Slashdot Mirror


Browser Vulnerability Study Unkind to Firefox

Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."

12 of 253 comments

  1. Version? by in2mind · · Score: 5, Interesting

    The Ars Technica article doesn't mention the version for any of the browsers they mention. When they say 47 bugs were discovered for Firefox, which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE. 6 or 7?

  2. Re:Consider this... by KDR_11k · · Score: 2, Interesting

    I'd say this is more due to the open nature of Firefox: when FF has a vulnerability it's discussed publicly, and vulnerabilities are easier to spot since it's open source. With other browsers you don't know how many vulnerabilities are found and patched behind the scenes, and they are much more difficult to find for outside observers.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.

  3. What do the numbers even mean? by Chris+Burke · · Score: 5, Interesting

    The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?

    I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.

    --

    The enemies of Democracy are
    1. Re:What do the numbers even mean? by jesterzog · · Score: 2, Interesting

      Totally. Pointless. Comparison.

      I think it'd be more correct to say it's an unfair and biased comparison than a pointless one. I know I'm being cynical, but the comparison is completely logical from a Symantec marketing perspective. (Well, that's what FUD is realistically.)

      In particular, Firefox is a web browser that doesn't have a reputation of needing external software to protect it. If more people use Firefox, it also increases the motivation for website developers to develop compatible websites, and this means that fewer people overall are tied to MSIE and Windows, which is where Symantec makes nearly all of its money. By making people think twice before shifting to Firefox, Symantec raises the likelihood that people will stay with MSIE, and people who use MSIE are more likely to use Symantec's software to protect their PCs.

      This is just another of Symantec's small contributions towards keeping as many people as possible on a single, unreliable platform that's more likely to be in need of third party security products.

  4. Re:Not so bleak by Himring · · Score: 2, Interesting

    Like the piece Symantec did last year -- I think it was -- on Firefox and security, it still stands. They have a vested interest in Firefox NOT being a solution for computer security. I take their reviews with a grain of salt...

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill

  5. ActiveX by AnalogDiehard · · Score: 4, Interesting

    ActiveX is IE's major vulnerability to drive-by downloads, covert spyware/adware installs, and malicious attempts to take over your computer. Because IE is the dominant browser, it is the target of most malicious coders.

    Firefox may have more vulnerabilities, but none of them are as dangerous as the ActiveX server in IE. The numeric comparison in TFA is not even half the truth.

    M$ won't patch a vulnerability in IE overnight - but look how fast they patched a hack to their WMP DRM.

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10

  6. Back to Netscape 4.77 by zitintheass · · Score: 1, Interesting

    Good old browser, refuses all the new CSS, XSS, DHTML spy junk.

  7. Perfect parallel to the question of Mac viruses by Anonymous Coward · · Score: 1, Interesting

    To those who discount the notion that Macs have no viruses due to market share, take note. Firefox's market share increases and boom! What do you know, it leads the pack in vulnerabilities. We could quite easily see the same thing for Mac in a few years. As an owner of 2 Macs, I certainly hope not, but I'm not gonna stick my head in the sand about it either.

    Nice job on the patch window, though. No company I know of could beat that!

  8. Salting the mine by Jerry · · Score: 2, Interesting

    In order to sell worthless mines some unscrupulous agents would put gold dust into a shotgun shell and shoot it at the wall of a mine. It doesn't take much dust to sparkle a lot and fool some folks into believing that the mine is more valuable than it really is.

    Symantec is doing much the same thing, for the same purpose, which is to encourage Linux/FireFox/FOSS users to buy their worthless anti-virus software.

    The "study" they cite conveniently forgets that the ONLY security holes that IE users KNOW about are the ones that MICROSOFT TELLS THEM ABOUT. History has taught us that many holes were known by Microsoft for months, and in some situations years, before they were publicly revealed, and many times NOT by Microsoft! The other thing that IE users DON'T KNOW is HOW LONG they have been vulnerable to those holes that Microsoft announces a patch for. FOSS applications, on the other hand, encourage PUBLIC announcements of any security discoveries, along with any proof of concept code that can be used to test the patch. Those that use FOSS applications can then take timely and appropriate measures to protect their PCs and their data until the patch is released, which is usually within a day or two. Windows users hang, twisting in the winds of vulnerability for months at a time or longer. In fact, some security holes are never patched and Microsoft serves its own bottom line by telling victims of their software to "upgrade", as if that would protect them. P.T. Barnum was right, you CAN fool some of the people ALL of the time.

    --

    Running with Linux for over 20 years!

  9. Re:LIES by Mistshadow2k4 · · Score: 2, Interesting

    There was a time when I would've agreed that was a possibility but I think those days are over. There's a great deal of tension between MS and Symantec right now, with Symantec being in a tizzy over Vista's security center. No, this is just self-serving; IE has more critical vulnerabilities than any other browser, yet they publish a misleading lower number of known vulnerabilities to get people to use it instead.

    --
    I dream of a better world... one in which chickens can cross roads without their motives being questioned.

  10. Just a quick question... by bronzey214 · · Score: 2, Interesting

    I didn't RTFA but does the FireFox count include any of the extensions?

    Not that I'm bashing FireFox at all, I love it, but I wonder how many exploitations lie within the extensions?

  11. Umm... were those FF and Opera vulns, or Windows ? by Anonymous Coward · · Score: 1, Interesting

    All that I recall (not that I pay rigorous attention these days, now that I'm running Linux) is some vulnerabilities that only affected Firefox or Opera users that happened to be running on Windows.

    Turned out that the browsers were passing on to the underlying OS code that they didn't recognise as being the browser's responsibility to handle. Which is exactly what they should do. If the OS was Linux, or BSD (or OS X?), that code got dropped instead of executed. If the OS happened to be Windows, well, Windows didn't care where it came from -- it just blindly executed any executable code it saw.

    The Mozilla and Opera dev teams added measures to block this -- but they made it clear that they didn't like being expected to make up for MS's shortcomings. Of course, this only took a day or two (the little delay there was came mainly from arguments over whether the Moz crew should add "special" code to the Windows-version code-base to cover MS's rear). MS of course took significantly longer to fix this.

    If there were other cases, not OS dependent, feel free to let me know.

    Bernard Swiss