Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Hits Back at Browser Security Claim

Posted by ScuttleMonkey on from the community-loves-responsive-developers dept.

UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"

13 of 295 comments (clear)

  1. Original Symantec Article by NoInfo · · Score: 5, Informative
    The download for Symantec's actual report is here (registration required):
    https://ses.symantec.com/Content/displaypdf.cfm?SS L=YES&PDFID=2124

    But to save you some trouble, here's the excerpts about Mozilla:

    Mozilla browsers have the most vulnerabilities

    During the first half of 2005, 25 vendor confirmed vulnerabilities were disclosed for the Mozilla browsers,
    the most of any browser. 18 of these were classified as high severity. During the same period, 13 vendor
    confirmed vulnerabilities were disclosed for Microsoft Internet Explorer, eight of which were high severity.



      Mozilla browsers have the most vulnerabilities

    The Web browser is a critical and ubiquitous application that has become a frequent target for
    vulnerability researchers. In the past, the focus of security has been on the perimeter: servers, firewalls,
    and other systems with external exposure. However, a notable shift has occurred, with client-side
    systems--primarily end-user systems--becoming increasingly prominent targets of malicious activity.
    More and more, Web browser vulnerabilities are becoming a preferred entry point into systems.
    During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all
    browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32
    in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this
    period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities
    in the second half of 2004 and one in the first half of 2004.


    During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were
    disclosed. This is a decrease from the 31 documented in the second half of 2004.26 During the first half of
    2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.
    The average severity rating of the vulnerabilities associated with Internet Explorer during the first six
    months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current
    period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered
    high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the
    seven, or 57%, were rated high severity.


    [...]

    The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month
    periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than
    other vendors. This could be because the Mozilla browsers are open source and may be more responsive
    to reports of new vulnerabilities and subsequently developing and delivering associated patches. For
    instance, except in certain instances,60 Microsoft releases fixes on a relatively fixed schedule rather than
    as needed, potentially increasing their acknowledgement time.

    --
    bug.gd: error search engine. Humanity working together to solve all errors.
  2. Misleading numbers by GXFragger · · Score: 5, Informative

    Symantec's report is also slanted becasue it uses vendor confirmed vulnerabilities rather than both confirmed and unconfirmed ones. This leads to misleading headlines and hurts Mozilla's reputation. I am suprised that Mozilla didn't say anything about that.

  3. Re:Allegory by Raistlin77 · · Score: 4, Informative

    Microsoft (the bully) is scared of Mozilla (the other weak little kids). If Microsoft was not scared of Mozilla, it would not bother trying to tarnish Mozilla's image by using it's bully friends (Symantec).

  4. 1.0.7 is out by nonpareility · · Score: 3, Informative

    Firefox 1.0.7 Released, and the bug is fixed.

  5. Symantec has no credibility on software issues by grnchile · · Score: 5, Informative

    Symantec is the (proud?) publisher of the absolutely worst piece of software that I've ever used: WinFAX Pro 10.2. Not only did every major mode fail to work in some way, but it disabled my phone system for days after it was installed on a machine on my network. This software was so flawed that it convinced me to abandon the Windows platform altogether.

    Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.

    Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.

  6. Re:Open source wins again by CTho9305 · · Score: 4, Informative

    http://bcheck.scanit.be/bcheck/page.php?name=STATS 2004
    In 2004, there was only ONE WEEK during which there were no known remote code execution exploits for fully-patched MSIE. There were 30 days for Firefox if you don't count Mac OS (which would be fair if we're only interested in browsers for Windows users).

    --
    My server
  7. Re:Mozilla is a disaster waiting to happen by CTho9305 · · Score: 3, Informative

    Ummm... are you aware of what exactly was changed for Firefox 1.0.3 that broke extensions? Someone did find ways to do basically what you were saying, and it was all addressed. Big architectural changes were made to address the problem, making Mozilla significantly more secure.

    --
    My server
  8. Re:Symantec isint biased! by fymidos · · Score: 3, Informative

    Everybody who has used internet explorer knows that it is not secure. The don't have to tell them that. They are talking to the people who (rightfully) think they are more secure with firefox, and they are trying to pass between the lines that you still need protection, no matter what browser you use, and anyway, changing the browser will not make you safe.
    (but a good antivirus/antispam/antiinternet/antiusingyourcompu te will)

    --
    Washington bullets will simply be known as the "Bulle
  9. Re:Symantec isint biased! by aweraw · · Score: 4, Informative

    Well, with the slow assed patching cycle that IE has, you have more need for Symantec products to 'protect' you in the interim.

    While firefox may have more exploits popping up these days, fixes for it are issued in a much more timely manner than for IE.

    --
    5468652047616D65
  10. Re:Mozilla is a disaster waiting to happen by theodicey · · Score: 5, Informative
    This is FUD.

    As of Firefox 1.03, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overriden by content.

    In addition, they've encapsulated chrome code even further in Firefox 1.5

    Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc., all of which are present in Konqueror, Safari, and Opera, all of which have received far less security scrutiny.

  11. Re:Responsiveness is irrelevant by Kingofearth · · Score: 3, Informative

    Well, It's a good thing Firefox 1.5 will fix that with its auto updating binary diff patches. It Automaticly downloads the update and installs it the next time you start Firefox.

  12. Response time is irrelevant... by toadlife · · Score: 3, Informative

    ...when people don't bother to install the updates.

    Look at any website's detailed statistics and I guarantee you you would find a sizable portion of the Firefox visitors are not running the latest version of Firefox.

    Heck, I still get hits from "Firebird" on my site!

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  13. Re:first post by ArsenneLupin · · Score: 3, Informative
    Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

    Care to back up that claim with specifics URL to the relevant bug reports? I checked their database, and couldn't find any bugs that qualified. The great majority of bugs are either minor and non-security related, or less than a month old.