Slashdot Mirror


Symantec Rethinks Firefox vs IE Vulnerabilities

chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seems they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor-acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

5 of 214 comments

  1. Surely it's just about potential for harm. by 91degrees · · Score: 5, Insightful

    Weakest point, and amount of possible damage.

    If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

    If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.

    Now, exactly how an easy to implement low impact and a hard to implement high impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the number of critical bugs.

  2. Number of bugs means... by plankrwf · · Score: 5, Insightful

    I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
    I have seen IT managers getting upset because there were 100's of bugs*.
    Turned out all of them were because of ONE faulty thing.

    I have seen bug reports of the form
    1. pressing button A and then pressing button Y gets critical error.
    2. pressing button B and then pressing button Y gets critical error.
    3. pressing button C and then pressing button Y gets critical error.
    etc etc

    In other situations a manager was not upset, "there were only a few bugs*".
    Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
    Turned out fixing those few bugs took more than a month, while those 50 were 'fixed' within a week.

    So my professional view is that bug-counting doesn't count, the correct question is:
    how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)

    * To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.

  3. That's not exactly correct. by khasim · · Score: 5, Insightful

    My guess is that there are more Windows oriented viruses/worms circulating the Internet.
    "More" is correct. But the implication being that that is why the Linux boxes were not cracked is incorrect.

    On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.

    What matters is whether the box has open ports or not.
    The take home message is "patch your system". We Slashdotters know better, but does the regular home user?
    The system's security should be configured to account for the home user's non-patching.

    Apple has. Their boxes, by default, have no open ports.
    Ubuntu has. Their default install has no open ports.

    No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.

    The first step in security is to reduce the avenues of attack.

  4. Re:imagine that by causality · · Score: 5, Insightful

    (Why would someone tell the truth if they didn't believe it was in their best interest, i.e. for profit?)

    I know this might come as a surprise to some of you, but there's a few strange individuals who have integrity, who do really strange things like telling the truth even when it may not be in their best interests. I suppose that might not fit into your worldview ...
    --
    It is a miracle that curiosity survives formal education. - Einstein

  5. The tables have turned. by babbling · · Score: 5, Insightful

    ... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)

    All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.