Browser Vulnerability Study Unkind to Firefox
Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
What's this? Could it be an indication that there is some truth to the market segment correlation to vulnerabilities and attacks?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched. The most severe unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
Maybe I'm prejudiced towards Firefox for not letting myself get blinded by numbers, but... from TFA: Looking at the data, it is apparent that one's choice of browser does not automatically confer invulnerability while surfing the web. Security through obscurity--which has been a popular strategy with some users--doesn't guarantee safety. That said, Internet Explorer remains the most popular target for attacks, with 69 percent of all browser attacks targeted specifically at that browser alone. 20 percent of the attacks monitored during the period in question were targeted at Firefox. When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.
my captcha was condom
FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.
IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.
That said, I know which one will issue a bug fix more quickly when something IS found...
Love sees no species.
The pretty graph does show an increase in the number of vulnerabilities found between July 05 to December 05 and January 06 to June 06, but could this be because the number of users has also increased in that time? More users finding and reporting the bugs, or even a greater number of developers writing the code, making it less manageable and secure?
Yes I use Windows.
For most of the IE vulnerabilities, I have to reboot my computer to install it.
Firefox is nice enough to download it and install it the next time I start the browser.
And it does it more than the 2nd Tuesday of each month.
The Ars Technica article doesn't mention the version for any of the browsers they mention. When they say 47 bugs were discovered for Firefox, which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE: 6 or 7?
Wincopy
Have a look at Opera 9.x's advisory list :-)
If you get this, we're 10 of a kind.
This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.
IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.
There is a big difference between how vulnerable a program is and how dangerous it is to use.
The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.
IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.
A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.
I've taken to surfing from a copy of Opera running inside a VMWare virtual machine. If anything gets through (so far so good) I just go back to a clean snapshot. Nice to see my browser doing so good.
Consider this, too:
This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)
But also consider this:
Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?
That's when you're really thankful of this:
Seriously? You've never used Billywindows before? That's the whole reason people BUY new versions of Windows: so they can get the new light blue/yellow/lime green stack of little interconnected blocks icon that makes them feel like they are the Lawnmower man while they try to get their fucking video card installed.
It's all about the marketing.
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
It's not the number of vulnerabilities, it's more about the severity of them. A cookie injection or cross-site scripting is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less susceptible to the serious system-risk-level attack than IE, with no "known" arbitrary execution exploits at this time; IE has one outstanding right now, and "drive-by downloads" of scumware are booming in the last few weeks.
It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.
This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.
If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory Firefox is more secure, but attempts like this to twist numbers to make it seem like maybe Firefox is not more secure in practice are misleading and simply a way to get attention. I declare the summary here to be FUD.
> Newsflash: Browsers that are actually used by large numbers of people have larger numbers of bugs found and exploited than browsers that are mostly ignored.
Newsflash: Bloated applications with developers more interested in adding features than fixing bugs are more easily exploitable.
Firefox's code base did not suddenly get far worse. The change must come from more people paying attention.
Agreed, pretty meaningless without specifying the severity of the vulnerabilities and the time to get them patched.
Plus, to a pragmatic user, does it really matter why there are so few exploits in the wild? "Inherent" security won't pay for a format and reinstall. If you can browse safely, the only reason to pay attention to the "It's not popular enough to exploit" arguments is to stay alert as your browser gains market share.
Let's think about this... a report from an ANTI-VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites... AND make you pay for it??
Gorkman
Well, if being kind means not telling the truth, then sure. Unkind doesn't necessarily mean the opposite of kind, just that it wasn't kind. Like 'ungood' doesn't mean 'bad.' Double plus ungood probably does though.
A guilty conscience means at least you've got one.
And don't just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Firefox is free. Not that no cost is an excuse for it to have vulnerabilities, but rather, why pay for something that's broken? Not that MS should get every bug out of IE before it ships, but it should catch more than it does now.
How can IE have a "nine-day window" for patching if patches only come out once a month?
What is the deal with characterizing Symantec as being "unkind" to Firefox? The fact is that Symantec came out with a report that identified more security bugs in Firefox than IE. Why the "sour grapes" attitude about saying that the report was unkind? The truth hurts? I use Firefox just like any other good citizen, and I've almost never used IE unless I had to, so I'm not a Microsoftie. I'm just so tired of all this bias in slashdot where anything against MSFT is good and anything against OSS is bad. That's just not the case, and all this bias in the headlines just serves to trivialize what slashdot is all about.
Grow up guys. If you want to bias all articles towards OSS and against MSFT, why don't you just change your slogan to "News for OSS Nerds". At least you'll be honest. As long as you attempt to portray yourself as a news aggregator that is relevant to all nerds, then keep the bias to your blogs.
As more people use a product, more people will try to find bugs in it. Opera has a low number of bugs because of that; phishers/spammers/"hackers" are not interested in wasting time on a low number of people, they prefer to aim at a larger percentage of net users. That's why IE has been attacked so much all these years, and Firefox is living this now too. But you can't compare the times that each one takes to patch their systems.
The knowledge is something that you learn. The experience is something that you earn. The rest, you can buy it.
I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
Firefox: Rarely targeted, even for severe vulnerabilities. Nearly always fixed in a couple of days, tops. Patched as soon as a fix becomes available.
IE: Always targeted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2 weeks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over half a year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd-party software, which needless to say is a dangerous thing to do institution-wide.
Unpleasantries.
It's a troll when you don't make ANY mention of what ANY of the bugs are.
Mr. Period: Nine is the one that's right by ten!
Nine: One day I will kill him. Then, I will be Ten.
The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously, to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in Bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?
I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.
The enemies of Democracy are
From The Ars Technica article:
It seems like Mozilla developers are quite interested and skilled in fixing bugs to me.
What a fool believes, he sees, no wise man has the power to reason away.
Same procedure as always, running it with an account that doesn't have write rights to the OS or your userdata?
Justice is the sheep getting arrested while an impartial judge declares the vote void.
Vulnerabilities are directly proportional to user base and increase with access to source control.
Opera has a low user base and is closed source. Therefore, few vulnerabilities. In short, no one cares.
Firefox, on the other hand, has a moderate user base but the source code is right there; the vulnerabilities are ripe for the picking. Hence why the vulnerabilities are high but the turnaround time to fix them is also quick.
IE, on the other hand: high user base, closed source. High vulnerabilities because of the high user base, but potential hackers have to work harder.
Really, this study is a no-brainer. The results make perfect sense.
Use a security model like SELinux (or maybe AppArmor, not sure what it's capable of though), and make it so your browser is only able to write to areas it needs to (say ~/.$browser and /tmp/$user/$browser), and doesn't have permission to execute any other programs (or make a whitelist of what it can). It could also be set up so that the browser doesn't have permission to read any files except stuff in the directories it's allowed to write in. Pretty much the worst-case scenarios that could happen then are:
1.) All your browser's data is trashed (such as bookmarks, history, saved passwords, etc.)
2.) Your browser's info is stolen (again history, bookmarks, saved passwords, etc.)
3.) Your browser just dumps a crapload of data in the directories it can write to and fills up all space available (solvable by limiting how much data the individual app can write, etc.).
Multilayered security is generally the best option, though it's harder to set up.
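The confinement described in the post above, written out as an AppArmor profile. This is an added example, not code from the post or any distribution's shipped profile; it assumes the browser is a real executable at /usr/bin/firefox (not a wrapper script), keeps its profile in ~/.firefox, and uses /tmp/<user>/firefox as scratch space.

```apparmor
# Hypothetical /etc/apparmor.d/usr.bin.firefox (added example, not a shipped profile).
# Assumptions: /usr/bin/firefox is the actual binary, its data lives in ~/.firefox,
# scratch files go under /tmp/<user>/firefox. A confined profile is default-deny:
# anything not listed (the rest of $HOME, any other program) is refused and logged.
#include <tunables/global>

/usr/bin/firefox {
  # Shared libraries, DNS resolution, fonts and the X socket (read-only system files).
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The browser and its install tree: read and mmap only, never write.
  /usr/bin/firefox mr,
  /usr/lib/firefox/** mr,

  # The two writable areas the post names. 'owner' restricts this to files
  # owned by the user running the browser. 'k' allows the profile lock file.
  owner @{HOME}/.firefox/ rw,
  owner @{HOME}/.firefox/** rwk,
  owner /tmp/*/firefox/ rw,
  owner /tmp/*/firefox/** rwk,

  # Already denied by default; listed so attempts show up in the audit log.
  # 'deny' takes priority over any allow rule, so keep these outside allowed globs.
  audit deny @{HOME}/.ssh/** rw,
  audit deny @{HOME}/.gnupg/** rw,

  # Outbound TCP is the browser's job; nothing here grants raw sockets.
  network inet stream,
  network inet6 stream,

  # No exec rule at all means no helper program can be launched (the post's
  # "no permission to execute any other programs"). To allow-list one, add e.g.:
  #   /usr/bin/xdg-open PUx,
}
```

Load it with `apparmor_parser -r` and watch the kernel log while browsing normally; each logged denial is either a gap to add to the profile or exactly the behaviour the post wants stopped.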
This is exactly what I thought when I read the article. Vulnerabilities aren't equal, even ignoring which browser is targeted more. Some vulnerabilities are quite difficult to exploit and might require someone to compromise the DNS lookups of a target, while for other vulnerabilities you'd only have to visit a website with malicious code on it.
It'd be like grouping all crimes together between two cities. City A might have 150 incidents of shoplifting, but only 10 murders. City B might only have 100 incidents of shoplifting, but 30 murders. If you just add up the crime statistics it looks like City A is "worse" than City B with 150 crimes vs 130. But most people would be FAR more concerned about murders than shoplifting.
AccountKiller
"Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
From the moment I started reading the summary, I was a bit concerned, till I got to the last line... Now I'm not even going to bother to RTFA.
-=[ place
Firefox may have more vulnerabilities, but none of them are as dangerous as the ActiveX server in IE. The numeric comparison in TFA is not even half the truth.
M$ won't patch a vulnerability in IE overnight - but look how fast they patched a hack to their WMP DRM.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
"Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability." Well that settles that then.
Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.
More risk and more problems means Symantec has an easier time selling its services.
.sigs are for post^Hers.
Of course, I don't think any of the other browsers have something like this going on. Automatic code analysis will turn up bugs for anyone, but nobody else makes the code so public.
PHEM - party like it's 1997-2003!
I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has fewer vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increased, so has the rate of vulnerability discovery.
That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.
So, the whole point I was hoping to provoke in conversation:
Vulnerabilities Discovered != Vulnerabilities
Increased Usage = Increased Vulnerabilities Discovered
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Good old browser, refuses all the new CSS, XSS, DHTML spy junk.
I understand that with Firefox, one can take the code, look through it, and find vulnerabilities and whatnot, but with other browsers whose code is not publicly available, like IE and Opera (At least it's my understanding that their source isn't available), don't you basically have to wait around until someone discovered a quirk and spreads knowledge of it?
I'm just wondering, I have no idea how this type of thing works, and the article was sparse on details. If anyone is in the know, please share.
To those who discount the notion that Macs have no viruses due to market share, take note. Firefox's market share increases and boom! What do you know, it leads the pack in vulnerabilities. We could quite easily see the same thing for Mac in a few years. As an owner of 2 Macs, I certainly hope not, but I'm not gonna stick my head in the sand about it either.
Nice job on the patch window, though. No company I know of could beat that!
In order to sell worthless mines some unscrupulous agents would put gold dust into a shotgun shell and shoot it at the wall of a mine. It doesn't take much dust to sparkle a lot and fool some folks into believing that the mine is more valuable than it really is.
Symantec is doing much the same thing, for the same purpose, which is to encourage Linux/FireFox/FOSS users to buy their worthless anti-virus software.
The "study" they cite conveniently forgets that the ONLY security holes that IE users KNOW about are the ones that MICROSOFT TELLS THEM ABOUT. History has taught us that many holes were known by Microsoft for months, and in some situations years, before they were publicly revealed, and many times NOT by Microsoft! The other thing that IE users DON'T KNOW is HOW LONG they have been vulnerable to those holes that Microsoft announces a patch for. FOSS applications, on the other hand, encourage PUBLIC announcements of any security discoveries, along with any proof-of-concept code that can be used to test the patch. Those that use FOSS applications can then take timely and appropriate measures to protect their PCs and their data until the patch is released, which is usually within a day or two. Windows users hang, twisting in the winds of vulnerability for months at a time or longer. In fact, some security holes are never patched and Microsoft serves its own bottom line by telling victims of their software to "upgrade", as if that would protect them. P.T. Barnum was right, you CAN fool some of the people ALL of the time.
Running with Linux for over 20 years!
Oh, no, the "security through obscurity" argument again on *nix and Windows. May I ask what OS you think is most popular for servers? What OS was the internet built on? By your logic, there would be as many viruses attacking *nix-type OSes because most servers are running those OSes. But there's not. If you were right, sites would be going down all the time, since *nix is supposed to be as vulnerable to malware as Windows. Imagine Google going down at least once a week! Or Slashdot, for that matter. But that doesn't happen that often, does it? If *nix OSes were as vulnerable to malware as Windows, the internet likely would be at the level now that it was in the mid-90s, if it hadn't been abandoned altogether since they couldn't keep the servers running. Or do you think script-kiddies and crackers only want to bother home and business users?
People who keep spouting this ignorant argument need to actually learn about computers and computing history. If you did you'd see just how wrong this nonsense is. Yet you see this spiel everywhere.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
There was a time when I would've agreed that was a possibility but I think those days are over. There's a great deal of tension between MS and Symantec right now, with Symantec being in a tizzy over Vista's security center. No, this is just self-serving; IE has more critical vulnerabilities than any other browser, yet they publish a misleading lower number of known vulnerabilities to get people to use it instead.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
come on dudes, have you seen what happens after installing some symantec so called protections? they make a super pc perform like an old wreck. They are incompetents and just fear people installing anything decently secure because they know their craps are removed immediately after.
While the data gathered in the study will undoubtedly be used to support various "product X is more secure than product Y" claims, I believe it's fundamentally impossible to soundly arrive at such a conclusion, ever. The reason is that there may always be bias in your input, and it's impossible to know this bias.
How many people were trying to find bugs in each product? How do the skills of the people looking for holes in one product compare to the skills of the people finding holes in the other products? What is the severity of the discovered holes, and how was that determined? How many vulnerabilities of currently unknown kinds exist in each of the products? How does the number of discovered vulnerabilities relate to the number of vulnerabilities actually present? Is more vulnerabilities discovered (and fixed) a good or a bad sign?
Please correct me if I got my facts wrong.
I may be missing something here, but Firefox has a large public database of all known Firefox bugs. Opera and IE have no such system. They are comparing the known (Firefox bugs) to the unknown (IE and Opera bugs).
Like a poster before me mentioned:
Who knows how many vulnerabilities are actually present in IE or Opera. They are both closed source, proprietary apps. There could be thousands and we would never know it, unless some enterprising young soul decides to reverse engineer them both, and publicize the results (and risk getting sued into oblivion doing so).
Now, to get to the meat of why IE vulnerabilities will always be more dangerous than Firefox, Safari, etc combined:
Those idiots in Redmond integrated it into the OS with Ring0 access. IE7, same problem. They obviously have learned very little. IE is a straight vector into hosing/controlling the entire OS.
So, I take these advisory report scores with a grain of salt. There is simply no way to confirm that a proprietary app will ever be free of vulnerabilities, especially if it is tied directly into the OS.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
I didn't RTFA but does the FireFox count include any of the extensions?
Not that I'm bashing FireFox at all, I love it, but I wonder how many exploitations lie within the extensions?
When the Firefox push started, I told people "don't kid yourself, Firefox will have just as many vulnerabilities as IE". When people started using it and telling me I was "missing out" by sticking with Safari, I told them, "it doesn't matter, one is as secure as the other".
You see, licensing models don't make software secure. Not-Microsoft doesn't make software secure. Only competent programmers and a ruthless ability to say 'no' to new features will even begin to make Firefox secure. There's nothing that indicates the pool of programmers who contribute to firefox is any better than any other group of programmers. In fact I'd imagine it's *below* average. Firefox is a bloated, insecure browser. Most software is bloated and insecure, why on earth would firefox be different?
Sure, you have "faster patch turnaround", which is basically worthless. It's like your doctor telling you that you have cancer, "but hey, only one round of chemo!".
As long as we have the mentality that "no software is secure", we're not going to get a secure browser. So please, stop pretending otherwise. And please stop defending Firefox.. it doesn't deserve it, and you don't know what else is lurking in that source code.
Well, the security aspect is clear when you compare Firefox against IExplorer. I'd bet with those guys from Symantec on whether they can open some Brazilian banks' sites with IE and stay cool. Or open some Astalavista searches.
The question is: how many people got spyware/adware/viruses while browsing with each of them?
Not only fast, but correctly fixed without creating more problems. How does that compare with IE? How about comparing the total number for both since Firefox 1.0 came out? Then compare how long it took to patch each one, IE will always look worse than Firefox because it is.
Professional Politicians are not the solution, they ARE the problem.
People can point out that Firefox, being open source, is easier to find vulnerabilities in. But I really believe there are countless more vulnerabilities in IE and the general public doesn't know them because of the "Tuesday patch": black hats know several more vulnerabilities, but no one else knows them, exactly because they aren't being sploited (yet). Once a new patch is unveiled, those sploits go to the wild and people would need to wait for another month to have an official patch.
Symantec has come out with vulnerability "studies" before that lambasted Firefox, which they ended up retracting. So now they come out and do it all over again. Sorry Symantec, I'm not buying it. You're trying to sell me security software, so it's not in your best interest to tell me that my browser is secure, because then I won't need YOU to make it that way.
This is coming from the makers of Norton, the number ONE Windows resource hog on the market today. Of course they're not going to tell you you're safe.
This is like Linux vs. Windows. Open Sorce[sic] vs closed sorce[sic].
Not really. This is a study of the state of the industry across a variety of open, closed and mixed open and closed source development processes. It is a bit disorganized, but it shows number of publicly known bugs and bugs speed of fixing bugs once they are public. We can speculate as to how much the popularity of a browser contributes to said, number of bugs, but the speed to fix is a lot more interesting, especially in this case.
People say Windows has many holes. Its[sic] not that they have many holes its[sic] just people choose to find thoes[sic] holes in the OS over Linux because the majority of users use windows.
It is hard to quantify the number of people searching for bugs on a given platform, but it is certainly not affected only by the number of users. For example, because Linux is open source, a lot of academics and hobbyists will view the code and incidentally find bugs. And then there is the level of concern. No one runs Windows as a secure platform. No really. Unless your tech people are morons they recognize that Windows is wholly unsuited to a task as a secure workstation. It was not designed for that role and because modifying the code is unsupportable, it cannot be modified to work well in that capacity. Thus, people really really concerned with security and with lots of headcount to devote to securing their systems (like the NSA) use Linux or UNIX variants. They consequently spend a lot of time auditing the code and finding bugs.
Linux could have more problems its[sic] just people dont[sic] care about Linux because most businesses[sic] use windows.
Linux and Windows both re-use a lot of code between their server and desktop versions. The majority of people concerned about security aside from secure workstations (who don't use Windows) are people running servers. Realistically, the risk of a server being compromised or DoSed is much higher and has much worse consequences than a desktop. The people operating them, in general, have lot more ability to find security holes. For server environments, Linux is still in the majority. Ergo, more bugs should be showing up in Linux than Windows.
Now whats[sic] happening is that more and more people are using firefox and now people are begining[sic] to search for problems with firefox because alot[sic] of people use it now. The truth now comes out that Open sorce[sic] software can have just as many if not more problems than closed sorce[sic].
Sigh, open or closed source software will have bugs and the development process is not the only thing that determines how many of those bugs will be found. Now that Firefox is more popular, it is attacked more often than IE is, but it is almost never compromised. This is because it had 1 day worth of time so far when there was a vulnerability exposed without a patch. IE has had 9 days worth of time so far, and the type of vulnerability has been much more exploitable. There are unpatched vulnerabilities for IE right now, being exploited in the wild. Will more malware authors target Firefox as it becomes more popular? Sure. Will it be compromised as much as IE if they both reach equal market share? Not likely. While open source development is not the only factor in making software secure, it is a contributing factor, as is design methodology aimed at making the users happy, rather than just the developers. I don't know where you're getting your ideas, but find some new sources of information. IE is a disaster and the fact that it is bundled with Windows is not the only reason that is the case.
P.S. Your sig reads, "Show me what Linux can do for a business, and I'll show you how Microsoft does it 20 times better." Are you a troll or a very ignorant Windows fan? For my business can you show me how I can get 100 workstation and 50 unlimited server licenses for free. Also, will you show me where I can get modifiable source code for Windows that I can strip down and use to easily make a super secure server that I can resell without paying any licensing fees? Because that is what I'm using Linux for at my business. Also, apparently Linux can spellcheck.
What this tells us, if anything, is that software will always have vulnerabilities, and that the number of vulnerabilities found seems to be proportional to the popularity of the software amongst non-technical users (and thus, the majority of software users).
Now, it can be implied that it indicates poor software development and overall poor software quality coming out of the Mozilla Foundation. But I think this would simply be conjecture. While it is certainly statistically true, there's a larger picture to look at.
Internet Explorer has been mostly static now for years; it hasn't seen any major development until recently (and that software isn't even what's being looked at here). Firefox, on the other hand, has been improving - adding new features, fixing complaints, and generally trying to come up with a better product. This is going to result in a higher number of security-problematic pieces of code - face it, people aren't perfect, and the only way to mitigate (not eliminate!) this realistically is to slow development to a standstill. Even then there would not be a guaranteed reduction in vulnerabilities, partially due to chance and oversight, and partially due to the large repository of existing code which it would have to interact with.
Furthermore, Firefox and Mozilla are just edging into the public consciousness, whereas Internet Explorer has had a technological hegemony on the desktop as the browser now for almost a decade (in various versions). This means it's going to start receiving more scrutiny, both from malicious, malevolent folks, as well as from the benevolent security professionals. A higher detection rate is a natural result of this.
It's a double-edged sword. More detections are being made, resulting in more vulnerable systems. This is a natural state in computing, as computing innately involves security these days. There will always be risk involved. The significant thing to look at is how quickly these problems are being resolved, and how many are resurgent problems (i.e., they weren't properly resolved). I would argue that the presented statistical information is irrelevant without further, more in-depth analysis in this regard.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
If Firefox is less secure than IE, why do I get bombed whenever I use IE, but it never happens with FF? Could this study be a little biased, or perhaps too theoretical?
I know that my sample size of 1 makes me not statistically valid, but it is accurate for me.
Everybody knows 3 people with my name.
Indeed, and to make things worse, all four of them were displayed simultaneously. This caused me high levels of mental anxiety as I was unable to decipher what I'm supposed to think of TFA, so I tagged it fudge.
Mmmmmm, fudge...
Yeah...find me support for all that hardware.
Umm, we sell servers on 8 different server platforms and have never had a problem with Linux supporting it. Nor have we had any problem with the Thinkpads, powerbooks, and towers we buy. Obviously you've never tried using Linux in a business environment.
I take it you mean you admit your sig is wrong, in that you can't find me a way MS does what I need 20 times better. Gee, what a surprise.
Also show me what Linux can do over Sharepoint, CRM, Portal server, GreatPlanes and other nice things Microsoft integrates with the business man.
Please, collaboration is easy enough without all the crappy MS junk that can't even talk to other platforms. As a company we have to interact with other professional companies that develop on Linux and the BSDs and that means engineering needs it. Buying a second workstation just to run collaboration software is horribly inefficient and it is dumb to lock yourself into a single supplier for all this software, rather than going with open standards so that you can get competing bids without throwing away your investment. For most people, the free software collaboration tools are more than sufficient and much cheaper.
I have no idea what GreatPlanes is, but since I've never needed it I can pretty much assume it is not useful to me or has a replacement. You don't seem to have a lot to back up your assertions. Have you ever run a business on Linux?
Internet Explorer should submit its source code to Symantec and see how many they find.
Pure numbers of vulnerabilities mean nothing. What matters is the breakdown of the vulnerabilities. For example, Secunia reports 21% of critical vulnerabilities on Firefox, that may allow remote access. The same number for IE is 56% (This is for 2006).
This means that IE has more than twice the number of vulnerabilities leading to a complete system compromise than Firefox.
More info here:
http://secunia.com/product/11/?task=statistics_20
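The point made in this comment (raw counts say nothing without a severity and impact breakdown) can be illustrated with a small triage script. This is an added example, not code from the comment author, Secunia or Symantec; the products, severities, dates and impact labels are all constructed sample data, and the metric names are my own choices.

```python
"""Vulnerability triage: raw advisory counts vs. severity and patch window."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Ordering used to pick the "worst" open advisory per product.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Advisory:
    product: str
    severity: str            # key of SEVERITY_RANK
    impact: str              # e.g. "system_access", "dos", "spoofing"
    disclosed: date          # public disclosure date
    patched: Optional[date]  # None means still unpatched


# Constructed sample advisories (hypothetical products and dates, not real data).
SAMPLE_ADVISORIES = [
    Advisory("browser_a", "critical", "system_access", date(2006, 1, 10), date(2006, 1, 11)),
    Advisory("browser_a", "moderate", "dos",           date(2006, 2, 1),  date(2006, 2, 2)),
    Advisory("browser_a", "low",      "spoofing",      date(2006, 2, 15), date(2006, 2, 18)),
    Advisory("browser_a", "moderate", "dos",           date(2006, 3, 1),  date(2006, 3, 1)),
    Advisory("browser_a", "high",     "system_access", date(2006, 3, 20), date(2006, 3, 21)),
    Advisory("browser_a", "low",      "spoofing",      date(2006, 4, 5),  None),
    Advisory("browser_b", "critical", "system_access", date(2006, 1, 5),  date(2006, 1, 30)),
    Advisory("browser_b", "critical", "system_access", date(2006, 2, 10), None),
    Advisory("browser_b", "moderate", "dos",           date(2006, 3, 1),  date(2006, 3, 10)),
    Advisory("browser_b", "high",     "system_access", date(2006, 4, 1),  date(2006, 4, 5)),
]


def summarize(advisories, as_of):
    """Return per-product metrics: count, critical share, remote-access share,
    median window of exposure for patched issues, and open-issue exposure."""
    groups = defaultdict(list)
    for adv in advisories:
        if adv.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {adv.severity!r}")
        groups[adv.product].append(adv)

    report = {}
    for product, advs in groups.items():
        total = len(advs)
        critical = sum(1 for a in advs if a.severity == "critical")
        remote = sum(1 for a in advs if a.impact == "system_access")
        # Days between disclosure and fix for issues that have a patch.
        windows = [(a.patched - a.disclosed).days for a in advs if a.patched is not None]
        open_advs = [a for a in advs if a.patched is None]
        open_days = [(as_of - a.disclosed).days for a in open_advs]
        worst_open = max((a.severity for a in open_advs),
                         key=SEVERITY_RANK.get, default=None)
        report[product] = {
            "total": total,
            "critical_pct": round(100 * critical / total),
            "system_access_pct": round(100 * remote / total),
            "median_patch_window_days": median(windows) if windows else None,
            "unpatched": len(open_advs),
            "longest_open_exposure_days": max(open_days) if open_days else 0,
            "worst_unpatched_severity": worst_open,
        }
    return report


def rank_by_risk(report):
    """Products from riskiest to safest: critical share first, then how long
    fixes take. Compare with a ranking by raw 'total' to see the difference."""
    return sorted(report, key=lambda p: (report[p]["critical_pct"],
                                         report[p]["median_patch_window_days"] or 0),
                  reverse=True)


if __name__ == "__main__":
    rep = summarize(SAMPLE_ADVISORIES, as_of=date(2006, 6, 30))
    for product, metrics in rep.items():
        print(product, metrics)
    print("most advisories:", max(rep, key=lambda p: rep[p]["total"]))
    print("riskiest by severity/window:", rank_by_risk(rep)[0])
```

In the constructed data browser_a has the most advisories but the lower critical share and a one-day median window, while browser_b has fewer advisories, a higher critical share and a critical issue still open; the two rankings therefore disagree, which is exactly why a headline count is not a risk measure.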
I can't help but wonder if the Qt GUI toolkit has helped Opera be among the top few browsers, as well as the other factors involved (small user base, closed source). Is that possible?
"it's not about aptitude, it's the way you're viewed" - Galinda
The report is available at http://www.symantec.com/enterprise/threatreport/index.jsp
It never fails to amaze me that slashdotters tend to post news stories rather than the source.
Both Microsoft and Firefox find security bugs in their own software from time to time. However, they differ widely in what they will do once they find out this information.
Unless Microsoft sees that someone else knows the bug, they won't release a patch. They will fix it in the source tree for the next major release, but they will not release a patch for the current version. They do this because when they release a patch, security researchers, both good and bad, will do a "BinDiff" and find out what exploit they've fixed. Bad people will then use that bug on unpatched users. If a bug isn't externally rediscovered before the release of the next major version, it's kept secret forever. You can't bindiff major releases, because there are too many changes.
Firefox, in contrast, will generally release a patch for the current version, even if only the Firefox security team knew about it.
Under these circumstances, of course Firefox will have more listed exploits.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
And it's not like this is a new idea, the original Morris Worm was cross-platform (Solaris and BSD on DEC hardware). That one had to actually make several network connections to a system, trying a different payload each time.
But a web browser, it will make multiple connections for you, and download multiple attack payloads for you. Isn't that convenient?
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Ok, first let me say that I'm a happy Firefox user.
That said, it would be interesting to see some data on how many Firefox fixes have introduced new vulnerabilities. If the number is substantial, then would more time testing fixes be a wise thing to do, or would it not make much of a difference?
Firefox lives out in the open, has been extensively audited by a huge number of different people, not to mention the bunch of automated bug hunt tool makers who have combed the code. Internet Explorer on the other hand is patched with hidden patches all lumped together. Ever wondered why there always seem to be more holes found by virii makers than are reported after patch Tuesday? Not to mention all those unpatched holes that get dragged on for as long as possible, only to be fixed in the next version?
All MS patching is about is limiting the statistical amount of patches. Security is at the bottom of the priority list.
But then again, people do seem to be stupid enough to go for these publicity stunts, so maybe it's time for Mozilla to start cooking the books?
HTTP/1.1 400
That Firefox is direct competition to Symantec (Anti)Virus and their internet suite.
If there were not enough bugs in Firefox, they would make some up. Because they've got a solution for all IE bugs, and then some.
And mods, this is not flamebait, thank you for understanding.
One advantage Opera has is that they manage to coordinate advisory releases and bug fixes. It's rare that someone announces a security vulnerability in Opera before the updated version is out.
This probably means that most vulnerabilities in Opera are found internally, or reported straight to Opera by researchers. At that point Opera works on a bug fix, then releases the update and the advisory together.
By contrast, many vulnerabilities for Microsoft and Mozilla products get posted to Bugtraq or otherwise announced to the world, sometimes even before MS/Moz is notified. Almost certainly, more people are looking for holes in IE and Firefox than in Opera. And Mozilla has the open-source philosophy which lends itself to people who lean toward full disclosure. With Microsoft, I'm sure there's a trust issue: people want to make sure they don't sit on it for a year, so they make it public.
From that, you can deduce that most researchers who find vulnerabilities in Opera trust them to fix the problem quickly.
The way to deal with that, I've found, is to ask follow-up questions on the forums. If you keep track of the bug report numbers, it's even better.
I reported a couple of CSS bugs back during the betas for Opera 8. Nothing happened. So during the Opera 9 betas, I posted questions about them, asked about other bugs I encountered, and funny thing, every layout bug I asked about was fixed by the time Opera 9 final came out.
Admittedly, your comment adds a second component (source control), so it's better than some of the arguments I've seen, but...
Does anyone else appreciate the irony inherent in the fact that some Firefox users claim that Opera only appears more secure because fewer people use it, and therefore fewer users encounter problems and fewer attackers look for them?
It wasn't that long ago that IE users were making the same claim about Firefox. I seem to recall the argument wasn't terribly popular among this crowd.
> Show fud and !notfud to door
;-)
Impressed with your obvious genius at having both fud and !notfud, the door opens.
(With apologies to everyone who's ever played the HHGTTG Infocom game...)
Could be worse. Could be McAfee. You can run, configure, and update Norton Antivirus or even Norton Internet Security without loading a web browser. McAfee actually relies on IE --and IE specifically -- to handle parts of its interface, including the updater. In fact, some of the early IE7 betas actually broke the McAfee updater.
Yes, those posts are old, but a co-worker of mine just installed the latest version of McAfee on his computer last week, and it does still use IE internally.
I don't know about you, but I think relying on one of the most notoriously insecure pieces of software to handle updates for a security program doesn't sound like the greatest idea since sliced bread.
I'm proud to say that I'm one of those users in Europe who use Opera. Opera 9 rocks!
;)
Not because it's secure and has fewer vulnerabilities, but because it's the fastest, most intelligent and innovative browser there is. And it also runs on a lot of different operating systems.
But you already knew that, you just don't run it.
1) Who would trust SYMANTEC after the SONY rootkit fiasco?
2) Surprise surprise. As F-Fox gains market share, a company whose main product is security software suddenly finds that the browser is not as secure as you would expect.(i.e. it needs their product)
I sense an opportunity for conflict of interest here. It certainly wouldn't do Symantec's business any good if they came out and said, "After an exhaustive audit we have determined that vulnerabilities in F-Fox are so minor, and fixed so quickly, you don't need our product," now would it?
I get to be the smug Opera user. I loves me my Opera. It's like a nicely configured install of Firefox with all of those neat plugins, except it does it right out of the box.
There was no significant bias towards OSS software. "Unkind" is commonly used in reasonably neutral journalism, in similar contexts, all the time. If you are really desperate to find something biased about this headline, you might comment on how it focuses on Firefox over IE. IE has the largest user base, yet it was Firefox that the study focuses on. However, that gets ripped to shreds when you consider that only roughly a quarter of /.ers actually use IE.
It seems that all you are really doing is looking for an excuse to bash OSS enthusiasts. Grow up, get a life.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Bugs hide other bugs. Firefox's fast bug fix turnaround means that more bugs get found. We don't see more Internet Explorer bugs, because we keep seeing the same old ones over and over.
Don't blame me, I didn't vote for either of them!
If you look up the MS definition of "critical", it's very carefully worded. I don't remember exactly, but there's a reason I grab Windows Updates which are not critical. Apparently, programs crashing, your entire system crashing, or massive data loss is not considered "critical" by MS.
Granted, it likely won't matter so much for a browser, but I suspect that if such a database were open, definitions would get twisted even more. If Firefox didn't similarly twist "critical" to mean "will instantly assimilate you into a botnet", we'd still have wrong numbers.
What we need are endorsements from respected people in the security community. Former IE developers, crypto specialists, Bruce Schneier, etc.
(Yes, Bruce Schneier gets a category of his own.)
Don't thank God, thank a doctor!
I think there's a plugin for that.
Don't thank God, thank a doctor!
This is a strange cross-point between Linux and Windows for me right now. I use Vista and Fedora Core, and while FC has SELinux and great configuration control to do things like what you describe... Vista comes with all that set by default in IE7+ (called Protected Mode). Any time you need to open another program from within IE, there's a prompt asking you if you want to allow once, allow always, deny once, or deny always. Any time you download a file, it goes into Temp. Internet Files first, and is copied to the location you specify after downloading (while being nearly identical in interface to IE6). Vista's capability to escalate a program's permissions while the program is running is what makes this possible; XP (which lacks this ability - I think it's a significant kernel modification) cannot use Protected Mode even with IE7.
There's no place I could be, since I've found Serenity...
Once again someone has performed a quantitative study and produced quantitative results and decided "well who cares about the qualitative side of things?!?!?". QUICK SOMEONE CALL THE FLAME BRIGADE!
Repeat after me: Raw numbers do not statistics make.
Where's the impact analysis? Where's the clustering or at least categorisation? 38 remote-root exploits certainly are "more" than 47 minor-nuisance bugs in any sense except pure quantity.
Then there's the multi-platform thing and all the other fine details these paid-for "statistics" regularly ignore.
Oh yes, and that Firefox has actually got some new features (which are prone to contain bugs) during the past 2 years while IE has been stagnant.
And you know what? Even if after considering everything Firefox were to turn out more buggy than IE, I'd still prefer it.
Assorted stuff I do sometimes: Lemuria.org
All that I recall (not that I pay rigorous attention these days, now that I'm running Linux) is some vulnerabilities that only affected Firefox or Opera users that happened to be running on Windows.
Turned out that the browsers were passing on to the underlying OS code that they didn't recognise as being the browser's responsibility to handle. Which is exactly what they should do. If the OS was Linux, or BSD (or OS X?), that code got dropped instead of executed. If the OS happened to be Windows, well, Windows didn't care where it came from -- it just blindly executed any executable code it saw.
The Mozilla and Opera dev teams added measures to block this -- but they made it clear that they didn't like being expected to make up for MS's short-comings. Of course, this only took a day or two (the little delay there was came mainly from arguments over whether the Moz crew should add "special" code to the Windows-version code-base to cover MS's rear). MS of course took significantly longer to fix this.
If there were other cases, not OS dependent, feel free to let me know.
Bernard Swiss
When I was using IE + OE, my computer was full of problems. When I switched to Firefox + Thunderbird, the problems have gone away.
I am sure that a simple statistic like X versus Y vulnerabilities does not say much. The problem is not only quantitative, but also qualitative.
Removing their crap isn't as easy as you mention. It's a virus all by itself, possible, but very hard (or at least a lot of work) to remove completely. Of course at the same time, I would not want a virus to remove my anti-virus-software easily, so that might be the explanation.
This is possibly a good thing (tm). Let's stop being so cocky about Firefox, and admit that IE is good too. And let's get a 4-5 browser market out there; this will lessen the impact of a vulnerability on any one of them, and encourage competition between them.
Atheism is a non-prophet organisation
Ok[sic] all you did was bash that collaboration software. Set up a second workstation for it all? No? I can run everything mentioned on 2 Blades.
Are you telling me you don't even know the difference between a workstation and a server? A workstation is on your desk. A server is in the server room and might take blades. Since a lot of people need Linux development environments and those workstations aren't running Windows you need a second workstation for those employees just to run the Windows only client software you're recommending. Almost every other collaboration package has clients for Linux, OS X, Solaris, etc. so workers on those platforms don't need a second machine just to run them.
Oh and greatplanes is accounting software.
Do you Mean "Great Plains" software, which was bought out by Microsoft and their product renamed to "Dynamics" six years ago?
Now you still didnt[sic] tell me what Linux can do in it's[sic] place.
Well, I could ask you what functionality you find necessary that you can't find on Linux, but I don't think it will make any difference. You obviously have no idea what runs on Linux and have never tried it. You're just talking out of your butt. I suspect you've never tried to run a business on any platform, since you don't know the difference between a server and a workstation and don't even know the name of the software you're recommending. Please stop wasting everyone's time with your uneducated, clueless assertions.
There must be a reason why Firefox is more vulnerable than IE.. Most users now prefer to use IE over Firefox, even though Firefox offers many advantages, such as allowing users to surf the Internet more safely and faster, and displaying the Internet the way that it was intended to be. Firefox also gives users more web page viewing space so that they can see more than they would with other browsers. But why do users still prefer IE...??? Still waiting for the answer...
I've been using Firefox and IE for more than a year, but I found that Firefox performed more admirably than IE. I've experienced a little bit of bugginess here and there when using Firefox - but on the whole it's been just fine, certainly good enough for full-time use. But it has really shone (as has the Mozilla Project as a whole, actually) in the area of privacy and security.