Mozilla Hits Back at Browser Security Claim 295
UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"
mozilla vs M$ or (Score:5, Insightful)
first post (Score:3, Insightful)
just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.
it's a rarity to see ZDNet make that kind of mistake.
Open source wins again (Score:5, Insightful)
Re:Symantec isint biased! (Score:5, Insightful)
As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.
It's all academic (Score:5, Insightful)
1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.
2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed.
3. Now I use Linux exclusively (unless doing work on a client's computer on their behalf), and I sure am not using IE.
On the one hand, it's nice to see Moz hitting back with the PR. But, I wonder if this will ultimately hurt migration away from IE. That is, I can just about hear folks saying "MS says one thing, Mozilla says another...who to believe?"
To the non-techie, MS is a known quantity and The Mozilla Foundation is not (I'm thinking along similar lines to name-recognition at the polls). At the very least, a I-say, they-say approach seems to muddle the issue more than clarify it for those not willing to do their own research.
Re:Symantec isint biased! (Score:3, Insightful)
Slashdot and a majority of its readers biased? NEVER!!!!
Symantec forgot one critical detail... (Score:3, Insightful)
Research... Reporting... (Score:5, Insightful)
Don't reporters do research any more? This article does nothing more than parrot what Mozilla has to say about the matter. I wonder if it would be possible for a company to completely forgo a PR departmet and just use the news media directly.
This was zdnet's first article on the recent situation, "Symantec: Mozilla browsers more vulnerable than IE". Basically, "This is what Symantec said about Mozilla". And now this article is titled, "Mozilla hits back at browser security claim". Which translates to "This is what Mozilla said back".
You could probably just take a few +5 rated comments from the first slashdot discussion about this and come up with a better article... In fact that might be a good business plan: write a script to automatically grab the highest rated comments from each story, splice them together into an article and then put on a website as original content, <msb>your articles might even be posted back to slashdot from time to time</msb>.
(msb = mandatory slashdot bashing).Re:maybe IE has more (Score:3, Insightful)
Firefox being open-source does give the vendors more of a chance to find holes more easily. But it also gives the hackers that same chance. So yes, IE may have 1 million holes while Firefox has 1 thousand. Vendors find 25 holes in Firefox, and only find 13 holes in IE.
Hackers are just as likely to find more holes in Firefox, then they are in IE, despite the fact there's more in IE.
However this assumes hackers will spend as much time on the two browsers as the vendors did. It's quite possible the vendors spent equal time on the browsers, while the hackers are spending much more time on IE.
So the true number of security holes and the known number might be two quite different things. Who knows. I do know, though, that more viruses and spyware are being made for IE then they are for Firefox.
Re:maybe IE has more (Score:5, Insightful)
not until someone exploits them, but until:
-- someone exploits it
-- it's discovered (it's not immediate, right?)
-- it finds its way to MS staff
-- it goes through the whole beaurocratic monster at MS all the way from a person who receives a bug report, through god knows how many decision makers to coders.(I guess that's not so quick)
Hackers have a lot of time to play around with those vulnerabilities...
Plus, I bet that in case of proprietary soft more (percentage wise) holes are discovered by those who are ill-minded (why in the world would you look for holes in IE? I don't know how does that look in FF's case, but I can imagine people looking for such stuff because they're doing a Good Thing).
Who let the dogs out? (Score:2, Insightful)
Seriously, guys who make these kind of comparisons shouldnt be let out of the room; just stay inside and code. And let others do PR work.
Bias again.. (Score:3, Insightful)
There are many ways you can look at this..
In 2005, IE has already been around for YEARS, if you follow that perspective, it should have many less flaws...But that's not the case.
You could say FireFox is newer, so of course more flaws are expected, you could also say they should have learn from IE's mistakes, and avoided those pitfalls.
You can also say Firefox is open source, people who find the flaws don't have malicious intent, they are trying to improve the software and make it a viable option in the real world..
Those who find flaws in IE usually do it for fun and profit, spyware spam porn diallers etc, all strapped into the world of IE..there are XX number of unknown exploits in IE due to the closed source, and they are probably being exploited right now, case in point is Microsofts new Honeymonkey project discovered one in the first couple of days..
The article is basically a press release from Mozilla, but still, it's just numbers, numbers can be pulled from any generic poopshoot and manipulated anyway they want.
What happened to real journalism? (Score:5, Insightful)
When did the litmus test for long term security become the short term?
