Slashdot Mirror
Browser Vulnerability Study Unkind to Firefox
Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
What's this? Could it be an indication that there is some truth to the market segment correlation to vulnerabilities and attacks?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched. The most sever unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.
IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.
That said, I know which one will issue a bug fix more quickly when something IS found...
Love sees no species.
The pretty graph does show an increase in the number of vunerabilities found between July 05 to December 05, and January 06 to June 06, but could this be because the number of users has also increased in that time? More users finding and reporting the bugs, or even a greater number of developers writing the code making it less manageable and secure?
Yes I use Windows.
For most of the IE vulnerabilities, I have to reboot my computer to install it.
Firefox is nice enough to download it and install it the next time I start the browser.
And it does it more than the 2nd Tuesday of each month.
The ARS Technica doesnt mention the version for any of the browsers they mention.When they say 47 bugs were discovered for Firefox ,which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE. 6 or 7?
Wincopy
Have a look at Opera 9.x's advisory list :-)
If you get this, we're 10 of a kind.
This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.
IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.
There is a big difference between how vulnerable a program is and how dangerous it is to use.
The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.
IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.
A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.
I've taken to surfing from a copy of Opera running inside a VMWare virtual machine. If anything gets through (so far so good) I just go back to a clean snapshot. Nice to see my browser doing so good.
Consider this, too:
This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)
But also consider this:
Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?
That's when you're really thankful of this:
Its not the number of vulnerabilities its more about the severity of them. A cookie injection , or cross site scripting is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less suseptable to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time , IE has one outstanding right now and "drive by downloads" of scum ware is booming in the last few weeks.
It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.
This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.
If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make is seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get attention. I declare the summary here to be FUD.
> Newsflash: Browsers that are actually used by large numbers of people have larger numbers of bugs found and exploited than browsers that are mostly ignored.
Newsflash: Bloated applications with developers more interested in adding features than fixing bugs are more easily exploitable.
Let's think about this.....a report from a ANTI VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites......AND make you pay for it??
Gorkman
And dont just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Firefox is free. Not that no cost is an excuse for it to have vulnerabilities, but rather, why pay for something that's broken? Not that MS should get every bug out of IE before it ships, but it should catch more than it does now.
I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
Firefox: Rarely targetted, even for severy evulnerabilities. Nearly always fixed in a couple days, tops. Patched as soon as fix becomes available.
IE: Always targetted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2wks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over a half year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd party software, which needless to say is a dangerous thing to do institution-wide.
Unpleasantries.
The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?
I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.
The enemies of Democracy are
From The Ars Technica article:
It seems like Mozilla developers are quite interested and skilled in fixing bugs to me.
What a fool believes, he sees, no wise man has the power to reason away.
Vulnurabilities are directly proporitonal to user base and increase with access to source control.
Opera has a low user base and is closed source. Therefore, few vulnurabilities. In short, no one cares.
Firefox, on the other hand, has a moderate user base but the source code is right there, the vulnurabilities are ripe for the picking. Hence why the vulnurabilities are high but the turnaround time to fix them, also quick.
IE on the other hand, high user base closed source. High vulnurabilities because of the high user base but potential hackers have to work harder.
Really, this study is a no-brainer. The results make perfect sense.
Routine patches come out once a month; critical updates are released as soon as a patch has been developed and tested. Often, this is less than a month. ;)
Bored With ProgressQuest?
Firefox may have more vulnerabilities, but none of them are as dangerous as the ActiveX server in IE. The numeric comparision in TFA is not even half the truth.
M$ won't patch a vulnerability IE overnight - but look how fast they patched a hack to their WMP DRM.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.
More risk and more problems means Symantec has an easier time selling its services.
.sigs are for post^Hers.
Of course, I don't think any of the other browsers have something like this going on. Automatic code analysis will turn up bugs for anyone, but nobody else makes the code so public.
PHEM - party like it's 1997-2003!
I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has less vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increase, so has the rate of vulnerability discovery.
That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.
So, the whole point I was hoping to provoke in conversation:
Vulnerabilities Discovered != Vulnerabilities
Increased Usage = Increased Vulnerabilities Discovered
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
In order to sell worthless mines some unscrupulous agents would put gold dust into a shotgun shell and shoot it at the wall of a mine. It doesn't take much dust to sparkle a lot and fool some folks into believing that the mine is more valuable than it really is.
Symantec is doing much the same thing, for the same purpose, which is to encourage Linux/FireFox/FOSS users to buy their worthless anti-virus software.
