Mozilla Hits Back at Browser Security Claim

UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"

24 of 295 comments

  1. Original Symantec Article by NoInfo · Score: 5, Informative
    The download for Symantec's actual report is here (registration required):
    https://ses.symantec.com/Content/displaypdf.cfm?SSL=YES&PDFID=2124

    But to save you some trouble, here are the excerpts about Mozilla:

    Mozilla browsers have the most vulnerabilities

    During the first half of 2005, 25 vendor confirmed vulnerabilities were disclosed for the Mozilla browsers,
    the most of any browser. 18 of these were classified as high severity. During the same period, 13 vendor
    confirmed vulnerabilities were disclosed for Microsoft Internet Explorer, eight of which were high severity.

    The Web browser is a critical and ubiquitous application that has become a frequent target for
    vulnerability researchers. In the past, the focus of security has been on the perimeter: servers, firewalls,
    and other systems with external exposure. However, a notable shift has occurred, with client-side
    systems--primarily end-user systems--becoming increasingly prominent targets of malicious activity.
    More and more, Web browser vulnerabilities are becoming a preferred entry point into systems.
    During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all
    browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32
    in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this
    period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities
    in the second half of 2004 and one in the first half of 2004.

    During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were
    disclosed. This is a decrease from the 31 documented in the second half of 2004. During the first half of
    2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.
    The average severity rating of the vulnerabilities associated with Internet Explorer during the first six
    months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current
    period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered
    high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the
    seven, or 57%, were rated high severity.
    [...]

    The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month
    periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than
    other vendors. This could be because the Mozilla browsers are open source and may be more responsive
    to reports of new vulnerabilities and subsequently developing and delivering associated patches. For
    instance, except in certain instances, Microsoft releases fixes on a relatively fixed schedule rather than
    as needed, potentially increasing their acknowledgement time.

  2. Re:mozilla vs M$ or by Raistlin77 · Score: 2, Informative

    Had you read the fucking article instead of trying to get first-somewhat-sensible post, you would have seen Mozilla admitted that they do try to keep vulnerabilities quiet until a patch can be found.

  3. Misleading numbers by GXFragger · Score: 5, Informative

    Symantec's report is also slanted because it uses vendor confirmed vulnerabilities rather than both confirmed and unconfirmed ones. This leads to misleading headlines and hurts Mozilla's reputation. I am surprised that Mozilla didn't say anything about that.

  4. Re:Allegory by Raistlin77 · Score: 4, Informative

    Microsoft (the bully) is scared of Mozilla (the other weak little kids). If Microsoft was not scared of Mozilla, it would not bother trying to tarnish Mozilla's image by using its bully friends (Symantec).

  5. 1.0.7 is out by nonpareility · Score: 3, Informative

    Firefox 1.0.7 Released, and the bug is fixed.

  6. Symantec has no credibility on software issues by grnchile · Score: 5, Informative

    Symantec is the (proud?) publisher of the absolutely worst piece of software that I've ever used: WinFAX Pro 10.2. Not only did every major mode fail to work in some way, but it disabled my phone system for days after it was installed on a machine on my network. This software was so flawed that it convinced me to abandon the Windows platform altogether.

    Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.

    Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.

  7. Re:Open source wins again by CTho9305 · Score: 4, Informative

    http://bcheck.scanit.be/bcheck/page.php?name=STATS 2004
    In 2004, there was only ONE WEEK during which there were no known remote code execution exploits for fully-patched MSIE. There were 30 days for Firefox if you don't count Mac OS (which would be fair if we're only interested in browsers for Windows users).
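    The "days with no known unpatched exploit" figure the scanit study reports can be reproduced for any browser once disclosure and patch dates are known. The following is an added example (not from the thread or from the bcheck study): it merges overlapping exposure windows and counts exposed versus fully-patched days for a calendar year; the windows are constructed sample data, not real advisories.

```python
"""Days-at-risk metric: how many days of a year had at least one publicly
known, still-unpatched vulnerability.  Added example, not from the thread
or the scanit bcheck study; the windows below are constructed sample data."""
from datetime import date

# Constructed sample windows: (disclosure date, patch date).  A patch date
# of None means no fix has shipped, so the window stays open to year end.
SAMPLE_WINDOWS = [
    (date(2004, 1, 5), date(2004, 2, 10)),
    (date(2004, 2, 3), date(2004, 4, 13)),    # overlaps the first window
    (date(2004, 4, 13), date(2004, 7, 30)),   # starts the day the previous fix ships
    (date(2004, 8, 6), date(2004, 10, 12)),
    (date(2004, 11, 1), None),                # still unpatched at year end
]

def days_at_risk(windows, year):
    """Return (days_exposed, days_safe) for the calendar year.

    A day is exposed if any window covers it: disclosure day inclusive,
    patch day exclusive (the fix is taken as available that day).
    Overlapping windows are merged so no day is counted twice.
    """
    start, end = date(year, 1, 1), date(year + 1, 1, 1)
    clipped = []
    for disclosed, patched in windows:
        lo, hi = max(disclosed, start), min(patched or end, end)
        if lo < hi:                      # drop windows outside this year
            clipped.append((lo, hi))
    exposed = 0
    run_lo = run_hi = None
    for lo, hi in sorted(clipped):
        if run_hi is None or lo > run_hi:    # gap: close the current run
            if run_hi is not None:
                exposed += (run_hi - run_lo).days
            run_lo, run_hi = lo, hi
        else:                                # overlap or adjacency: extend
            run_hi = max(run_hi, hi)
    if run_hi is not None:
        exposed += (run_hi - run_lo).days
    total = (end - start).days
    return exposed, total - exposed

if __name__ == "__main__":
    exposed, safe = days_at_risk(SAMPLE_WINDOWS, 2004)
    print(f"2004: {exposed} days exposed, {safe} days with nothing unpatched")
```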

  8. Re:Symantec forgot one critical detail... by aussie_a · Score: 2, Informative

    Are you deliberately spreading FUD? Firefox 1.0.7 is right here. (if you were going for funny, I don't see the joke)

    They've been building 1.5 (Deer Park) for at least one or two months. I'm assuming they finished working on 1.0.7 before they began work on 1.5, so 1.7 isn't exactly new.

  9. Re:the comparison is simple by CTho9305 · Score: 2, Informative

    http://bcheck.scanit.be/bcheck/page.php?name=STATS 2004
    Your questions are addressed on pages 3 and 4.

  10. Re:Mozilla is a disaster waiting to happen by CTho9305 · Score: 3, Informative

    Ummm... are you aware of what exactly was changed for Firefox 1.0.3 that broke extensions? Someone did find ways to do basically what you were saying, and it was all addressed. Big architectural changes were made to address the problem, making Mozilla significantly more secure.

  11. Re:maybe IE has more by n0-0p · Score: 2, Informative

    If you're trying to balance things evenly you also have to consider that IE 6 has undergone no significant development in the last four years. The only changes have been bugfixes and minor security adjustments, so arguably it should be extremely stable. Yet we've still seen a number of severe vulnerabilities over the last year in what should be a very mature (by software standards) product.

  12. Re:Symantec isint biased! by fymidos · Score: 3, Informative

    Everybody who has used Internet Explorer knows that it is not secure. They don't have to tell them that. They are talking to the people who (rightfully) think they are more secure with Firefox, and they are trying to pass between the lines that you still need protection, no matter what browser you use, and anyway, changing the browser will not make you safe.
    (but a good antivirus/antispam/antiinternet/antiusingyourcompute will)

    --
    Washington bullets will simply be known as the "Bulle
  13. Re:Symantec isint biased! by aweraw · Score: 4, Informative

    Well, with the slow-assed patching cycle that IE has, you have more need for Symantec products to 'protect' you in the interim.

    While Firefox may have more exploits popping up these days, fixes for it are issued in a much more timely manner than for IE.

    --
    5468652047616D65
  14. Re:Mozilla is a disaster waiting to happen by theodicey · Score: 2, Informative

    This is FUD. As of Firefox 1.0.3, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overridden by content. In addition, they've encapsulated chrome code even further in Firefox 1.5. Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc.

  15. Re:Mozilla is a disaster waiting to happen by theodicey · Score: 5, Informative
    This is FUD.

    As of Firefox 1.0.3, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overridden by content.

    In addition, they've encapsulated chrome code even further in Firefox 1.5.

    Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc., all of which are present in Konqueror, Safari, and Opera, all of which have received far less security scrutiny.

  16. Re:Responsiveness is irrelevant by Kingofearth · Score: 3, Informative

    Well, it's a good thing Firefox 1.5 will fix that with its auto-updating binary diff patches. It automatically downloads the update and installs it the next time you start Firefox.

  17. Server statistics are telling by lightyear4 · Score: 2, Informative
    Here are some usage statistics from my website.

    Browser/version ---- Hits
    • MSIE
      MSIE 6.0 ---- 1699
      Total: 1699
    • FIREFOX
      Firefox 1.6 ---- 1
      Firefox 1.4 ---- 233
      Firefox 1.0.6 ---- 3218
      Firefox 1.0.4 ---- 1123
      Firefox 1.0.3 ---- 4
      Firefox 1.0.2 ---- 2437
      Firefox 1.0.1 ---- 130
      Firefox 1.0 ---- 31
      Firefox 0.10.1 ---- 4
      Total: 7181
    • NETSCAPE
      Netscape 4.04 ---- 1
    • OTHERS
      Unknown ---- 155
      Safari ---- 111
      Mozilla ---- 98
      Opera ---- 16
      Dillo ---- 12

    IE = 1699 hits,
    FF = 7181 hits

    ..out of 9273 total hits*. Hmm. Interesting.

    *data via awstats 6.4
    1. Re:Server statistics are telling by Crayon+Kid · Score: 2, Informative

      Only one website's logs makes for lousy overall statistics. I have logs which show IE at 98%. So what?

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
  18. Response time is irrelevant... by toadlife · Score: 3, Informative

    ...when people don't bother to install the updates.

    Look at any website's detailed statistics and I guarantee you you would find a sizable portion of the Firefox visitors are not running the latest version of Firefox.

    Heck, I still get hits from "Firebird" on my site!

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
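    A site owner can measure the patch lag toadlife describes directly from access logs rather than from a package's headline numbers. Added example, not from the thread: it pulls the Firefox version out of each User-Agent in constructed Apache combined-format log lines and reports the share of Firefox hits from versions older than 1.0.7, the release the thread treats as current.

```python
"""Patch-uptake check from web server logs: what share of Firefox visitors
run a version older than the current release?  Added example, not from the
thread; the log lines are constructed samples in Apache combined format and
1.0.7 is the release the thread treats as current."""
import re
from collections import Counter

CURRENT_FIREFOX = (1, 0, 7)

# Constructed sample log lines (Apache combined format, User-Agent is the last quoted field).
SAMPLE_LOG = """\
10.0.0.1 - - [26/Sep/2005:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
10.0.0.2 - - [26/Sep/2005:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
10.0.0.3 - - [26/Sep/2005:10:02:41 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050226 Firefox/1.0.1"
10.0.0.4 - - [26/Sep/2005:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [26/Sep/2005:10:03:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"
10.0.0.2 - - [26/Sep/2005:10:04:30 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')            # last quoted field = User-Agent
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")

def parse_version(text):
    """'1.0.6' -> (1, 0, 6); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))

def firefox_versions(log_text):
    """Count hits per Firefox version; non-Firefox agents are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        ua = UA_RE.search(line)
        if not ua:
            continue
        match = FIREFOX_RE.search(ua.group(1))
        if match:
            counts[parse_version(match.group(1))] += 1
    return counts

def outdated_share(counts, current=CURRENT_FIREFOX):
    """Fraction of Firefox hits from versions older than `current`.
    Pre-release builds newer than `current` are treated as up to date."""
    total = sum(counts.values())
    stale = sum(n for version, n in counts.items() if version < current)
    return stale / total if total else 0.0

if __name__ == "__main__":
    counts = firefox_versions(SAMPLE_LOG)
    print(f"{outdated_share(counts):.0%} of Firefox hits are behind {CURRENT_FIREFOX}")
```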
  19. Re:first post by ArsenneLupin · Score: 3, Informative
    Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

    Care to back up that claim with specifics URL to the relevant bug reports? I checked their database, and couldn't find any bugs that qualified. The great majority of bugs are either minor and non-security related, or less than a month old.

  20. Non Commercial Licences for 'Freeware' by ydrol · Score: 2, Informative
    I did the usual Microsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.

    I'm assuming you are using the 'free' versions of this software, otherwise ignore the rest of this message!

    Bearing in mind you are a non-commercial organization - and a worthy one - I would double check the licenses for these as far as educational and non-commercial organizational use is concerned. And perhaps a complimentary email to vendors for clarification where necessary?

    SpywareBlaster looks OK for teachers.

    Spybot I would confirm with author. They seem 'edu' friendly, from their tone.

    AVG License is perhaps slightly ambiguous in this case. Schools are non-commercial but they are 'Organizations'.

    Ad-Aware not free for educational use.

    You may have omitted your firewall of choice but most of them have similar organizational clauses. I think Outpost Free may be OK.

  21. Re:fp by Kickersny.com · Score: 1, Informative

    You're aware that they freed it earlier in the week, right? http://opera.com/free/

  22. Wrong by Tharald · Score: 2, Informative

    This is actually not right at all. Exactly at the time of the Symantec report, FF had ONE exploit that was more critical than IE. In general they have less severe exploits, and A LOT fewer unpatched exploits. Check out the following links: Secunia IE vulnerabilities, Secunia FF vulnerabilities. As you can see, FF has 3 unpatched vulnerabilities, while IE has 19, the highest rated of these being more severe than FF's. I would say it is quite clear that FF has fewer unpatched vulnerabilities.

  23. Re:first post by Phisbut · Score: 2, Informative
    You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

    Ok, let's see... searching the bugzilla database for product Firefox, bugs filed more than a year ago, with severity being either "blocker" or "critical", and a status other than "resolved", "verified" and "closed", for all OS, sorted by importance. What do we get?

    7 bugs found. Ooohhh... 7, big number. Let's look at them now.

    • 234141 - Firefox crashes on finding an existing profile directory from a localized version. Comment #3 says "I can no longer reproduce this with any of the current nightlies", and the rest of the comments confirm. Although it was a bug for Firefox 0.8, it isn't now. Plus, it isn't a security threat, just a crash (in beta software).
    • 234598 - Firefox crashes randomly. Description of the bug is "This bug isn't really about reporting a crash." So it's not even a bug, and it's not a security threat.
    • 251380 - When saving a picture, HUGE memory leak! Also slows machine down! Ok, this is a real bug. Based on the comments, they were still working on it as of last July. Although a memory leak is a nuisance, it is not a security threat.
    • 251776 - Crash on form submission in pop-up search dialog in iPlanet Messaging Server. Comments 3 and 4 say "Retested on Firefox 1.0.5 for Mac. I can't reproduce the bug(s)" and "OK, I am also unable to reproduce on Windows. This seems to be fixed on my end", so it's pretty much fixed. Once again, it's a crash, not a security thing.
    • 251793 - Java applets bypass "Block Pop-Up Windows". Still open. A nuisance indeed. Could be considered a security threat because of phishing, but then, phishing is mostly a bug in the user, not in the software.
    • 260452 - Crash while switching to UTF-8 encoding on certain encoded pages. Last comment is about version 0.9. It's a crash in beta software.
    • 236514 - Start download with same name as another (downloading or paused) deletes first one. Bummer, you lost a file you just downloaded, and need to download it again... it sucks, but it's not a security issue.

    Year old bugs that go unfixed in Firefox are either not clear enough to work with (crashes randomly), or are simply still open because nobody took the time to check with the next version to close the bug. None of those bugs are security issues.

    I like Firefox as much as the next man (check out my sig) but let's not make extravagant claims.

    Yep... I agree... how about you stop pulling stuff from your ass too?

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming