Symantec Rethinks Firefox vs IE Vulnerabilities

chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seem they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

imagine that

profit motive = incentive to lie

I'm SHOCKED!

Re:imagine that

[causality]

(Why would someone tell the truth if they didn't believe it was in their best interest, i.e. for profit?)

I know this might come as a surprise to some of you, but there's a few strange individuals who have integrity, who do really strange things like telling the truth even when it may not be in their best interests. I suppose that might not fit into your worldview ...

So Symantec hates microsoft now??

[nich37ways]

I guess the latest TCO Microsoft is great checks failed to appear this week....

Surely it's just about potential for harm.

[91degrees]

Weakest point, and amount of possible damage.

If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.

Now, exactly how an easy to implement low impact and a hard to implement high impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the nuber of critical bugs.

OneCare

[ROOK*CA]

I wonder if Symantec's "rethinking" of it's position has anything to do with Microsoft Announcing a Competeing offering (OneCare Live), apparently Symantec will no longer just take Microsofts word whether a suspected flaw is actually a bug/vulnerability or not, Sorry Microsoft that ole "Naw, that's not a vulnerability, it's just an undocumented feature" doesn't look like it's going to fly anymore.

:D

A Scenario

[BumpyCarrot]

Symantec: Internet Explorer feasted on my childs bones.

Microsoft: We don't consider that critical.

But there's more...

[ABoerma]

I like the other part of TFA better:

"Windows XP Professional, said Symantec, stays safe just one hour and 12 seconds, while the Windows 2000 Server (with SP4) made it an hour and 17 minutes. An unpatched Windows Server 2003 system lasted somewhat longer.

In contrast, unpatched Linux installations of both Red Hat Enterprise Linux 3 and SuSE Linux 9 Desktop were never compromised during their month-and-a-half exposure to attackers."

Number of bugs means...

[plankrwf]

I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
I have seen IT managers getting upset because there were 100's og bugs*.
Turned out all of them were because of ONE faulty thing.

I have seen bug reports of the form
1. pressing button A and then pressing button Y gets critical error.
2. pressing button B and then pressing button Y gets critical error.
3. pressing button C and then pressing button Y gets critical error.
etc etc

In other situations a manager was not upset, "there were only a few bugs*".
Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
Turned out fixing those few bugs took more than o month, while those 50 were 'fixed' within a week.

So my professional view is that bug-counting doesn't count, the correct question is:
how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)

* To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.

Symantec tests windows xp

[Centurix]

"We have substatially tested Windows XP and have found the operating system to be completely bug free. Out tests were conducted in a time period of 1 minute, which contains 60 seconds. As all seconds are effectively the same, we can safely say that Windows XP will be safe for all future occurances of seconds."

Damn

[pHatidic]

Oh shit I'm going to have to switch back now! Do you have any idea how long it took to get IE running on Linux?

That's not exactly correct.

[khasim]

My guess is that there are more Windows oriented viruses/worms circulating the Internet.

"More" is correct. But the implication being that that is why the Linux boxes were not cracked is incorrect.

On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.

What matters is whether the box has open ports or not.

The take home message is "patch your system". We Slashdotters know better, but does the regular home user?

The system's security should be configured to account for the home user's non-patching.

Apple has. Their boxes, by default, have no open ports.
Ubuntu has. Their default install has no open ports.

No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.

The first step in security is to reduce the avenues of attack.

The tables have turned.

[babbling]

... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)

All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.