Symantec Rethinks Firefox vs IE Vulnerabilities
chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seems they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor-acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
profit motive = incentive to lie
I'm SHOCKED!
I guess the latest TCO Microsoft is great checks failed to appear this week....
37 - what does it stand for really...
Over 6 months to realise and admit that? Nice going ...
She's built like a steak house, but she handles like a bistro....
If the Dept of Justice accepts your PR crap [lies] then everyone should.
Weakest point, and amount of possible damage.
If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.
If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.
Now, exactly how an easy to implement low impact and a hard to implement high impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the number of critical bugs.
I wonder if Symantec's "rethinking" of its position has anything to do with Microsoft announcing a competing offering (OneCare Live). Apparently Symantec will no longer just take Microsoft's word on whether a suspected flaw is actually a bug/vulnerability or not. Sorry Microsoft, that ole "Naw, that's not a vulnerability, it's just an undocumented feature" doesn't look like it's going to fly anymore.
:D
How can you trust these guys with your security?
They make some b.s. statements that just aren't founded in logic, or in a reasonably cynical view of how people/companies behave. The result is that they suggest you do the ridiculous, with your security (not theirs). Then they (for whatever reason) say something else.
I'm not even suggesting that they "came to their senses", but perhaps, for one reason or another, decided that Microsoft was not their friend anymore (or maybe firefox is their friend now).
http://www.thebricktestament.com/the_law/when_to_
Symantec: Internet Explorer feasted on my childs bones.
Microsoft: We don't consider that critical.
Do you see what I did there?
I like the other part of TFA better:
"Windows XP Professional, said Symantec, stays safe just one hour and 12 seconds, while the Windows 2000 Server (with SP4) made it an hour and 17 minutes. An unpatched Windows Server 2003 system lasted somewhat longer.
In contrast, unpatched Linux installations of both Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop were never compromised during their month-and-a-half exposure to attackers."
Among the other data in Symantec's report are new "time to compromise" figures that try to gauge how long an unpatched, unprotected computer would last before it is snatched by a hacker.
Windows XP Professional, said Symantec, stays safe just one hour and 12 seconds, while the Windows 2000 Server (with SP4) made it an hour and 17 minutes. An unpatched Windows Server 2003 system lasted somewhat longer.
In contrast, unpatched Linux installations of both Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop were never compromised during their month-and-a-half exposure to attackers.
My first thought was that this makes perfect sense - now that MS is a competitor of Symantec, they're going to discredit them as much as they can.
But Symantec has known for ages that MS is pushing into their space. Maybe they had a Netscape-esque agreement with Symantec and maybe Symantec found new evidence that convinced them partnering with MS isn't the best way to go?
It *could* be as simple as an upper-management type listening to the feedback the last report got, but I haven't seen an icy weather forecast for Hell today.
(For those who missed the MS Anti-trust days: it was 'alleged' that when MS decided that the 'net was not just a fad and MS needed to throw all their resources into making IE the dominant browser, MS offered not to compete in Mac-space if they left the Windows market quietly. Netscape refused, MS bundled IE with windows, and the rest is history)
No, "idiot", he said it wasn't an apples to apples comparison. Try again, Capt Pedant.
By what name do you wish to be mourned?
I believe that Firefox would have a significantly lower security breach rate than IE, but further compared with Opera or Safari?
StartKeyLogger
another undocumented feature...
- http://www.milkme.co.uk
It seems almost disingenuous to "rethink" this so late. Of course it's more than a little irritating, it directly impacts the perceptions and usage levels of the competing browsers. It's kind of like yelling "fire" in a crowded theater, waiting until the resultant stampede kills many in the theater and then saying, "I'm rethinking this, and it looks as if there is no fire."
RTFA....then think about it. Then ask which set of facts they are sticking to.
Maybe they should do a security software resource usage comparison!
There is a difference between "truth" and "honesty", where truth is about "point truths" where you can be selective and deceptive. But "honesty", that's full scope.
They are not very honest.
It does seem that one of the things they do to help secure your system is to have your system so busy running their software that it doesn't have time to run anything else. There is a less expensive way to do this. Just unplug your system. Hell, you'll even save electricity, while being absolutely secure.
With VISTA coming out, Symantec is going to obviously be pushing its own products for that platform.
However, to give the semblance of non-preference they will side with the better product for the term being.
However, expect them to do a 360 in six months again, citing VISTA as the most secure product ever, bar none.
I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
I have seen IT managers getting upset because there were hundreds of bugs*.
Turned out all of them were because of ONE faulty thing.
I have seen bug reports of the form
1. pressing button A and then pressing button Y gets critical error.
2. pressing button B and then pressing button Y gets critical error.
3. pressing button C and then pressing button Y gets critical error.
etc etc
In other situations a manager was not upset, "there were only a few bugs*".
Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
Turned out fixing those few bugs took more than a month, while those 50 were 'fixed' within a week.
So my professional view is that bug-counting doesn't count, the correct question is:
how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)
* To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.
Welcome to 2 years ago. This new Firefox browser is pretty cool, eh?
I wonder if anyone ever took Symantec seriously when they made this claim. Most computer illiterate users wouldn't have even heard about Symantec saying this, and those that did (eg. Slashdot readers) would already know better. It's as if Symantec is in their own little universe where it seems as though everything incorrect is actually correct.
FTFS:
Mozilla has Bugzilla to keep track of its issues; MS is notorious for claiming bugs are in fact features.
Also, IMHO any security issue is 'critical'. Someone once said that MS's 'critical vulnerabilities' are security flaws that should never have made it past design stage.
Don't you just hate it when people reply to your signature?
They make BS statements, and use more system resources than the spyware they're trying to clean up!
"We have substantially tested Windows XP and have found the operating system to be completely bug free. Our tests were conducted in a time period of 1 minute, which contains 60 seconds. As all seconds are effectively the same, we can safely say that Windows XP will be safe for all future occurrences of seconds."
Task Mangler
I guess I'll have to "rethink" my reliance on any Symantec security program.
Whose company products in all my years of computer maintenance have overall caused me more problems than all the malware/viruses they were supposed to be fighting. Thanks for the heads up!
You're seriously telling me that Symantec just added up the number of times a flaw was labelled "critical" by the owning company of the product, and based their 'report' on that - wtf?
I mean, *I* could have done that. When I hear that one of the leading security companies has issued a report on the security of two competing products, I assume that they've actually evaluated those products, rather than just spat back the company literature.
My already little faith in the company that brought us Norton has sunk lower still.
Oh shit I'm going to have to switch back now! Do you have any idea how long it took to get IE running on Linux?
Just use Konqueror. I'm sure 99.9% of malicious hackers haven't even heard of it!
Symantec used to make top notch products. When I recently was exposed to their client software again assisting friends, I was shocked to see that they now make the worst security suite. It is just completely unusable for customers. Their failure to even have their software work with Windows XP SP2 (and letting their customers take the problems, such as all programs but their own losing internet connectivity ...) is evidence that they, with their "platform play", are becoming increasingly at odds with Microsoft. If they were able to understand that at least until recently Microsoft has only provided basic functionality to help protect customers (such as the basic firewall and a central place to see security status) and that there is considerable space in which to provide superior technology, I might have believed some of their comments.
The way it stands now, I cannot possibly recommend their products nor their "advice".
Let's say that I wrote the world's most flawed web browser (Anger Browser 1.0), with several hidden RC functions and a welcome mat for specially scripted spyware installers. Yes, it has 500 more flaws than IE, but I only have an installed user base of two. Does this mean that my browser presents a higher risk than a browser with 100,000,000 users and one flaw?
All things the same, a flaw in IE presents a higher weighted risk than a browser with a fraction of the user base. Combining that with the relative ignorance of the average IE user, I say that a flaw in IE presents a much higher return to the bad guys than any other browser out there.
From the article:
:P
"In the last six months of 2005, Microsoft confirmed 12 vulnerabilities in Internet Explorer, down slightly from the 14 in the first half of last year. Firefox, however, sported 13 vendor-confirmed flaws, one more than IE, but also down from the 27 in the previous period."
Even in the revised count it was 17 Firefox, 24 Internet Explorer...
And that doesn't account for the vulnerabilities within embedded tech like Java, Flash, QuickTime, Windows Media, et al... that'll affect EVERY (modern) browser.
NONE of this is particularly great if you're a consumer. If you're Symantec or another security vendor though - well, life is OK.
graphically speaking
Since arguing the merits of one browser over another leads to no end, I hope this post would be somewhat refreshing to read.
Assuming a security measurement can sway users for switching from one browser to another, I propose the following measurement: multiply the number of vulnerabilities by market share, and call this the impact. At first glance, this is brutally unfair for IE, which continues to have the majority market share, but hear me explain.
Let's make another assumption. Suppose all competing browsers have vulnerabilities that lead to the same outcome, then the likelihood that script kiddies choose one browser over another to exploit is more or less determined by the browser's market share. Every vulnerability adds to this likelihood. Therefore, in the end, we end up summing a browser's market share a number of times that is the number of vulnerabilities for that browser. This is the same as multiplying number of vulnerabilities by market share. The result is a measurement of insecurity impact.
What happens if we adopt measuring impact for insecurity?
Since Firefox is a minority in browser market share, it can afford to have more bugs and be relatively secure. Its most critical vulnerabilities have lower impact than IE's equivalent. Suppose users then decide to switch to Firefox. The increase in Firefox market share means its vulnerabilities have higher impact. At one point, it becomes less secure than IE, and users start to switch back. We go back and forth and eventually reach an equilibrium. If users are perfectly "browser elastic" (have no resistance to switching browsers), then at the equilibrium, market share is inversely proportional to the number of vulnerabilities for all browsers. Of course, in real life, things are never that simple, but let's keep things simple. It is good enough to point out that letting impact determine market share is more desirable than letting vulnerability count determine market share.
How can the impact score improve current measurement of security?
We all know that some vendors like to play the optimist game by purposely reducing the severity of a vulnerability or even hiding it. If a certain highly popular browser vendor wants to manipulate the impact score, it has to cheat a lot, and at one point this cheating will become painfully obvious. Hopefully, the risk of causing a scandal would limit the vendor's cheating to a degree that does not significantly vary the impact score.
I once had a signature.
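The "impact" metric from the post above, worked through to its claimed equilibrium. This is an added example, not code from the post or from Symantec: it multiplies vulnerability count by market share, computes the closed-form equilibrium (share inversely proportional to count), and simulates the back-and-forth switching of perfectly elastic users. Browser names, the starting shares and the 24/17 counts are constructed sample values (the counts echo the revised figures quoted elsewhere in the thread).

```python
"""Worked example of the 'impact = vulnerabilities x market share' idea.

Added example, not from the original post. All browser names, counts and
starting market shares below are constructed sample values.
"""


def impact_scores(vulns, shares):
    """Impact of each browser: vulnerability count times market share."""
    return {b: vulns[b] * shares[b] for b in vulns}


def equilibrium_shares(vulns):
    """Closed form for the equilibrium the post describes.

    With perfectly elastic users every browser ends up with equal impact,
    so share_i is proportional to 1 / vulns_i, normalised to sum to 1.
    """
    inv = {b: 1.0 / v for b, v in vulns.items()}
    total = sum(inv.values())
    return {b: x / total for b, x in inv.items()}


def simulate_switching(vulns, shares, step=0.001, rounds=2000):
    """Simulate the post's back-and-forth switching.

    Each round a slice of the market (`step`) leaves the browser with the
    highest impact for the browser with the lowest impact. Moving that
    slice lowers the gap between the two impacts by step * (v_worst + v_best),
    so the loop stops once one more move would overshoot the crossing point.
    """
    shares = dict(shares)
    for _ in range(rounds):
        imp = impact_scores(vulns, shares)
        worst = max(imp, key=imp.get)
        best = min(imp, key=imp.get)
        if imp[worst] - imp[best] <= step * (vulns[worst] + vulns[best]):
            break
        moved = min(step, shares[worst])
        shares[worst] -= moved
        shares[best] += moved
    return shares


if __name__ == "__main__":
    # Constructed sample input: vendor-confirmed counts and a starting split.
    vulns = {"IE": 24, "Firefox": 17}
    start = {"IE": 0.9, "Firefox": 0.1}
    print("impact at the starting shares:", impact_scores(vulns, start))
    print("closed-form equilibrium:", equilibrium_shares(vulns))
    print("simulated equilibrium:", simulate_switching(vulns, start))
```

At the starting split IE carries almost all of the impact; after the simulated switching both browsers sit at about 17/41 (IE) and 24/41 (Firefox), matching the closed form.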
Well surprise surprise, Symantec demonstrates themselves to be of the calibre of Wall Street "analysts": regurgitating things that other people tell them, and passing it off as insight. How about doing some critical thinking of their own?
..." The news media certainly don't paint "analysts" as being anything more than sock puppet mouthpieces without any independent skills.
Why do we keep reading about opinions of "analysts" everywhere? I guess I need to stop reading the Mac rumor sites so regularly; their "news" are often just "analyst predicts
-b
myselfmusic
"Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
That's it! That's the secret to making bug-free software! Don't fix anything, then deny it's a bug! That's what I'm gonna do!
"Hey, this is a critical exploit!"
"No, it's not."
"Okay."
BRILLIANT!
But even with Symantec counting it "The Firefox Way" Firefox is still not looking "secure", just "slightly more secure".
Sure they have, it is called Safari.
On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.
What matters is whether the box has open ports or not. The system's security should be configured to account for the home user's non-patching.
Apple has. Their boxes, by default, have no open ports.
Ubuntu has. Their default install has no open ports.
No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.
The first step in security is to reduce the avenues of attack.
that stated:
Patched Windows systems, however, remained untouched throughout the test, backing both its and Microsoft's advice to patch regularly, and patch promptly. "Applying patches in a timely manner is an important component of an effective security strategy," the report read.
Or is this just convenient editing to bash Microsoft. Oh wait sorry, I forgot this is Slashdot.
Sorry, Unable to process request at this time -- error 999.
Common sense is not so common
A trusted source would say:
But if Symantec said do these 5 simple things, and make sure your kids can do these 5 simple things (or keep them off the computer), then they'd be undermining the fear factor they count on to sell their bloated POS products (their corp. products don't seem that bad though.) Symantec's software will NOT keep a computer clean if the people using it don't use safe computing practices. At least Dell stopped bundling exclusively Symantec and McAfee products, should save people some grief from having their security software breaking their computers.
"Too lazy to fail." - Heinlein
Since when does Symantec have any credibility relating to computer security issues?
Now when there's a report on the most efficient way to waste CPU time, memory and disk space, making computers slow down to a crawl, their commentary will be respected.
I spent two days removing this POS from a friend's machine last week. Symantec publishes the instructions to uninstall manually, because the automatic install DOES NOT WORK.
FIVE PAGES OF INSTRUCTIONS.
Countless services and hooks into the operating system, tied into Microsoft's automatic installation system, forcing itself to re-install if you miss a trace of the uninstall procedure (which is, itself not complete).
Before uninstalling, it would take up to 5 minutes to boot XP; after uninstalling, the bootup was in seconds. Everything ran faster after installing another anti-virus client.... EVERYTHING!! Even though task manager showed no CPU usage being stolen by Symantec, it clearly was sucking as much as 90% of the processor bandwidth with its huge number of processes and hooks.
My own impression was that Symantec laid out Antivirus like a virus itself, trying to restart itself on any attempt to remove it. The reality is that it was just badly designed bloatware.
The latest version for me crashes constantly. Unfortunately I'm so hooked on the Fox now I can't stop using it. I'm waiting for them to hammer out the flaws. As an aside, deleting the profiles and creating a new one seems to cause the stability to return for a few days. Then back to crashing.
Karma means nothing to me, so suck it...
This makes me think of the CVSS http://www.first.org/cvss/ and how inaccurate it also is.
Most vendors will downrank/ignore/contest vulnerabilities. Then they will try to make comparisons between themselves and their competitors off a biased vulnerability score, impact, etc.
Software vendors should have no part in acknowledging/ranking the legitimacy of vulnerabilities, once the security community has properly identified them, and repeated results, apart from sending a Thank you note to the security gurus that found the flaws.
... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)
All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.
No, it's Capt. Paedant.
Linux users typically install software through (authenticated) package systems. Ubuntu will for example cry out loud if you install packets that are not "approved" by the Ubuntu organization.
But then Ubuntu will never approve proprietary software. So then you have each publisher of proprietary software, legitimate or otherwise, trying to social-engineer potential users into authorizing said publisher. (And by "social engineer" I mean con.)
This has to be the best troll ever. I feel like I am the moth, there is the flame, gonna die, can't turn back now, going in anyway! I think this is funny for two reasons. One, Symantec has no interest in securing anything but profits, and secondly, the fact that Symantec could make the "news" by publicly admitting something so obvious to most savvy consumers is all the proof I need that the joke is me. Expect Symantec to announce its Firefox browser bundle soon.
I understand, and by and large agree with, your thesis that humans are self-absorbed, self-interested beings. However, how would you interpret those individuals who have thrown themselves on hand grenades to save their platoon buddies from death? Death was virtually certain for these individuals, and there was some opportunity to escape from the situation with only minor or moderate injury, yet they chose to sacrifice themselves for their comrades. By the self-interest theory, it was an inappropriate decision, even if they considered the possibility of posthumous accolade, because they wouldn't be there to experience the reward.
Rather, I believe that people are able to rationally select a greater good, even if it brings personal harm. I'm not saying that most people actually do this on a regular basis, but the capability is there. On the other hand, I meet more and more people who meet the clinical definition of sociopaths, who truly are incapable of considering anything beyond themselves, and they are scary people.
I am seeing more and more of this crap!
Who in their right mind let the fox count the chickens?
You know the Fox by nature will always be holding a few chickens behind his back.
I even see this in major corporate contracts.
The Fox is in charge of the chicken coop, supplies the feed and builds the fences,
but the contractor is held responsible for the number of chickens.
Fuckin idiots put their own nuts in a vise when they signed the contract!
And then they have the nerve to pay me pennies on the dollar to make their mess work.
Bye Bye, I'll leave them to die a slow and ugly death on their own razor.
Rick B.
Isn't the damage already done? While I do appreciate Symantec's admission to not applying due diligence when publishing their previous report, I don't think it's enough. Most slashdotters could tell right away that the previous article, and those like it, aren't doing apples to apples comparisons. The people that don't know any better, and look to these articles as sources of information, take these articles as gospel; because the folks that write them should know better!
If you are doing research, and you genuinely set your biases aside, you won't be disappointed with the results. In fact, you may learn something!
"Put your message in a modem, and throw it into the cyber-sea." - Rush
Alas, this group is disproportionately represented amongst those in charge of large corporations.
Some people are pointing out that veracity has evolutionary benefits (on a group level). However, it would seem that we have managed to create an corporate environment where sociopathy is the prime survival trait.
Oliver Friedrichs?
Who is this loser? How can we still be stuck listening to this garbage?
Are we not men? Are we not people with critical thinking skills?
Where is the independent security consultant, the person who cares only for the study and the results? This Oliver Friedrichs guy only cares about profits. If a company doesn't agree with you that their product has vulnerabilities, then you publish the study anyway, and give them the results.
Where is the OSS front line these days? Do we even have a goal, or are we just hoping that things will work themselves out?
It's probably due to some extension/skin that you are using, check for bug reports for all the extensions you have installed.
One important point regarding the apples to oranges comparisons is that we are comparing one dynamic development process with constant changes and improvements (FireFox/Mozilla) and one that has had no new improvements for many years (IE).
... PERIOD
It is reasonable to expect that Mozilla/Firefox would have more flaws over time because it is a product that is still in flux. Whereas in IE's case, we are still finding flaws that may have actually been there for many years or, worse yet, were created through IE trying to fix other bugs.
Basically, boiling it down to the raw numbers, Firefox is way more secure than IE
JsD
It's too bad companies don't realize dealing with Microsoft is usually a bad idea in the long run. Make a profitable business based on Windows and Microsoft will always move in on your turf and leverage its monopoly position against you.
There's no such thing as a symbiotic relationship with Microsoft.
Not R'ing TFM because it'll just piss me off... I can no longer ignore or accept this sort of behavior from corporations that should definitely know better.
I realize this sort of dishonesty in product comparison happens all the time. I assume it likely happens even in analyses of products that do not originate in Redmond. What I don't understand is why the status quo is accepted. I have purchased Symantec products before. I'll NEVER do so again. If asked, I will discourage anyone else from doing so.
I'd expect this sort of behavior from Microsoft or its usual hired lackeys, but this takes the cake! It's pretty clear that comparing the totals of only the 'admitted' 'critical' security problems in each browser is practically as unscientific as you can get. Anyone who made a major infrastructure decision because of it should sue Symantec immediately, IMHO. This sort of behavior can potentially (and probably did) artificially influence the market.
</rant>
Of course, I am not saying that a company should face severe penalties every time they report research findings that turn out to be incorrect, but c'mon, any 1st year science student knows what the scientific method is. Willfully releasing false and/or misleading information that impacts a given market should at the very least prompt SEC investigation. I guess at least Symantec admitted that what they did was the wrong way to conduct the comparison, though at this point, I have a hard time believing they are admitting fault for any virtuous reason.
Hmm... Looks like I got pissed off anyway. Time for a beer
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
"The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
When asked if downloading music via P2P is 'stealing', respondents uniformly replied that it wasn't, so their downloads ceased being counted in MPAA music theft figures. The MPAA in a separate announcement stated it had no legal standing in current cases and withdrew all complaints and charges against all music 'sharers'.
See we can use corporate logic too!
You don't have to be unethical to succeed... I think Google is doing a pretty good job of it so far!
Where are the links to the symantec study recently released? Or am I blind?
Well, one mitigating factor for Windows machines is the number of reboots needed for regular operation/upgrading. They cannot be compromised before the network interface goes up during the boot.
On the other hand, I wonder if they are vulnerable in the few seconds during shutdown.... Does the 3rd-party firewall shut off before the network interface is disabled?
I agree and have recently gone into more detail about this in a blog entry.
...don't post links to a website that REQUIRES Windows Media player ONLY. Everybody knows only Linux geeks on Slashdot!
Hmmm. Consider how many features of Internet Explorer would be considered bugs or security violations in Firefox. I reload Windows machines for people infected by browser hijacks, spyware and all that cruft. I advise people to use Firefox for their browsing. Those that follow my advice thank me; those that do not ask me to load Windows for them again. I politely decline :)
I was reading that Symantec's Internet Security Suite (or whatever it's called - can't be bothered googling) disconnects its users from IRC if someone types the phrase 'startkeylogger' into a channel. If this is true then doesn't it naturally follow that they are crap?
There they are a conga line of suck holes. On the conservative side of Australian politics. - Mark Latham