch for IE, you're *done*.. it automatically takes care of everything else. For FF, you've got to choose the install directory, set some preferences (if I didn't want an icon on my desktop BEFORE, why would I want one NOW??!).. and if you're lucky, everything will work as intended. I have not been so lucky.

      Have you actually ever used it?
      Using it now. But not using 1.07, because patching is too much of a pain in the ass.

      Assuming you aren't stupid enough to be downloading nightly builds and expecting them to be 100% OK
      And I would use prerelease software because.. why?

      Blaming the vendor for third party extensions being behind the times is rather childish.
      No, it's not. Unless the security patch specifically changed something that the extension relied on, then I would expect that the security patch would have no impact on my ability to use the extension.. this has NOT been the case.

      I could say the same thing about Microsoft. That's why it is necessary to test Microsoft patches before deploying them. Obviously not someone who's ever attempted to keep SQL server updated...troll elsewhere.
      Apples to apples, please. Security updates to IE that break functionality are, in my experience, the exception and not the rule.. not so with Firefox.

    6. Re:Not true.. by Anonymous Coward · · Score: 0

      Posted anonymously, because of unfair Slashdot moderation system (OMFG! He said something negative about Mozilla! Quick! Mod as troll, mod as troll! Code red!!).

      Mozilla now has the ability to check for updates, and has had that for quite a while. The only updates it takes would be ones that fully pass regression tests and are good enough to be treated as an official release.

      As of this writing, Firefox 1.0.7 is available for download but isn't found in the auto-update for some users. This is not an issue unless you are being impacted by existing flaws.

      The regression tests obviously aren't complete.. because with each upgrade (0.91->1.0PR->1.0->1.01->1.04) I've done, things have broken (particularly extensions).. this was excusable when FF was in beta, but not now. The upgrade from 1.0->1.01 went so poorly on one machine I use (even the people at mozillazine.org said there were issues in the process) that I decided to start ignoring the new security patches (this from a guy who dutifully updates Windows whenever MS releases a patch). Only reason I upgraded to 1.04 was because I was forced to - they *blocked access* to the extensions site for people running older versions of the browser.. and that upgrade did not go smoothly either (although better than the 1.0->1.01 one).

      I also have no problem installing Mozilla in the same directory as the previous installation - the worst case being that I need to reinstall all the plugins.
      I would consider that a serious problem.

      Most of the extensions expire past the current version, to help ensure that the extensions are kept up to date as well. If it weren't for that, then the extensions would eventually become useless because of minor and gradual changes in the API (in addition to lack of use.)
      That's all well and good from a certain point of view (actually, though, from a software engineering point of view, point releases like that should *not* be changing the API unless of a security vulnerability caused by the API). But from a user's point of view, all I see is that s**t that worked before doesn't work after patching.. and there's no way to tell what stuff will work after the upgrade, and what will not. Even if they just popped up a warning message "the following plugins/extensions/themes installed are not compatible with the new version. Do you wish to continue with the upgrade?" it would be a huge improvement.

    7. Re:Not true.. by Anonymous Coward · · Score: 0

      Posted anonymously, because of unfair Slashdot moderation system (OMFG! He said something negative about Mozilla! Quick! Mod as troll, mod as troll! Code red!!).

      Umh, you ever seen the little green/red/blue "upgrade" arrow in Firefox? It tells you when you should upgrade Firefox or your installed components...
      Umh.. yes?

      As I said:
      With Mozilla, you must download the latest version of the browser (which usually has more stuff than just the bug fix you're interested in), uninstall the old one, and install the new one from scratch (including specifying options like install directory and other preferences Mozilla *should* already know and use).

      The problem is not with the upgrade icon.. it's with what happens after you click it. You don't download a patch, you download an entirely new version of the browser (all I want are the frickin' security updates!). And you're not done - you've got to choose an install directory, some other options (why would I want to put an icon on the desktop NOW, if I didn't BEFORE??! WHY ASK ME AGAIN??!) and then hopefully everything will work. With IE, once you click the button to download the patch, you're DONE.

