Firefox Most Vulnerable Browser, Safari Close
An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
How many of these vulnerabilities were due to Firefox itself, and how many due to plugins?
which is totally what she said
So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.
I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.
It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
There is an explanation for that.
Cenzic Recognized as a Microsoft Certified Partner, Experiences Substantial Momentum in Q2
Sounds like exactly the kind of result Microsoft would love: FLOSS and OSX going down. Too fake.
Does the vulnerability stay the same when you turn off Java? How about Javascript?
For the most part, I'm happy surfing most of the time with both turned off... I've turned them off on my grandparents' browsers too in order to lessen their exposure
I looked through older reports and cannot find a list of "vulnerabilities by major type." Anyone know where to find that? Until you can point that out to me, I'm not going to take much stock in a company which has an ad on the bottom of the article that reads:
Let us hack you before hackers do! The Cenzic website HealthCheck. FREE. Request yours now!
I'm sure one major category is "Win32 kernel exploits" while every piece of Gecko and Webkit qualifies as one major type.
Just another consultant hired to slant reality if you ask me.
http://search.cert.org/search?q=advisory+internet+explorer
http://search.cert.org/search?q=advisory+firefox
I have heard the case against Safari often.
I have definitely found infected Firefox installations on relative machines. It's not immune because it is open source.
What is the prevailing flaw that Firefox has? Are they like ActiveX scale flaws where they own the PC or are they more minor but still serious?
It seems a bit surprising but TFA is not about browser vulnerabilities. Most of it is focused in detailing web site vulnerabilities and has only two baseless pages with Firefox on top of web browser vulnerability list.
Just would like to note that this article is not saying that Firefox is the most vulnerable browser overall. It focuses on web applications and that Firefox is the most vulnerable when it comes to web applications.
That makes sense. Firefox and Safari support is something that's usually hastily tacked on after the product is developed for IE. It also explains Opera's small percentage, because there aren't many web applications out there that even work for Opera.
Not quite trustworthy. There is enough discussion, but where's the math and the design of the 'study', and method? Bogus... Drawing some diagrams and calling in a few numbers from an unspecified source doesn't make sense.
They're a certified Microsoft partner. Can't trust anybody to make that kind of statement about competition against MS unless they're an independent entity.
Most of "studies" are sponsored by one of the sides. So I don't see why this is news here.
The article has a pie chart and the link to the "detailed report" only has a pie chart. I guess we just have to trust Cenzic the internet security application provider. Doesn't even break it down by version number of browser or severity of exploit.
Maybe the version of Firefox he downloaded to do the testing with was a fake to begin with (maybe he was part of a man in the middle attack by M$ who wanted to prove that FF was worst, and fed him an owned version of FF)
That would be too obvious, since being a security analyst, he would know to check all checksums of every app, right?
Yes - interesting how we have web vulnerabilities irrespective of the web browser.
Of the Web vulnerabilities, 90 percent pertained to code in commercial Web applications, while Web browsers comprised about 8 percent and Web servers about 2 percent. Of the browser vulnerabilities, Firefox had 44 percent of the total, but perhaps the biggest surprise was Safari, which formed 35 percent of the browser vulnerabilities. Internet Explorer was third, with 15 percent, and Opera was at 6 percent.
I'm repeating the link here -
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
Follow the money. Who funded this study. I find the results disturbing and not believable.
From the report.
Wait... so vendors and now applications?
They continue to say that Java and PHP are very vulnerable, but it's actually applications written in Java and PHP, not the language+runtime itself. In that case you could say that C++ has the most vulnerabilities.
It is a bit surprising to you because you and your (ahem!) "news" site are overtly biased.
paid for by M$
...I didn't RTFA (oh yeah who does today?) but I guess they forgot to count the vulnerability of all the ActiveX published.
According to the report, as best I can determine, this is how they found their results:
"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, as well as other third party databases"
It seems reasonable that any/all open source software would have a higher number of reports in these databases than proprietary software, simply because more people are able to publicly scan and report on vulnerabilities... by definition, open source software conducts its business in public, while proprietary software does so behind its private curtain.
The article link is only one short page and does not describe in detail how they came to their conclusions.
...followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser...
Looks like they're pretty clearly full of shit, and they're trying to be ambiguous and obscure by explaining little and using jargon to discourage people from searching for what all the terms they're using mean.
However, from the words they're using, they're implying common vulnerabilities exploited in corporate server-side applications. Not client-side.
SQL Injection and XSS are much bigger issues with implementation of web applications in web pages on the server side, use databases and scripting flaws in the code of the web apps to circumvent browser security.
They're talking about something that has little to do with the integrity of security of individual browsers, and more with the decisions webmasters make and what web applications they use.
Also, when they refer to Safari, they say they're referring to the iPhone Safari version:
I read TFA and the project lead and editors all had XXXXX of Marketing in their title.
When your stats are nothing more than a report of other stats that you do not list, its hard to take it seriously.
But I think generating a few leads is more important than backing your facts ^M^M^M^M^M stats.
Is it just me or does the pie chart from the article look like a Windows logo? Same exact colors.
Firefox + NoScript + intelligent user who doesn't whitelist every page he visits
Just a guess, but I think this combo has very few vulnerabilities.
So I'm reading this and these guys come across like goofs somewhat...
... something
Pg. 4 - says: "The top 10 vulnerabilities for the first half of 2009, included familiar names such as Sun, IBM, SAP, PHP, and Apache." which is according to page 7 the ones they classified as "as the most severe." whatever that means.
But in page 6 they say: "Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009."
However in the whole top 10 list there are only two mentions of PHP that I can see...and these are problems with phpMyAdmin - which is way outside what I would consider a reasonable interpretation as a problem with PHP being a "vendor" of a vulnerable product.
So either there's a bunch of missing information or these guys can't tell the difference between PHP and an application written in PHP, or
The browser stuff seems too difficult to tell - if the actual question one is looking for is which is a safer experience. Were all vulnerabilities equally bad? Were they indexed with some information about usage? In other words do we look at the number of people using the vulnerable version and take that into account.
Like a lot of whitepapers the information isn't very helpful and the math is downright insulting.
Interesting that the underlying report was led and edited by the Chief Marketing Officer for Cenzic, I'm just saying ....
I did not read the whole report but there is absolutely no mention of severity in that press release... nor does it mention how they counted them. Are these defects that have been acknowledged and fixed? From what I can see it's entirely possible that they've counted the THOUSANDS of trivial defects that Firefox discloses and fixes as a matter of course while Microsoft will only disclose the severe ones.
Isn't counting bugs released as part of press releases and change logs kind of like saying "All confirmed criminals are in jail?"
been using it since the 90s and from long experience can say it's the safest by far. don't know why or care particularly. whether clever code or minuscule market penetration is academic from this user's pov. truth is the fat lady's song still keeps the bad guys away.
I installed NoScript recently along with Request Policy. One protects from any request to a foreign domain and one blocks scripts until I allow them.
Have I reduced my exposure enough?
What I want to see is a community mediated system whereby the whitelists and blacklists are distributed amongst the community. A bit like ThreatNet, SpyNet, PrevX and all the other proprietary security systems. How the decision of whether to allow or disallow a request will be made is an open question, but it needs to be made by a massive community. I generally experiment whitelisting a website until it works. If this information was made subscribable, people could browse with a bare minimum of exposure?
Sam
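The request-policy decision the poster above is asking about (block cross-site requests unless the origin site / destination site pair is whitelisted, with a subscribable community list merged into the user's own), sketched as an added Python example. This is not NoScript's or RequestPolicy's code and not from the original thread; the "site" reduction to the last two host labels is a deliberate simplification (real implementations need the Public Suffix List), and all URLs and list entries are constructed.

```python
from urllib.parse import urlsplit

def site_of(url: str) -> str:
    """Reduce a URL to a coarse 'site' (last two host labels).

    ASSUMPTION / simplification: a real request-policy tool would use the
    Public Suffix List so that e.g. example.co.uk is treated as one site.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = [l for l in host.split(".") if l]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_allowed(page_url: str, request_url: str, whitelist: set) -> bool:
    """Allow same-site requests; otherwise require an (origin, destination)
    pair in the whitelist. Entries use '*' as a wildcard for either side."""
    origin, dest = site_of(page_url), site_of(request_url)
    if origin == dest:
        return True
    return ((origin, dest) in whitelist
            or (origin, "*") in whitelist
            or ("*", dest) in whitelist)

def merge_whitelists(local: set, community: set, blacklist: set) -> set:
    """Combine a user's own allow-list with a subscribed community list,
    letting a local blacklist override community entries."""
    return (local | community) - blacklist

# Constructed sample data (hypothetical hosts, not real sites).
LOCAL_WHITELIST = {("example.com", "example-cdn.net")}
COMMUNITY_WHITELIST = {("example.com", "widgets-example.org"),
                       ("example.com", "tracker-example.net")}
LOCAL_BLACKLIST = {("example.com", "tracker-example.net")}

PAGE = "https://news.example.com/story/1"
REQUESTS = [
    "https://static.example.com/app.js",        # same site
    "https://cdn.example-cdn.net/lib.js",       # locally whitelisted
    "https://api.widgets-example.org/w.json",   # community whitelisted
    "https://px.tracker-example.net/px.gif",    # community entry, locally blacklisted
    "https://evil-example.io/steal",            # nobody whitelisted it
]

def evaluate(page_url: str = PAGE, requests=REQUESTS) -> dict:
    """Return {request_url: allowed?} under the merged policy."""
    policy = merge_whitelists(LOCAL_WHITELIST, COMMUNITY_WHITELIST, LOCAL_BLACKLIST)
    return {r: is_allowed(page_url, r, policy) for r in requests}

if __name__ == "__main__":
    for url, ok in evaluate().items():
        print("ALLOW" if ok else "BLOCK", url)
```

The local blacklist winning over the community list is the part that matters if such lists are ever shared: a subscribed list is only as trustworthy as its maintainers, so the user's own deny entries must always take precedence.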
Comparing openly known vulnerabilities, and calling it "all in all vulnerability".
As if they wouldn't know perfectly well, that Microsoft sends a cease and desist letter to anyone who is even talking about a vulnerability that is not official to MS.
I guess the old saying is true, that:
If you can't program, you teach.
If you can't teach, you administrate.
If you can't administrate, you report.
If you can't report, you criticize.
I looked through the report linked to the TFA and I can't figure out what exactly they were measuring. I think they relied on the fact that there were a lot of pretty graphs and the fact that they sound like they know what they're talking about to get past that.
They also call things like PHP insecure because things which use PHP are insecure.
They're apparently a vulnerability discovery company that's trying to scare web admins and managers into buying their service.
Firefox isn't the most secure browser ever created, but this report is just disingenuous.
Just noticed they confused the "most common attack" types. SQL was listed as most common at 25%, but this is actually the Transverse Directories %. Clarification.
Yeah, I've pretty much stopped trusting anything that has to include pie charts in order to describe what needs to be demonstrated. How about puttin' some numbers in there, chief? And not made up numbers or percentages.
I agree. They seem to throw out a lot of numbers without saying where any of their data is coming from and they don't seem to be ranking vulnerabilities at all.
Plus let's face it, this is a company whose job is to get people to hire them to check the security of their web apps. Sounds like they are trying to reel in some executives who don't know any better.
"Findings from the report point to the continued growth of attacks through Web applications. Web application vulnerabilities continue to make up the largest percentage of the reported vulnerability volume, with roughly 78 percent of all vulnerabilities resulting from them."
That is just stupid. It's like saying the code that the folks at CNN put into their pages is responsible for vulnerabilities in the browser itself. dumb. I think this man is confused between what a web browser is and what a web application is.
as Window Snyder (former MS employee who later worked for mozilla for some time) pointed out: Microsoft puts multiple fixes in one patch, so multiple IE holes are counted as just one... http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
Study/article is misleading and useless.
Also: Chrome, Bitches!
So, I'm posting as somebody who has gotten critical fixes pushed into both IE and Firefox. (Technically, Chrome and Opera too, but those were the pure crypto vulns.)
It's genuinely hard to write a secure web browser. Forget plugins -- you have a complex internal object model, subject to all sorts of very fine grained rules ("the filename on an input type=file form must not be settable from Javascript"), which can be made into a pile of moving parts under the control of an attacker. What's happened somewhat recently is a lot more people have gotten into bashing Firefox. You know those "many eyes" theories of open source, and how they're usually kind of full of it?
Well, "many eyes" are visiting it now, and Mozilla to their credit is doing a lot of very hard work to deal with the influx. Good on them.
Here's the gist of Cenzic's _marketing_ report as it applies to browsers:
"
78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers. Plugins and ActiveX, which is a significant increase from earlier in the year.
Of the Web vulnerabilities, Web Browser vulnerabilities comprised (sic) eight percent of the total vulnerabilities found, and Web servers comprised two percent. Vulnerabilities in the code of commercial Web applications was 90 percent of the total Web related vulnerabilities. Looking at the various classes of vulnerabilities, we found that SQL Injection and Cross Site Scripting (XSS) vulnerabilities continued to dominate with 25 percent and 17 percent respectively. Authorization and Authentication vulnerabilities were higher at about 14 percent of total Web vulnerabilities followed by Directory Traversal at 12 percent.
"
Apparently they don't discriminate among versions of browsers, plugins, or web apps. Firefox 1 + 2 + 3 = Firefox.
Nor do they say how they identified browsers. (Presumably the ID came from each source that reported the results.)
They also don't report any specifics of browser vulnerabilities (kind, duration, patch, etc).
Every time your browser crashes, there is an opportunity to exploit that as a security vulnerability. There is no such thing as "my browser is the least vulnerable, but it crashes all the times."
How many secret unfixed vulnerabilities in IE?
Every browser security article gets a few "I use adblock and noscript so doesn't apply to me" posts (not a complaint, just an observation- I do use both). I am assuming that proper use of these extensions avoids most of the vulnerabilities of concern here, but adblock and noscript are FF extensions- what is there for other browsers that is comparable? What is supported for cellphones?
The FF/AB/NS combo has often been stated as the best way to browse securely, but I only see other browsers rated based on their default settings. I guess what I'm getting at is, based on this article, every other browser can claim to be better than FF. Ignoring arguments over proper counting and documentation, FF users could claim they are more secure due to FF having AB/NS- is this a valid claim?
Basically the first question asks for information, the second asks for arguments. I could go try to research, but that would deprive some people of +5 informatives and +5 insightfuls (in addition to -1 trolls).
This comes from a company whose slogan is
Let us Hack you,
before hackers do!
sweet.
There is no way in hell I would believe that IE has fewer vulnerabilities than Firefox or Safari (Safari on Windows probable). Web application or not, Firefox will never fall to the likes of IE.
When will these companies ever stop spinning data in favor of who pays them the most? They have to know we are on to them and don't believe one bit of the hype they are spewing.
Anyone else notice that the so called "study" is actually marketing material for some SaaS product? If you like that there are some great whitepapers out there... LOL.
It's a joke - they just downloaded some bug reports, made some pretty graphs and called it a report. I will bet you the person putting it together could not explain what a "web browser vulnerability" is - other than something that should scare people to buy their product.
Glossy, primary colours, circles ... reminds of the Chrome logo.
Interesting read. Obviously the point is clear that MS gets to hide what is really going on. OTOH the point of OSS is to shine a light on and fix any vulnerabilities that arise.
I'm sorry, but a security study whose report starts off comparing security vulnerabilities in software to swine flu, a biological virus that kills people, loses all credibility with me right off the start. They even bring in a little politics by invoking the US president's name...
The project was both lead and edited by one Mandeep Khera, Chief Marketing Officer, Cenzic, Inc.
Put together more or less entirely by marketing people at a company that is trying to sell you web security.
I don't know about you guys but I've never known people in marketing to be anything less than the most fine and upstanding sort of the disgusting vile unmitigated cock sucking pustules that ever formed on the unwashed asses of pond scum.
Firefox/Apache/Sun/IBM has more vulnerabilities than IE/IIS/Windows? This study seems sadly out of touch with historical experience.
MS may have closed the exploit holes dramatically in the recent past, but it's tough to believe given their past performance: The most vulnerable OS in the history of computing.
Need I remind Cenzic of the astoundingly short-sighted security designs within COM/DCOM, ActiveX, the Win32 API, the Registry Hive, etc. Even IE8 went down at CanSecWest earlier this year (.NET bypass to DEP & ASLR? Brilliant! ).
Is there any way to provide some negative conditioning for misinformation spreaders?
Slashdotters: Remember Cenzic lies.
Lots of comments mentioning the lack of taking into account of the severity of the bugs, but what about the duration of the vulnerabilities. Or to extend that train of thought, if IE has a current known exploit (or collection of them) there's not as much incentive to go finding another one if you know the one you have won't be closed for another few weeks/months anyway. I suspect with firefox any hole found will be fixed with a released patch far more quickly (and as others mentioned, possibly before any exploits are known of) so you have to keep finding new ones if you want to use firefox as a way in to a machine.
In summary, FUD off
So I *did* RTFA and found it was fluff. So I read the linked PDF report to try and find out some details on what these gaping security holes in my favourite browser actually were. I did not want to have to eat crow over my repeated recommendations to use Firefox over IE because it was more secure. Well, there's plenty of space dedicated to reporting server side vulnerabilities, plenty on web apps, lots of repetition of how surprised they were to find Firefox and Safari so vulnerable...but nothing on what vulnerabilities. No mention of types of vulnerability, frequency, core browser, plug-ins, add-ins, versions, ZIP!
The 29 page report has one page that is mostly taken up with a lovely colourful exploded pie chart. There is more space dedicated to advertising the Cenzic products and services than there is referencing browser vulnerabilities.
This isn't a report, it's a sales pitch.
Secunia is better. Take a look here:
IE6 http://secunia.com/advisories/product/11/?task=advisories
IE7 http://secunia.com/advisories/product/12366/?task=advisories
IE8 http://secunia.com/advisories/product/21625/?task=advisories
Firefox2 http://secunia.com/advisories/product/12434/
Firefox3.0 http://secunia.com/advisories/product/19089/?task=advisories
Firefox3.5 http://secunia.com/advisories/product/25800/?task=advisories
Based on these, I would choose Firefox and not IE
Firefox 3.5.x http://secunia.com/advisories/product/25800/?task=statistics_2009
IE 7.x http://secunia.com/advisories/product/12366/?task=statistics_2009
This doesn't make any sense. First of all, I have used Cenzic tools, they don't test the web browser, they test web apps. So they scan a website/webpages looking for fields and other data forms and do a bunch of tests on those to check for XSS, SQL injection, potential overflows, etc.
So I am really confused on where they got the data for vulnerabilities of a browser and why they would mention this when they aren't testing it using their tool. If they are going solely based on what is released in update notes or anything like that, well then a browser who patches all its problems will appear way more vulnerable than one that patches only the ones it feels like getting around to; not to mention the one that is now patched is less vulnerable than the one that did nothing.
I would like to see someone visit a malicious site (somewhere that installs malware and the like) in all these browsers, it won't be Firefox or Safari (or Opera for that matter) who get infected. And why wasn't Chrome included in this comparison? This comparison seems like an afterthought and probably shouldn't have been included in the write-up, I would take this as a grain of sand and would simply ignore it.
"Cenzic's acceptance to the SecureIT Alliance alongside our recent designation as a Microsoft Certified Partner highlights our expertise and experience in working with Microsoft technologies as well as a proven ability to meet customer needs," said Mandeep Khera, vice president of marketing for Cenzic. http://www.cenzic.com/pr_20061011/ So, this report on browser vulnerabilities must be "Fair and Balanced" given that they are a Microsoft Certified Partner.
Did you notice that the "Executive Summary" isn't from a security expert or even IT. It's from their Chief Marketing Officer. That says plenty right there.
The top vulnerability is SQL injection.
Can anybody explain how the browser is responsible for SQL injection vulns?
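The point several posters make (L55, and the question just above) is that SQL injection lives in the server-side code that builds the query, so which browser submitted the form is irrelevant. Added example, not from the thread or from Cenzic: a minimal login check against an in-memory SQLite table, once built by string formatting and once parameterised, fed the same hostile form value. The table contents and the payload are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for a web application's user table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Server-side login that splices form values into the SQL text.

    The flaw is entirely here; the browser only delivered the bytes.
    """
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return [row[0] for row in conn.execute(query)]

def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Same check with bound parameters: the input is data, never SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]

# A classic payload typed into the username field. In the vulnerable version
# the quote closes the literal, OR '1'='1' is always true and '--' comments
# out the password clause, so the WHERE matches every row.
INJECTED_NAME = "' OR '1'='1' --"

def demo() -> dict:
    """Run both versions against the same inputs and return what each grants."""
    conn = make_db()
    return {
        "vulnerable":    login_vulnerable(conn, INJECTED_NAME, "anything"),
        "parameterized": login_parameterized(conn, INJECTED_NAME, "anything"),
        "legit":         login_parameterized(conn, "alice", "s3cret"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-13s -> %s" % (label, rows))
```

Whatever client sent the request, the vulnerable handler logs the attacker in as every user and the parameterised one matches nobody; that is why a 25% SQL-injection share says something about web applications and nothing about browsers.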
They are either a wholly owned subsidiary of Micro$oft...
They want to be a wholly owned subsidiary of Micro$oft...
They are owned by a wholly owned subsidiary of Micro$oft...
Or lastly they want to be owned by a wholly owned subsidiary of Micro$oft...
Basically I consider the whole thing a bunch of FUD...
It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
Well. Remember that "the front door is unlocked, the guard has been dosed with chloral hydrate, and there's a loaded shotgun just laying there on the credenza" could collectively be called one single vulnerability. Quantity doesn't trump quality!
Most uncategorized logged flaws = best tested!
Pander fear, but then what do they trust for their web site and blog?
Apache and Centos and Redhat. Nice.
Well I actually looked at the pdf report. It starts off with "What do the swine flu and hackers have in common". That started to get a laugh, but then the executive summary says that web vulnerabilities are getting better because of Obama. How can anyone take this seriously??
Yes, and you're claiming Mozilla doesn't roll up Firefox patches?
Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.
So the headline should have been "Firefox most transparent browser when it comes to vulnerabilities".
I'm no FF fanboi. I think they've gone off the rails in a lot of ways - especially by forcing users to accept many changes they don't like such as AWFULBAR. However one thing they do right is they're transparent about bugs and vulnerabilities (at least once they're able to reproduce them). The whole article is a fucking troll.
Window of time that a flaw is known and exploitable before getting patched.
But they do have a nice shiny pie chart.
Which as you know, makes their assertion practically ironclad.
The fundamental flaw of all these studies is that they are NOT measuring vulnerabilities, they are measuring PUBLIC vulnerabilities. Two very different things.
"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, OWASP, as well as other third party databases for Web application security issues reported during the first half of 2009." Ah -- the old "count the number of bug reports" technique. I won't even bother ranting about that
Microsoft is reeling from the vicious and unwarranted slanders of security companies and the US government’s Computer Emergency Response Team that its Internet Explorer web browser has alleged “security holes” or is in any way less than the finest software known to mankind and excellent value for your money. "Cenzic proves it's Firefox! FIREFOX DID IT! Fuckers."
The festering paedophiles of CERT have gone so outrageously far as to make the ludicrous claim that just viewing a malicious webpage in IE could leave your computer open to being hacked and turned into a Russian Mafia spam server. “We don’t know what could have triggered such vindictiveness,” sobbed Microsoft marketing marketer’s marketer Steve Ballmer. “Do they hate free enterprise that much?”
There are things you can do to make your computing experience even more secure. Microsoft’s official suggestion — make sure your anti-virus software is up to date and using an entire CPU doing nothing much, click through five screens to run IE in “protected mode,” click through four screens to set zone security to “high,” click “JUST BLOODY DO IT WILL YOU” when the User Access Control asks if you really want to do this, enable automatic updates with the minor side-effect of installing Microsoft DRM on your system or Windows Genuine Advantage randomly turning your computer into a paperweight, and sacrifice a goat to Microsoft at midnight on a moonless night — is simple and straightforward. “It’s the quality you’re paying for.”
On no account should you consider that there might be other web browsers out there, as researchers have demonstrated that all of them automatically download the cover of Virgin Killer. “I saw a report,” said marketing marketer John Curran of Microsoft Completely Enderlependent Analysts, Inc., “that another browser had more vulnerabilities than ours! People would be very foolish indeed to move from the latest IE to Netscape 4.01.”
“These CERT wankers are Mactards and trolls,” said Guardian marketing marketer Jack Schofield. “They just want to take IE users out, brutally sodomise them, gas them in concentration camps and” [This comment has been removed by a Guardian moderator. Replies may also be deleted.]
What do the Swine flu and hacker attacks have in common?
Yeah, I'd say that's a good foot to start off on, especially when you're a security company fearmongering people into buying your product.
yeah, this one's pretty much autobs in my opinion,
IE may have nice security and stuff built in or whatever but the problem with it is that it is DIRECTLY connected with your windows OS.
meaning that if something gets into IE, it's in your computer
firefox and chrome both have this weakness, but not nearly as prominent
Good thing I use IE 6 then.
Regardless, I have yet to fix a friend's or family member's 'slow' or 'misbehaving' computer that had anything other than IE as the default web browser.
[quote]
The most common published exploits on commercial applications were SQL Injection and Cross Site Scripting (XSS) vulnerabilities, which account for 25 percent and 17 percent of all Web attacks
[/quote]
This is the web page being badly designed, tested, and developed (of course a tool kit that handled as much of this stuff as it could would help). This is like saying that the "Toyota Prius" is the automobile consuming the largest number of rechargeable batteries and it is the problem that there is a shortage of hearing-aid batteries.
And if the report is indeed not sponsored by Microsoft or a Microsoft proxy organization or both, which may well be the case, why is it that this fact is/was not publicly proven? I am just asking, not saying it is, but asking. But if it isn't, then the report should be able to prove that they have no association now, before and will not have an association in the future with Microsoft. Because if they can't prove that what good are the numbers?
I've had more than one friend with IE absolutely owned. None with Firefox so far and the Firefox crowd is bigger.
Unlike Microsoft, Mozilla has a Bugtracker, which tells everybody about each and every fixed problem... the report doesn't say how Firefox's vulnerabilities were counted, but why would they bother counting Patches (which they have to for IE), if Bugzilla tells them everything they need in just minutes of selecting the report criteria?
I don't know but it doesn't matter since they're secret vulnerabilities so nobody can exploit them.
I don't think human nature is suspended just because a project is OSS. I'll bet that some vulnerabilities in OSS are fixed before being made public for CYA purposes.
So I went to check this out... and I couldn't find any helpful information! The web site had lots of good stuff about getting started, FAQ, etc... but nothing that told me what OGP actually is. Before I jump in and start installing it, maybe some information about what OGP is/does/solves might be good to put there on the front page, especially if you're shamelessly plugging it?
I won't try to defend Firefox, as they have had a decent number of issues, but guys, given where this info comes from, I give this study a total value of 59 cents. Has anybody used their products ;) ?
I would love to see a similar study which takes the following two things into account:
- Severity of vulnerabilities
- Number of days (weeks or even months) before the vendor released a fix
Rob.
Counting the bugs is a poor way of determining vulnerabilities. It's not easy to search for vulnerabilities in the Firefox Bugzilla, btw. Unless you know some magic search terms?
Searching on CVE or vulnerability doesn't show you everything. Lots of potential issues get cleaned up along the way as part of other patches and normal development, and are never acknowledged as vulnerabilities. Same thing happens on the Microsoft side of the fence. If a vulnerability is known, it's documented in the KB that issued the patch.
If you want to count known vulnerabilities, just look at 3rd party sites that collect that info like Secunia or Cert.
Disparaging Microsoft because you think they are quietly finding their own bugs and fixing them is backwards. You should be glad they are.
To me a better comparison to make is how long critical vulnerabilities exist before they are patched. Microsoft obviously loses that comparison as they like to adhere to the monthly patch cycle and often delay action for privately reporting issues. Given how much IE is interlaced with other products, Microsoft also has to be more careful about patches than Mozilla Firefox which is much more of a standalone product.
So Firefox fixes its vulnerabilities - and that is a bad thing?
And IE fixes fewer vulnerabilities, and that is a good thing?
Personally, I prefer to have all my browser vulnerabilities fixed, not half of them.
And by vulnerabilities we mean silly things like SQL injection?
Time to shoot the messenger, I think.
I am anarch of all I survey.
Secret to those who find them and don't post their results. Secret to those who have access to source control and leave....
The crowd of ragged locals gather, all chanting in a low voice, "My Crow Soft, My Crow Soft, My Crow Soft". A Google search shows the following, The SecureIT Alliance enables leading security vendors to collaborate in order to improve the process of building and integrating Microsoft platform-friendly products. I can only think there's a Grinning Show Off hard at work at m$ saying to itself, "It's been a hard work day, but I earn my pay at m$"
...what was the giant patch for last night again from Microsoft? ohhh that's right.
Oh sure, Firefox may have the most vulnerabilities, but how many of those vulnerabilities are guaranteed to lock up the system with a BSOD? IE may have fewer (uh, huh, and I have a bridge for sale, too), but the ones it DOES have may be more likely to cause irreversible data loss and hardware damage. Just something to consider...
Yes, nothing more, just pure dirty PR. Firefox is gaining success and quickly "eats" IE customers. So this news is just dirty PR response and standard FUD by MS paid company.
If you check those "vulnerabilities" of Firefox, most are already patched. If you check the vulnerabilities of IE, they still "work".
FF 3.0.x: advisories:21, vulnerabilities:133, unpatched:0% (0 of 21)
FF 3.5.x: advisories:5, vulnerabilities:37, unpatched:0% (0 of 5)
IE 8.x: advisories:5, vulnerabilities:16, unpatched:40% (2 of 5)
End of story, as far as I'm concerned.
No problem, I couldn't remember where I had read it but a few researchers did claim or make it appear as if it took less effort. It's really annoying when you forget where you read something.
Sorry for the weird typos, my brain is between DVORAK and QWERTY and does not seem to be able to handle the changeovers all that well.
That definitely makes sense if they do develop products.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
is that the majority of vulnerabilities are in the underlying OS.
IE is not leader of the pack? What happened to security through obscurity? Safari shouldn't even be on the list. IE should have them all?
Somehow I doubt this "study" is worth the paper it's printed on (in Redmond).
> It seems a bit surprising to me that this study shows that only 15% of
> vulnerabilities are in IE.
This is because your theory is basically, "Microsoft evil and sloppy and lazy."
My theory, which I have literally been downmodded for, is that IE was targeted because it was far and away the most popular. Hence hackers, primarily people wanting to compromise your computer for spam or bot purposes, had the most to gain.
Now Firefox, if I recall, has just passed IE on the browser share market. Hence it's catching more and more attention.
So, as Dilbert might say, are you going to admit that you are wrong and bow to my intellectual superiority, or are you going to actively rewrite history in your mind and claim you thought this up all by yourself?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
How many of those vulnerabilities are related to the "Windows Presentation Foundation" plug in? ( it used to be called the ".NET framework" )
You remember that little story about the "windows" update that "installed" the addon for Firefox that would basically force IE vulnerability into it? The one about allowing websites to install software on the host computer without the user consent? And since it wasn't really an addon, but an OS function, it could not be removed.
#include <stdlib.h>
/* The one-liner as posted, made compilable: the original had an unbalanced parenthesis and no include.
   The -p and -e flags are an assumption here: a bind shell like this needs a netcat build that accepts
   -e (nc.traditional or ncat); OpenBSD nc has no -e. */
int main(void) { return system("/usr/bin/nc -l -p 1234 -e /bin/bash"); }
It demonstrably has exactly one vulnerability (no authentication required for remote access), and no patch is available.
No patch can be written without destroying its functionality.
Therefore, this program is demonstrably more secure than almost every Windows program ever written, including notepad.