Browser Vulnerability Study Unkind to Firefox
Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
What's this? Could it be an indication that there is some truth to the market segment correlation to vulnerabilities and attacks?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched. The most severe unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
Are you unkind when you tell the truth?
Maybe I'm prejudiced towards Firefox for not letting myself get blinded by numbers but.. from TFA: Looking at the data, it is apparent that one's choice of browser does not automatically confer invulnerability while surfing the web. Security through obscurity--which has been a popular strategy with some users--doesn't guarantee safety. That said, Internet Explorer remains the most popular target for attacks, with 69 percent of all browser attacks targeted specifically at that browser alone. 20 percent of the attacks monitored during the period in question were targeted at Firefox. When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.
my capcha was condom
FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.
IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.
That said, I know which one will issue a bug fix more quickly when something IS found...
Love sees no species.
It's not good to say they had more, and leave the implication they are less safe. If FF only leaves each one open for a day, they're still more secure than IE which leaves fewer open longer....
The pretty graph does show an increase in the number of vulnerabilities found between July 05 to December 05, and January 06 to June 06, but could this be because the number of users has also increased in that time? More users finding and reporting the bugs, or even a greater number of developers writing the code making it less manageable and secure?
Yes I use Windows.
For most of the IE vulnerabilities, I have to reboot my computer to install it.
Firefox is nice enough to download it and install it the next time I start the browser.
And it does it more than the 2nd Tuesday of each month.
If its icon isn't a clicky-clicky new shiny multi-colored latte-cup stack of glass-office wire-rimmed flowchart shapes (short description: a link to a windows program) it must be non-standard.
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
The Ars Technica article doesn't mention the version for any of the browsers they mention. When they say 47 bugs were discovered for Firefox, which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE. 6 or 7?
Wincopy
Have a look at Opera 9.x's advisory list :-)
If you get this, we're 10 of a kind.
This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.
IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.
Newsflash: Browsers that are actually used by large numbers of people have larger numbers of bugs found and exploited than browsers that are mostly ignored.
So it long seems obvious that these extremely complex and bloated browsers will *NEVER* be secure.
So what recourse do we have in Linux to deal with that? I'm saying 'screw the bloatware developers'.. Assume the worst about these apps and fix it in the OS via better security... But how?
There is a big difference between how vulnerable a program is and how dangerous it is to use.
The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.
IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.
Seriously dude.
Did you have an aneurysm in your language center or something?
A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.
I've taken to surfing from a copy of Opera running inside a VMWare virtual machine. If anything gets through (so far so good) I just go back to a clean snapshot. Nice to see my browser doing so good.
Consider this, too:
This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)
But also consider this:
Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?
That's when you're really thankful of this:
Seriously? You've never used Billywindows before? That's the whole reason people BUY new versions of Windows: so they can get the new light blue/yellow/lime green stack of little interconnected blocks icon that makes them feel like they are the Lawnmower man while they try to get their fucking video card installed.
It's all about the marketing.
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
I'll keep using Opera so that I don't have to defend my browser. :)
It's not the number of vulnerabilities, it's more about the severity of them. A cookie injection, or cross site scripting, is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less susceptible to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time, IE has one outstanding right now and "drive by downloads" of scumware are booming in the last few weeks.
It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.
This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.
If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make it seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get attention. I declare the summary here to be FUD.
I am so going to get modded down for this. But this is what I really feel. Before I go on I like firefox.
This is like Linux vs. Windows. Open source vs. closed source.
People say Windows has many holes. It's not that they have many holes, it's just people choose to find those holes in the OS over Linux because the majority of users use Windows. Linux could have more problems, it's just people don't care about Linux because most businesses use Windows.
Now what's happening is that more and more people are using Firefox and now people are beginning to search for problems with Firefox because a lot of people use it now. The truth now comes out that open source software can have just as many if not more problems than closed source.
The greatest revenge in life is massive success.
Firefox's code base did not suddenly get far worse. The change must come from more people paying attention.
Agreed, pretty meaningless without specifying the severity of the vulnerabilities and the time to get them patched.
Plus, to a pragmatic user, does it really matter why there are so few exploits in the wild? "Inherent" security won't pay for a format and reinstall. If you can browse safely, the only reason to pay attention to the "It's not popular enough to exploit" arguments is to stay alert as your browser gains market share.
Let's think about this.....a report from an ANTI VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites......AND make you pay for it??
Gorkman
And don't just count the "vulnerabilities". Give some weightings. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.
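The weighted sum proposed in the comment above, together with the "days of exposure" measure an earlier poster argued for, is easy to make concrete. The following is an added example, not code from the thread or from Symantec or Secunia; the severity levels follow the five-step Secunia scale that the thread quotes ("not critical" through "extremely critical"), the factor-of-10 weights are the commenter's suggestion, and the advisory data for the two browsers is constructed to show how raw counts, severity-weighted counts, and severity-weighted exposure can rank the same browsers differently.

```python
"""Severity-weighted vulnerability scoring (added example).

Three metrics over a list of advisories per browser:
  raw_count       - what the Symantec-style headline number reports
  weighted_count  - severity weight 1, 10, 100, ... summed per advisory
  exposure_score  - weight multiplied by days between disclosure and patch
"""
from dataclasses import dataclass

# Five-step scale as used by Secunia; the x10 step per level is the
# commenter's proposal, not a vendor-defined weighting.
SEVERITY_WEIGHT = {
    "not_critical": 1,
    "less_critical": 10,
    "moderately_critical": 100,
    "highly_critical": 1_000,
    "extremely_critical": 10_000,
}


@dataclass(frozen=True)
class Advisory:
    severity: str
    days_exposed: int  # days from public disclosure to available patch

    def weight(self) -> int:
        # Reject unknown severity labels rather than silently scoring them 0.
        if self.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity: {self.severity!r}")
        if self.days_exposed < 0:
            raise ValueError("days_exposed must be non-negative")
        return SEVERITY_WEIGHT[self.severity]


def raw_count(advisories: list[Advisory]) -> int:
    return len(advisories)


def weighted_count(advisories: list[Advisory]) -> int:
    return sum(a.weight() for a in advisories)


def exposure_score(advisories: list[Advisory]) -> int:
    # Severity-weighted "vulnerability-days": a critical hole left open for
    # a month counts far more than a minor one fixed the next day.
    return sum(a.weight() * a.days_exposed for a in advisories)


def rank(browsers: dict[str, list[Advisory]], metric) -> list[str]:
    """Browser names ordered from worst (highest metric) to best."""
    return sorted(browsers, key=lambda name: metric(browsers[name]), reverse=True)


# Constructed sample data: BrowserA has more advisories, all minor and
# patched in a day; BrowserB has fewer but more severe and slower patches.
SAMPLE = {
    "BrowserA": [
        Advisory("not_critical", 1),
        Advisory("not_critical", 1),
        Advisory("not_critical", 1),
        Advisory("less_critical", 1),
        Advisory("less_critical", 1),
    ],
    "BrowserB": [
        Advisory("less_critical", 9),
        Advisory("highly_critical", 9),
        Advisory("extremely_critical", 30),
    ],
}


def scorecard(browsers: dict[str, list[Advisory]]) -> dict[str, dict[str, int]]:
    return {
        name: {
            "raw": raw_count(advs),
            "weighted": weighted_count(advs),
            "exposure": exposure_score(advs),
        }
        for name, advs in browsers.items()
    }


if __name__ == "__main__":
    for name, scores in scorecard(SAMPLE).items():
        print(name, scores)
    print("worst by raw count:     ", rank(SAMPLE, raw_count)[0])
    print("worst by weighted count:", rank(SAMPLE, weighted_count)[0])
    print("worst by exposure:      ", rank(SAMPLE, exposure_score)[0])
```

On the constructed data the raw count ranks BrowserA worst, while both the weighted count and the exposure score rank BrowserB worst, which is the point the commenter is making: a headline count hides the distribution of severity and of time-to-patch.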
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Firefox is free. Not that no cost is an excuse for it to have vulnerabilities, but rather, why pay for something that's broken? Not that MS should get every bug out of IE before it ships, but it should catch more than it does now.
How can IE have a "nine-day window" for patching if patches only come out once a month?
What is the deal with characterizing Symantec as being "unkind" to Firefox? The fact is that Symantec came out with a report that identified more security bugs in Firefox than IE. Why the "sour grapes" attitude about saying that the report was unkind? The truth hurts? I use Firefox just like any other good citizen, and I've almost never used IE unless I had to, so I'm not a Microsoftie. I'm just so tired of all this bias in slashdot where anything against MSFT is good and anything against OSS is bad. That's just not the case, and all this bias in the headlines just serves to trivialize what slashdot is all about.
Grow up guys. If you want to bias all articles towards OSS and against MSFT, why don't you just change your slogan to "News for OSS Nerds". At least you'll be honest. As long as you attempt to portray yourself as a news aggregator that is relevant to all nerds, then keep the bias to your blogs.
As more people use a product, more people will try to find bugs in it. Opera has a low number of bugs because of that; phishers/spammers/"hackers" are not interested in wasting time on a low number of people, they prefer to aim at a larger percentage of net users. That's why IE has been so much attacked all these years, and Firefox is living this now too. But you can't compare the times that each one takes to patch their systems.
The knowledge is something that you learn. The experience is something that you earn. The rest, you can buy it.
I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
Firefox: Rarely targeted, even for severe vulnerabilities. Nearly always fixed in a couple days, tops. Patched as soon as fix becomes available.
IE: Always targeted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2wks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over a half year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd party software, which needless to say is a dangerous thing to do institution-wide.
Unpleasantries.
How much did M$ pay Symantec for that study!
It's a troll when you don't make ANY mention of what ANY of the bugs are.
Mr. Period: Nine is the one that's right by ten!
Nine: One day I will kill him. Then, I will be Ten.
So an open project where it would be extremely difficult to hide vulnerabilities has more publicly reported vulnerabilities than a closed project? And the number of known difficulties in the open project increases as interest in the project increases, more people get involved as users and developers, and more features are added? And where there is a culture of "the closed project has issues and it's not even worth reporting them because someone else already has"?
Ok, thanks, I guess that's something an intern might not have been able to tell me, maybe?
The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?
I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.
The enemies of Democracy are
As an example of this, just look at the tag on this article - 'fud'. There aren't any posts showing how it's FUD though.
Vulnerabilities are directly proportional to user base and increase with access to source control.
Opera has a low user base and is closed source. Therefore, few vulnerabilities. In short, no one cares.
Firefox, on the other hand, has a moderate user base but the source code is right there; the vulnerabilities are ripe for the picking. Hence why the vulnerabilities are high but the turnaround time to fix them is also quick.
IE, on the other hand, has a high user base and is closed source. High vulnerabilities because of the high user base, but potential hackers have to work harder.
Really, this study is a no-brainer. The results make perfect sense.
This is exactly what I thought when I read the article. Vulnerabilities aren't equal, even ignoring which browser is targeted more. Some vulnerabilities are quite difficult to exploit and might require someone to compromise the DNS lookups of a target, while other vulnerabilities you'd only have to visit a website with malicious code on it.
It'd be like grouping all crimes together between two cities. City A might have 150 incidents of shoplifting, but only 10 murders. City B might only have 100 incidents of shoplifting, but 30 murders. If you just add up the crime statistics it looks like City A is "worse" than City B with 150 crimes vs 130. But most people would be FAR more concerned about murders than shoplifting.
AccountKiller
' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability.
For the moment I started reading the summary, I was a bit concerned, 'till I got to the last line.. Now I'm not even going to bother to RTFA.
-=[ place
Firefox may have more vulnerabilities, but none of them are as dangerous as the ActiveX server in IE. The numeric comparison in TFA is not even half the truth.
M$ won't patch a vulnerability in IE overnight - but look how fast they patched a hack to their WMP DRM.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
"Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability." Well that settles that then.
Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.
More risk and more problems means Symantec has an easier time selling its services.
.sigs are for post^Hers.
The real question is what are the typical severities of the vulnerabilities, how quickly does the vendor respond, and how quickly are updates pushed to the user. All of these are factors in how vulnerable users of either browser are. In my personal opinion (which can probably be easily backed by a little further research) the Mozilla development team respond very quickly to severe vulnerabilities and Firefox updates itself automatically by default. On the other hand Microsoft often leaves users with nothing more than a workaround that severely degrades browser functionality (e.g. turning off JavaScript) for weeks or months at a time, and I would not directly compare Windows Update to the Firefox update system because I think many users, like me, turn off automatic updates from Microsoft and prefer to manage their updates manually, particularly in light of all the DRM and WGA updates that get forced down our throat these days.
There is probably also something to be said for the fact that the Firefox source code is public and readily available to security researchers, whereas the same research in Internet Explorer requires reverse engineering.
Of course, I don't think any of the other browsers have something like this going on. Automatic code analysis will turn up bugs for anyone, but nobody else makes the code so public.
PHEM - party like it's 1997-2003!
I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has less vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increase, so has the rate of vulnerability discovery.
That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.
So, the whole point I was hoping to provoke in conversation:
Vulnerabilities Discovered != Vulnerabilities
Increased Usage = Increased Vulnerabilities Discovered
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Hooray, the firefox fanboys are already out in force "OMG so what OSS RULES!!11"
Good old browser, refuses all the new CSS, XSS, DHML spy junk.
I understand that with Firefox, one can take the code, look through it, and find vulnerabilities and whatnot, but with other browsers whose code is not publicly available, like IE and Opera (At least it's my understanding that their source isn't available), don't you basically have to wait around until someone discovered a quirk and spreads knowledge of it?
I'm just wondering, I have no idea how this type of thing works, and the article was sparse on details. If anyone is in the know, please share.
One reason for the high number of recent Firefox security bug fixes (and fixes to come, I bet) is because a) it is open source and b) many people and companies are researching and analysing (because they can) the code base from a security point of view. For example, Coverity has been doing this for a while, and a few weeks ago Klocwork also published some preliminary analysis of the Mozilla codebase.
To top that off there are the old school tinkerers who just figure out weird ways to make things happen, and with popularity rising more of these people will target Firefox as well.
So I predict there will still be a pretty high number of vulnerabilities during the next year, but I would expect the numbers to start winding down as the tools have done their job and the new tinkerers have found the easier gotchas.
It will never get to perfect, though, so fast patching is still going to be key to staying as secure as possible.
I'm sure Microsoft will have ironed out all security problems with this version.
To those who discount the notion that Macs have no viruses due to market share, take note. Firefox's market share increases and boom! What do you know, it leads the pack in vulnerabilities. We could quite easily see the same thing for Mac in a few years. As an owner of 2 Macs, I certainly hope not, but I'm not gonna stick my head in the sand about it either.
Nice job on the patch window, though. No company I know of could beat that!
In order to sell worthless mines some unscrupulous agents would put gold dust into a shotgun shell and shoot it at the wall of a mine. It doesn't take much dust to sparkle a lot and fool some folks into believing that the mine is more valuable than it really is.
Symantec is doing much the same thing, for the same purpose, which is to encourage Linux/FireFox/FOSS users to buy their worthless anti-virus software.
The "study" they cite conveniently forgets that the ONLY security holes that IE users KNOW about are the ones that MICROSOFT TELLS THEM ABOUT. History has taught us that many holes were known by Microsoft for months, and in some situations years, before they were publicly revealed, and many times NOT by Microsoft! The other thing that IE users DON'T KNOW is HOW LONG they have been vulnerable to those holes that Microsoft announces a patch for. FOSS applications, on the other hand, encourage PUBLIC announcements of any security discoveries, along with any proof of concept code that can be used to test the patch. Those that use FOSS applications can then take timely and appropriate measures to protect their PCs and their data until the patch is released, which is usually within a day or two. Windows users hang, twisting in the winds of vulnerability for months at a time or longer. In fact, some security holes are never patched and Microsoft serves its own bottom line by telling victims of their software to "upgrade", as if that would protect them. P.T. Barnum was right, you CAN fool some of the people ALL of the time.
Running with Linux for over 20 years!
How is this study 'unkind'?
Firefox had 47 vulnerabilities. Yes, it's MORE than any other browser, but they were fixed in the shortest amount of time as well.
How does the fast patch turnover reflect negatively on Mozilla?
Opera once again kicks major behind! Now tell me again why this over-hyped piece of garbage **cough cough cough cough FIRECRAP cough cough cough** gets so much attention when an obviously superior (and now completely free) browser exists **cough cough OPERA cough cough**
Come on dudes, have you seen what happens after installing some Symantec so-called protections? They make a super PC perform like an old wreck. They are incompetents and just fear people installing anything decently secure because they know their crap is removed immediately after.
While the data gathered in the study will undoubtedly be used to support various "product X is more secure than product Y" claims, I believe it's fundamentally impossible to soundly arrive at such a conclusion, ever. The reason is that there may always be bias in your input, and it's impossible to know this bias.
How many people were trying to find bugs in each product? How do the skills of the people looking for holes in one product compare to the skills of the people finding holes in the other products? What is the severity of the discovered holes, and how was that determined? How many vulnerabilities of currently unknown kinds exist in each of the products? How does the number of discovered vulnerabilities relate to the number of vulnerabilities actually present? Is more vulnerabilities discovered (and fixed) a good or a bad sign?
Please correct me if I got my facts wrong.
I may be missing something here, but Firefox has a large public database of all known Firefox bugs. Opera and IE have no such system. They are comparing the known (Firefox bugs) to the unknown (IE and Opera bugs).
Like a poster before me mentioned:
Who knows how many vulnerabilities are actually present in IE or Opera. They are both closed source, proprietary apps. There could be thousands and we would never know it, unless some enterprising young soul decides to reverse engineer them both, and publicize the results (and risk getting sued into oblivion doing so).
Now, to get to the meat of why IE vulnerabilities will always be more dangerous than Firefox, Safari, etc combined:
Those idiots in Redmond integrated it into the OS with Ring0 access. IE7, same problem. They obviously have learned very little. IE is a straight vector into hosing/controlling the entire OS.
So, I take these advisory report scores with a grain of salt. There is simply no way to confirm that a proprietary app will ever be free of vulnerabilities, especially if it is tied directly into the OS.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
Symantec should worry about the vulnerabilities in their own garbage software before taking the time and money to run such a study, which is probably about as accurate as a norton virus scan.
I didn't RTFA but does the FireFox count include any of the extensions?
Not that I'm bashing FireFox at all, I love it, but I wonder how many exploitations lie within the extensions?
When the Firefox push started, I told people "don't kid yourself, Firefox will have just as many vulnerabilities as IE". When people started using it and telling me I was "missing out" by sticking with Safari, I told them, "it doesn't matter, one is as secure as the other".
You see, licensing models don't make software secure. Not-Microsoft doesn't make software secure. Only competent programmers and a ruthless ability to say 'no' to new features will even begin to make Firefox secure. There's nothing that indicates the pool of programmers who contribute to firefox is any better than any other group of programmers. In fact I'd imagine it's *below* average. Firefox is a bloated, insecure browser. Most software is bloated and insecure, why on earth would firefox be different?
Sure, you have "faster patch turnaround", which is basically worthless. It's like your doctor telling you that you have cancer, "but hey, only one round of chemo!".
As long as we have the mentality that "no software is secure", we're not going to get a secure browser. So please, stop pretending otherwise. And please stop defending Firefox.. it doesn't deserve it, and you don't know what else is lurking in that source code.
Well, the security aspect is clear when you compare Firefox against IExplorer. I'd bet with those guys from Symantec on whether they can open some Brazilian bank sites with IE and stay cool. Or open some Astalavista searches.
The question is: how many people got spyware/adware/viruses while browsing with each of them?
People can point out that Firefox, being open source, makes it easier to find vulnerabilities. But I really believe there are countless more vulnerabilities in IE and the general public doesn't know them because of the "Tuesday patch": black hats know several more vulnerabilities, but no one else knows them, exactly because they aren't being sploited (yet). Once a new patch is unveiled, those sploits go to the wild and people would need to wait for another month to have an official patch.
>you box is getting trojaned?
That sounds like a line from a really bad movie, one of those where all the male actors have moustaches.
Nostalgia's not what it used to be.
Symantec has come out with vulnerability "studies" before that lambasted Firefox, which they ended up retracting. So now they come out and do it all over again. Sorry Symantec, I'm not buying it. You're trying to sell me security software, so it's not in your best interest to tell me that my browser is secure, because then I won't need YOU to make it that way.
This is coming from the makers of Norton, the number ONE Windows resource hog on the market today. Of course they're not going to tell you you're safe.
What this tells us, if anything, is that software will always have vulnerabilities, and that the number of vulnerabilities found seems to be proportional to the popularity of the software amongst non-technical users (and thus, the majority of software users).
Now, it can be implied that it indicates poor software development and overall poor software quality coming out of the Mozilla Foundation. But I think this would simply be conjecture. While it is certainly statistically true, there's a larger picture to look at.
Internet Explorer has been mostly static now for years; it hasn't seen any major development until recently (and that software isn't even what's being looked at here). Firefox, on the other hand, has been improving - adding new features, fixing complaints, and generally trying to come up with a better product. This is going to result in a higher number of security-problematic pieces of code - face it, people aren't perfect, and the only way to mitigate (not eliminate!) this realistically is to slow development to a standstill. Even then there would not be a guaranteed reduction in vulnerabilities, partially due to chance and oversight, and partially due to the large repository of existing code which it would have to interact with.
Furthermore, Firefox and Mozilla are just edging into the public consciousness, whereas Internet Explorer has had a technological hegemony on the desktop as the browser now for almost a decade (in various versions). This means it's going to start receiving more scrutiny, both from malicious, malevolent folks, as well as from the benevolent security professionals. A higher detection rate is a natural result of this.
It's a double-edged sword. More detections are being made, resulting in more vulnerable systems. This is a natural state in computing, as computing innately involves security these days. There will always be risk involved. The significant thing to look at is how quickly these problems are being resolved, and how many resurgent problems there are (i.e., they weren't properly resolved). I would argue that the presented statistical information is irrelevant without further, more in-depth analysis in this regard.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
First it was fud, then it was notfud, then it was notnotfud, and now it's notnotnotfud! God I hate that acronym now...
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
If Firefox is less secure than IE, why do I get bombed whenever I use IE, but it never happens with FF? Could this study be a little biased, or perhaps too theoretical?
I know that my sample size of 1 makes me not statistically valid, but it is accurate for me.
Everybody knows 3 people with my name.
Indeed, and to make things worse, all four of them were displayed simultaneously. This caused me high levels of mental anxiety as I was unable to decipher what I'm supposed to think of TFA, so I tagged it fudge.
Mmmmmm, fudge...
Let Internet Explorer submit its source code to Symantec and see how many they find.
Pure numbers of vulnerabilities mean nothing. What matters is the breakdown of the vulnerabilities. For example, Secunia reports that 21% of Firefox vulnerabilities are critical, i.e. may allow remote access. The same number for IE is 56% (this is for 2006).
This means that IE has more than twice the number of vulnerabilities leading to a complete system compromise than Firefox.
More info here:
http://secunia.com/product/11/?task=statistics_20
I can't help but wonder if the Qt GUI toolkit has helped Opera be among the top few browsers, as well as the other factors involved (small user base, closed source). Is that possible?
"it's not about aptitude, it's the way you're viewed" - Galinda
The report is available at http://www.symantec.com/enterprise/threatreport/index.jsp
It never fails to amaze me that slashdotters tend to post news stories rather than the source.
Both Microsoft and Firefox find security bugs in their own software from time to time. However, they differ widely in what they will do once they find out this information.
Unless Microsoft sees that someone else knows the bug, they won't release a patch. They will fix it in the source tree for the next major release, but they will not release a patch for the current version. They do this because when they release a patch, security researchers, both good and bad, will do a "BinDiff" and find out what exploit they've fixed. Bad people will then use that bug on unpatched users. If a bug isn't externally rediscovered before the release of the next major version, it's kept secret forever. You can't bindiff major releases, because there are too many changes.
Firefox, in contrast, will generally release a patch for the current version, even if only the Firefox security team knew about it.
Under these circumstances, of course Firefox will have more listed exploits.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
And it's not like this is a new idea; the original Morris Worm was cross-platform (Solaris and BSD on DEC hardware). That one had to actually make several network connections to a system, trying a different payload each time.
But a web browser, it will make multiple connections for you, and download multiple attack payloads for you. Isn't that convenient?
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Ok, first let me say that I'm a happy Firefox user.
That said, it would be interesting to see some data on how many Firefox fixes have introduced new vulnerabilities. If the number is substantial, then would more time testing fixes be a wise thing to do, or would it not make much of a difference?
Firefox lives out in the open, has been extensively audited by a huge number of different people, not to mention the bunch of automated bug hunt tool makers who have combed the code. Internet Explorer, on the other hand, is patched with hidden patches all lumped together. Ever wondered why there always seem to be more holes found by virus makers than are reported after Patch Tuesday? Not to mention all those unpatched holes that have dragged on for as long as possible, only to be fixed in the next version?
All MS patching is about is limiting the statistical number of patches. Security is at the bottom of the priority list.
But then again, people do seem to be stupid enough to go for these publicity stunts, so maybe it's time for Mozilla to start cooking the books?
HTTP/1.1 400
That Firefox is direct competition to Symantec (Anti)Virus and their internet suite.
If there were not enough bugs in Firefox, they would have made some up, because they have a solution for all IE bugs, and then some.
And mods, this is not flamebait, thank you for understanding.
One advantage Opera has is that they manage to coordinate advisory releases and bug fixes. It's rare that someone announces a security vulnerability in Opera before the updated version is out.
This probably means that most vulnerabilities in Opera are found internally, or reported straight to Opera by researchers. At that point Opera works on a bug fix, then releases the update and the advisory together.
By contrast, many vulnerabilities for Microsoft and Mozilla products get posted to Bugtraq or otherwise announced to the world, sometimes even before MS/Moz is notified. Almost certainly, more people are looking for holes in IE and Firefox than in Opera. And Mozilla has the open-source philosophy which lends itself to people who lean toward full disclosure. With Microsoft, I'm sure there's a trust issue: people want to make sure they don't sit on it for a year, so they make it public.
From that, you can deduce that most researchers who find vulnerabilities in Opera trust them to fix the problem quickly.
So how "safe" is Konqueror, or does it suffer from the same flaws as Safari?
The way to deal with that, I've found, is to ask follow-up questions on the forums. If you keep track of the bug report numbers, it's even better.
I reported a couple of CSS bugs back during the betas for Opera 8. Nothing happened. So during the Opera 9 betas, I posted questions about them, asked about other bugs I encountered, and funny thing, every layout bug I asked about was fixed by the time Opera 9 final came out.
Admittedly, your comment adds a second component (source control), so it's better than some of the arguments I've seen, but...
Does anyone else appreciate the irony inherent in the fact that some Firefox users claim that Opera only appears more secure because fewer people use it, and therefore fewer users encounter problems and fewer attackers look for them?
It wasn't that long ago that IE users were making the same claim about Firefox. I seem to recall the argument wasn't terribly popular among this crowd.
> Show fud and !notfud to door
;-)
Impressed with your obvious genius at having both fud and !notfud, the door opens.
(With apologies to everyone who's ever played the HHGTTG Infocom game...)
Could be worse. Could be McAfee. You can run, configure, and update Norton Antivirus or even Norton Internet Security without loading a web browser. McAfee actually relies on IE -- and IE specifically -- to handle parts of its interface, including the updater. In fact, some of the early IE7 betas actually broke the McAfee updater.
Yes, those posts are old, but a co-worker of mine just installed the latest version of McAfee on his computer last week, and it does still use IE internally.
I don't know about you, but I think relying on one of the most notoriously insecure pieces of software to handle updates for a security program doesn't sound like the greatest idea since sliced bread.
I'm proud to say that I'm one of those users in Europe who use Opera. Opera 9 rocks!
;)
Not because it's secure and has fewer vulnerabilities, but because it's the fastest, most intelligent and innovative browser there is. And it also runs on a lot of different operating systems.
But you already knew; you just don't run it.
1) Who would trust SYMANTEC after the SONY rootkit fiasco?
2) Surprise, surprise. As F-Fox gains market share, a company whose main product is security software suddenly finds that the browser is not as secure as you would expect (i.e. it needs their product).
I sense an opportunity for conflict of interest here. It certainly wouldn't do Symantec's business any good if they came out and said, "After an exhaustive audit we have determined that vulnerabilities in F-Fox are so minor, and fixed so quickly, you don't need our product," now would it?
I get to be the smug Opera user. I loves me my Opera. It's like a nicely configured install of Firefox with all of those neat plugins, except it does it right out of the box.
It's not unkind. RTFA.
It says that Firefox has more new bugs discovered, but the bugs get fixed nine times as quickly as those of IE.
There was no significant bias towards OSS software. "Unkind" is commonly used in reasonably neutral journalism, in similar contexts, all the time. If you are really desperate to find something biased about this headline, you might comment on how it focuses on Firefox over IE. IE has the largest user base, yet it was Firefox that the study focuses on. However, that gets ripped to shreds when you consider that only roughly a quarter of /.ers actually use IE.
It seems that all you are really doing is looking for an excuse to bash OSS enthusiasts. Grow up, get a life.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Bugs hide other bugs. Firefox's fast bug fix turnaround means that more bugs get found. We don't see more Internet Explorer bugs, because we keep seeing the same old ones over and over.
Don't blame me, I didn't vote for either of them!
If you look up the MS definition of "critical", it's very carefully worded. I don't remember exactly, but there's a reason I grab Windows Updates which are not critical. Apparently, programs crashing, your entire system crashing, or massive data loss is not considered "critical" by MS.
Granted, it likely won't matter so much for a browser, but I suspect that if such a database were open, definitions would get twisted even more. If Firefox didn't similarly twist "critical" to mean "will instantly assimilate you into a botnet", we'd still have wrong numbers.
What we need are endorsements from respected people in the security community. Former IE developers, crypto specialists, Bruce Schneier, etc.
(Yes, Bruce Schneier gets a category of his own.)
Don't thank God, thank a doctor!
I think there's a plugin for that.
This is a strange cross-point between Linux and Windows for me right now. I use Vista and Fedora Core, and while FC has SELinux and great configuration control to do things like what you describe... Vista comes with all that set by default in IE7+ (called Protected Mode). Any time you need to open another program from within IE, there's a prompt asking you if you want to allow once, allow always, deny once, or deny always. Any time you download a file, it goes into Temporary Internet Files first, and is copied to the location you specify after downloading (while being nearly identical in interface to IE6). Vista's capability to escalate a program's permissions while the program is running is what makes this possible; XP (which lacks this ability - I think it's a significant kernel modification) cannot use Protected Mode even with IE7.
There's no place I could be, since I've found Serenity...
Once again someone has performed a quantitative study and produced quantitative results and decided "well who cares about the qualitative side of things?!?!?". QUICK SOMEONE CALL THE FLAME BRIGADE!
Repeat after me: Raw numbers do not statistics make.
Where's the impact analysis? Where's the clustering, or at least categorisation? 38 remote-root exploits certainly are "more" than 47 minor-nuisance bugs in any sense except pure quantity.
Then there's the multi-platform thing and all the other fine details these paid-for "statistics" regularly ignore.
Oh yes, and that Firefox has actually got some new features (which are prone to contain bugs) during the past 2 years while IE has been stagnant.
And you know what? Even if after considering everything Firefox were to turn out more buggy than IE, I'd still prefer it.
Assorted stuff I do sometimes: Lemuria.org
All that I recall (not that I pay rigorous attention these days, now that I'm running Linux) is some vulnerabilities that only affected Firefox or Opera users that happened to be running on Windows.
Turned out that the browsers were passing on to the underlying OS code that they didn't recognise as being the browser's responsibility to handle. Which is exactly what they should do. If the OS was Linux, or BSD (or OS X?), that code got dropped instead of executed. If the OS happened to be Windows, well, Windows didn't care where it came from -- it just blindly executed any executable code it saw.
The Mozilla and Opera dev teams added measures to block this -- but they made it clear that they didn't like being expected to make up for MS's shortcomings. Of course, this only took a day or two (the little delay there was came mainly from arguments over whether the Moz crew should add "special" code to the Windows-version code-base to cover MS's rear). MS of course took significantly longer to fix this.
If there were other cases, not OS dependent, feel free to let me know.
Bernard Swiss
When I was using IE + OE, my computer was full of problems. When I switched to Firefox + Thunderbird, the problems have gone away.
I am sure that a simple statistic like X versus Y vulnerabilities does not say much. The problem is not only quantitative, but also qualitative.
Removing their crap isn't as easy as you mention. It's a virus all by itself: possible, but very hard (or at least a lot of work) to remove completely. Of course, at the same time, I would not want a virus to remove my anti-virus software easily, so that might be the explanation.
This is possibly a Good Thing (tm). Let's stop being so cocky about Firefox, and admit that IE is good too. And let's get a 4-5 browser market out there; this will lessen the impact of a vulnerability on any one of them, and encourage competition between them.
Atheism is a non-prophet organisation
There must be a reason why Firefox is more vulnerable than IE... Most users now prefer to use IE rather than Firefox, even though Firefox offers many advantages, such as allowing users to surf the Internet safer and faster, and displaying the Internet the way that it was intended to be. Firefox also gives users more web page viewing space so that they can see more than they would with other browsers. But why do users still prefer to use IE...??? Still waiting for the answer...
I've been using Firefox and IE for more than a year, but I found that Firefox performed admirably compared to IE. I've experienced a little bit of bugginess here and there when using Firefox - but on the whole it's been just fine, certainly good enough for full-time use. But it has really shone (as has the Mozilla Project as a whole, actually) in the area of privacy and security.