    8. Re:Not true.. by d_jedi · · Score: 1

      Posted anonymously, because of unfair Slashdot moderation system (OMFG! He said something negative about Mozilla! Quick! Mod as troll, mod as troll! Code red!!).

      Since Microsoft is obviously so big, and filled with so many professionals they obviously know how to handle security patches and upgrades better than a common user.
      That wasn't my argument in the least. All I'm saying is that patching FF is more time consuming and difficult than patching IE.. and it does not need to be that way.

      I use Firefox, and for the most part I like it (adblock - which is something MS is likely to NEVER implement.. just look at how much they resisted popup blocking! - and a few other extensions are really the "killer app" for it..). It is not perfect, however.. and although, on the whole, I consider it a better browser than IE (that's why I'm using it) there is still a lot of room for improvement.

      --
      I am the maverick of Slashdot
  66. Vendor Confirmed by HaydnH · · Score: 1

    From yesterday's article re: IE more secure blah blah

    "There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

    Secunia: Errr MS, you have another security flaw in IE.
    MS Employee: Really? OK, let me test the problem and get back to you with confirmation.
    MS Employee to boss: We have another security flaw in IE.
    MS Boss: Can we fix it??
    MS Employee: It'll take a *insert long period here*
    MS Boss to Secunia: Are you sure there's a flaw? We can't find a problem.

    Haydn.

    --
    Time is an illusion. Lunchtime doubly so. - Douglas Adams
  67. Mozilla security by cocrane · · Score: 0

    I've read that article yesterday (MEZ) and was shocked. IE more secure than firefox (which i use myself) or mozilla? NO WAY. If you look closely, the funding of that survey came out of a certain company in redmond.

  68. Firefox 1.0.7 by undauntedspirit · · Score: 3, Interesting

    Speaking of security, looks like Firefox 1.0.7 was just released sometime last night on Mozilla's web site.

  69. Isn't that a good thing ? by da.phreak · · Score: 1

    If security problems are found faster, they can be fixed faster. We should get suspicious if no security problems are found any more. Then someone maybe tries to hide them, doesn't care, or development on the software just has stopped (the latter case would be obvious though).

    So maybe we could use the time after a release until a security problem is found, and the number of security problems found as an indicator how good the security of the software is: The faster problems are found and the more problems are found the better the security. This might sound counter-intuitive, but not if you think about it. It shows that the _process_ of security is doing well.

    1. Re:Isn't that a good thing ? by da.phreak · · Score: 1

      What a sophisticated answer. I did not say it's the ultimate truth. Keep it easy. I'm not sure if you understood what I tried to say.

      I don't have numbers, so I can't say how many security holes are found in IE compared to other browsers (take into account that IE is much longer there than for example Firefox).

      On the other hand, ask Diebold how many security problems there are in their voting machines: None. We know there are severe problems, yet they claim there are none. Do you still trust software which doesn't have security problems ? Maybe I didn't express it clear enough: Those indicators don't show how good the security itself is, but how good the process of improving security works. In the end, a software which gets faster and better improved will be more secure.

  70. Non Commercial Licences for 'Freeware' by ydrol · · Score: 2, Informative
    I did the usual Microsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.

    I'm assuming you are using the 'free' versions of this software, otherwise ignore the rest of this message!

    Bearing in mind you are a non-commercial organization - and a worthy one - I would double check the licenses for these as far as educational and non-commercial organizational use is concerned. And perhaps a complimentary email to vendors for clarification where necessary?

    SpywareBlaster looks OK for teachers.

    Spybot I would confirm with author. They seem 'edu' friendly, from their tone.

    AVG License is perhaps slightly ambiguous in this case. Schools are non-commercial but they are 'Organizations'.

    Ad-Aware not free for educational use.

    You may have omitted your firewall of choice but most of them have similar organizational clauses. I think Outpost Free may be OK.

  71. Re:fp by Kickersny.com · · Score: 1, Informative

    You're aware that they freed it earlier in the week, right? http://opera.com/free/

  72. And when our product crashes... by mi · · Score: 1
    It reboots much quicker.

    Sounds familiar...