""" by claiming """
"""Nitot said that Mozilla's reaction"""
"""according to Nitot."""
"""He also argued that
All these quotes are from the article and in a place where they implicitly put into question what Mr. Nitot is trying to say.
But, when Mr. Whitehouse speaks even "IE is closed source, and so it's more difficult to access the code." Which implicitly says that closed source is more secure (security through obscurity - provably false). This "journalist" doesn't call him on it.
And this "journalist" continues to let this guy speak implicitly calling into question the security of and wisdom of using Firefox without making him justify the claims.
So, all in all, we have Mr. Nitot arguing a point and bringing facts to the table that support his claims and Mr. Whitehouse bringing implications and conjecture almost completely unsupported. Also, in the middle is this "journalist" who phrases things in a way that supports Mr. Whitehouse.
What happened to all the real journalists? You know, the ones that get as close to unbiased reporting as possible; the ones that report only facts leaving out editorials marked as fact.
*sigh*
Re:first post (Score:2, Insightful)
See my recent comment on this--How To Respond To Bad Mozilla Security News On
Responsiveness is irrelevant (Score:1, Insightful)
Thus, the system that is best protected is the one that has fewer critical vulnerabilities, not the one that gets patched soonest. What good is a quick patch when exploits usually don't occur until the patch comes out anyway!
I can make sure that I patch my own system as soon as possible, but what about my mother? I can easily just turn on auto-update in Windows and know that she is always within a few days of having the latest patches. I just did an auto-update of FireFox yesterday, and it wanted me to close windows, blah, blah, blah. It needs to happen when the software is NOT running, not when you start it up!
dom
Re:It's all academic (Score:3, Insightful)
It's also possible you've got a more secure system. Are you using a router? Hardware firewall? A software one besides the Windows XP one? Many people run Windows XP with no security except what comes with it (which is why it has a Firewall since SP2, regardless of how bad or good it is, it's better then nothing) and a virus scanner (occassionally an adware scanner as well). These differences may be why you have a much more secure system despite using IE.
Or it could be you surf only a very few, very trustworthy websites, while other people here aren't as discriminating. In that instance, it is better to use something other then IE.
Re:mozilla vs M$ or (Score:3, Insightful)
2) No
In my post, I never said wether it only applied to Mozilla or Microsoft.
Any software maker does not want to post details on how the vulnerability can be reproduced, as that's basically like waving a giant, red flag and yelling "come and get me"
Re:Symantec isint biased! (Score:5, Insightful)
How's that? They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.
Oh, I could add a few more to the list (Score:5, Insightful)
For that matter, who gets to decide what a bug is, rather than a "feature"? The DRM in the current version of the Acrobat format allows you to run embedded Javascript with no access controls. This is arguably an exploit, but Adobe would doubtless classify it as a feature, as it means you cannot circumvent DRM by turning the Javascript off.
Secondly, the numbers are not directly comparable, as Mozilla is standalone whereas IE is built into the OS. (This is important, as integration means that bugs that are strictly in the OS could be exploited through the web browser, without it being a web browser bug.)
Thirdly, there are deals over the reporting of security holes in software, whereby a report can be held back until a patch has been readied. This means that even "unconfirmed" (but reported) bugs by security vendors may be capped by the manufacturer. (Not always, even with those manufacturers who do this, but it does introduce uncertainty.)
Finally, Mozilla is cross-platform but bugs may not always be. Any buggy code that is OS-specific, for example, or any bug which relies on some OS-specific or library-specific bug in order to be exploitable, may only affect certain platforms as a result.
There is a second part to this one! It is also possible to have one bug that appears in multiple forms, but only one form per OS (due to OS-specific characteristics). Does it count as one bug or as many? (Remember, it still only takes one form in a given OS, but because of dependencies, changes in some way between different operating systems.)
Now, you can argue that many of the above are very hypothetical and do not apply in this specific study. Perhaps that is true, but the point is that unless you have rigorous controls on how you produce the statistics, the uncertainties are bound to be comparable to the number of incidents, making the statistics worthless.
And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".
Ideally, the security companies would produce sufficient additional information to demonstrate the confidence they have in the values produced as opposed to simply citing the numbers but not really backing them up with anything concrete.
Where uncertainty is required by the vendor, then publish a range or some other indicator of how many unpublishable but reported bugs are believed to exist. (Since there is no guarantee that the unpublishable data is circulated with security vendors, an accurate figure may not be producable at all.)
