Firefox Most Vulnerable Browser, Safari Close
An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
How many of these vulnerabilities were due to Firefox itself, and how many due to plugins?
which is totally what she said
So just down the page on slashdot, this very day, there are warnings about a "Windows kernel vulnerability" that is exploited through IE. I'll take three cross-site scripting bugs any day over a kernel level compromise, thank you.
I know the world doesn't have a good objective measure of "impact" to assign to these things so that one could assess the total "probable inconvenience" of the presented security vulnerabilities, and that makes unbiased data gathering difficult, but this feels pretty absurd.
It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
There is an explanation for that.
Cenzic Recognized as a Microsoft Certified Partner, Experiences Substantial Momentum in Q2
I looked through older reports and cannot find a list of "vulnerabilities by major type." Anyone know where to find that? Until you can point that out to me, I'm not going to take much stock in a company which has an ad on the bottom of the article that reads:
Let us hack you before hackers do! The Cenzic website HealthCheck. FREE. Request yours now!
I'm sure one major category is "Win32 kernel exploits" while every piece of Gecko and Webkit qualifies as one major type.
My work here is dung.
Just another consultant hired to slant reality if you ask me.
http://search.cert.org/search?q=advisory+internet+explorer
http://search.cert.org/search?q=advisory+firefox
boycott slashdot February 10th - 17th check out: altSlashdot.org
I have heard the case against Safari often.
I have definitely found infected Firefox installations on relative machines. It's not immune because it is open source.
What is the prevailing flaw that Firefox has? Are they like ActiveX scale flaws where they own the PC or are they more minor but still serious?
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
It seems a bit surprising, but TFA is not about browser vulnerabilities. Most of it is focused on detailing web site vulnerabilities and has only two baseless pages with Firefox on top of the web browser vulnerability list.
The article has a pie chart and the link to the "detailed report" only has a pie chart. I guess we just have to trust Cenzic the internet security application provider. Doesn't even break it down by version number of browser or severity of exploit.
Yes - interesting how we have web vulnerabilities irrespective of the web browser.
Of the Web vulnerabilities, 90 percent pertained to code in commercial Web applications, while Web browsers comprised about 8 percent and Web servers about 2 percent. Of the browser vulnerabilities, Firefox had 44 percent of the total, but perhaps the biggest surprise was Safari, which formed 35 percent of the browser vulnerabilities. Internet Explorer was third, with 15 percent, and Opera was at 6 percent.
I'm repeating the link here -
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
From the report.
Wait... so vendors and now applications?
They continue to say that Java and PHP are very vulnerable, but it's actually applications written in Java and PHP, not the language+runtime itself. In that case you could say that C++ has the most vulnerabilities.
What does that say for a certain site owned by Geeknet, Inc?
Dedicated Cthulhu Cultist since 4523 BC.
According to the report, as best I can determine, this is how they found their results:
"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, as well as other third party databases"
It seems reasonable that any/all open source software would have a higher number of reports in these databases than proprietary software, simply because more people are able to publicly scan and report on vulnerabilities... by definition, open source software conducts its business in public, while proprietary software does so behind its private curtain.
The article link is only one short page and does not describe in detail how they came to their conclusions.
...followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser...
Looks like they're pretty clearly full of shit, and they're trying to be ambiguous and obscure by explaining little and using jargon to discourage people from searching for what all the terms they're using mean.
However, from the words they're using, they're implying common vulnerabilities exploited in corporate server-side applications. Not client-side.
SQL Injection and XSS are much bigger issues with the implementation of web applications in web pages on the server side, using database and scripting flaws in the code of the web apps to circumvent browser security.
They're talking about something that has little to do with the integrity of security of individual browsers, and more with the decisions webmasters make and what web applications they use.
Also, when they refer to Safari, they say they're referring to the iPhone Safari version:
Firefox + NoScript + intelligent user who doesn't whitelist every page he visits
Just a guess, but I think this combo has very few vulnerabilities.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
So I'm reading this and these guys come across like goofs somewhat...