    Not to say, Mozilla is wrong, but the point they are bringing up would've been better left "understated".

    --
    In Soviet Washington the swamp drains you.
  73. MOD PARENT DOWN: MISINFORMATIVE NOT INSIGHT by Anonymous Coward · · Score: 1, Interesting
    He's spreading FUD. As other responders have pointed out, there are simply NO security-related bugs older than a couple of weeks in the Mozilla bug database.

    Why such tripe is modded insightful is beyond me. Inciteful, maybe, but certainly not insightful.

  74. Sex sells. by Anonymous Coward · · Score: 0

    We all know that sex sells.

    So try to look at this site www.thelovesearch.com using Microsoft Internet Explorer. It will try to convince you to use Firefox using sex appeal.

    If we could convince all porn sites to only support Firefox the battle would be won in a few weeks.

    Or am I dreaming now??

  75. Wrong by Tharald · · Score: 2, Informative

    This is actually not right at all. Exactly at the time of the Symantec report, FF had ONE exploit that was more critical than IE. In general they have less severe exploits, and A LOT fewer unpatched exploits. Check out the following links: Secunia IE vulnerabilities Secunia FF vulnerabilities As you can see, FF has 3 unpatched vulnerabilities, while IE has 19, the highest rated of these being more severe than FF's. I would say it is quite clear that FF has fewer unpatched vulnerabilities.

  76. Cold Fact by salesgeek · · Score: 2, Insightful

    Let's set aside the "vendor acknowledged vulnerabilities" and discuss the one cold fact that matters: we don't really know what's secure or not in IE because we cannot check the source code. That allows an exploit to exist that not even Symantec knows about.

    --
    -- $G
  77. obvious what Symantec's motivation is by ajs318 · · Score: 1

    It's not hard to see where Symantec's motivation is coming from. But in any discussion of computer topics, the mere fact of there being computers involved seems to make people say stupid things. So let's look at a simple non-computer-based analogy.

    Bloggs Builders Ltd. build new houses with wooden window frames and doors and cheap, easily-picked rim locks. Fred Bloggs, the owner of Bloggs Builders, also happens to have a not insubstantial stake in Bettavue PVCu Ltd., manufacturers of a range of high-security PVCu replacement windows and doors.

    Jones Family Homes Ltd. build new houses with PVCu windows and doors with multipoint locking as standard from day one.

    When Bettavue produce a long list of statistics, comparing the relative security of Bloggs' and Jones' houses, who do you think they are going to favour?

    --
    Je fume. Tu fumes. Nous fûmes!
  78. However, one thing for everyone to remember... by Pichu0102 · · Score: 0

    ...Is that the average person uses Internet Explorer. The reason why there aren't as many holes in IE discovered could also be that some of the average users send in many more bug reports to Microsoft. When a userbase such as IE's is so huge, there is a great possibility that when an exploit is discovered, a large amount of users will come across the flaw, and at least one person will send in a report. But with Mozilla's Firefox, there is a lower userbase, which also means there's a chance only a few people will come across a flaw, but not report it. And on another note, I noticed any site can install themes to Firefox. Personally, I think it's a disaster waiting to happen there.

  79. "It just works" by porkThreeWays · · Score: 1

    All these predictions about firefox and open source about security blah blah blah blah blah blah...

    All the reports and studies and bickering don't matter much to me because firefox JUST WORKS.

    When I start getting so much spyware and pop ups via firefox that my system is almost unbootable, I'll look for an alternative. For now, I have a browser that works reliably out of the box.

    People make a million arguments that it's only seemingly safer because it's less popular. Well fine, until the day comes that it's so popular your predictions come true, I'm going to keep using it. And if your predictions do come true, people will either find another alternative, or force firefox to clean up its act. Until that day...

    Who am I going to trust, a browser that has proven itself historically to be a secure browser, or one that tells me it is a secure browser?

    --
    If an officer ever threatens to taze you, say you have a pacemaker.
  80. Something to remember. by CAIMLAS · · Score: 1

    Something to remember about the original report: Symantec has a vested interest in seeing Mozilla/Firefox fail.

