Slashdot Mirror


Browser Vulnerability Study Unkind to Firefox

Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."

15 of 253 comments

  1. Consider this... by KermodeBear · · Score: 3, Insightful

    FireFox is constantly adding new features. When you add new features, you open yourself up to bugs.

    IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.

    That said, I know which one will issue a bug fix more quickly when something IS found...

    --
    Love sees no species.
  2. Best part, no rebooting for patching... by mobiux · · Score: 4, Insightful

    Yes I use Windows.
    For most of the IE vulnerabilities, I have to reboot my computer to install it.

    Firefox is nice enough to download it and install it the next time I start the browser.
    And it does it more than the 2nd Tuesday of each month.

  3. Re:Truth to the market segment argument? by Nos. · · Score: 5, Insightful

    This article is pretty light. Sure, more vulnerabilities is bad, but it doesn't necessarily mean that more vulnerabilities is worse. Firefox is patched quicker, which is very important. Also, I don't see anything about the nature of these vulnerabilities. Are they all critical, your box is getting trojaned? Just comparing the pure numbers doesn't tell us much.

  4. How Vulnerable Vs. How Dangerous by ThinkFr33ly · · Score: 4, Insightful

    There is a big difference between how vulnerable a program is and how dangerous it is to use.

    The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.

    IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.

  5. How about measuring days of vulnerability by cryptoguy · · Score: 3, Insightful

    A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.

  6. And consider this, too... by KingSkippus · · Score: 5, Insightful

    Consider this, too:

    This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)

    But also consider this:

    Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and are just waiting for someone to figure out how to blow up?

    That's when you're really thankful of this:

    Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability.
  7. vulnerabilities threat level is key by darkchubs · · Score: 5, Insightful

    It's not the number of vulnerabilities, it's more about the severity of them. A cookie injection, or cross site scripting, is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less susceptible to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time, IE has one outstanding right now and "drive by downloads" of scum ware is booming in the last few weeks.

  8. Wrong Numbers by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

    This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec is 50 for Firefox and 57 for IE.

    If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make it seem like maybe Firefox is not more secure in practice are misleading and simply a way to get attention. I declare the summary here to be FUD.

  9. FUD by Chanc_Gorkon · · Score: 3, Insightful

    Let's think about this.....a report from an ANTI VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites......AND make you pay for it??

    --

    Gorkman

  10. Comparing Dogs and Foxes. by 140Mandak262Jamuna · · Score: 5, Insightful
    Let MSFT open its bug database to the public, the way bugzilla is open. Then we can count the vulnerabilities.

    And don't just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Don't care by Odin_Tiger · · Score: 3, Insightful

    I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
    Firefox: Rarely targeted, even for severe vulnerabilities. Nearly always fixed in a couple days, tops. Patched as soon as fix becomes available.
    IE: Always targeted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2 wks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over a half year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd party software, which needless to say is a dangerous thing to do institution-wide.

    --
    Unpleasantries.
  12. User base and source control by everphilski · · Score: 4, Insightful

    Vulnerabilities are directly proportional to user base and increase with access to source control.

    Opera has a low user base and is closed source. Therefore, few vulnerabilities. In short, no one cares.

    Firefox, on the other hand, has a moderate user base but the source code is right there, the vulnerabilities are ripe for the picking. Hence why the vulnerabilities are high but the turnaround time to fix them, also quick.

    IE, on the other hand: high user base, closed source. High vulnerabilities because of the high user base, but potential hackers have to work harder.

    Really, this study is a no-brainer. The results make perfect sense.

  13. Symantec Motive by blunte · · Score: 4, Insightful

    Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.

    More risk and more problems means Symantec has an easier time selling its services.

    --
    .sigs are for post^Hers.
  14. JC, mobs and mods by RingDev · · Score: 4, Insightful

    I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has fewer vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increased, so has the rate of vulnerability discovery.

    That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.

    So, the whole point I was hoping to provoke in conversation:

    Vulnerabilities Discovered != Vulnerabilities

    Increased Usage = Increased Vulnerabilities Discovered

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  15. Re:What do the numbers even mean? by this+great+guy · · Score: 4, Insightful

    (Here's what I was about to post, but you pretty much summed up my viewpoint. Before all, here is a direct link to this Symantec Internet Security Threat Report -- Volume X: September 2006 that is talked about.)

    It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

    Totally. Pointless. Comparison.

    First, as the Slashdot posting correctly points out, the window of vulnerability is much larger with IE. Microsoft is known for taking months to fix some vulns, and is taking longer and longer over the years.

    Second, what about the importance of these vulns? Was it 47 minor DoS for Firefox and 38 critical arbitrary code execution vulns for IE?

    Third, what about the methodology used to gather the vuln counts? The report always says "Source: Symantec Corporation", with no more information. Did they count Firefox security related bugs or security advisories? Did they count 1 Microsoft patch fixing N vulns as 1 or N vulns (too many studies make this mistake)?

    Fourth, what about silently fixed vulns in IE? Microsoft is known for secretly fixing vulns that are discovered internally, and of course they never talk about them in public. Symantec certainly did not count these.

    There are just too many reasons making virtually all studies comparing the number of security patches between 2 products useless. This one is no exception.
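Three of the comments above argue for measures other than a raw vulnerability count: days of exposure after disclosure (comment 5), a severity-weighted sum with a factor of 10 per level (comment 10), and counting by patch rather than by vulnerability so that one release fixing N issues is not counted N times (comment 15). The Python below is an added example that computes all three from the same advisory records; it is not code from the Slashdot thread or from the Symantec report. The browser names, advisory ids, release names, severities and dates are constructed sample data, and the four-level severity scale is an assumption made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Assumed four-level scale, lowest first. Each step up multiplies the weight by 10,
# as comment 10 proposes: "not critical" = 1, "low" = 10, "moderate" = 100, "critical" = 1000.
SEVERITY_LEVELS = ("not critical", "low", "moderate", "critical")


def severity_weight(level: str) -> int:
    """Weight of one vulnerability at the given severity level (10 ** level index)."""
    return 10 ** SEVERITY_LEVELS.index(level.lower())


@dataclass(frozen=True)
class Advisory:
    vuln_id: str                # constructed placeholder id, not a real CVE or bug number
    browser: str                # constructed browser name
    severity: str               # one of SEVERITY_LEVELS
    disclosed: date             # date the issue became public
    patched: Optional[date]     # date a fix shipped; None = still unpatched at the cutoff
    fix_release: Optional[str]  # release that fixed it; several vulns may share one release


def weighted_score(advisories: Iterable[Advisory]) -> int:
    """Severity-weighted sum (comment 10): one critical counts as 1000 non-critical."""
    return sum(severity_weight(a.severity) for a in advisories)


def exposure_days(advisories: Iterable[Advisory], as_of: date) -> int:
    """Total days users spent exposed after public disclosure (comment 5).

    An issue that is still unpatched accrues exposure up to the report cutoff `as_of`.
    """
    total = 0
    for a in advisories:
        end = a.patched if a.patched is not None else as_of
        total += max((end - a.disclosed).days, 0)
    return total


def patch_count(advisories: Iterable[Advisory]) -> int:
    """Number of distinct fix releases (comment 15: count one patch fixing N vulns as 1)."""
    return len({a.fix_release for a in advisories if a.fix_release is not None})


def summarize(advisories: Iterable[Advisory], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per-browser table: raw vuln count, distinct patches, weighted score, exposure days."""
    by_browser: Dict[str, List[Advisory]] = {}
    for a in advisories:
        by_browser.setdefault(a.browser, []).append(a)
    return {
        name: {
            "vulns": len(advs),
            "patches": patch_count(advs),
            "weighted": weighted_score(advs),
            "exposure_days": exposure_days(advs, as_of),
        }
        for name, advs in by_browser.items()
    }


# Constructed sample data: BrowserX has more, mostly minor, quickly fixed issues
# (two of them fixed by the same release); BrowserY has fewer but critical issues,
# one fixed after five weeks and one still open at the cutoff.
SAMPLE_ADVISORIES = [
    Advisory("X-0001", "BrowserX", "not critical", date(2006, 1, 10), date(2006, 1, 11), "X-1.0.1"),
    Advisory("X-0002", "BrowserX", "low", date(2006, 2, 1), date(2006, 2, 2), "X-1.0.2"),
    Advisory("X-0003", "BrowserX", "moderate", date(2006, 3, 5), date(2006, 3, 6), "X-1.0.3"),
    Advisory("X-0004", "BrowserX", "not critical", date(2006, 3, 5), date(2006, 3, 6), "X-1.0.3"),
    Advisory("Y-0001", "BrowserY", "critical", date(2006, 1, 10), date(2006, 2, 14), "Y-2006-02"),
    Advisory("Y-0002", "BrowserY", "critical", date(2006, 5, 1), None, None),
]
REPORT_CUTOFF = date(2006, 6, 30)  # constructed end of the reporting period

if __name__ == "__main__":
    for name, row in summarize(SAMPLE_ADVISORIES, REPORT_CUTOFF).items():
        print(name, row)
```

Run directly, it prints one row per browser. On this sample the raw count ranks BrowserX worse (4 vulnerabilities against 2), while the patch count (3 against 1), the weighted score (112 against 2000) and the exposure days (4 against 95) all rank BrowserY worse, which is the point the commenters make: the ranking depends entirely on which measure the study chose to report.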