Mozilla Hits Back at Browser Security Claim
UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"
maybe IE has more (Score:5, Interesting)
arguably, one could say this is better than in IE, where there may be some which are not known until some hacker exploits it.
secunia (Score:1, Interesting)
http://secunia.com/product/4227/ [secunia.com]
Can't see them running to fix some of those issues?
Re:Original Symantec Article (Score:1, Interesting)
I've never thought Mozilla / Firefox would prove to have fewer bugs - but as a programmer I appreciate the difference between a flaw (a problem with the design) and a bug (a problem with the coding). So does Mozilla have more flaws or more bugs? I've never been bothered to check.
Re:Open source wins again (Score:2, Interesting)
Mozilla is a disaster waiting to happen (Score:0, Interesting)
Eventually someone is going to figure out how to reverse the process and call "chrome" JavaScript from "non-chrome" JavaScript, and then it's all over. Since JavaScript can access literally anything in Mozilla, you've got a nice cross-platform vulnerability waiting to happen.
Extensions are proof enough of this. Yes, extensions can add a lot of functionality - but there really isn't that much different between an extension and a web page.
Internet Explorer may be a security joke now, but if Mozilla ever gains any popularity, it'll be an even bigger joke than Internet Explorer. It's a disaster waiting to happen.
The Symantec report is proof that this is starting to happen. If you want to use a secure browser, they're [opera.com] out [apple.com] there [konqueror.org], but Mozilla most certainly ISN'T one.
Credibility (Score:1, Interesting)
Re:first post (Score:4, Interesting)
Having said that, this is assuming Tristan Nitot isn't simply spreading FUD. I don't know how fast IE and Firefox do release their patches. I do know one thing, not as many people are taking advantage of Firefox's insecurities as are taking advantage of IE's. So at the moment, it's safer for me to use Firefox.
The interesting questions (Score:5, Interesting)
Does Symantec know customers who did?
Is Ed Gibson a Firefox user? [zdnet.co.uk]
Re:It's all academic (Score:3, Interesting)
"The Mozilla Foundation" might not be a well-known quantity outside of tech circles, but "Firefox" most certainly is.
As to the rest...it might be anecdotal, but I've certainly not heard -one- person yet complain of MORE infections after installing Firefox, always the opposite. The proof's in use, and in that, Firefox beats IE every time.
A better response... (Score:3, Interesting)
Re:mozilla vs M$ or (Score:5, Interesting)
It's hard to blame vendors for taking this route though. I've heard MS devs say that the best way to push a fix through these days is to label it as a security bug. I can only imagine what MS' track record would look like if all of those internal bug reports were made public.
With that in mind I expect that OSS will generally have more documented security issues than equivalent quality closed source software. It's just a side effect of a transparent development model. Well... mostly transparent, but I'm glad they hide the security bugs until they're patched.
Re:Symantec isint biased! (Score:1, Interesting)
I admit, they do seem a bit one-sidedly influenced.
Real world example vis Symantec vs. Mozilla (Score:5, Interesting)
The group of teachers were given Compaq and Dell laptops a few years back... and encouraged to use them at school and at home to help them in their work.
The schools gave them Symantec free subscriptions for a year... and Windows 98.
Over this summer I have fixed five of those PCs... a lot of hours in total. They were finally slowing to a halt (it is like a plague really finally hit those old Windows 98 machines) but the hardware was still going strong for what they needed. They were hijacked, malwared, and spywared to bits.
None of those teachers had bothered to upgrade their PCs via Microsoft Update ever as they did not know they had to (all of those laptops needed an update as far back as 2001 from MS), none of the teachers were going to shell out any money personally to keep their Symantec subscription up to date, and none of them had any time to learn how to protect their machines.
Why? Because they are too frigging busy doing other things!
But they were pissed that their machines were hosed and all they used them to do was write out lesson plans on MS Word and surf the net.
I did the usual Microsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.
A few months later after the start of the school year and no call-backs. None.
Symantec + IE vs. AVG/Spybot/Ad-Aware + Firefox? No contest.
In my mind, and the minds of the users I helped, Symantec is part of the problem.
They never got five subscriptions from those users and they never will.
Symantec are like a bunch of gangsters selling "protection". They need their own series on HBO!
Re:Mozilla is a disaster waiting to happen (Score:1, Interesting)
Re:first post (Score:2, Interesting)
You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.
I like Firefox as much as the next man (check out my sig) but let's not make extravagant claims.
What is Symantec's definition of critical flaws? (Score:3, Interesting)
Any vulnerability in IE turns out to be of the sort 'A remote attacker can gain complete control of the system'. Compare this to the flaws in Mozilla. How many bugs in Moz can take that credit?
*ahem* (Score:5, Interesting)
quoth eEye's product manager: "The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch." [informationweek.com]
Re:Symantec isint biased! (Score:3, Interesting)
It may not be "shocking" that they are showing preferential bias towards their own product, but it is unacceptable that they are purposefully and significantly misrepresenting the facts.
We're not talking Pepsi saying they win in a blind taste-test, or Taco Bell saying hamburgers are blase, we're talking borderline fraud.
Yeah, I know, "welcome to the real world", and all that, but maybe, just maybe, if enough people point out these negative and anti-social actions, the world will turn out a little better than it otherwise would have.
Or maybe not, but it's certainly proper to try. What I don't understand is why you'd want to, if not explicitly at least implicitly, defend and promote the sort of thing Symantec is doing? You don't have to join the "revolution", but at least be decent enough not to stand in its way.
A better measure of browser security (Score:2, Interesting)
A better measure would be vulnerability days. The idea would be to sum up across all exploits the number of days between the vulnerability being discovered and a patch being available.
This statistic could be refined by weighting each vulnerability according to its severity.
Of course, for IE we probably won't get good info on just when the vulnerability was discovered.
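The "vulnerability days" metric proposed in the comment above, as an added example that is not part of the original thread. The severity weights, the separate public-disclosure date, the product names and all records are assumptions constructed for illustration; when a discovery date is unknown, the code falls back to the disclosure date and flags the total as a lower bound.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights: the comment only says to weight by severity, not how.
WEIGHTS = {"low": 1, "medium": 2, "high": 4, "critical": 8}

@dataclass
class Vuln:
    product: str
    severity: str
    discovered: Optional[date]  # None when the vendor never publishes it
    disclosed: date             # first public disclosure (assumed field)
    patched: Optional[date]     # None while no patch is available

def exposure_days(v: Vuln, as_of: date):
    """Days from discovery to patch; returns (days, is_lower_bound)."""
    start = v.discovered or v.disclosed   # unknown discovery: count from disclosure
    end = v.patched or as_of              # unpatched: window still open at as_of
    return max((end - start).days, 0), v.discovered is None

def vulnerability_days(vulns, as_of: date):
    """Sum raw and severity-weighted exposure days per product."""
    report = {}
    for v in vulns:
        days, lower = exposure_days(v, as_of)
        r = report.setdefault(
            v.product, {"raw": 0, "weighted": 0, "lower_bound": False, "open": 0})
        r["raw"] += days
        r["weighted"] += days * WEIGHTS[v.severity]
        r["lower_bound"] |= lower          # any unknown discovery date taints the total
        r["open"] += v.patched is None     # count still-unpatched issues
    return report

# Constructed sample records, not real vulnerability data.
SAMPLE = [
    Vuln("browser-a", "high", date(2005, 3, 1), date(2005, 3, 10), date(2005, 3, 15)),
    Vuln("browser-a", "low", date(2005, 4, 1), date(2005, 4, 1), date(2005, 4, 11)),
    Vuln("browser-b", "critical", None, date(2005, 3, 5), date(2005, 4, 4)),
    Vuln("browser-b", "medium", date(2005, 5, 1), date(2005, 5, 20), None),
]

if __name__ == "__main__":
    for product, r in vulnerability_days(SAMPLE, date(2005, 6, 1)).items():
        bound = ">=" if r["lower_bound"] else "="
        print(f"{product}: raw {bound} {r['raw']} days, "
              f"weighted {bound} {r['weighted']}, unpatched: {r['open']}")
```

A product with hidden discovery dates can only be compared on its lower bound, which is the limitation the comment raises for IE.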
Re:Symantec isint biased! (Score:4, Interesting)
I'm guessing that the best we could come out with would be someone who hasn't thought about it -- and most of those are the types that would probably just buy an anti-virus program 'because everybody else has one'.
Selling anti-virus programs to IE users is like selling air-conditioners in Arizona. The only question beyond if they already have one is whether they can afford yours -- and if the answer to the second question is 'no', you still have a chance....
Firefox 1.0.7 (Score:3, Interesting)
MOD PARENT DOWN: MISINFORMATIVE NOT INSIGHT (Score:1, Interesting)
Why such tripe is modded insightful is beyond me. Inciteful, maybe, but certainly not insightful.
Re:Server statistics are telling (Score:3, Interesting)
1 12030 30.70% Googlebot/2.1
2 3352 8.55% msnbot/1.0 (+http://search.msn.com/msnbot.htm [msn.com])
3 3124 7.97% MSIE 6.0
4 3038 7.75% Yahoo! Slurp
5 1494 3.81% Mozilla/5.0 (Windows)
6 1351 3.45% psbot/0.1 (+http://www.picsearch.com/bot.html [picsearch.com])
7 1111 2.84% Wget/1.5.3
8 733 1.87% Mozilla/5.0 (X11)
9 678 1.73% MSIE 6.0 (SV1)
10 395 1.01% ConveraCrawler/0.9d (+http://www.authoritativeweb.com/crawl [authoritativeweb.com])
11 385 0.98% Googlebot-Image/1.0
12 369 0.94% MSIE 6.0 (Windows NT 5.1)
13 348 0.89% ConveraCrawler/0.9c (+http://www.authoritativeweb.com/crawl [authoritativeweb.com])
14 335 0.85% Googlebot/2.1 (+http://www.google.com/bot.html [google.com])
15 328 0.84% MSIE 6.0 (Windows 98)
Out of 39187 hits last month (excluding the first 5 days when the log partition filled up; whoops). Lots more MSIE than Mozilla 'n friends - and more googlebot than anything. The most popular parts of that site are my *Linux* projects and some *Linux* documentation, BTW.
Re:Symantec isint biased! (Score:1, Interesting)
Symantec provides a flawed solution to a legitimate problem in order to keep in business.
Symantec (Score:2, Interesting)
Symantec, as a corporate whole, did what all people who can't write software do. They switched over to making reports. Since nobody ever crashed from reading a defective report, this allows them to hide their incompetence.
Honestly, I'd rather just take Ballmer's word for it rather than relying on Symantec, much like I'd rather have a virus than to let Norton do what it does to PCs it's installed on.
I don't get it. (Score:1, Interesting)