    Why? Because their line of products depends on Windows getting exploited and compromised. Firefox reduces the number of vectors through which that can (easily) happen.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  81. Semantics by TheSkepticalOptimist · · Score: 1

    I mean, fine, Mozilla may be able to quickly patch a severe security hole, but the fact remains that the severe security hole exists, AND as we have found among MS users, a patch does not necessarily make the platform secure, especially with the general apathy users have towards PC security and applying patches.

    This is splitting hairs. Mozilla is on the defence and trying to defuse this bomb before it gets out of hand, by saying "Yeah, we have greater security flaws, but we can fix them faster". Don't cry about it, simply admit that you're going through growing pains and will work hard to fix these issues as quickly as possible and prevent them in the future. Admit to your mistakes.

    I don't believe that FireFox is less of a product than IE. Remember that IE has had a LONG history of security flaws; by now MS should have made IE bullet-proof, instead you still get a number of big security holes in IE, even if it is less than FireFox. The bottom line is, given the same amount of time for FireFox to mature, FireFox will be bullet-proof while IE still has major security issues 5 years from now.

    --
    I haven't thought of anything clever to put here, but then again most of you haven't either.
  82. Hmm by Anonymous Coward · · Score: 0

    If saying that you patch faster is the only thing you have going for you then you have a problem. This may be the case for a while, but Microsoft is making improvements here. It's not one of those excuses that makes you any better, just better than the next person, perception...

  83. Why should I care? by Unhappy+Windows+User · · Score: 1

    I'm using Opera anyway ;)

  84. Coercive? by colinrichardday · · Score: 1

    What is a coercive argument? Is it when Don Corleone claims to have a syllogism that you can't refute?

  85. Reporting... by OneFix+at+Work · · Score: 1

    I think it's been mentioned before, but it bears repeating...

    Mozilla's reporting system is completely open to the public...nothing is really kept "under wraps" when it comes to reported bugs...

    Microsoft's reporting system is closed...they sit on exploits that are not "in the wild"...

    From Microsoft's own mouth...

    In early July 2005, the project discovered its first exploit for a vulnerability that had not been publicly disclosed, the researchers said in the paper. The attack used the JView profiler vulnerability that Microsoft announced later in July.

    ...Translation...M$ sits on exploits until they know they are in the wild...this we have pretty much expected, but this time we hear it from the horse's mouth so to speak...

  86. READ CAREFULLY. It says FIREFOX HAS FEWER BUGS by dwheeler · · Score: 3, Insightful
    The headline from the original article should win the "War is Peace" award for misleading the reader.

    Symantec's report counts up only the vulnerabilities acknowledged by the vendor. If you don't want to have a vulnerability included in their study, just don't acknowledge it. If you go to Secunia and add in all the unacknowledged vulnerabilities (but that are still known to the public), you find out that Internet Explorer has had more vulnerabilities in the same amount of time than Firefox. My thanks to Bruce Perens for pointing that out.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  87. Yeah, yeah...join the rat-race loser by ShoobieRat · · Score: 1

    "Mozilla's ability to react, find a solution and put it into the user's hands is better than Microsoft."

    This from the folks who wanted us all to "run to FireFox" because it was safer than IE. Well guess what, it doesn't matter how fast you fix 'em. If you have a vulnerability, you are at risk. Whether it takes a week or three months, yer still vulnerable and attacks are still happening.

    Join the rat-race, FireFox.

  88. Sometimes having a bias is a good thing. by Richard+Steiner · · Score: 1

    It's called "learning from experience". :-)

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  89. You kids are so naive... by Anonymous Coward · · Score: 0

    Troll through ZD's (and other cnet) pages and see who's buying their ads. Microsoft, Symantec, Vonage... see any Mozilla ads anywhere?

    Follow the money. There is no longer any such thing as "journalistic integrity," if there ever was such a thing.

  90. Symantec by TampaDeveloper · · Score: 2, Interesting

    Symantec, as a corporate whole, did what all people who can't write software do. They switched over to making reports. Since nobody ever crashed from reading a defective report, this allows them to hide their incompetence.

