Symantec Rethinks Firefox vs IE Vulnerabilities
chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seems they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor-acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
profit motive = incentive to lie
I'm SHOCKED!
I guess the latest TCO Microsoft is great checks failed to appear this week....
37 - what does it stand for really...
Over 6 months to realise and admit that? Nice going ...
She's built like a steak house, but she handles like a bistro....
Weakest point, and amount of possible damage.
If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.
If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.
Now, exactly how an easy-to-implement, low-impact attack and a hard-to-implement, high-impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the number of critical bugs.
I wonder if Symantec's "rethinking" of its position has anything to do with Microsoft announcing a competing offering (OneCare Live). Apparently Symantec will no longer just take Microsoft's word on whether a suspected flaw is actually a bug/vulnerability or not. Sorry Microsoft, that ole "Naw, that's not a vulnerability, it's just an undocumented feature" doesn't look like it's going to fly anymore.
:D
How can you trust these guys with your security?
They make some b.s. statements that just aren't founded in logic, or in a reasonably cynical view of how people/companies behave. The result is that they suggest you do the ridiculous, with your security (not theirs). Then they (for whatever reason) say something else.
I'm not even suggesting that they "came to their senses", but perhaps, for one reason or another, decided that Microsoft was not their friend anymore (or maybe firefox is their friend now).
http://www.thebricktestament.com/the_law/when_to_
Symantec: Internet Explorer feasted on my child's bones.
Microsoft: We don't consider that critical.
Do you see what I did there?
I like the other part of TFA better:
"Windows XP Professional, said Symantec, stays safe just one hour and 12 seconds, while the Windows 2000 Server (with SP4) made it an hour and 17 minutes. An unpatched Windows Server 2003 system lasted somewhat longer.
In contrast, unpatched Linux installations of both Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop were never compromised during their month-and-a-half exposure to attackers."
My first thought was that this makes perfect sense - now that MS is a competitor of Symantec, they're going to discredit them as much as they can.
But Symantec has known for ages that MS is pushing into their space. Maybe they had a Netscape-esque agreement with Symantec and maybe Symantec found new evidence that convinced them partnering with MS isn't the best way to go?
It *could* be as simple as an upper-management type listening to the feedback the last report got, but I haven't seen an icy weather forecast for Hell today.
(For those who missed the MS Anti-trust days: it was 'alleged' that when MS decided that the 'net was not just a fad and MS needed to throw all their resources into making IE the dominant browser, MS offered not to compete in Mac-space if they left the Windows market quietly. Netscape refused, MS bundled IE with windows, and the rest is history)
StartKeyLogger
another undocumented feature...
- http://www.milkme.co.uk
It seems almost disingenuous to "rethink" this so late. Of course it's more than a little irritating, it directly impacts the perceptions and usage levels of the competing browsers. It's kind of like yelling "fire" in a crowded theater, waiting until the resultant stampede kills many in the theater and then saying, "I'm rethinking this, and it looks as if there is no fire."
I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
I have seen IT managers getting upset because there were hundreds of bugs*.
Turned out all of them were because of ONE faulty thing.
I have seen bug reports of the form
1. pressing button A and then pressing button Y gets critical error.
2. pressing button B and then pressing button Y gets critical error.
3. pressing button C and then pressing button Y gets critical error.
etc etc
In other situations a manager was not upset, "there were only a few bugs*".
Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
Turned out fixing those few bugs took more than a month, while those 50 were 'fixed' within a week.
So my professional view is that bug-counting doesn't count, the correct question is:
how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)
* To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.
Welcome to 2 years ago. This new Firefox browser is pretty cool, eh?
I wonder if anyone ever took Symantec seriously when they made this claim. Most computer illiterate users wouldn't have even heard about Symantec saying this, and those that did (eg. Slashdot readers) would already know better. It's as if Symantec is in their own little universe where it seems as though everything incorrect is actually correct.
FTFS:
Mozilla has Bugzilla to keep track of its issues; MS is notorious for claiming bugs are in fact features.
Also, IMHO any security issue is 'critical'. Someone once said that MS's 'critical vulnerabilities' are security flaws that should never have made it past design stage.
Don't you just hate it when people reply to your signature?
"We have substantially tested Windows XP and have found the operating system to be completely bug free. Our tests were conducted in a time period of 1 minute, which contains 60 seconds. As all seconds are effectively the same, we can safely say that Windows XP will be safe for all future occurrences of seconds."
Task Mangler
I guess I'll have to "rethink" my reliance on any Symantec security program.
A company whose products, in all my years of computer maintenance, have overall caused me more problems than all the malware/viruses they were supposed to be fighting. Thanks for the heads up!
You're seriously telling me that Symantec just added up the number of times a flaw was labelled "critical" by the owning company of the product, and based their 'report' on that - wtf?
I mean, *I* could have done that. When I hear that one of the leading security companies has issued a report on the security of two competing products, I assume that they've actually evaluated those products, rather than just spat back the company literature.
My already little faith in the company that brought us Norton has sunk lower still.
With VISTA coming out, Symantec is going to obviously be pushing its own products for that platform.
I agree, so far - All companies will want in on Vista, even though just about anyone who has seen or used Vista already will stick with XP until at least the server version comes out...
However, expect them to do a 360 in six months again citing VISTA the most secure product ever, bar none.
Why?
Symantec makes software that improves your PC's safety against attacks. If they can point to a million and one critical flaws in Vista, it makes their product (or one like it) all the more necessary.
People will not, in general, flee to Linux just because Vista sucks (which it does, and hard). They might stick with XP (for which Symantec also makes the same set of products).
People also won't switch to a different AV suite for Vista. People use what they have always used, which largely means Norton/Symantec.
Oh shit I'm going to have to switch back now! Do you have any idea how long it took to get IE running on Linux?
Just use Konqueror. I'm sure 99.9% of malicious hackers haven't even heard of it!
Symantec used to make top notch products. When I recently was exposed to their client software again assisting friends, I was shocked to see that they now make the worst security suite. It is just completely unusable for customers. Their failure to even have their software work with Windows XP SP2 (and letting their customers take the problems, such as all programs but their own losing internet connectivity ...) is evidence that they, with their "platform play", are becoming increasingly at odds with Microsoft. If they were able to understand that at least until recently Microsoft have only provided basic functionality to help protect customers (such as the basic firewall and a central place to see security status) and that there is considerable space in which to provide superior technology, I might have believed some of their comments.
The way it stands now, I cannot possibly recommend their products nor their "advice".
Let's say that I wrote the world's most flawed web browser (Anger Browser 1.0), with several hidden RC functions and a welcome mat for specially scripted spyware installers. Yes, it has 500 more flaws than IE, but I only have an installed user base of two. Does this mean that my browser presents a higher risk than a browser with 100,000,000 users and one flaw?
All things the same, a flaw in IE presents a higher weighted risk than a browser with a fraction of the user base. Combining that with the relative ignorance of the average IE user, I say that a flaw in IE presents a much higher return to the bad guys than any other browser out there.
Since arguing the merits of one browser over another leads to no end, I hope this post would be somewhat refreshing to read.
Assuming a security measurement can sway users to switch from one browser to another, I propose the following measurement: multiply the number of vulnerabilities by market share, and call this the impact. At first glance, this is brutally unfair for IE, which continues to have the majority market share, but hear me out.
Let's make another assumption. Suppose all competing browsers have vulnerabilities that lead to the same outcome; then the likelihood that script kiddies choose one browser over another to exploit is more or less determined by the browser's market share. Every vulnerability adds to this likelihood. Therefore, in the end, we end up summing a browser's market share a number of times equal to the number of vulnerabilities for that browser. This is the same as multiplying the number of vulnerabilities by market share. The result is a measurement of insecurity impact.
What happens if we adopt measuring impact for insecurity?
Since Firefox is a minority in browser market share, it can afford to have more bugs and be relatively secure. Its most critical vulnerabilities have lower impact than IE's equivalent. Suppose users then decide to switch to Firefox. The increase in Firefox market share means its vulnerabilities have higher impact. At one point, it becomes less secure than IE, and users start to switch back. We go back and forth and eventually reach an equilibrium. If users are perfectly "browser elastic" (have no resistance to switching browsers), then at the equilibrium, market share is inversely proportional to the number of vulnerabilities for all browsers. Of course, in real life, things are never that simple, but let's keep things simple. It is good enough to point out that letting impact determine market share is more desirable than letting vulnerability count determine market share.
How can the impact score improve current measurement of security?
We all know that some vendors like to play the optimist game by purposely reducing the severity of a vulnerability or even hiding it. If a certain highly popular browser vendor wants to manipulate the impact score, it has to cheat a lot, and at one point this cheating will become painfully obvious. Hopefully, the risk of causing a scandal would limit the vendor's cheating to a degree that does not significantly vary the impact score.
I once had a signature.
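The impact model in the post above, worked through as an added example (not the poster's own code): impact = vulnerability count × market share, the closed-form "browser elastic" equilibrium where share is inversely proportional to vulnerability count, and a simulation of users shifting from the highest-impact browser to the lowest-impact one until impacts equalize. Vulnerability counts are the Opera/Firefox/IE figures quoted later in the thread; the starting market shares are assumed for illustration.

```python
from typing import Dict

# Flaw counts quoted later in this thread (Opera 8.x / Firefox 1.x / MS IE 6.x).
VULNS: Dict[str, int] = {"Opera 8.x": 13, "Firefox 1.x": 27, "MS IE 6.x": 77}
# Assumed starting market shares, constructed for illustration only.
START_SHARE: Dict[str, float] = {"Opera 8.x": 0.02, "Firefox 1.x": 0.10, "MS IE 6.x": 0.88}


def impact(vulns: Dict[str, int], share: Dict[str, float]) -> Dict[str, float]:
    """Insecurity impact as proposed in the post: vulnerabilities * market share."""
    return {b: vulns[b] * share[b] for b in vulns}


def equilibrium_share(vulns: Dict[str, int]) -> Dict[str, float]:
    """Closed form for perfectly elastic users: every browser ends up with equal
    impact, so share_i = (1/v_i) / sum_j (1/v_j), i.e. inversely proportional to v_i."""
    inv = {b: 1.0 / v for b, v in vulns.items()}
    total = sum(inv.values())
    return {b: x / total for b, x in inv.items()}


def simulate(vulns: Dict[str, int], share: Dict[str, float],
             tol: float = 1e-9, max_steps: int = 10000) -> Dict[str, float]:
    """Users leave the highest-impact browser for the lowest-impact one.
    Each step moves exactly enough share to equalize that pair's impact:
    v_w * (s_w - d) = v_b * (s_b + d)  =>  d = (v_w*s_w - v_b*s_b) / (v_w + v_b).
    The spread between max and min impact shrinks every step, so this converges
    to the closed-form equilibrium above."""
    share = dict(share)
    for _ in range(max_steps):
        imp = impact(vulns, share)
        worst = max(imp, key=imp.get)   # browser users are fleeing
        best = min(imp, key=imp.get)    # browser users are switching to
        if imp[worst] - imp[best] < tol:
            break
        d = (vulns[worst] * share[worst] - vulns[best] * share[best]) / (vulns[worst] + vulns[best])
        share[worst] -= d
        share[best] += d
    return share


if __name__ == "__main__":
    print("start impact:", impact(VULNS, START_SHARE))
    print("equilibrium: ", equilibrium_share(VULNS))
    print("simulated:   ", simulate(VULNS, START_SHARE))
```

At the assumed starting shares IE carries almost all the impact; at equilibrium the ordering of shares is the reverse of the ordering of flaw counts, which is the point the post makes.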
"Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
That's it! That's the secret to making bug-free software! Don't fix anything, then deny it's a bug! That's what I'm gonna do!
"Hey, this is a critical exploit!"
"No, it's not."
"Okay."
BRILLIANT!
On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.
What matters is whether the box has open ports or not. The system's security should be configured to account for the home user's non-patching.
Apple has. Their boxes, by default, have no open ports.
Ubuntu has. Their default install has no open ports.
No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.
The first step in security is to reduce the avenues of attack.
A trusted source would say:
But if Symantec said do these 5 simple things, and make sure your kids can do these 5 simple things (or keep them off the computer), then they'd be undermining the fear factor they count on to sell their bloated POS products (their corp. products don't seem that bad though.) Symantec's software will NOT keep a computer clean if the people using it don't use safe computing practices. At least Dell stopped bundling exclusively Symantec and McAfee products, which should save people some grief from having their security software break their computers.
"Too lazy to fail." - Heinlein
In short, the "bashing" is justified. If I, a humble geek, can figure out on my own that killing all of these unnecessary services can make the unpatched machine safer, then why can't the smart geeks at Microsoft? Why does the thing ship with so many services enabled? The average user does not know that there are "services" or how to kill them. For the average user, it is impossible to install and patch Windows without getting infected - that is a pretty damning security situation.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
They might stick with XP
Scratch that. They will stick with XP unless they buy a new computer with Vista already installed. You have no idea how many people I deal with on a given day that are still using Windows 98. I even come across people who think Windows 95 is the cat's meow. For most people, that shit is "good enough", so it's unlikely that people will jump en masse to Vista without some major incentive.
This poo is cold.
... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)
All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.
Opera 8.x had 13 flaws, 3 highly severe, 0 extremely severe;
Firefox 1.x had 27 flaws, 7 highly severe, 1 extremely severe;
MS IE 6.x had 77 flaws, 22 highly severe, 11 extremely severe.
It's still not apples to apples. (Time periods aren't the same, etc.)
I think the more important thing to note: all of the Opera flaws (to date) are fixed, there are still 2 open in Firefox, and 23 open in MS IE 6.x.
.. paranoid crackpot leftover from the days of Amiga.
This has to be the best troll ever. I feel like I am the moth, there is the flame, gonna die, can't turn back now, going in anyway! I think this is funny for two reasons. One, Symantec has no interest in securing anything but profits, and secondly, the fact that Symantec could make the "news" by publicly admitting something so obvious to most savvy consumers is all the proof I need that the joke is me. Expect Symantec to announce its Firefox browser bundle soon.
I understand, and by and large agree with, your thesis that humans are self-absorbed, self-interested beings. However, how would you interpret those individuals who have thrown themselves on hand grenades to save their platoon buddies from death? Death was virtually certain for these individuals, and there was some opportunity to escape from the situation with only minor or moderate injury, yet they chose to sacrifice themselves for their comrades. By the self-interest theory, it was an inappropriate decision, even if they considered the possibility of posthumous accolade, because they wouldn't be there to experience the reward.
Rather, I believe that people are able to rationally select a greater good, even if it brings personal harm. I'm not saying that most people actually do this on a regular basis, but the capability is there. On the other hand, I meet more and more people who meet the clinical definition of sociopaths, who truly are incapable of considering anything beyond themselves, and they are scary people.
"The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."
When asked if downloading music via P2P is 'stealing', respondents uniformly replied that it wasn't, so their downloads ceased being counted in MPAA music theft figures. The MPAA in a separate announcement stated it had no legal standing in current cases and withdrew all complaints and charges against all music 'sharers'.
See we can use corporate logic too!