Slashdot Mirror
Mozilla Hits Back at Browser Security Claim
UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"
Symantec biased? NEVER!!!
Open-source Full disclosure vs Close-source Please-wait-for-us-to-fix-the-vulnerability-before -publishing-it-else-we-sue
just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.
it's a rarity to see ZDNet make that kind of mistake.
Martini Glasses
https://ses.symantec.com/Content/displaypdf.cfm?S
But to save you some trouble, here's the excerpts about Mozilla:
bug.gd: error search engine. Humanity working together to solve all errors.
maybe more vulnerabilities are found in mozilla because it is open-source
arguably, one could say this is better than in IE, where there may be some which are not known until some hacker exploits it.
Marge, get me your address book, 4 beers, and my conversation hat.
When other people can see the code, problems are spotted more quickly. That's probably why Mozilla seems to have more problems than IE to them--the problems in Mozilla are spotted before they can be exploited, while IE's problems are noticed when exploits are made and used in the wild. That said, good job to the Mozilla team.
US businesses that currently accept chip and PIN/signature
Symantec's report is also slanted becasue it uses vendor confirmed vulnerabilities rather than both confirmed and unconfirmed ones. This leads to misleading headlines and hurts Mozilla's reputation. I am suprised that Mozilla didn't say anything about that.
IMO, all this bandying about with numbers is next to pointless. All I know is that in my experience:
1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.
2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed.
3. Now I use Linux exclusively (unless doing work on a client's computer on their behalf), and I sure am not using IE.
On the one hand, it's nice to see Moz hitting back with the PR. But, I wonder if this will ultimately hurt migration away from IE. That is, I can just about hear folks saying "MS says one thing, Mozilla says another...who to believe?"
To the non-techie, MS is a known quantity and The Mozilla Foundation is not (I'm thinking along similar lines to name-recognition at the polls). At the very least, a I-say, they-say approach seems to muddle the issue more than clarify it for those not willing to do their own research.
Computational Chemistry products and services.
How about quadrupe? ...Or maybe infinupe. Seriously, this is the 4th Firefox vs. IE story in 10 days...isn't that a bit excessive?
the time-to-patch, how long it takes between the discovery of a vulnerability and its repair. Frequently with Microshaft, this can be weeks. Maybe months, even. With Mozilla, I keep seeing the patch on either the same day or the next day.
Microsoft (the bully) is scared of Mozilla (the other weak little kids). If Microsoft was not scared of Mozilla, it would not bother trying to tarnish Mozilla's image by using it's bully friends (Symantec).
Does Symantec know customers who did?
Is Ed Gibson a Firefox user?
Don't reporters do research any more? This article does nothing more than parrot what Mozilla has to say about the matter. I wonder if it would be possible for a company to completely forgo a PR departmet and just use the news media directly.
This was zdnet's first article on the recent situation, "Symantec: Mozilla browsers more vulnerable than IE". Basically, "This is what Symantec said about Mozilla". And now this article is titled, "Mozilla hits back at browser security claim". Which translates to "This is what Mozilla said back".
You could probably just take a few +5 rated comments from the first slashdot discussion about this and come up with a better article... In fact that might be a good business plan: write a script to automatically grab the highest rated comments from each story, splice them together into an article and then put on a website as original content, <msb>your articles might even be posted back to slashdot from time to time</msb>.
(msb = mandatory slashdot bashing).We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
Seriously, guys who make these kind of comparisons shouldnt be let out of the room; just stay inside and code. And let others do PR work.
Firefox 1.0.7 Released, and the bug is fixed.
Oh well, Symantec of course, riding on the proprietary platform of Microsloth is going to be biased.
There are many ways you can look at this..
In 2005, IE has already been around for YEARS, if you follow that perspective, it should have many less flaws...But that's not the case.
You could say FireFox is newer, so of course more flaws are expected, you could also say they should have learn from IE's mistakes, and avoided those pitfalls.
You can also say Firefox is open source, people who find the flaws don't have malicious intent, they are trying to improve the software and make it a viable option in the real world..
Those who find flaws in IE usually do it for fun and profit, spyware spam porn diallers etc, all strapped into the world of IE..there are XX number of unknown exploits in IE due to the closed source, and they are probably being exploited right now, case in point is Microsofts new Honeymonkey project discovered one in the first couple of days..
The article is basically a press release from Mozilla, but still, it's just numbers, numbers can be pulled from any generic poopshoot and manipulated anyway they want.
Share your Knowlege - Kung-Fu Geekery
"""The study was conducted over the first six months of 2005."""
