Slashdot Mirror
Browser Vulnerability Study Unkind to Firefox
Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched. The most sever unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
The ARS Technica doesnt mention the version for any of the browsers they mention.When they say 47 bugs were discovered for Firefox ,which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE. 6 or 7?
Wincopy
This article is pretty light. Sure, more vulnerabilities is bad, but it doesn't necessarily that more vulnerabilites is worse. Firefox is patched quicker, which is very important. Also, I don't see anything about the nature of these vulnerabilities. Are they all critical, you box is getting trojaned? Just comparing the pure numbers doesn't tell us much.
This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.
IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.
Consider this, too:
This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)
But also consider this:
Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?
That's when you're really thankful of this:
Its not the number of vulnerabilities its more about the severity of them. A cookie injection , or cross site scripting is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less suseptable to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time , IE has one outstanding right now and "drive by downloads" of scum ware is booming in the last few weeks.
It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.
This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.
If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make is seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get attention. I declare the summary here to be FUD.
Opera keeps having new features added too, though. Despite this, according to the article, Opera managed to have a decrease in vulnerabilities - so why not Firefox?
And dont just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?
I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.
The enemies of Democracy are
For that matter, they all could basically be because someone ran a code-audit on Firefox recently. Something like that would raise the 'found vulnerablities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently. (I don't know of any such audit off the top of my head, but I don't follow that closely. It wouldn't nececarrally make the news.)
'Sensible' is a curse word.