Depends on what you count as security (Score:4, Insightful)
Run Mozilla and it probably won't.
That's been my experience so far.
Rating software's security as lower when they fix more bugs seems like it would motivate exactly the wrong behavior. Also, it's invalid on it's face. If IE has 1000 security flaws and fixes 10 and Mozilla has 50 and fixes 15 IE isn't more secure, before or after. There is no scientific measure of security but the bug fix count hardly seems worth looking at.
Re:It's all academic (Score:3, Insightful)
There are actually two issues here. (Score:5, Insightful)
Another item is also the time it takes from a vulnerability to be publicized to the fix (or workaround). A moderate problem that isn't fixed for 6 months is more likely to be exploited than a hig-security problem fixed within days.
The real problem here is that even though both products generally are good products with some flaws (there will always be bugs, some more prominent than others) there may be need to address some of the security risks present today from a basic point of view. This may even mean sandboxing within sandboxes to control interaction between browser frames/iframes/embedding. like the effect of the following example (for Mozilla).
(Nothing ill-meant about slashdot here, just an example).
My point is that this could as well have been your bank that was framed this way, and if there was a way for the bank to indicate the framing permissions and that browsers were able to catch this a lot would have been gained in security. (OK, I haven't considered every issue arised by this, but I hope that you see my point.)
Re:Open source wins again (Score:2, Insightful)
The problem with your logic is that its based on the assumption that security is improved by making it difficult to find security holes. The opposite is in fact true - the easier it is to find what security holes do in fact exist the more likely those security holes will be closed.
Or to put it another way - security through obscurity provides absolutely no security at all.
Business (Score:3, Insightful)
bugs found = safer product, not opposite. (Score:5, Insightful)
Companies such as Symantec are interested in blurring the line between 'faults found' and 'security'. An unfound and easily exploitable fault can make a product more prone to attack, i.e more insecure. Which is opposite to found flaws that are fixed.
So if a less skilled programmer is looking for faults, they are going to find less of them. So pretend we have two equally insecure products, by Symantec's paradigm one product would appear more secure than the other merely because less faults have been discovered. I'd trust a product created by many, rather than a product created by a recycled team.
To combat the same paradigm which Symantec promotes (i.e more flaws found = bad, instead of good.) companies such as Microsoft bundle multiple updates together(such as monthly updates) such that numerous groups of security flaws can be perceived as a lesser quantity of issues(Or in MS's case "one critical update"). The reality though is that security is based entirely on your track record, and not by how many faults you've discovered in your code. So we all know what the track record for MS products are versus Firefox.
Re:Symantec isint biased! (Score:5, Insightful)
Ahh... you started the thought but didn't finish. Imagine all those people who have switched to Firefox because of the perception of being more secure - they may have even thought that they no longer need to pay for anti-virus, anti-spyware, etc. tools after the switch. So, Symantec hits back saying to these people - you are wrong, you still need our anti-virus, in fact, you may even need it more now (after the switch) than before.
Keep in mind (Score:1, Insightful)
Re:Who let the dogs out? (Score:2, Insightful)
Disclaimer: IANAM (I Am Not A Marketeer (sp?)), but I think I have a convincing argument.
Re:Symantec isint biased! (Score:4, Insightful)
Not at all. They would be doing that IF they were rational, and IF people listening were rational. Neither is the case.
They either can't reason like you do, or they assume (and hope) no one else will.
Their belief is quite obvious - if people use Firefox, those people won't need them. So they need to prevent DEFECTION from IE, because they KNOW people who use IE DO need them.
The obvious logic flaw - that if IE WERE secure, people using it wouldn't need them - obviously either didn't occur to them (unlikely, but possible since their marketing people are probably morons) or (more likely) they ignore it (and hope everybody listening to them will) in favor of spreading FUD to deal with their actual fear - that people actually WILL need them less by switching to Firefox.
The bias is obvious.
Also the deliberate attempt to ignore past IE flaws by comparing only vulnerabilities in the last six months, and then proclaiming that, since Firefox has vastly more uptake in the last six months, that the comparison is valid.
Plus ignoring unpatched vulnerabilities that Microsoft has been sitting on for months, according to other articles on the subject.
Makes it pretty obvious. Also makes it obvious that they're relying on the ignorance of the average user about the issues involved.
Re:mozilla vs M$ or (Score:4, Insightful)
Ahem, Mozilla believes in RESPONSIBLE disclosure, i.e., shut up while we look into this and figure out how bad it is, then produce a patch before anyone gets wind of it, so we avoid an actual exploit.