... the Microsoft vulnerabilities were more critical,"""
When did the litmus test for long term security become the short term?
""" by claiming """
"""Nitot said that Mozilla's reaction"""
"""according to Nitot."""
"""He also argued that
All these quotes are from the article and in a place where they implicitly put into question what Mr. Nitot is trying to say.
But, when Mr. Whitehouse speaks even "IE is closed source, and so it's more difficult to access the code." Which implicitly says that closed source is more secure (security through obscurity - provably false). This "journalist" doesn't call him on it.
And this "journalist" continues to let this guy speak implicitly calling into question the security of and wisdom of using Firefox without making him justify the claims.
So, all in all, we have Mr. Nitot arguing a point and bringing facts to the table that support his claims and Mr. Whitehouse bringing implications and conjecture almost completely unsupported. Also, in the middle is this "journalist" who phrases things in a way that supports Mr. Whitehouse.
What happened to all the real journalists? You know, the ones that get as close to unbiased reporting as possible; the ones that report only facts leaving out editorials marked as fact.
*sigh*
... would be that of course more vulnerabilities were found for Mozilla, it's several years younger than IE. How many exploits were being found (announced or not) when IE was at roughly the same maturity? He could also go into Open Source vs. proprietary, but that's already been covered by other posters...
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
Symantec is the (proud?) publisher of the absolutely worst piece of software that I've ever used: WinFAX Pro 10.2. Not only did every major mode fail to work in some way, but it disabled my phone system for days after it was installed on a machine on my network. This software was so flawed that it convinced me to abandon the Windows platform altogether.
Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.
Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.
I volunteer to fix PCs for a group of teachers in the US. I am not part of their official school board sanctifed tech support crew (because those guys are snowed under).
The group of teachers were given Compaq and Dell laptops a few years back... and encouraged to use them at school and at home to help them in their work.
The schools gave them Symantec free subscriptions for a year... and Windows 98.
Over this summer I have fixed five of those PCs... a lot of hours in total. They were finally slowing to a halt (it is like a plague really finally hit those old Windows 98 machines) but the hardware was still going strong for what they needed. They were hijacked, malwared, and spywared to bits.
None of those teachers had bothered to upgrade their PCs via Microsoft Update ever as they did not know they had to (all of those laptops needed an update as far back as 2001 from MS), none of the teachers were going to shell out any money personally to keep their Symantec subscription up to date, and none of them had anytime to learn how to protect their machines.
Why? Because they are too frigging busy doing other things!
But they were pissed that their machines were hosed and all they used them to do was write out lesson plans on MS Word and surf the net.
I did the usual Micorsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.
A few months later after the start of the school year and no call-backs. None.
Symantec + IE vs. AVG/Spybot/Ad-Aware + Firefox? No contest.
In my mind, and the minds of the users I helped, Symantec is part of the problem.
They never got five subscriptions from those users and they never will.
Symantec are like a bunch of gangsters selling "protection". They need their own series on HBO!
For that matter, who gets to decide what a bug is, rather than a "feature"? The DRM in the current version of the Acrobat format allows you to run embedded Javascript with no access controls. This is arguably an exploit, but Adobe would doubtless classify it as a feature, as it means you cannot circumvent DRM by turning the Javascript off.
Secondly, the numbers are not directly comparable, as Mozilla is standalone whereas IE is built into the OS. (This is important, as integration means that bugs that are strictly in the OS could be exploited through the web browser, without it being a web browser bug.)
Thirdly, there are deals over the reporting of security holes in software, whereby a report can be held back until a patch has been readied. This means that even "unconfirmed" (but reported) bugs by security vendors may be capped by the manufacturer. (Not always, even with those manufacturers who do this, but it does introduce uncertainty.)
Finally, Mozilla is cross-platform but bugs may not always be. Any buggy code that is OS-specific, for example, or any bug which relies on some OS-specific or library-specific bug in order to be exploitable, may only affect certain platforms as a result.
There is a second part to this one! It is also possible to have one bug that appears in multiple forms, but only one form per OS (due to OS-specific characteristics). Does it count as one bug or as many? (Remember, it still only takes one form in a given OS, but because of dependencies, changes in some way between different operating systems.)
Now, you can argue that many of the above are very hypothetical and do not apply in this specific study. Perhaps that is true, but the point is that unless you have rigorous controls on how you produce the statistics, the uncertainties are bound to be comparable to the number of incidents, making the statistics worthless.
And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".