... something
Pg. 4 - says: "The top 10 vulnerabilities for the first half of 2009, included familiar names such as Sun, IBM, SAP, PHP, and Apache." which is according to page 7 the ones they classified as "as the most severe." whatever that means.
But in page 6 they say: "Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009."
However in the whole top 10 list there are only two mentions of PHP that I can see...and these are problems with phpMyAdmin - which is way outside what I would consider a reasonable interpretation as a problem with PHP being a "vendor" of a vulnerable product.
So either there's a bunch of missing information or these guys can't tell the difference between PHP and an application written in PHP, or
The browser stuff seems too difficult to tell - if the actual question one is looking for is which is a safer experience. Were all vulnerabilities equally bad? Were they indexed with some information about usage? In other words do we look at the number of people using the vulnerable version and take that into account.
Like a lot of whitepapers the information isn't very helpful and the math is downright insulting.
I did not read the whole report but there is absolutely no mention of severity in that press release... nor does it mention how they counted them. Are these defects that have been acknowledged and fixed? From what I can see it's entirely possible that they've counted the THOUSANDS of trivial defects that Firefox discloses and fixes as a matter of course while Microsoft will only disclose the severe ones.
XML is known as a key material required to create SMD: Software of Mass Destruction
Isn't counting bugs released as part of press releases and change logs kind of like saying "All confirmed criminals are in jail?"
been using it since the 90s and from long experience can say it's the safest by far. don't know why or care particularly. whether clever code or minuscule market penetration is academic from this user's pov. truth is the fat lady's song still keeps the bad guys away.
I installed NoScript recently along with Request Policy. One protects from any request to a foreign domain and one blocks scripts until I allow them.
Have I reduced my exposure enough?
What I want to see is a community mediated system whereby the whitelists and blacklists are distributed amongst the community. A bit like ThreatNet, SpyNet, PrevX and all the other proprietary security systems. How the decision of whether or not to allow or disallow a request will be made but it needs to be made by a massive community. I generally experiment whitelisting a website until it works. If this information was made subscribable, people could browse with a bare minimum of exposure?
Sam
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Comparing openly known vulnerabilities, and calling it "all in all vulnerability".
As if they wouldn't know perfectly well, that Microsoft sends a cease and desist letter to anyone who is even talking about a vulnerability that is not official to MS.
I guess the old saying is true, that:
If you can't program, you teach.
If you can't teach, you administrate.
If you can't administrate, you report.
If you can't report, you criticize.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Just noticed they confused the "most common attack" types. SQL was listed as most common at 25%, but this is actually the Transverse Directories %. Clarification.
Yeah, I've pretty much stopped trusting anything that has to include pie charts in order to describe what needs to be demonstrated. How about puttin' some numbers in there, chief? And not made up numbers or percentages.
The eternal struggle of good vs. evil begins within one's self.
I agree. They seem to throw out a lot of numbers without saying where any of their data is coming from and they don't seem to be ranking vulnerabilities at all.
Plus let's face it, this is a company whose job is to get people to hire them to check the security of their web apps. Sounds like they are trying to reel in some executives who don't know any better.
as Window Snyder (former MS employee who later worked for mozilla for some time) pointed out: Microsoft puts multiple fixes in one patch, so multiple IE holes are counted as just one... http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Study/article is misleading and useless.
Also: Chrome, Bitches!
So, I'm posting as somebody who has gotten critical fixes pushed into both IE and Firefox. (Technically, Chrome and Opera too, but those were the pure crypto vulns.)
It's genuinely hard to write a secure web browser. Forget plugins -- you have a complex internal object model, subject to all sorts of very fine grained rules ("the filename on an input type=file form must not be settable from Javascript"), which can be made into a pile of moving parts under the control of an attacker. What's happened somewhat recently is a lot more people have gotten into bashing Firefox. You know those "many eyes" theories of open source, and how they're usually kind of full of it?
Well, "many eyes" are visiting it now, and Mozilla to their credit is doing a lot of very hard work to deal with the influx. Good on them.
A web site built on flat HTML pages is more likely to be secure than a web site built on PHP. The message is the medium.
Am I the only one who thinks that a MitM is a little far-fetched?
Right, because that's a logical path...
Just another ignorant American.
Here's the gist of Cenzic's _marketing_ report as it applies to browsers:
"
78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers. Plugins and ActiveX, which is a significant increase from earlier in the year.
Of the Web vulnerabilities, Web Browser vulnerabilities comprised (sic) eight percent of the total vulnerabilities found, and Web servers comprised two percent. Vulnerabilities in the code of commercial Web applications was 90 percent of the total Web related vulnerabilities. Looking at the various classes of vulnerabilities, we found that SQL Injection and Cross Site Scripting (XSS) vulnerabilities continued to dominate with 25 percent and 17 percent respectively. Authorization and Authentication vulnerabilities were higher at about 14 percent of total Web vulnerabilities followed by Directory Traversal at 12 percent.
"
Apparently they don't discriminate among versions of browsers, plugins, or web apps. Firefox 1 + 2 + 3 = Firefox.
Nor do they say how they identified browsers. (Presumably the ID came from each source that reported the results.)
They also don't report any specifics of browser vulnerabilities (kind, duration, patch, etc).
Every time your browser crashes, there is an opportunity to exploit that as a security vulnerability. There is no such thing as "my browser is the least vulnerable, but it crashes all the times."
I once had a signature.
Every browser security article gets a few "I use adblock and noscript so doesn't apply to me" posts (not a complaint, just an observation- I do use both). I am assuming that proper use of these extensions avoids most of the vulnerabilities of concern here, but adblock and noscript are FF extensions- what is there for other browsers that is comparable? What is supported for cellphones?
The FF/AB/NS combo has often been stated as the best way to browse securely, but I only see other browsers rated based on their default settings. I guess what I'm getting at is, based on this article, every other browser can claim to be better than FF. Ignoring arguments over proper counting and documentation, FF users could claim they are more secure due to FF having AB/NS- is this a valid claim?
Basically the first question asks for information, the second asks for arguments. I could go try to research, but that would deprive some people of +5 informatives and +5 insightfuls (in addition to -1 trolls).
My webcomic
Anyone else notice that the so called "study" is actually a marketing material for some SaaS product? If you like that there are some great whitepapers out there... LOL.
It's a joke - they just downloaded some bug reports, made some pretty graphs and called it a report. I will bet you the person putting it together could not explain what a "web browser vulnerability" is - other than something that should scare people into buying their product.
RelevantElephants: A Somatic WebComic...
Glossy, primary colours, circles ... reminds of the Chrome logo.
Don't blame me -- I voted for Roslin.
Interesting read. Obviously the point is clear that MS gets to hide what is really going on. OTOH the point of OSS is to shine a light on and fix any vulnerabilities that arise.
I'm sorry, but a security study whose report starts off comparing security vulnerabilities in software to swine flu, a biological virus that kills people, loses all credibility with me right off the start. They even bring in a little politics by invoking the US president's name...
The project was both led and edited by one Mandeep Khera, Chief Marketing Officer, Cenzic, Inc.
Put together more or less entirely by marketing people at a company that is trying to sell you web security.
I don't know about you guys but I've never known people in marketing to be anything less than the most fine and upstanding sort of the disgusting vile unmitigated cock sucking pustules that ever formed on the unwashed asses of pond scum.
Is there any way to provide some negative conditioning for misinformation spreaders?
Slashdotters: Remember Cenzic lies.
Lots of comments mentioning the failure to take into account the severity of the bugs, but what about the duration of the vulnerabilities? Or to extend that train of thought, if IE has a current known exploit (or collection of them) there's not as much incentive to go finding another one if you know the one you have won't be closed for another few weeks/months anyway. I suspect with Firefox any hole found will be fixed with a released patch far more quickly (and as others mentioned, possibly before any exploits are known of), so you have to keep finding new ones if you want to use Firefox as a way into a machine.
In summary, FUD off
Never underestimate the dark side of the Source
So I *did* RTFA and found it was fluff. So I read the linked PDF report to try and find out some details on what these gaping security holes in my favourite browser actually were. I did not want to have to eat crow over my repeated recommendations to use Firefox over IE because it was more secure. Well, there's plenty of space dedicated to reporting server side vulnerabilities, plenty on web apps, lots of repetition of how surprised they were to find Firefox and Safari so vulnerable...but nothing on what vulnerabilities. No mention of types of vulnerability, frequency, core browser, plug-ins, add-ins, versions, ZIP!
The 29 page report has one page that is mostly taken up with a lovely colourful exploded pie chart. There is more space dedicated to advertising the Cenzic products and services than there is referencing browser vulnerabilities.
This isn't a report, it's a sales pitch.
Secunia is better. Take a look here:
IE6 http://secunia.com/advisories/product/11/?task=advisories
IE7 http://secunia.com/advisories/product/12366/?task=advisories
IE8 http://secunia.com/advisories/product/21625/?task=advisories
Firefox2 http://secunia.com/advisories/product/12434/
Firefox3.0 http://secunia.com/advisories/product/19089/?task=advisories
Firefox3.5 http://secunia.com/advisories/product/25800/?task=advisories
Based on these, I would choose Firefox and not IE
This doesn't make any sense. First of all, I have used Cenzic tools, they don't test the web browser, they test web apps. So they scan a website/webpages looking for fields and other data forms and do a bunch of test on those to check for XSS, SQL injection, potential overflows, etc.
So I am really confused on where they got the data for vulnerabilities of a browser and why they would mention this when they aren't testing it using their tool. If they are going solely based on what is released in update notes or anything like that, well then a browser which patches all its problems will appear way more vulnerable than one that patches only the ones it feels like getting around to; not to mention the one that is now patched is less vulnerable than the one that did nothing.
I would like to see someone visit a malicious site (somewhere that installs malware and the like) in all these browsers; it won't be Firefox or Safari (or Opera for that matter) who get infected. And why wasn't Chrome included in this comparison? This comparison seems like an afterthought and probably shouldn't have been included in the write-up. I would take this as a grain of sand and would simply ignore it.
"Cenzic's acceptance to the SecureIT Alliance alongside our recent designation as a Microsoft Certified Partner highlights our expertise and experience in working with Microsoft technologies as well as a proven ability to meet customer needs," said Mandeep Khera, vice president of marketing for Cenzic. http://www.cenzic.com/pr_20061011/ So, this report on browser vulnerabilities must be "Fair and Balanced" given that they are a Microsoft Certified Partner.
The top vulnerability is SQL injection.
Can anybody explain how the browser is responsible for SQL injection vulns?
thegodmovie.com - watch it
It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.
Well. Remember that "the front door is unlocked, the guard has been dosed with chloral hydrate, and there's a loaded shotgun just laying there on the credenza" could collectively be called one single vulnerability. Quantity doesn't trump quality!
Pander fear, but then what do they trust for their web site and blog?
Apache and Centos and Redhat. Nice.
Well I actually looked at the pdf report. It starts off with "What do the swine flu and hackers have in common". That started to get a laugh, but then the executive summary says that web vulnerabilities are getting better because of Obama. How can anyone take this seriously??
I hate products that include a local copy of Mozilla. You can't update it, and it's not easy to find or realize that it's even there. Same thing with using Apache just to display a GUI.
Yes, and you're claiming Mozilla doesn't roll up Firefox patches?
Haven't RTFA yet but I bet they are using patch notes as their source of vulnerabilities.
So the headline should have been "Firefox most transparent browser when it comes to vulnerabilities".
I'm no FF fanboi. I think they've gone off the rails in a lot of ways - especially by forcing users to accept many changes they don't like, such as AWFULBAR. However, one thing they do right is they're transparent about bugs and vulnerabilities (at least once they're able to reproduce them). The whole article is a fucking troll.
These posts express my own personal views, not those of my employer
Window of time that a flaw is known and exploitable before getting patched.
Dig a little deeper. Mandeep Khera, the Chief Marketing Officer for Cenzic, is Project Lead and Chief Editor for the paper. The only two other humans listed on the project are an "Erin Swanson, Sr. Director, Product and Strategic Marketing" and "Sameer Dixit, Cenzic ClickToSecure Service." If I found the right guy on LinkedIn, Sameer is 3 years out of college.
How is anyone surprised by the resulting paper?
The fundamental flaw of all these studies is that they are NOT measuring vulnerabilities, they are measuring PUBLIC vulnerabilities. Two very different things.
"Cenzic analyzed all reported vulnerability information from sources including NIST, MITRE, SANS, US-CERT, OSVDB, OWASP, as well as other third party databases for Web application security issues reported during the first half of 2009." Ah -- the old "count the number of bug reports" technique. I won't even bother ranting about that
Microsoft is reeling from the vicious and unwarranted slanders of security companies and the US government’s Computer Emergency Response Team that its Internet Explorer web browser has alleged “security holes” or is in any way less than the finest software known to mankind and excellent value for your money. "Cenzic proves it's Firefox! FIREFOX DID IT! Fuckers."
The festering paedophiles of CERT have gone so outrageously far as to make the ludicrous claim that just viewing a malicious webpage in IE could leave your computer open to being hacked and turned into a Russian Mafia spam server. “We don’t know what could have triggered such vindictiveness,” sobbed Microsoft marketing marketer’s marketer Steve Ballmer. “Do they hate free enterprise that much?”
There are things you can do to make your computing experience even more secure. Microsoft’s official suggestion — make sure your anti-virus software is up to date and using an entire CPU doing nothing much, click through five screens to run IE in “protected mode,” click through four screens to set zone security to “high,” click “JUST BLOODY DO IT WILL YOU” when the User Access Control asks if you really want to do this, enable automatic updates with the minor side-effect of installing Microsoft DRM on your system or Windows Genuine Advantage randomly turning your computer into a paperweight, and sacrifice a goat to Microsoft at midnight on a moonless night — is simple and straightforward. “It’s the quality you’re paying for.”
On no account should you consider that there might be other web browsers out there, as researchers have demonstrated that all of them automatically download the cover of Virgin Killer. “I saw a report,” said marketing marketer John Curran of Microsoft Completely Enderlependent Analysts, Inc., “that another browser had more vulnerabilities than ours! People would be very foolish indeed to move from the latest IE to Netscape 4.01.”
“These CERT wankers are Mactards and trolls,” said Guardian marketing marketer Jack Schofield. “They just want to take IE users out, brutally sodomise them, gas them in concentration camps and” [This comment has been removed by a Guardian moderator. Replies may also be deleted.]
http://rocknerd.co.uk
What do the Swine flu and hacker attacks have in common?
Yeah, I'd say that's a good foot to start off on, especially when you're a security company fearmongering people into buying your product.
The only way to tell the difference between a hamster and a gerbil is that the hamster has more white meat.
Regardless, I have yet to fix a friend's or family member's 'slow' or 'misbehaving' computer that had anything other than IE as the default web browser.
I've had more than one friend with IE absolutely owned. None with Firefox so far, and the Firefox crowd is bigger.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Unlike Microsoft, Mozilla has a Bugtracker, which tells everybody about each and every fixed problem... the report doesn't say how firefox' vulnerabilities were counted, but why would they bother counting Patches (which they have to for IE), if Bugzilla tells them everything they need in just minutes of selecting the report criteria?
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I don't know but it doesn't matter since they're secret vulnerabilities so nobody can exploit them.
I don't think human nature is suspended just because a project is OSS. I'll bet that some vulnerabilities in OSS are fixed before being made public for CYA purposes.
It's news here to pay Slashdot's bills. By now it should be clear that these studies (no matter who wins) won't change anybody's mind around here.
So I went to check this out... and I couldn't find any helpful information! The web site had lots of good stuff about getting started, FAQ, etc... but nothing that told me what OGP actually is. Before I jump in and start installing it, maybe some information about what OGP is/does/solves might be good to put there on the front page, especially if you're shamelessly plugging it?
I won't try to defend Firefox, as they have had a decent number of issues, but guys, given where this info comes from, I give this study a total value of 59 cents. Has anybody used their products ;) ?
I would love to see a similar study which takes the following two things into account:
- Severity of vulnerabilities
- Number of days (weeks or even months) before the vendor released a fix
Rob.
Counting the bugs is a poor way of determining vulnerabilities. It's not easy to search for vulnerabilities in the Firefox Bugzilla, btw. Unless you know some magic search terms?
Searching on CVE or vulnerability doesn't show you everything. Lots of potential issues get cleaned up along the way as part of other patches and normal development, and are never acknowledged as vulnerabilities. Same thing happens on the Microsoft side of the fence. If a vulnerability is known, it's documented in the KB that issued the patch.
If you want to count known vulnerabilities, just look at 3rd party sites that collect that info like Secunia or Cert.
Disparaging Microsoft because you think they are quietly finding their own bugs and fixing them is backwards. You should be glad they are.
To me a better comparison to make is how long critical vulnerabilities exist before they are patched. Microsoft obviously loses that comparison as they like to adhere to the monthly patch cycle and often delay action for privately reporting issues. Given how much IE is interlaced with other products, Microsoft also has to be more careful about patches than Mozilla Firefox which is much more of a standalone product.
So Firefox fixes its vulnerabilities - and that is a bad thing?
And IE fixes fewer vulnerabilities, and that is a good thing?
Personally, I prefer to have all my browser vulnerabilities fixed, not half of them.
And by vulnerabilities we mean silly things like SQL injection?
Time to shoot the messenger, I think.
I am anarch of all I survey.
Secret to those who find them and don't post their results. Secret to those who have access to source control and leave....
The crowd of ragged locals gather, all chanting in a low voice, "My Crow Soft, My Crow Soft, My Crow Soft". A Google search shows the following, The SecureIT Alliance enables leading security vendors to collaborate in order to improve the process of building and integrating Microsoft platform-friendly products. I can only think there's a Grinning Show Off hard at work at m$ saying to itself, "It's been a hard work day, but I earn my pay at m$"
Yes, nothing more, just pure dirty PR. Firefox is gaining success and quickly "eats" IE customers. So this news is just dirty PR response and standard FUD by MS paid company.
If you check those "vulnerabilities" of Firefox, most are already patched. If you check the vulnerabilities of IE, they still "work".
FF 3.0.x: advisories:21, vulnerabilities:133, unpatched:0% (0 of 21)
FF 3.5.x: advisories:5, vulnerabilities:37, unpatched:0% (0 of 5)
IE 8.x: advisories:5, vulnerabilities:16, unpatched:40% (2 of 5)
End of story, as far as I'm concerned.
OK. So what study should we look at? Why don't you post the right one?
Also, Slashdot has convinced me that in the interest of fairness I should disregard any study that is funded by Microsoft or competitors of Microsoft.
No problem, I couldn't remember where I had read it but a few researchers did claim or make it appear as if it took less effort. It's really annoying when you forget where you read something.
Sorry for the weird typos, my brain is between DVORAK and QWERTY and does not seem to be able to handle the changeovers that very well.
That definitely makes sense if they do develop products.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Try the "common sense" study. I mean come on...any study that shows a huge slant in the direction of a company that is known to be vulnerable the majority of the time simply should be disregarded [period].
So there isn't a single study in the entire world that you trust or would recommend? Sounds like excessive paranoia to me. Your position seems to be - everything is biased, so let's ignore everything and use "common sense". I beg to differ. "Common sense" only works for common things.
Analyzing which browser has a better security infrastructure is not common knowledge. I very much doubt average users spend time browsing seclists.org or the Firefox bugtracker and, other than such news articles, they have no way of being informed about this topic. Wait, I take that back! Common users aren't even going to read this article. They won't even be on Slashdot :p
Let me suggest a new approach.
0. Accept that any report will have some unmeasurable bias
1. Outline a threat model for browsers.
2. Pick a point system based on some vaguely objective metric.
3. Evaluate IE 8, FF 3.5.5, etc. based on that.
Find the results and conclude that for a specific threat model and a specific point system, Browser X fared better. Feel free to debate different points systems and why you think one is better over the other. Here is an example of such a report from IBM:
http://www.servicemanagementcenter.com/ExternalContent/IBMRBMS/SMRC/WHITEPAPER/68843/XFTR-H1-2009Final.pdf
I can make a pie chart show anything I want ...
I appreciate the exaggeration for effect, but, no, you can't. :)
IE is not leader of the pack? What happened to security through obscurity? Safari shouldn't even be on the list. IE should have them all?
Somehow I doubt this "study" is worth the paper it's printed on (in Redmond).
It's clear that Cenzic partnered with Microsoft before publishing this study.
Yeah and I paid my expensive college tuition too, and they still gave me a B+ instead of an A a few semesters back :( What the hell! I paid them! :P
Hint: Just because people get paid for the study doesn't mean the results are automatically flawed. You have to first demonstrate that the process was flawed and hence produced flawed results. So far you're just ranting about peripheral topics and haven't attempted to tackle the primary point. Why don't you come up with a better process or suggest a way of improving an existing process to measure browser security? Then let's pit the browsers against each other and see who comes out on top?
Technical common sense comes from years of Internet use and before that ARPANET. Did you work on the original ARPANET?
And why would I care what you did? I don't. It's laughable really, that you have to resort to argument-from-authority. This isn't about this particular story. My first post conveniently forked the discussion to an open discussion on the general issue of not having any optimal metric to gauge a topic as vague as browser security. So far I'm seeing nothing but empty rhetoric and thinly veiled insults out of you. Maybe you're just a non-technical user that doesn't understand browser security and are using your "technical sense".
That study you linked to by IBM does not clarify the point you are trying to make, simply because IBM was also a backer of the Cenzic study.
Actually it's a pretty good report from IBM's X-Force labs, who produce, as far as I know, fairly credible reports. If you have any insight into flaws in their process let us know.
Doesn't make it true and certainly doesn't do anything for any reputation I might be trying to hold onto.
Wow! You're on a roll! Attacking me and stuff. How cute! I helpfully pointed you to a study that in my view attempts to tackle this serious topic. Your reply indicates that you didn't even read the entire study. Seems like pointing you to that piece of information was a mistake and simply served as the pretext for an unwelcome rant.
I would pit my common sense against any study you can find and my common sense will win every time.
Wow, your reply is getting more infantile by the minute. This isn't about you. It seems obvious to me now you're not interested in an honest discussion and are just looking for a nice flame war. I will not oblige.
What a waste of my time. Sigh !
> It seems a bit surprising to me that this study shows that only 15% of
> vulnerabilities are in IE.
This is because your theory is basically, "Microsoft evil and sloppy and lazy."
My theory, which I have literally been downmodded for, is that IE was targeted because it was far and away the most popular. Hence hackers, primarily people wanting to compromise your computer for spam or bot purposes, had the most to gain.
Now Firefox, if I recall, has just passed IE in browser market share. Hence it's catching more and more attention.
So, as Dilbert might say, are you going to admit that you are wrong and bow to my intellectual superiority, or are you going to actively rewrite history in your mind and claim you thought this up all by yourself?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
#include <stdlib.h>
int main(void){system("/usr/bin/nc -l 1234 /bin/bash");}
It demonstrably has exactly one vulnerability (no authentication required for remote access), and no patch is available.
No patch can be written without destroying its functionality.
Therefore, this program is demonstrably more secure than almost every Windows program ever written, including notepad.