Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Hits Back at Browser Security Claim

Posted by ScuttleMonkey on from the community-loves-responsive-developers dept.

UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"

4 of 295 comments (clear)

  1. Original Symantec Article by NoInfo · · Score: 5, Informative
    The download for Symantec's actual report is here (registration required):
    https://ses.symantec.com/Content/displaypdf.cfm?SS L=YES&PDFID=2124

    But to save you some trouble, here's the excerpts about Mozilla:

    Mozilla browsers have the most vulnerabilities

    During the first half of 2005, 25 vendor confirmed vulnerabilities were disclosed for the Mozilla browsers,
    the most of any browser. 18 of these were classified as high severity. During the same period, 13 vendor
    confirmed vulnerabilities were disclosed for Microsoft Internet Explorer, eight of which were high severity.



      Mozilla browsers have the most vulnerabilities

    The Web browser is a critical and ubiquitous application that has become a frequent target for
    vulnerability researchers. In the past, the focus of security has been on the perimeter: servers, firewalls,
    and other systems with external exposure. However, a notable shift has occurred, with client-side
    systems--primarily end-user systems--becoming increasingly prominent targets of malicious activity.
    More and more, Web browser vulnerabilities are becoming a preferred entry point into systems.
    During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all
    browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32
    in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this
    period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities
    in the second half of 2004 and one in the first half of 2004.


    During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were
    disclosed. This is a decrease from the 31 documented in the second half of 2004.26 During the first half of
    2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.
    The average severity rating of the vulnerabilities associated with Internet Explorer during the first six
    months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current
    period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered
    high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the
    seven, or 57%, were rated high severity.


    [...]

    The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month
    periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than
    other vendors. This could be because the Mozilla browsers are open source and may be more responsive
    to reports of new vulnerabilities and subsequently developing and delivering associated patches. For
    instance, except in certain instances,60 Microsoft releases fixes on a relatively fixed schedule rather than
    as needed, potentially increasing their acknowledgement time.

    --
    bug.gd: error search engine. Humanity working together to solve all errors.
  2. Misleading numbers by GXFragger · · Score: 5, Informative

    Symantec's report is also slanted becasue it uses vendor confirmed vulnerabilities rather than both confirmed and unconfirmed ones. This leads to misleading headlines and hurts Mozilla's reputation. I am suprised that Mozilla didn't say anything about that.

  3. Symantec has no credibility on software issues by grnchile · · Score: 5, Informative

    Symantec is the (proud?) publisher of the absolutely worst piece of software that I've ever used: WinFAX Pro 10.2. Not only did every major mode fail to work in some way, but it disabled my phone system for days after it was installed on a machine on my network. This software was so flawed that it convinced me to abandon the Windows platform altogether.

    Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.

    Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.

  4. Re:Mozilla is a disaster waiting to happen by theodicey · · Score: 5, Informative
    This is FUD.

    As of Firefox 1.03, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overriden by content.

    In addition, they've encapsulated chrome code even further in Firefox 1.5

    Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc., all of which are present in Konqueror, Safari, and Opera, all of which have received far less security scrutiny.