Ideally, the security companies would produce sufficient additional information to demonstrate the confidence they have in the values produced as opposed to simply citing the numbers but not really backing them up with anything concrete.
Where uncertainty is required by the vendor, then publish a range or some other indicator of how many unpublishable but reported bugs are believed to exist. (Since there is no guarantee that the unpublishable data is circulated with security vendors, an accurate figure may not be producable at all.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
http://bcheck.scanit.be/bcheck/page.php?name=STATS 2004
Your questions are addressed on pages 3 and 4.
My server
Ummm... are you aware of what exactly was changed for Firefox 1.0.3 that broke extensions? Someone did find ways to do basically what you were saying, and it was all addressed. Big architectural changes were made to address the problem, making Mozilla significantly more secure.
My server
This is FUD. As of Firefox 1.03, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overriden by content. In addition, they've encapsulated chrome code even further in Firefox 1.5 Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc.
As of Firefox 1.03, what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overriden by content.
In addition, they've encapsulated chrome code even further in Firefox 1.5
Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc., all of which are present in Konqueror, Safari, and Opera, all of which have received far less security scrutiny.
Run IE and your machine will probalby get infected with tons of spyware which will cripple your machine if you do a lot of web browsing.
Run Mozilla and it probably won't.
That's been my experience so far.
Rating software's security as lower when they fix more bugs seems like it would motivate exactly the wrong behavior. Also, it's invalid on it's face. If IE has 1000 security flaws and fixes 10 and Mozilla has 50 and fixes 15 IE isn't more secure, before or after. There is no scientific measure of security but the bug fix count hardly seems worth looking at.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
Which browser is more secure?
Any vulnerablilty in IE turns out to be of the sort ' A remote attacker can gain complete control of the system'. Compare this to the flaws in Mozilla. How many bugs in Moz can take that credit?
Well, It's a good thing Firefox 1.5 will fix that with its auto updating binary diff patches. It Automaticly downloads the update and installs it the next time you start Firefox.
eEye's "upcoming advisories" page is worth a look if you're interested in just how severe microsoft's lapse in patching can be. note that this page only catalogues vulnerabilities that microsoft acknowledge and the time since such acknowledgment, not since exploit nor since they were notified.
quoth eEye's product manager: "The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch."
Browser/version: ---- Hits
- MSIE
- FIREFOX
- NETSCAPE ----
- OTHERS ----
IE = 1699 hits,MSIE 6.0 ---- 1699
Total: 1699
Firefox 1.6 ---- 1
Firefox 1.4 ---- 233
Firefox 1.0.6 ---- 3218
Firefox 1.0.4 ---- 1123
Firefox 1.0.3 ---- 4
Firefox 1.0.2 ---- 2437
Firefox 1.0.1 ---- 130
Firefox 1.0 ---- 31
Firefox 0.10.1 ---- 4
Total: 7181
Netscape 4.04 ---- 1
Unknown ---- 155
Safari ---- 111
Mozilla ---- 98
Opera ---- 16
Dillo ---- 12
FF = 7181 hits
..out of 9273 total hits*. Hmm. Interesting.
*data via awstats 6.4
Another item is also the time it takes from a vulnerability to be publicized to the fix (or workaround). A moderate problem that isn't fixed for 6 months is more likely to be exploited than a hig-security problem fixed within days.
The real problem here is that even though both products generally are good products with some flaws (there will always be bugs, some more prominent than others) there may be need to address some of the security risks present today from a basic point of view. This may even mean sandboxing within sandboxes to control interaction between browser frames/iframes/embedding. like the effect of the following example (for Mozilla).
(Nothing ill-meant about slashdot here, just an example).
My point is that this could as well have been your bank that was framed this way, and if there was a way for the bank to indicate the framing permissions and that browsers were able to catch this a lot would have been gained in security. (OK, I haven't considered every issue arised by this, but I hope that you see my point.)
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Symantec's business os based upon the fact that software has security issues - they sell software to fill the holes. Perhaps the fact that so many people are switching from IE to Firefox is affecting their bottom line.
Electronic Music Made Using Linux http://soundcloud.com/polyp
Companies such as Symantec are interested in blurring the line between 'faults found' and 'security'. An unfound and easily exploitable fault can make a product more prone to attack, i.e more insecure. Which is opposite to found flaws that are fixed.
So if a less skilled programmer is looking for faults, they are going to find less of them. So pretend we have two equally insecure products, by Symantec's paradigm one product would appear more secure than the other merely because less faults have been discovered. I'd trust a product created by many, rather than a product created by a recycled team.