The "study" they cite conveniently forgets that the ONLY security holes that IE users KNOW about are the ones that MICROSOFT TELLS THEM ABOUT. History has taught us that many holes were known by Micosoft for months, and in some situations years, before they were publically revealed, and many times NOT by Microsoft! The other thing that IE users DON'T KNOW is HOW LONG they have been vulnerable to those holes that Microsoft announces a patch for. FOSS applications, on the other hand, encourage PUBLIC annoucements of any security discoveries, along with any proof of concept code that can be used to test the patch. Those that use FOSS applications can then take timely and appropriate measures to protect their PCs and their data until the patch is released, which is usually within a day or two. Windows users hang, twising in the winds of vulnerability for months at a time or longer. In fact, some security holes are never patched and Microsoft serves its own bottom line by telling victims of their software to "upgrade", as if that would protect them. P.T. Barnum was right, you CAN fool some of the people ALL of the time.
Running with Linux for over 20 years!
There was a time when I would've agreed that was a possibility but I think those days are over. There's a great deal of tension between MS and Symantec right now, with Symantec being in a tizzy over Vista's security center. No, this is just self-serving; IE has more critical vulnerabilities than any other browser, yet they publish a misleading lower number of known vulnerabilities to get people to use it instead.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
come on dudes, have you seen what happens after installing some symantec so called protections? they make a super pc perform like an old wreck. They are incompetents and just fear people installing anything decently secure because they know their craps are removed immediately after.
I didn't RTFA but does the FireFox count include any of the extensions?
Not that I'm bashing FireFox at all, I love it, but I wonder how many exploitations lie within the extensions?
I told them, "it doesn't matter, one is as secure as the other".
You're kidding, right? IE = Firefox?
Not-Microsoft doesn't make software secure.
No, non-one patch day a month makes it secure.
Only competent programmers and a ruthless ability to say 'no' to new features will even begin to make Firefox secure.
I've never had Firefox crap out on me like IE.
There's nothing that indicates the pool of programmers who contribute to firefox is any better than any other group of programmers.
No, but there are more average ones, meaning that there are more ways at looking at a problem and more ways of fixing it.
In fact I'd imagine it's *below* average. Firefox is a bloated, insecure browser.
Do you even USE Firefox?
Sure, you have "faster patch turnaround", which is basically worthless. It's like your doctor telling you that you have cancer, "but hey, only one round of chemo!".This argument is valid if the chemo will automagically fix it. Microsoft has released patches that create MORE holes! Faster patch turnaround is a VERY big deal.
As long as we have the mentality that "no software is secure",
Paranoid much?
and you don't know what else is lurking in that source code.
Uh... yeah, we do... that's why it's called Open source
What this tells us, if anything, is that software will always have vulnerabilities, and that the number of vulnerabilities found seems to be proportional to the popularity of the software amongst non-technical users (and thus, the majority of software users).
Now, it can be implied that it indicates poor software development and overall poor software quality coming out of the Mozilla Foundation. But I think this would simply be conjecture. While it is certainly statistically true, there's a larger picture to look at.
Internet Explorer has been mostly static now for years; it hasn't seen any major development until recently (and that software isn't even what's being looked at here). Firefox, on the other hand, has been improving - adding new features, fixing complaints, and generally trying to come up with a better product. This is going to result in a higher number of security-problematic pieces of code - face it, people aren't perfect, and the only way to mitigate (not eliminate!) this realistically is to slow development to a standstill. Even then there would not be a guaranteed reduction in vulnerabilities, partially due to chance and oversight, and partially due to the large repository of existing code which it would have to interact with.
Furthermore, Firefox and Mozilla are just edging into the public consciousness, whereas Internet Explorer has had a technological hedgemony on the desktop as the browser now for almost a decade (in various versions). This means it's going to start receiving more scrutiny, both from malicious, malevolent folks, as well as from the benevolent security professionals. A higher detection rate is a natural result of this.
It's a double-edged sword. More detections are being made, resulting in more vulnerable systems. This is a natural state in computing, as computing innately involves security these days. There will always be risk involved. The significant thing to look at is how quickly these problems are being resolved, and how many how resurgent problems (ie, they weren't properly resolved). I would argue that the presented statistical information is irrelevant without further, more indepth analysis in this regard.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
The report is available at http://www.symantec.com/enterprise/threatreport/in dex.jsp
It never fails to amaze me that slashdotters tend to post news stories rather than the source.
Both Microsoft and Firefox find security bugs in their own software from time to time. However, they differ widely in what they will do once they find out this information.
Unless Microsoft sees that someone else knows the bug, they won't release a patch. They will fix it in the source tree for the next major release, but they will not release a patch for the current version. They do this because when they release a patch, security researchers, both good and bad, will do a "BinDiff" and find out what exploit they've fixed. Bad people will then use that bug on unpatched users. If a bug isn't externally rediscovered before the release of the next major version, it's kept secret forever. You can't bindiff major releases, because there's too many changes.
Firefox, in contrast, will generally release a patch for the current version, even if only the Firefox security team knew about it.
Under these circumstances, of course Firefox will have more listed exploits.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager