
Browser Vulnerability Study Unkind to Firefox

Posted by timothy
from the still-beats-IE-on-my-linux-boxes dept.
Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
  • by RingDev (879105) on Monday September 25, 2006 @01:20PM (#16187369) Homepage Journal
    What's this? Could it be an indication that there is some truth to the market segment correlation to vulnerabilities and attacks?

    -Rick
    • by Nos. (179609) <andrew@NospaM.thekerrs.ca> on Monday September 25, 2006 @01:27PM (#16187505) Homepage
      This article is pretty light. Sure, more vulnerabilities is bad, but it doesn't necessarily mean that more vulnerabilities is worse. Firefox is patched quicker, which is very important. Also, I don't see anything about the nature of these vulnerabilities. Are they all critical, your box is getting trojaned? Just comparing the pure numbers doesn't tell us much.
      • by Daniel_Staal (609844) <DStaal@usa.net> on Monday September 25, 2006 @02:05PM (#16188087)
        For that matter, they all could basically be because someone ran a code-audit on Firefox recently. Something like that would raise the 'found vulnerabilities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently. (I don't know of any such audit off the top of my head, but I don't follow that closely. It wouldn't necessarily make the news.)
        • Re: (Score:3, Insightful)

          by advocate_one (662832)

          For that matter, they all could basically be because someone ran a code-audit on Firefox recently. Something like that would raise the 'found vulnerabilities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently.

          somebody did... [g2zero.com] recently... like just a very short while ago...

      • I figured something like this would come along, and that's why I provide three web browsers in my Knoppix remaster (see screenshots below). Right now, I am using it with Opera 9.02, but also have Flock and Firefox on the CD. They are keeping me busy updating these browsers; I cannot use the automatic update setup that Firefox uses on Windows machines, since mine is a livecd setup.
        Having said that, I don't see how my machine can be trojaned. This is knoppix, after all. I do have Firefox protected somewhat with th
      • Re: (Score:3, Insightful)

        by catwh0re (540371)
        I've said this ad nauseam on here, and generally most people will agree: The number of patches released for a piece of software is not an indication of the software's security.

        There seems to be a journalistic approach that equates more patches with less security.. More patches means a -more- secure product, not a less secure product. We're not talking about Windows XP here, where the tide of patches has never stemmed, to the point where their patches have been guilty of creating new security vulnerabilities

      • Re: (Score:3, Insightful)

        by shaitand (626655)
        "Sure, more vulnerabilities is bad,"

        More vulnerabilities is bad, but more reported vulnerabilities is not. More reported vulnerabilities is good as long as the vulnerabilities are being patched. I would be happy to hear that they ironed out a thousand vulnerabilities in FireFox this month.

        No software is without vulnerabilities, but the more vigorously they are hunted out and patched the more obscure the ones left will be. If a thousand vulnerabilities are found and fixed in FireFox this month they will prob
    • A much better measure of security is how many days the users spend being vulnerable after a vulnerability is made public. The browser with the fewest days of vulnerability is the safer browser. And that's no contest.
      • Re: (Score:3, Insightful)

        by Mistshadow2k4 (748958)
        The fewer the safer? I wouldn't say that -- Active X is a huge vulnerability all by itself. You may be able to disable Active X in IE7 beta but you can't in 6 without 3rd-party software, to my knowledge.
        • Re: (Score:3, Informative)

          by aztracker1 (702135)
          Set the security level for the "internet" zone to "high"... no active-x, you can also do custom for disabling active-x, while leaving javascript. I wouldn't mind seeing a "permitted controls" list, so you could allow say javascript, xmlhttprequest, flash and java, while leaving the rest disabled... I usually put those sites that *NEED* it into the "trusted" zone (set to medium security).

          I use Firefox for my general browsing, and am now using Linux as my main OS. My wife's and kid's PCs are set up as above.
          • Just out of interest, is there any way to 'slipstream' (to use an MSism) an extension into a FF install? I want to build some to just hand out to people with IETab ready to go.
            • by fuzzix (700457)

              Just out of interest, is there any way to 'slipstream' (to use an MSism) an extension into a FF install? I want to build some to just hand out to people with IETab ready to go.

              You might try installing an extension on Firefox portable [portableapps.com] and giving them that in a self extractor that includes a shortcut to Firefox on the All Users desktop... or something... Man, it's so long since I've done this Windows stuff I'm not even sure what's feasible any more :)

            • Re: (Score:3, Informative)

              by cp.tar (871488)

              I don't know whether it's a feature of Firefox itself, or an extension called MR Tech's Local Install, but if you place downloaded extensions in the Extensions folder, Firefox will prompt you to install them next time it's run.

              FWIW, it would be nice to be able to slipstream extension installs into Firefox installs; you could make a tightened security... heh... distribution of Firefox with AdBlock, NoScript and so on included; a neat, quick install for people who have to do it a lot.

              Then again, it doesn't

    • Firefox's code base did not suddenly get far worse. The change must come from more people paying attention.

      Agreed, pretty meaningless without specifying the severity of the vulnerabilities and the time to get them patched.

      Plus, to a pragmatic user, does it really matter why there are so few exploits in the wild? "Inherent" security won't pay for a format and reinstall. If you can browse safely, the only reason to pay attention to the "It's not popular enough to exploit" arguments is to stay alert as your br
    • JC, mobs and mods (Score:5, Insightful)

      by RingDev (879105) on Monday September 25, 2006 @02:23PM (#16188369) Homepage Journal
      I made no derogatory comment about either browser. I was merely commenting on the correlation between usage and detected vulnerabilities. Many people have discounted the notion that FF has fewer vulnerabilities because of its lower market penetration, but this article would suggest that as FF's popularity has increased, so has the rate of vulnerability discovery.

      That said, I use FF. I think it is a superior product when compared to IE. And FF developers' ability to address and rectify those vulnerabilities has been proven time after time to be better than MS's ability.

      So, the whole point I was hoping to provoke in conversation:

      Vulnerabilities Discovered != Vulnerabilities

      Increased Usage = Increased Vulnerabilities Discovered

      -Rick
  • Not so bleak (Score:5, Informative)

    by Noksagt (69097) on Monday September 25, 2006 @01:20PM (#16187377) Homepage
    From the article (emphasis mine):
    That said, Internet Explorer remains the most popular target for attacks, with 69 percent of all browser attacks targeted specifically at that browser alone. 20 percent of the attacks monitored during the period in question were targeted at Firefox.

    When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.
    So Firefox is still less targeted than IE & also gets fixed much sooner.

    If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. [secunia.com] Firefox has 3 of 36 unpatched [secunia.com]. The most severe unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
    • Opera wins :-) (Score:2, Insightful)

      by RobbieGee (827696)

      Have a look at Opera 9.x's advisory list [secunia.com] :-)

      Affected By 1 Secunia advisories

      Unpatched 0% (0 of 1 Secunia advisories)

      Most Critical Unpatched
      There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.
      • by pingveno (708857)
        I can't help but wonder if the Qt GUI toolkit has helped Opera be among the top few browsers, as well as the other factors involved (small user base, closed source). Is that possible?
      • One advantage Opera has is that they manage to coordinate advisory releases and bug fixes. It's rare that someone announces a security vulnerability in Opera before the updated version is out.

        This probably means that most vulnerabilities in Opera are found internally, or reported straight to Opera by researchers. At that point Opera works on a bug fix, then releases the update and the advisory together.

        By contrast, many vulnerabilities for Microsoft and Mozilla products get posted to Bugtraq or otherwise
    • by RonnyJ (651856)
      If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched.
      Why didn't you quote Opera 9's statistics [secunia.com] from Secunia too?

      Affected By 1 Secunia advisories, Unpatched 0% (0 of 1 Secunia advisories)

    • How can IE have a "nine-day window" for patching if patches only come out once a month?
      • Re: (Score:2, Informative)

        by Athenais (922233)
        Routine patches come out once a month; critical updates are released as soon as a patch has been developed and tested. Often, this is less than a month. ;)
        • Not to mention a flaw discovered on Nov. 25 and patched for the Dec. 1 release plays with the "1 month" curve a little.
    • by Chris Burke (6130) on Monday September 25, 2006 @02:00PM (#16187991) Homepage
      The article says that their numbers come from Symantec's security threat report, but where does Symantec get their numbers from? Obviously to count a vulnerability, they have to know about it. Are they only counting ones they have verified, any that have been publicly announced, do they do their own research? Are we counting all the vulnerabilities that appear in bugzilla? Are we not counting the vulnerabilities that MS knows about but hasn't made public?

      I can't really say, but to me it looks like exactly what I would expect from an open source system: More publicly known bugs (not necessarily more or less actual bugs), and a faster turnaround time on bugs.
      • by this great guy (922511) on Monday September 25, 2006 @03:13PM (#16189147)

        (Here is what I was about to post, but you pretty much summed up my viewpoint. First of all, here is a direct link to this Symantec Internet Security Threat Report -- Volume X: September 2006 [veritas.com] that is talked about.)

        It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

        Totally. Pointless. Comparison.

        First, as the Slashdot posting correctly points out, the window of vulnerability is much larger with IE. Microsoft is known for taking months to fix some vulns, and is taking longer and longer [washingtonpost.com] over the years.

        Second, what about the importance of these vulns? Was it 47 minor DoS for Firefox and 38 critical arbitrary code execution vulns for IE?

        Third, what about the methodology used to gather the vuln counts? The report always says "Source: Symantec Corporation", with no more information. Did they count Firefox security-related bugs or security advisories? Did they count 1 Microsoft patch fixing N vulns as 1 or N vulns (too many studies make this mistake)?

        Fourth, what about silently fixed vulns in IE ? Microsoft is known for secretly fixing vulns that are discovered internally [eweek.com], and of course they never talk about them in public. Symantec certainly did not count these.

        There are just too many reasons making virtually all studies comparing the number of security patches between 2 products useless. This one is no exception.

        • Re: (Score:3, Interesting)

          by jesterzog (189797)

          Totally. Pointless. Comparison.

          I think it'd be more correct to say it's an unfair and biased comparison than a pointless one. I know I'm being cynical, but the comparison is completely logical from a Symantec marketing perspective. (Well, that's what FUD is realistically.)

          In particular, Firefox is a web browser that doesn't have a reputation of needing external software to protect it. If more people use Firefox, it also increases the motivation for website developers to develop compatible websites, an

    • Re: (Score:3, Interesting)

      by Himring (646324)
      Like the piece Symantec did last year -- I think it was -- on Firefox and security, it still stands. They have a vested interest in Firefox NOT being a solution for computer security. I take their reviews with a grain of salt....
  • Consider this... (Score:4, Insightful)

    by KermodeBear (738243) on Monday September 25, 2006 @01:21PM (#16187405) Homepage
    FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.

    IE 5/6 have been stagnant for years. Of course the number of bugs isn't going to be as large.

    That said, I know which one will issue a bug fix more quickly when something IS found...
    • by KingSkippus (799657) * on Monday September 25, 2006 @01:35PM (#16187645) Homepage Journal

      Consider this, too:

      This report is put out by a company that makes its living by protecting users from software like Internet Explorer. If people stopped using Internet Explorer, how would it make its money? (Okay, that's a little tinfoil-hatish.)

      But also consider this:

      Those are vulnerabilities that we know of. They're pretty easy to find (oh, and fix) when people can pore over your source code. How many vulnerabilities are in Internet Explorer/Opera/Safari that we don't know of, that aren't getting fixed, and just waiting for someone to figure out to blow up?

      That's when you're really thankful of this:

      Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability.
    • Re:Consider this... (Score:5, Informative)

      by RonnyJ (651856) on Monday September 25, 2006 @01:45PM (#16187785)
      FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.

      Opera keeps having new features added too, though. Despite this, according to the article, Opera managed to have a decrease in vulnerabilities - so why not Firefox?

      • Re: (Score:2, Interesting)

        by KDR_11k (778916)
        I'd say this is more due to the open nature of Firefox, when FF has a vulnerability it's discussed publicly and vulnerabilities are easier to spot since it's opensource. With other browsers you don't know how many vulnerabilities are found and patched behind the scenes and they are much more difficult to find for outside observers.
      • by everphilski (877346) on Monday September 25, 2006 @02:02PM (#16188037) Journal
        Vulnerabilities are directly proportional to user base and increase with access to source control.

        Opera has a low user base and is closed source. Therefore, few vulnerabilities. In short, no one cares.

        Firefox, on the other hand, has a moderate user base but the source code is right there, the vulnerabilities are ripe for the picking. Hence why the vulnerabilities are high but the turnaround time to fix them, also quick.

        IE on the other hand, high user base closed source. High vulnerabilities because of the high user base but potential hackers have to work harder.

        Really, this study is a no-brainer. The results make perfect sense.
        • Admittedly, your comment adds a second component (source control), so it's better than some of the arguments I've seen, but...

          Does anyone else appreciate the irony inherent in the fact that some Firefox users claim that Opera only appears more secure because fewer people use it, and therefore fewer users encounter problems and fewer attackers look for them?

          It wasn't that long ago that IE users were making the same claim about Firefox. I seem to recall the argument wasn't terribly popular among this crowd.
    • Re: (Score:2, Funny)

      by Onan (25162)
      Fascinating. Isn't the most common accusation leveled at Microsoft that they always prioritize new features and bloat over making their existing stuff more stable and secure?

      So, in other words, the Mozilla project has become Microsoft, but more so?

  • The pretty graph does show an increase in the number of vulnerabilities found between July 05 to December 05, and January 06 to June 06, but could this be because the number of users has also increased in that time? More users finding and reporting the bugs, or even a greater number of developers writing the code making it less manageable and secure?
  • by mobiux (118006) on Monday September 25, 2006 @01:22PM (#16187427)
    Yes I use Windows.
    For most of the IE vulnerabilities, I have to reboot my computer to install it.

    Firefox is nice enough to download it and install it the next time I start the browser.
    And it does it more than the 2nd Tuesday of each month.
  • Version? (Score:5, Interesting)

    by in2mind (988476) on Monday September 25, 2006 @01:24PM (#16187469) Homepage
    The Ars Technica article doesn't mention the version for any of the browsers they mention. When they say 47 bugs were discovered for Firefox, which version are they talking about? 1.5? 1.7? 2.0 Beta? Same for IE. 6 or 7?
    • Obviously not for a single version, but for the most current version when each vulnerability was discovered. Not counting betas.
  • So what? (Score:5, Informative)

    by ricky-road-flats (770129) on Monday September 25, 2006 @01:29PM (#16187529)
    Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted in people's identities being stolen?

    This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.

    IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.

    • Re: (Score:2, Insightful)

      by portmapper (991533)
      > Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in
      > the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted
      > in people's identities being stolen?

      The issue is that Firefox (and Thunderbird) has had many security issues, and still has many. For instance, the KDE Konqueror WWW browser has not had nearly as many security issues.

      > This study shows me nothing useful. Given the fact that a
    • Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted in people's identities being stolen?

      The study does not give exact numbers for any of these things, but it does nicely summarize the state of these things by saying all the widespread exploits were for IE and none for any other browser.

      This study shows me nothing useful.

      The study

  • by ThinkFr33ly (902481) on Monday September 25, 2006 @01:32PM (#16187581)
    There is a big difference between how vulnerable a program is and how dangerous it is to use.

    The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.

    IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.
    • by Kaenneth (82978)
      Which means that we shouldn't want any more users of Firefox, because if it gains share, then it will become a bigger target.

      Switch back to IE, you're blocking the view from my Ivory Tower.
    • by suv4x4 (956391)
      There is a big difference between how vulnerable a program is and how dangerous it is to use.
      The more ubiquitous an application, the more it will be examined as a possible attack vector, and the more it will be exploited as an attack vector.
      IE is still far more dangerous to use than Firefox thanks to the fact it is still used by far more people.


      So if we all want to remain safer, we should all go to Firefox..
      In which case Firefox becomes the top browser, and IE will become less dangerous... You can't win, ca
  • Belt and suspenders (Score:2, Informative)

    by Anonymous Coward
    I've taken to surfing from a copy of Opera running inside a VMWare virtual machine. If anything gets through (so far so good) I just go back to a clean snapshot. Nice to see my browser doing so well.
    • by PitaBred (632671)
      Great security and all, but it's a bitch saving something to the desktop, not to mention downloading say, an ISO or whatnot, then having to transfer it over a local loopback network connection to your "real" machine.
  • by darkchubs (814225) on Monday September 25, 2006 @01:37PM (#16187685)
    It's not the number of vulnerabilities, it's more about the severity of them. A cookie injection, or cross site scripting, is NOT the same as a buffer overflow/shell execution vulnerability. FF is by far less susceptible to the serious system risk level attack than IE; with no "known" arbitrary execution exploits at this time, IE has one outstanding right now and "drive by downloads" of scum ware is booming in the last few weeks.
  • Wrong Numbers (Score:5, Insightful)

    by 99BottlesOfBeerInMyF (813746) on Monday September 25, 2006 @01:37PM (#16187697)

    It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer.

    This is very misleading. These are the numbers of vulnerabilities reported to Symantec and which the vendor has acknowledged to Symantec. The total number of vulnerabilities reported to Symantec are 50 for Firefox and 57 for IE.

    If you add to this the quote from Symantec, "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred..." you start to see that this is mostly spin with little substance. Firefox is not really being attacked, and while they have bugs they fix them an order of magnitude faster and have an open process that responds to the community. This bug count includes all the bugs the Firefox team found, but who knows what percentage of bugs Microsoft and partners found that they deemed not worth fixing and which do not show up in this study? It is debatable that in theory, Firefox is more secure, but attempts like this to twist numbers to make it seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get attention. I declare the summary here to be FUD.

    • Re: (Score:2, Insightful)

      by kfg (145172) *
      Firefox is more secure, but attempts like this to twist numbers to make it seem like maybe Firefox is not more secure in practice, are misleading and simply a way to get . . .

      . . .your money.

      KFG
  • FUD (Score:4, Insightful)

    by Chanc_Gorkon (94133) <gorkon&gmail,com> on Monday September 25, 2006 @01:54PM (#16187905)
    Let's think about this.....a report from a ANTI VIRUS VENDOR!! Anyone want to make a bet when Symantec will make a Firefox Extension for scanning for malicious websites......AND make you pay for it??

  • by 140Mandak262Jamuna (970587) on Monday September 25, 2006 @01:54PM (#16187915) Journal
    Let MSFT open its bug database to the public, the way bugzilla is open. Then we can count the vulnerabilities.

    And don't just count the "vulnerabilities". Give some weightages. One "not critical" vulnerability in Firefox IS NOT EQUAL to one critical vulnerability in IE. Like "Not Critical" has a weight of 1, and scale it by a factor of 10 for each higher level. Then do a weighted sum.

    • This is exactly what I thought when I read the article. Vulnerabilities aren't equal, even ignoring which browser is targeted more. Some vulnerabilities are quite difficult to exploit and might require someone to compromise the DNS lookups of a target, while other vulnerabilities you'd only have to visit a website with malicious code on it.

      It'd be like grouping all crimes together between two cities. City A might have 150 incidents of shoplifting, but only 10 murders. City B might only have 100 incidents
    • by legirons (809082)
      "Let MSFT open its bug database open to public, the way bugzilla is open"

      Doesn't bugzilla conceal security-related vulnerabilities?
      • Re: (Score:3, Informative)

        by tjwhaynes (114792)
        Doesn't bugzilla conceal security-related vulnerabilities?

        Yes, but only until a fix is delivered to most users (automatic downloads, linux distros update their repositories). After that, the bugzilla entry is publicly accessible for all to see, including the original reporting date, the discussion of the problem and who reviewed the fix. This is similar to the handling for most security vulnerabilities which are dealt with privately with the original developers until either the reporter gets fed up with w
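Two of the proposals in this sub-thread (the "days the users spend being vulnerable" measure and the severity-weighted sum with weight 1 for "not critical" and a factor of 10 per level) can be combined into a single score. What follows is an added example, not code from the page, from Symantec, from Secunia or from any browser project; the five severity levels are modelled on Secunia's rating scale, and the advisory records are constructed sample data whose product names are labels only.

```python
"""Severity-weighted exposure scoring for browser advisories (added example).

Combines two ideas from the thread: weight advisories by severity (1 for the
lowest level, x10 per level up) and count the days users stay exposed between
public disclosure and a patch (the "window of exposure"). The records below
are CONSTRUCTED sample data, not Symantec or Secunia figures; product names
are labels only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Severity scale modelled on Secunia's five levels, lowest first; the index
# is the exponent used for the weight.
SEVERITY_LEVELS = (
    "not critical",
    "less critical",
    "moderately critical",
    "highly critical",
    "extremely critical",
)


def severity_weight(level: str, base: int = 10) -> int:
    """Weight 1 for the lowest level, multiplied by `base` for each step up."""
    if level not in SEVERITY_LEVELS:
        raise ValueError(f"unknown severity level: {level!r}")
    return base ** SEVERITY_LEVELS.index(level)


@dataclass(frozen=True)
class Advisory:
    product: str
    severity: str
    disclosed: date            # day the issue became public
    patched: Optional[date]    # None means still unpatched

    def exposure_days(self, as_of: date) -> int:
        """Days users were exposed: until the patch, or until `as_of` if unpatched."""
        end = self.patched if self.patched is not None else as_of
        return max(0, (end - self.disclosed).days)


def score(advisories: Iterable[Advisory], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per product: raw count, severity-weighted count, exposure-days,
    severity-weighted exposure-days, and number of still-unpatched advisories."""
    totals: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"count": 0, "weighted": 0, "exposure_days": 0,
                 "weighted_exposure": 0, "unpatched": 0})
    for adv in advisories:
        w = severity_weight(adv.severity)
        d = adv.exposure_days(as_of)
        t = totals[adv.product]
        t["count"] += 1
        t["weighted"] += w
        t["exposure_days"] += d
        t["weighted_exposure"] += w * d
        if adv.patched is None:
            t["unpatched"] += 1
    return dict(totals)


def rank(scores: Dict[str, Dict[str, int]], metric: str) -> List[str]:
    """Products ordered worst-first by the chosen metric."""
    return sorted(scores, key=lambda p: scores[p][metric], reverse=True)


# Constructed sample: browser_a has more advisories, mostly low severity and
# patched within a day or two; browser_b has fewer, but severe and slow to fix.
AS_OF = date(2006, 6, 30)
SAMPLE = [
    Advisory("browser_a", "not critical", date(2006, 1, 10), date(2006, 1, 11)),
    Advisory("browser_a", "less critical", date(2006, 2, 3), date(2006, 2, 4)),
    Advisory("browser_a", "less critical", date(2006, 3, 15), date(2006, 3, 16)),
    Advisory("browser_a", "moderately critical", date(2006, 4, 2), date(2006, 4, 3)),
    Advisory("browser_a", "highly critical", date(2006, 5, 20), date(2006, 5, 22)),
    Advisory("browser_b", "highly critical", date(2006, 1, 5), date(2006, 1, 14)),
    Advisory("browser_b", "extremely critical", date(2006, 3, 20), date(2006, 4, 11)),
    Advisory("browser_b", "moderately critical", date(2006, 6, 1), None),
]

if __name__ == "__main__":
    result = score(SAMPLE, AS_OF)
    for product, totals in result.items():
        print(product, totals)
    print("worst by raw count:        ", rank(result, "count"))
    print("worst by weighted exposure:", rank(result, "weighted_exposure"))
```

On the constructed sample the raw count ranks browser_a worst (5 advisories to 3), while the severity-weighted exposure-days rank browser_b worst by two orders of magnitude, which is the point the two comments are making: which metric you pick decides the headline. An unpatched advisory keeps accruing exposure up to the `as_of` date, so the score also penalises the "still unpatched" entries that a plain count hides.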

  • by finity (535067)
    Firefox is free. Not that no cost is an excuse for it to have vulnerabilities, but rather, why pay for something that's broken? Not that MS should get every bug out of IE before it ships, but it should catch more than it does now.
  • Don't care (Score:4, Insightful)

    by Odin_Tiger (585113) on Monday September 25, 2006 @01:58PM (#16187951) Journal
    I could give a shit less about sheer number of vulnerabilities. The things that matter to me are severity of black-hat response and duration of exposure.
    Firefox: Rarely targeted, even for severe vulnerabilities. Nearly always fixed in a couple days, tops. Patched as soon as fix becomes available.
    IE: Always targeted, with rapid response from a variety of nefarious 'net villains. Patch released the second Tuesday of the month, unless that happens to be less than 2 weeks away, in which case it stands a fair chance of being the second Tuesday of next month. If no exploits gain significant media coverage, it may be over a half year. Patch is optionally downloaded / installed as soon as it becomes available, but to enable this you must also enable automatic patching of the OS, office suite, and possibly even some 3rd party software, which needless to say is a dangerous thing to do institution-wide.
  • ActiveX (Score:5, Interesting)

    by AnalogDiehard (199128) on Monday September 25, 2006 @02:07PM (#16188105)
    ActiveX is IE's major vulnerability to drive-by downloads, covert spyware/adware installs, and malicious attempts to take over your computer. Because IE is the dominant browser, it is the target of most malicious coders.

    Firefox may have more vulnerabilities, but none of them are as dangerous as the ActiveX server in IE. The numeric comparison in TFA is not even half the truth.

    M$ won't patch a vulnerability in IE overnight - but look how fast they patched a hack to their WMP DRM.

  • Symantec Motive (Score:5, Insightful)

    by blunte (183182) on Monday September 25, 2006 @02:14PM (#16188213)
    Whether the measurements are accurate or practical, one must note that Symantec has an interest in seeing people continue to use IE because, historically, IE users are more likely to get viruses.

    More risk and more problems means Symantec has an easier time selling its services.
  • Of course, I don't think any of the other browsers have something like this [slashdot.org] going on. Automatic code analysis will turn up bugs for anyone, but nobody else makes the code so public.
  • Salting the mine (Score:3, Interesting)

    by Jerry (6400) on Monday September 25, 2006 @02:28PM (#16188451)
    In order to sell worthless mines some unscrupulous agents would put gold dust into a shotgun shell and shoot it at the wall of a mine. It doesn't take much dust to sparkle a lot and fool some folks into believing that the mine is more valuable than it really is.

    Symantec is doing much the same thing, for the same purpose, which is to encourage Linux/FireFox/FOSS users to buy their worthless anti-virus software.

    The "study" they cite conveniently forgets that the ONLY security holes that IE users KNOW about are the ones that MICROSOFT TELLS THEM ABOUT. History has taught us that many holes were known by Microsoft for months, and in some situations years, before they were publicly revealed, and many times NOT by Microsoft! The other thing that IE users DON'T KNOW is HOW LONG they have been vulnerable to those holes that Microsoft announces a patch for. FOSS applications, on the other hand, encourage PUBLIC announcements of any security discoveries, along with any proof of concept code that can be used to test the patch. Those that use FOSS applications can then take timely and appropriate measures to protect their PCs and their data until the patch is released, which is usually within a day or two. Windows users hang, twisting in the winds of vulnerability for months at a time or longer. In fact, some security holes are never patched and Microsoft serves its own bottom line by telling victims of their software to "upgrade", as if that would protect them. P.T. Barnum was right, you CAN fool some of the people ALL of the time.
  • come on dudes, have you seen what happens after installing some Symantec so-called protections? They make a super PC perform like an old wreck. They are incompetents and just fear people installing anything decently secure because they know their craps are removed immediately after.
  • While the data gathered in the study will undoubtedly be used to support various "product X is more secure than product Y" claims, I believe it's fundamentally impossible to soundly arrive at such a conclusion, ever. The reason is that there may always be bias in your input, and it's impossible to know this bias.

    How many people were trying to find bugs in each product? How do the skills of the people looking for holes in one product compare to the skills of the people finding holes in the other products? Wh
  • I didn't RTFA but does the FireFox count include any of the extensions?

    Not that I'm bashing FireFox at all, I love it, but I wonder how many exploitations lie within the extensions?
  • The question is: how many people got spyware/adware/viruses while browsing with each of them?
  • People can point out that Firefox, being open source, makes it easier to find vulnerabilities. But I really believe there are countless more vulnerabilities in IE and the general public doesn't know them because of the "Tuesday patch": black hats know several more vulnerabilities, but no one else knows them exactly because they aren't being sploited (yet). Once a new patch is unveiled, those sploits go to the wild and people would need to wait for another month to have an official patch.
  • both good and bad (Score:3, Insightful)

    by CAIMLAS (41445) on Monday September 25, 2006 @03:43PM (#16189769) Homepage
    What this tells us, if anything, is that software will always have vulnerabilities, and that the number of vulnerabilities found seems to be proportional to the popularity of the software amongst non-technical users (and thus, the majority of software users).

    Now, it can be implied that it indicates poor software development and overall poor software quality coming out of the Mozilla Foundation. But I think this would simply be conjecture. While it is certainly statistically true, there's a larger picture to look at.

    Internet Explorer has been mostly static now for years; it hasn't seen any major development until recently (and that software isn't even what's being looked at here). Firefox, on the other hand, has been improving - adding new features, fixing complaints, and generally trying to come up with a better product. This is going to result in a higher number of security-problematic pieces of code - face it, people aren't perfect, and the only way to mitigate (not eliminate!) this realistically is to slow development to a standstill. Even then there would not be a guaranteed reduction in vulnerabilities, partially due to chance and oversight, and partially due to the large repository of existing code which it would have to interact with.

    Furthermore, Firefox and Mozilla are just edging into the public consciousness, whereas Internet Explorer has had a technological hegemony on the desktop as the browser now for almost a decade (in various versions). This means it's going to start receiving more scrutiny, both from malicious, malevolent folks, as well as from the benevolent security professionals. A higher detection rate is a natural result of this.

    It's a double-edged sword. More detections are being made, resulting in more vulnerable systems. This is a natural state in computing, as computing innately involves security these days. There will always be risk involved. The significant thing to look at is how quickly these problems are being resolved, and how many are resurgent problems (i.e., they weren't properly resolved). I would argue that the presented statistical information is irrelevant without further, more in-depth analysis in this regard.
  • Pure numbers of vulnerabilities mean nothing. What matters is the breakdown of the vulnerabilities. For example, Secunia reports 21% of critical vulnerabilities on Firefox, that may allow remote access. The same number for IE is 56% (This is for 2006).

    This means that IE has more than twice the number of vulnerabilities leading to a complete system compromise than Firefox.

    More info here:

    http://secunia.com/product/11/?task=statistics_2006 [secunia.com]
  • by DaoudaW (533025) on Monday September 25, 2006 @05:00PM (#16191219)
    The report is available at http://www.symantec.com/enterprise/threatreport/index.jsp [symantec.com]

    It never fails to amaze me that slashdotters tend to post news stories rather than the source.
  • by Myria (562655) on Monday September 25, 2006 @05:01PM (#16191229)
    Both Microsoft and Firefox find security bugs in their own software from time to time. However, they differ widely in what they will do once they find out this information.

    Unless Microsoft sees that someone else knows the bug, they won't release a patch. They will fix it in the source tree for the next major release, but they will not release a patch for the current version. They do this because when they release a patch, security researchers, both good and bad, will do a "BinDiff" and find out what exploit they've fixed. Bad people will then use that bug on unpatched users. If a bug isn't externally rediscovered before the release of the next major version, it's kept secret forever. You can't bindiff major releases, because there are too many changes.

    Firefox, in contrast, will generally release a patch for the current version, even if only the Firefox security team knew about it.

    Under these circumstances, of course Firefox will have more listed exploits.

    Melissa
  • Firefox lives out in the open, has been extensively audited by a huge number of different people, not to mention the bunch of automated bug hunt tool makers who have combed the code. Internet Explorer on the other hand is patched with hidden patches all lumped together. Ever wondered why there always seem to be more holes found by virii makers than are reported after patch Tuesday? Not to mention all those unpatched holes that have dragged on for as long as possible, only to be fixed in the next version?

    All MS