To combat the same paradigm which Symantec promotes (i.e more flaws found = bad, instead of good.) companies such as Microsoft bundle multiple updates together(such as monthly updates) such that numerous groups of security flaws can be perceived as a lesser quantity of issues(Or in MS's case "one critical update"). The reality though is that security is based entirely on your track record, and not by how many faults you've discovered in your code. So we all know what the track record for MS products are versus Firefox.
...when people don't bother to install the updates.
Look at any website's detailed statistics and I guarantee you you would find a sizable portion of the Firefox visitors are not running the latest version of Firefox.
Heck, I still get hits from "Firebird" on my site!
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
This entire article is about these "Mozilla browsers." But let's be real, the different "Mozilla browsers" that are out there are all patched on their own and modified and distributed on their own.
Is it really fair to charge the problems of these different browsers to one application framework? Not that many aren't core problems - I'm sure most are. But we are comparing a group of products with one. The many products being developed by people, for free, around the world - the other product is developed by a major multinational corporation with millions at their disposal.
That corporation has been trying to stop "Mozilla" for a long time too. It's just sad that we
I mean, jeez, people aren't even able to look at the source.
Get your Unix fortune now!
A better measure would be vulnerability days. The idea would be to sum up across all exploits the number of days between the vulnerability being discovered and a patch being available.
This statistic could be refined by weighting each vulnerability according to its severity.
Of course, for IE we probably won't get good info on just when the vulnerability was discovered.
Any flexible, extendable application will have some errors because of the multiple interfaces and the complexity of the system itself. Some of those errors will affect security. My argument for Mozilla/Firefox is that it is more secure at this time. My argument against M/F is that in most cases, the problems are being patched rather than designed out more quickly. Sooner or later the maintenance on the holes is going to be so massive a task that it will nearly be impossible to fix. I've been watching the boards, but it looks like a redesign is 'way overdue.
Someone should be classifying ALL the vulnerabilitites found in FF over the last 18 months, and a team should start examining the code that was stable at that time. Then, they should ask: "If we knew these vulnerabilities were going to crop up what major design changes would we have made to clean them up upstream?" Most of the vulnerabilities will fall into a few common, recurring patterns, and those can be designed against. I know this is not a popular OSS practice, but something like this will help the app evolve more securely.
"The mind works quicker than you think!"
Speaking of security, looks like Firefox 1.0.7 was just released sometime last night on Mozilla's web site.
I'm assuming you are using the 'free' versions of this software, otherwise igore the rest of this message!
Bearing in mind you are a non-commercial organization - and a worthy one - I would double check the licenses for these as far as educational and non-commercial organizational use is concerned. And perhaps a complimentary email to vendors for clarification where necessary?
SpywareBlaster looks OK for teachers.
Spybot I would confirm with author. They seem 'edu' friendly, from their tone.
AVG License is perhaps slightly ambiguous in this case. Schools are non-commercial but they are 'Organizations'.
Ad-Aware not free for educational use.
You may have omitted your firewall of choice but most of them have similar organizational clauses. I think Outpost Free may be OK.
This is actually not right at all. Exactly at the time of the symantec report, FF had ONE exploit that was more critical than IE. In general they have less severe exploits, and A LOT less unpatched exploits. Check out the following links: Secunia IE vulnerabilities Secunia FF vulnerabilities As you can see, FF has 3 unpatched vulnerabilities, while IE has 19, the highest rated of these being more severe than FFs. I would say it is quite clear that FF has less unpatched vulnerabilities.
Let's set aside the "vendor acknowledged vulnerabilites" and discuss the one cold fact that matters: we don't really know what's secure or not in IE because we cannot check the source code. That allows an exploit to exist that not even Symantec knows about.
-- $G
Symantec's report counts up only the vulnerabilities acknowledged by the vendor. If you don't want to have a vulnerability included in their study, just don't acknowledge it. If you go to Secunia and add in all the unacknowledged vulnerabilities (but that are still known to the public), you find out that Internet Explorer has had more vulnerabilities in the same amount of time than Firefox. My thanks to Bruce Perens for pointing that out.
- David A. Wheeler (see my Secure Programming HOWTO)
Symantec, as a corporate whole, did what all people who can't write software do. They switched over to making reports. Since nobody every crashed from reading a defective report, this allows them to hide their incompetence.
Honestly, I'd rather just take Ballmer's word for it rather than relying on Symantec, much like I'd rather have a virus than to let Norton do what it does to PCs its installed on.