Slashdot Mirror
Browser Vulnerability Study Unkind to Firefox
Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
What's this? Could it be an indication that there is some truth to the market segment correlation to vulnerabilities and attacks?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched. The most sever unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.
IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.
That said, I know which one will issue a bug fix more quickly when something IS found...
Love sees no species.
Yes I use Windows.
For most of the IE vulnerabilities, I have to reboot my computer to install it.
Firefox is nice enough to download it and install it the next time I start the browser.
And it does it more than the 2nd Tuesday of each month.
The ARS Technica doesnt mention the version for any of the browsers they mention.When they say 47 bugs were discovered for Firefox ,which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE. 6 or 7?
Wincopy
This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.
IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.
There is a big difference between how vulnerable a program is and how dangerous it is to use.
The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.
IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.
A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.
Consider this, too:
This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)
But also consider this:
Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?
That's when you're really thankful of this:
Its not the number of vulnerabilities its more about the severity of them. A cookie injection , or cross site scripting is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less suseptable to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time , IE has one outstanding right now and "drive by downloads" of scum ware is booming in the last few weeks.
It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.
This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.
If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make is seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get attention. I declare the summary here to be FUD.
Let's think about this.....a report from a ANTI VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites......AND make you pay for it??
Gorkman
And dont just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
Firefox: Rarely targetted, even for severy evulnerabilities. Nearly always fixed in a couple days, tops. Patched as soon as fix becomes available.
IE: Always targetted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2wks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over a half year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd party software, which needless to say is a dangerous thing to do institution-wide.
Unpleasantries.
The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?
I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.
The enemies of Democracy are
Vulnurabilities are directly proporitonal to user base and increase with access to source control.
Opera has a low user base and is closed source. Therefore, few vulnurabilities. In short, no one cares.
Firefox, on the other hand, has a moderate user base but the source code is right there, the vulnurabilities are ripe for the picking. Hence why the vulnurabilities are high but the turnaround time to fix them, also quick.
IE on the other hand, high user base closed source. High vulnurabilities because of the high user base but potential hackers have to work harder.
Really, this study is a no-brainer. The results make perfect sense.
Firefox may have more vulnerabilities, but none of them are as dangerous as the ActiveX server in IE. The numeric comparision in TFA is not even half the truth.
M$ won't patch a vulnerability IE overnight - but look how fast they patched a hack to their WMP DRM.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.
More risk and more problems means Symantec has an easier time selling its services.
.sigs are for post^Hers.
I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has less vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increase, so has the rate of vulnerability discovery.
That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.
So, the whole point I was hoping to provoke in conversation:
Vulnerabilities Discovered != Vulnerabilities
Increased Usage = Increased Vulnerabilities Discovered
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
And you completely ignored Hallvors' post where he said he would patch it for all Opera users if you'd given him the name of the site.
If you get this, we're 10 of a kind.