Browser Vulnerability Study Unkind to Firefox
Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."
Not so bleak (Score:5, Informative)
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. [secunia.com] Firefox has 3 of 36 unpatched [secunia.com]. The most severe unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
So what? (Score:5, Informative)
This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.
IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.
Belt and suspenders (Score:2, Informative)
Re:Consider this... (Score:5, Informative)
Opera keeps having new features added too, though. Despite this, according to the article, Opera managed to have a decrease in vulnerabilities - so why not Firefox?
Re:And consider this, too... (Score:4, Informative)
Webkit is to Safari what Gecko is to Firefox and what KHTML is to Konqueror.
Re:Wow, how surprising (Score:3, Informative)
From The Ars Technica article:
It seems like Mozilla developers are quite interested and skilled in fixing bugs to me.
Re:Article hurts my brain (Score:2, Informative)
Re:Truth to the market segment argument? (Score:5, Informative)
I predict an even greater number next time. (Score:3, Informative)
Re:Not so bleak (Score:1, Informative)
Re:Not so bleak (Score:3, Informative)
This is only theoretically possible and then really only in circumstances where the virus or trojan is not an OS specific binary but a script of some sort. It is virtually impossible to have a cross platform OS binary work on more than one OS. For this to work, the exploit would need to leverage similar flaws in both OS binary loaders such as the Windows PXE loader and the Linux ELF loader. The odds of the planets lining up this way are very slim and even then, the window of opportunity would likely be very short lived. Cross platform exploits based on scripts (e.g. Perl) or portable binary formats (e.g. Java) are possible but they all involve writing an OS specific payload to an executable, so it's not a true cross platform virus in the sense that it propagates itself between platforms. Rather, they're cross platform scripts that deliver a platform specific payload.
Re:Comparing Dogs and Foxes. (Score:3, Informative)
Yes, but only until a fix is delivered to most users (automatic downloads, Linux distros update their repositories). After that, the bugzilla entry is publicly accessible for all to see, including the original reporting date, the discussion of the problem and who reviewed the fix. This is similar to the handling for most security vulnerabilities which are dealt with privately with the original developers until either the reporter gets fed up with waiting or the problem is fixed.
Cheers,
Toby Haynes
Re:Opera wins :-) (Score:1, Informative)
Supported browsers
Menus created using Menu Maker will be displayed in the following web browsers:
Windows
* IE5 or later
* NS6.1 or later
* Mozilla
* Opera 7 or later
Mac
* NS6.1 or later
* Mozilla
* Apple Safari
Feel free to check their provided example menus. They all work properly in Opera (which does not break with any "common JavaScript", since it has superb DOM compliance).
Unless, of course, the last time you used Opera was in 2000, and you're just trolling now and inventing a straw man.
it's better to have a virus than symantec on a pc (Score:2, Informative)
Re:How about measuring days of vulnerability (Score:3, Informative)
I use Firefox for my general browsing, and am now using Linux as my main OS. My wife/kid's PCs are set up as above. Firefox is the main browser, with IETab for the 2-3 sites they use that require IE, with security tightened a bit.
Re:Opera wins :-) (Score:3, Informative)
Re:How about measuring days of vulnerability (Score:3, Informative)
I don't know whether it's a feature of Firefox itself, or an extension called MR Tech's Local Install, but if you place downloaded extensions in the Extensions folder, Firefox will prompt you to install them next time it's run.
FWIW, it would be nice to be able to slipstream extension installs into Firefox installs; you could make a tightened security... heh... distribution of Firefox with AdBlock, NoScript and so on included; a neat, quick install for people who have to do it a lot.
Then again, it doesn't sound like a very good security model in itself...
Read the report yourself (Score:3, Informative)
It never fails to amaze me that slashdotters tend to post news stories rather than the source.
Re:Truth to the market segment argument? (Score:3, Informative)