Slashdot Mirror


Symantec Rethinks Firefox vs IE Vulnerabilities

chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seems they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor-acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

39 of 214 comments

  1. imagine that by Anonymous Coward · · Score: 5, Funny

    profit motive = incentive to lie

    I'm SHOCKED!

    1. Re:imagine that by Anonymous Coward · · Score: 3, Interesting

      Of course, the two concepts are completely unrelated, when one realizes that lying doesn't occur because the liar decided that lying was NOT in his best interest. Lying occurs because the liar, at the time, decided it would benefit him somehow. In other words, in order to profit. (Profit doesn't have to be measured in raw dollars, but can take the form of anything which an individual considers to benefit him.) Therefore, all lying is an attempt to profit, just like all truth telling is an attempt to profit. (Why would someone tell the truth if they didn't believe it was in their best interest, i.e. for profit?) People do things because they believe, at least at that moment, that those things are in their best interest.

      So there is no more connection between lying and profit than truth-telling and profit. D'oh!

    2. Re:imagine that by causality · · Score: 5, Insightful
      (Why would someone tell the truth if they didn't believe it was in their best interest, i.e. for profit?)

      I know this might come as a surprise to some of you, but there's a few strange individuals who have integrity, who do really strange things like telling the truth even when it may not be in their best interests. I suppose that might not fit into your worldview ...
      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:imagine that by LouisZepher · · Score: 3, Insightful

      What he means is that you'd be telling the truth in order to profit from that warm fuzzy feeling of having "done the right thing". In cases such as that, however, I don't think it's a bad thing at all; even if society gets to the point where everyone is doing "the right thing" only to get that warm fuzzy feeling, it wouldn't change the fact that the right thing was getting done and everyone walks away happy.

    4. Re:imagine that by tyme · · Score: 4, Insightful
      some nitwit of an anonymouse coward wrote:
      Human nature tells us that an individual can't possibly make a decision against what he sees as his best interests

      Complete bullshit, people do all sorts of things that are completely irrational, because at the moment that they did them they couldn't think straight (due to emotion, intoxication, haste, etc.). In a moment of irrational exuberance (or panic) a person is at least as likely to act against their own best interests (whether we are talking monetary, psychological or even physical) as they are not to. This is the sort of circumstance in which a person might jump into a freezing cold river to save a drowning person or run into a burning house to save a person calling for help, even though rational thought would tell them that they are far more likely to perish themselves than to effect a successful rescue.

      While this sort of action might benefit the species or society or the genome, it is clearly detrimental to the individual, and can't be reconciled with some naive notion of pure utility and self-interest. Simply put, the absurd notion that people always act in some manner to maximize some intellectual goal (profit, moral integrity, etc.) depends upon the notion that people always act rationally. Since it is clear that people don't always act rationally (in fact, many people seem to act irrationally most of the time), the proposition fails on its own premises.

      --
      just a ghost in the machine.
    5. Re:imagine that by killjoe · · Score: 4, Insightful

      People with integrity can't run big businesses. If a person with integrity starts a business and runs it ethically it will never get past the small to medium business range. Unethical people will always outcompete you because there is so much profit in sleaze.

      So really there are no people of integrity (in charge) in a company with more than 100 employees.

      --
      evil is as evil does
    6. Re:imagine that by Anonymous Coward · · Score: 3, Funny

      Given that IE is a far more mature code base than Firefox (version 6 versus version 1.5) I would expect IE to be far more secure than Firefox. The fact that more people use IE causes more security flaws to be found anyway since more people look for flaws in it.

      Plus, IE doesn't use the page renderer to handle the user interface like Firefox does - that's already bitten Firefox several times and doubtlessly will continue to as people find ways to jump from "unsafe" content to "chrome" content.

    7. Re:imagine that by hey! · · Score: 3, Insightful

      People with integrity can't run big businesses. If a person with integrity starts a business and runs it ethically it will never get past the small to medium business range. Unethical people will always outcompete you because there is so much profit in sleaze.

      Oh, I don't think that is true at all. Ask people about Bill Hewlett, and they'll tell you he was a great engineer who was fanatical about treating his employees with respect. Although ethics issues have arisen in some of Berkshire Hathaway's insurance subsidiaries, nobody has anything but stellar things to say about Warren Buffett's personal integrity and of course business acumen.

      The thing is, these guys are rare combinations of technical genius, organizational ability, and personal insight -- what they call these days "emotional intelligence". Most entrepreneurs fall short in one or more areas, and so bluster, pretense, and faking of results is common. With a bit of luck and a sense of timing, these guys may achieve a measure of success. Nonetheless, while you can never predict how chance may affect the outcome of the best laid plans, in a one-to-one contest of entrepreneurship, I'd put my money on Warren Buffett against a guy whose main qualification is that he's willing to lie and cheat.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. So Symantec hates microsoft now?? by nich37ways · · Score: 5, Funny

    I guess the latest TCO Microsoft is great checks failed to appear this week....

    --
    37 - what does it stand for really...
  3. It took them by colonslashslash · · Score: 4, Funny

    Over 6 months to realise and admit that? Nice going ...

    --
    She's built like a steak house, but she handles like a bistro....
  4. Surely it's just about potential for harm. by 91degrees · · Score: 5, Insightful

    Weakest point, and amount of possible damage.

    If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

    If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.

    Now, exactly how an easy-to-implement, low-impact attack and a hard-to-implement, high-impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the number of critical bugs.
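
    The comparison this post argues for, as an added example that is not part of the original thread: two constructed flaw lists are ranked once by the count of vendor-acknowledged "critical" flaws (the method the article describes) and once by the single worst flaw's impact and generality. The impact scale is a constructed policy table, which is exactly the subjective part the post acknowledges.

```python
# Added example (not from the original thread): rank two constructed browser
# flaw lists by worst-case impact and attack generality instead of by the
# count of vendor-acknowledged "critical" flaws.
from dataclasses import dataclass

# Constructed impact scale; higher is worse.  This ordering is the policy
# choice the post calls subjective, so it is kept in one place.
IMPACT_RANK = {"info_leak": 1, "file_read": 2, "file_delete": 3, "code_exec": 4}


@dataclass(frozen=True)
class Flaw:
    name: str
    impact: str            # key into IMPACT_RANK
    generic: bool          # exploitable without any knowledge of the victim
    vendor_critical: bool  # did the vendor label it "critical"?


def vendor_critical_count(flaws):
    """The criticised method: count only flaws the vendor called critical."""
    return sum(1 for f in flaws if f.vendor_critical)


def worst_case_score(flaws):
    """Score a product by its single worst flaw as (impact rank, generic).

    Tuples compare lexicographically, so impact decides first and a generic
    attack breaks ties, matching the post's 'generic beats targeted' rule.
    """
    if not flaws:
        return (0, False)
    return max((IMPACT_RANK[f.impact], f.generic) for f in flaws)


def _less_secure(name_a, score_a, name_b, score_b):
    if score_a == score_b:
        return "tie"
    return name_a if score_a > score_b else name_b


def compare(name_a, flaws_a, name_b, flaws_b):
    """Return which product each method rates as less secure."""
    return {
        "by_vendor_count": _less_secure(
            name_a, vendor_critical_count(flaws_a),
            name_b, vendor_critical_count(flaws_b)),
        "by_worst_case": _less_secure(
            name_a, worst_case_score(flaws_a),
            name_b, worst_case_score(flaws_b)),
    }


# Constructed sample data; names, counts and labels are illustrative only.
BROWSER_A = [
    Flaw("read-1", "file_read", True, True),
    Flaw("read-2", "file_read", True, True),
    Flaw("read-3", "file_read", False, True),
]
BROWSER_B = [
    # One deletion bug that the vendor declined to label critical.
    Flaw("delete-1", "file_delete", True, False),
]

if __name__ == "__main__":
    print(compare("A", BROWSER_A, "B", BROWSER_B))
```

    Counting vendor-acknowledged criticals names A (three to zero); the worst-case rule names B, because its one unacknowledged flaw deletes files and needs no knowledge of the victim.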

    1. Re:Surely it's just about potential for harm. by syntaxglitch · · Score: 4, Insightful

      If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

      This isn't necessarily true. For instance, if the files that can be read include ones with, say, credit card information, wouldn't it be better to have those deleted (you can always re-enter the info to order online) than to have the information read without your knowledge and let someone else charge to your credit card?

      The basic point you're making is quite correct, though.

  5. OneCare by ROOK*CA · · Score: 5, Interesting

    I wonder if Symantec's "rethinking" of its position has anything to do with Microsoft announcing a competing offering (OneCare Live). Apparently Symantec will no longer just take Microsoft's word on whether a suspected flaw is actually a bug/vulnerability or not. Sorry Microsoft, that ole "Naw, that's not a vulnerability, it's just an undocumented feature" doesn't look like it's going to fly anymore.

    :D

    1. Re:OneCare by brian0918 · · Score: 4, Insightful

      Of course they're connected; there's no other possibility. Listening to Symantec's opinion on this would be like asking Philip Morris for an opinion on the link between cigarettes and lung cancer. So, how long until MS OneCare starts getting flagged as malicious spyware by Norton, or vice versa?

    2. Re:OneCare by ROOK*CA · · Score: 4, Funny

      So, how long until MS OneCare starts getting flagged as malicious spyware by Norton, or vice versa?

      LOL, Great Point, I can see it now "Symantec Client Security Has Detected A Serious Vulnerability On Your Computer Click OK to Uninstall ..... Microsoft Office" :D

      Great way to drive pay-per-incident Technical Support too.

      "Personal Security Suite Wars 2006 Coming to a Windows PC Near You."

    3. Re:OneCare by ntsucks · · Score: 4, Interesting

      Perhaps the Symantec marketing trolls have embarked on a subtle campaign to undermine the general public's trust in Micro$oft's ability to deliver secure products. Basically a "Who do you trust?" positioning of themselves against OneCare Live. Strange as it may seem, Joe Six Pack probably does not have the Slashdot crowd's contempt for Micro$oft's ability to deliver secure products, thus leaving some room for Symantec to discredit them.

      --
      Those who can do. Those who can't sue.
    4. Re:OneCare by sqlrob · · Score: 4, Informative
    5. Re:OneCare by Dehumanizer · · Score: 3, Informative

      Almost there.

      Joe Sixpack believes all software is from Microsoft. In fact, they invented computers, ya know.

      --
      The Tlog - a technology blog
    6. Re:OneCare by chill · · Score: 4, Funny

      LOL, Great Point, I can see it now "Symantec Client Security Has Detected A Serious Vulnerability On Your Computer Click OK to Uninstall ..... Microsoft Office" :D

      You were modded funny, only because "prophetic" isn't a legitimate mod. Actually, McAfee beat them to it. Their virus update sigs on Friday, March 10th classified MS Excel as a virus.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
    7. Re:OneCare by burnin1965 · · Score: 3, Insightful

      "Perhaps the Symantec marketing trolls have embarked on a subtle campaign to undermine the general public's trust in Micro$oft's ability to deliver secure products"

      I suspect there is little public trust in the security of Microsoft's products that is worth undermining. Most people have been beaten into submission and have simply accepted their fate of dealing with the maladies which accompany Microsoft's products. At the same time everyone has also accepted that open source offerings are much more secure than Microsoft products but are beyond their technical skills.

      It is more likely that the Symantec marketing trolls are merely attacking their new enemy, Microsoft. Before, the enemy was open source because of its public perception as a secure solution that does not need Symantec services; now Microsoft is the enemy because they are competing directly with Symantec. By scaring people away from products which don't require Symantec's services by refuting widespread beliefs, they hoped to maintain their market of installed Microsoft products which require their service, but now their greatest risk is that of losing their market directly to Microsoft.

      I'm with you in that Symantec's sudden change of heart concerning the security of IE versus Firefox appears rather disingenuous and loaded with ulterior motives, but I doubt there is a general feeling of trust between Microsoft and their customers which Symantec needs to break. Symantec is merely adding fuel to a long raging fire of mistrust of Microsoft and a perception of a need for protection against Microsoft's security failures. One could hardly say the negative perception of security in Microsoft's products is undeserved; to the contrary, they made the mess they are in, but that doesn't mean that Symantec is suddenly devoid of malice towards Microsoft these days.

      It is also possible that the people at Symantec are truly printing what they believe to be the truth; it's always good to give people the benefit of the doubt, but it does seem rather suspicious considering the circumstances.

      burnin

  6. How can you trust them? by putko · · Score: 3, Insightful

    How can you trust these guys with your security?

    They make some b.s. statements that just aren't founded in logic, or in a reasonably cynical view of how people/companies behave. The result is that they suggest you do the ridiculous, with your security (not theirs). Then they (for whatever reason) say something else.

    I'm not even suggesting that they "came to their senses", but perhaps, for one reason or another, decided that Microsoft was not their friend anymore (or maybe firefox is their friend now).

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
    1. Re:How can you trust them? by spiritraveller · · Score: 4, Insightful

      How can you trust these guys with your security?

      No sane person would. By their own admission, it is clear that they gave a blank check to Microsoft. Whatever their motive for doing that, it shows a lack of devotion to the stated goal of their products.

      If a company wants my money for securing my computers, they better show some integrity that doesn't shift depending on how their relationship with the bigger company is going that day.

  7. A Scenario by BumpyCarrot · · Score: 5, Funny

    Symantec: Internet Explorer feasted on my child's bones.

    Microsoft: We don't consider that critical.

    --
    Do you see what I did there?
  8. But there's more... by ABoerma · · Score: 5, Interesting

    I like the other part of TFA better:

    "Windows XP Professional, said Symantec, stays safe just one hour and 12 seconds, while the Windows 2000 Server (with SP4) made it an hour and 17 minutes. An unpatched Windows Server 2003 system lasted somewhat longer.

    In contrast, unpatched Linux installations of both Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop were never compromised during their month-and-a-half exposure to attackers."

    1. Re:But there's more... by DanteLysin · · Score: 4, Insightful

      So if you are a noob and don't patch your systems, you get by longer on Linux than Windows. No surprise there. My guess is that there are more Windows oriented viruses/worms circulating the Internet. The take home message is "patch your system". We Slashdotters know better, but does the regular home user?

  9. Not too surprising by enigma48 · · Score: 4, Interesting

    My first thought was that this makes perfect sense - now that MS is a competitor of Symantec, they're going to discredit them as much as they can.

    But Symantec has known for ages that MS is pushing into their space. Maybe they had a Netscape-esque agreement with Symantec and maybe Symantec found new evidence that convinced them partnering with MS isn't the best way to go?

    It *could* be as simple as an upper-management type listening to the feedback the last report got, but I haven't seen an icy weather forecast for Hell today.

    (For those who missed the MS Anti-trust days: it was 'alleged' that when MS decided that the 'net was not just a fad and MS needed to throw all their resources into making IE the dominant browser, MS offered not to compete in Mac-space if they left the Windows market quietly. Netscape refused, MS bundled IE with windows, and the rest is history)

  10. Oi norton... by djsmiley · · Score: 4, Interesting

    StartKeyLogger

    another undocumented feature...

    --
    - http://www.milkme.co.uk
  11. Number of bugs means... by plankrwf · · Score: 5, Insightful

    I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
    I have seen IT managers getting upset because there were 100s of bugs*.
    Turned out all of them were because of ONE faulty thing.

    I have seen bug reports of the form
    1. pressing button A and then pressing button Y gets critical error.
    2. pressing button B and then pressing button Y gets critical error.
    3. pressing button C and then pressing button Y gets critical error.
    etc etc

    In other situations a manager was not upset, "there were only a few bugs*".
    Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
    Turned out fixing those few bugs took more than a month, while those 50 were 'fixed' within a week.

    So my professional view is that bug-counting doesn't count, the correct question is:
    how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)

    * To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.

    1. Re:Number of bugs means... by mav[LAG] · · Score: 3, Interesting

      This reminds me of a friend of mine who used to be a professional game tester for an EA dev team near where I live. Although somewhat looked down upon, testers are actually a terribly important part of the game dev process. If you're looking for budget to save, look somewhere else.

      Nobody told that to the manager. For the next project my friend was given absolutely nothing to work with - no design docs, no resources, no source code, no debug version, no reporting sheets - zip. Just a crappy PC with - occasionally - the latest build on. All his requests for the basic tools to let him do his job properly went unheeded. So he started filing bug reports via email like this:

      To: Developers
      Subject: Game is broken - fix it

      To: Developers
      Subject: Game crashes - needs to be fixed

      To: Developers
      Subject: Game broken - needs fixing

      He was quickly provided with the tools he needed :)

      --
      --- Hot Shot City is particularly good.
  12. Hi Symantec by babbling · · Score: 3, Insightful

    Welcome to 2 years ago. This new Firefox browser is pretty cool, eh?

    I wonder if anyone ever took Symantec seriously when they made this claim. Most computer illiterate users wouldn't have even heard about Symantec saying this, and those that did (e.g. Slashdot readers) would already know better. It's as if Symantec is in their own little universe where it seems as though everything incorrect is actually correct.

  13. Symantec tests windows xp by Centurix · · Score: 5, Funny

    "We have substantially tested Windows XP and have found the operating system to be completely bug free. Our tests were conducted in a time period of 1 minute, which contains 60 seconds. As all seconds are effectively the same, we can safely say that Windows XP will be safe for all future occurrences of seconds."

    --
    Task Mangler
  14. Seriously? by user24 · · Score: 3, Insightful

    You're seriously telling me that Symantec just added up the number of times a flaw was labelled "critical" by the owning company of the product, and based their 'report' on that - wtf?

    I mean, *I* could have done that. When I hear that one of the leading security companies has issued a report on the security of two competing products, I assume that they've actually evaluated those products, rather than just spat back the company literature.

    My already little faith in the company that brought us Norton has sunk lower still.

  15. Damn by pHatidic · · Score: 5, Funny

    Oh shit I'm going to have to switch back now! Do you have any idea how long it took to get IE running on Linux?

    1. Re:Damn by psocccer · · Score: 3, Funny
      Do you have any idea how long it took to get IE running on Linux?

      About 10 minutes? I run ie5.5 and ie6 under wine setup by this installer script so I can check web stuff without having to fire up qemu. And yes I know you were just kidding :p

  16. That's not exactly correct. by khasim · · Score: 5, Insightful
    My guess is that there are more Windows oriented viruses/worms circulating the Internet.
    "More" is correct. But the implication being that that is why the Linux boxes were not cracked is incorrect.

    On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.

    What matters is whether the box has open ports or not.
    The take home message is "patch your system". We Slashdotters know better, but does the regular home user?
    The system's security should be configured to account for the home user's non-patching.

    Apple has. Their boxes, by default, have no open ports.
    Ubuntu has. Their default install has no open ports.

    No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.

    The first step in security is to reduce the avenues of attack.
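
    One way to check the "no open ports by default" claim on a Linux box, as an added example that is not from the thread: the script below parses text in the layout of `ss -tln` (the sample output here is constructed) and reports every TCP listener bound to something other than a loopback address, i.e. the ports a scanner on the network could actually reach.

```python
# Added example (not from the original thread): report listening TCP sockets
# that are reachable from the network, meaning bound to a non-loopback address.
# Input is text in the layout printed by `ss -tln` on Linux.

LOOPBACK_V4_PREFIX = "127."
WILDCARDS = {"0.0.0.0", "::", "*"}   # "listen on every interface"


def _split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); handles '[::]:22' and '*:80'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def is_network_reachable(addr):
    """True if a listener bound to addr accepts connections from other hosts."""
    if addr in WILDCARDS:
        return True
    if addr == "::1" or addr.startswith(LOOPBACK_V4_PREFIX):
        return False
    return True  # a specific, non-loopback interface address


def exposed_listeners(ss_output):
    """Parse `ss -tln` text; return [(addr, port)] for network-reachable listeners."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not in LISTEN state.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = _split_endpoint(fields[3])  # "Local Address:Port" column
        if is_network_reachable(addr):
            exposed.append((addr, port))
    return exposed


# Constructed sample in the `ss -tln` layout: sshd on all interfaces, cupsd
# and a database bound to loopback only.  Only the sshd rows should be reported.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096         127.0.0.1:631          0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
LISTEN  0       4096             [::1]:631             [::]:*
LISTEN  0       151          127.0.0.1:3306         0.0.0.0:*
"""

if __name__ == "__main__":
    # On a real host: pipe `ss -tln` into this script instead of the sample.
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"network-reachable listener: {addr} port {port}")
```

    An install that matches the Ubuntu claim in the post produces an empty list; anything it prints is a service worth disabling, firewalling or re-binding to loopback before the box goes on the network unpatched.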
  17. Re:Why didn't you post the next paragraph... by MightyYar · · Score: 3, Insightful
    It is important to point out how vulnerable an unpatched version is. I - like many other /.'ers - am my family's PC support. I also - like many /.'ers - have learned the hard way to keep the PC unplugged from the network until it is patched. This makes things very rough when I'm at a home with only one PC, but you apparently can mitigate your risk by killing most of the processes running on the machine before launching Windows Update.

    In short, the "bashing" is justified. If I, a humble geek, can figure out on my own that killing all of these unnecessary services can make the unpatched machine safer, then why can't the smart geeks at Microsoft? Why does the thing ship with so many services enabled? The average user does not know that there are "services" or how to kill them. For the average user, it is impossible to install and patch Windows without getting infected - that is a pretty damning security situation.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  18. The tables have turned. by babbling · · Score: 5, Insightful

    ... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)

    All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.

  19. I can't believe I am going to reply to this but... by Lightzout · · Score: 3, Interesting

    This has to be the best troll ever. I feel like I am the moth, there is the flame, gonna die, can't turn back now, going in anyway! I think this is funny for two reasons. One, Symantec has no interest in securing anything but profits, and secondly, the fact that Symantec could make the "news" by publicly admitting something so obvious to most savvy consumers is all the proof I need that the joke is me. Expect Symantec to announce its Firefox browser bundle soon.

  20. Hand grenades? by gstovall · · Score: 3, Insightful

    I understand, and by and large agree with, your thesis that humans are self-absorbed, self-interested beings. However, how would you interpret those individuals who have thrown themselves on hand grenades to save their platoon buddies from death? Death was virtually certain for these individuals, and there was some opportunity to escape from the situation with only minor or moderate injury, yet they chose to sacrifice themselves for their comrades. By the self-interest theory, it was an inappropriate decision, even if they considered the possibility of posthumous accolade, because they wouldn't be there to experience the reward.

    Rather, I believe that people are able to rationally select a greater good, even if it brings personal harm. I'm not saying that most people actually do this on a regular basis, but the capability is there. On the other hand, I meet more and more people who meet the clinical definition of sociopaths, who truly are incapable of considering anything beyond themselves, and they are scary people.