    Honestly, I'd rather just take Ballmer's word for it rather than relying on Symantec, much like I'd rather have a virus than let Norton do what it does to PCs it's installed on.

  91. communism vs libertarianism by willCode4Beer.com · · Score: 1

    MS is like communism, if there is a problem, we suppress it, and the central planner will let you know when an update is released.
    Mozilla is like libertarianism. There's a problem, YOU are free to fix it. Someone else may fix it and share their solution.

    Unfortunately, your comment is very true, and becoming more so with the current political environment.
    I'm all for closed software, but I think it should be on open footing with open source. Full disclosure provides the only long term protection.

    --
    ----- If communism is a system where the government owns business, what do you call a system where business owns govern
  92. My practical experience by cmosses · · Score: 1

    ... is that after I switched to Firefox, Ad-aware started finding a lot less malware when I scanned the system, compared to when I was running IE. It seems to me that all the security holes that are found and reported seldom have any impact on my system at all.

    1. Re:My practical experience by ShoobieRat · · Score: 1

      Your results don't really mean anything, though. No one knows your traffic history. I run IE and the SP2 firewall...I get 2 malware hits from Ad-Aware a week.

  93. I don't get it. by Anonymous Coward · · Score: 1, Interesting

    What site do you guys go to get infected by just browsing? I've used Netscape 0.97 to the latest browsers and in all my years of using a web browser, I have never had a virus infection. Now I have used KAZAA, BitTorrent and the files you download are often infected with malware. So my guess is if you ever did manage to get infected by simply browsing it's probably your fault and no matter what browser you were using you would have gotten infected anyway by going to www.hackmydumbass.com.

  94. Next, Firefox *is* IE by Anonymous Coward · · Score: 0

    So first it was "Firefox is secure", then "Firefox is more secure than IE", and now finally "Firefox patches come out faster than IE". Nice slippery slope the Mozilla fanboys have going there.

    I don't really care who wins the browser wars but the events of recent months have only gone to show that it is market share, not software engineering, that is the deciding factor in browser vulnerability.

  95. Mozilla programmers == M$ PR by Anonymous Coward · · Score: 0

    If it is so swift at responding to security, then why did it take 7 years to notice and fix a critical vulnerability? Furthermore, if the developers care so much about security, then why does the organization allow certain people in the bug group to censor security flaws within Mozilla's projects, thus making users vulnerable to browser bugs for YEARS? Is it one of those M$ schemes designed to destroy the hard-earned reputation of the browser?

    It is one thing to have old bugs, but it is another matter when Mozilla developers are being hypocritical when they allow such moronic security practice to take place. Long live IE!!!

  96. firefox isn't worth hacking? by geekee · · Score: 1

    "The facts Symantec have stated are true, but they've used them to try to convince the reader that switching to Firefox isn't going to help obviate the need for Norton Antivirus/Internet Security/AntiSpyware, and *that's* the lie."

    I guess you're trying to say that Symantec hasn't provided any data that shows anybody cares enough about firefox to exploit the security holes in the code. This is the only logical conclusion I can reach based on your comments anyway. Data clearly shows that firefox has exploits. You say there is no need for countermeasures. Therefore, no one cares enough about firefox to exploit its bugs.

    --
    Vote for Pedro
  97. Here is a thought. by StealthEMD · · Score: 1

    FireFox is more secure because it is more restricted. By this I mean that I have set up FireFox to prompt me on every cookie that a website tries to set, and I have used this to deny Mediaclick and adserve. I also use extensions like adblock and a few others to tell me where I am and to block Ads that I do not want to see. With Internet Poopyplorer I have to spend more money than it is worth to secure it to the same level that the Default install for win FireFox is without being sued. So I feel that Symantec is just working on FUD because Spybot and AdAware Personal are phasing it out. Heck the only thing I would even think about using is System Works and maybe a new version of Ghost... But 5.1c still works better than 2005

    --
    IT Specialist - Nottawaseppi Huron Band of Potawatomi Indians