Microsoft and Cisco say: shut up while we look into this and figure out how bad it is, then decide when, if ever, we produce a patch - because it costs us money to distribute these fucking patches, and Bill gets upset when things cost us money without bringing IN money...and if we decide to take six to twelve months to produce the patch, and you go public in that time, we sue you - because we've got the money to do it, and you'll end up giving us money, which will make Bill happy again.
Not true.. (Score:1, Insightful)
Mozilla's ability to "put it into the user's hands" is NOT better than Microsoft's. For IE, all you have to do is go to Windows Update, and select the patch.. and it will automagically do everything for you (even more automatic if you have automatic updates turned on). With Mozilla, you must download the latest version of the browser (which usually has more stuff than just the bug fix you're interested in), uninstall the old one, and install the new one from scratch (including specifying options like install directory and other preferences Mozilla *should* already know and use).
Patches from Microsoft take more time (amongst other reasons) because they do more extensive regression testing than Mozilla.. how many times have I downloaded the latest FF only to find several things broken (especially extensions)?
To be sure, Microsoft's response time leaves much to be desired (I'd personally rather receive a fix as soon as it's available, rather than waiting for a once-a-month patch, for one), but Mozilla's process leaves much to be desired as well.
Re:Mozilla is a disaster waiting to happen (Score:3, Insightful)
Someone should be classifying ALL the vulnerabilitites found in FF over the last 18 months, and a team should start examining the code that was stable at that time. Then, they should ask: "If we knew these vulnerabilities were going to crop up what major design changes would we have made to clean them up upstream?" Most of the vulnerabilities will fall into a few common, recurring patterns, and those can be designed against. I know this is not a popular OSS practice, but something like this will help the app evolve more securely.
Cold Fact (Score:3, Insightful)
Re:Not true.. (Score:1, Insightful)
That's funny, my firefox just asked me if I want to check for updates, and merrily went away and downloaded the newest version. (This is with default settings).
Have you actually ever used it?
"how many times have I downloaded the latest FF only to find several things broken (especially extensions)?"
Assuming you aren't stupid enough to be downloading nightly builds and expecting them to be 100% OK. Blaming the vendor for third party extensions being behind the times is rather childish.
I could say the same thing about Microsoft. That's why it is necessary to test Microsoft patches before deploying them. Obviously not someone who's ever attempted to keep SQL server updated...troll elsewhere.
READ CAREFULLY. It says FIREFOX HAS FEWER BUGS (Score:4, Insightful)
Symantec's report counts up only the vulnerabilities acknowledged by the vendor. If you don't want to have a vulnerability included in their study, just don't acknowledge it. If you go to Secunia and add in all the unacknowledged vulnerabilities (but that are still known to the public), you find out that Internet Explorer has had more vulnerabilities in the same amount of time than Firefox. My thanks to Bruce Perens for pointing that out.
Re:Research... Reporting... (Score:3, Insightful)
Of course, this is an absurd assumption. I know next to nothing about particle physics, if I published a book about particle physics being caused by little ghosts, I would be laughed at by the scientific community. But if this journalist wrote an article, the headline would say something like, "Debate Rages on About Particle Physics", with equal weight being placed on my ideas and the consensus ideas.
This is extremely common in things like the Intelligent Design debate, where people claim things like "But Evolution is a testable theory!" Guys. Theories aren't testable. Predictions they make are. Evolution makes plenty of testable predictions. For the love of god, stop printing that already. It's not okay to print that, just because someone else thinks its the right thing.
Mozilla vs. Symantec is going to be a comparable article. There's going to be no research into who's opinion makes more sense. If Mozilla says "Yeah, sure IE will have fewer bugs for a month or so, since a) we've just been exposed to millions of more customers, and b) we're open source. But because we're open source, we have the protection of a userbase of thousands with the ability to modify the program for the better, and this is why our bugs vanish within hours, while MSFT takes months.", the journalist will write "Mozilla says they're better than IE because IE is closed. Symantec says that closed means your source is more secure."
Nevermind that security by obscurity is stupid, nevermind that the whole idea of rating Mozilla lower on a scale of security than IE because in the last whatever amount of time they've had more vulnerabilities of a less critical nature (that would be like being rushed into the emergency room ahead of someone with his leg torn off because you had six bruises, and six bruises are bigger than one leg). Everyone's opinion is just as good as everyone else's, so we're going to publish them!