
Mozilla Hits Back at Browser Security Claim

UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"
This discussion has been archived. No new comments can be posted.

  • maybe IE has more (Score:5, Interesting)

    by Coneasfast ( 690509 ) on Wednesday September 21, 2005 @12:42AM (#13611175)
    maybe more vulnerabilities are found in mozilla because it is open-source

    arguably, one could say this is better than in IE, where there may be some which are not known until some hacker exploits it.
  • secunia (Score:1, Interesting)

    by Anonymous Coward on Wednesday September 21, 2005 @12:48AM (#13611199)
    What about the Secunia Security advisories?

    http://secunia.com/product/4227/ [secunia.com]

    Can't see them running to fix some of those issues?
  • by Anonymous Coward on Wednesday September 21, 2005 @12:52AM (#13611213)
    Symantec seem to have been fairly un-biased about this, they even go so far as to speculate on the reasons and give some possible benefit-of-the-doubt.

    I've never thought Mozilla / Firefox would prove to have less bugs - but as a programmer I appreciate the difference between a flaw (a problem with the design) and a bug (a problem with the coding). So does Mozilla have more flaws or more bugs? I've never been bothered to check.
  • by XAJIM ( 916303 ) on Wednesday September 21, 2005 @12:54AM (#13611219)
    Do you have figures that back up your claim that Mozilla's problems aren't found in the wild? I'd be interested in looking at those statistics.
  • by Anonymous Coward on Wednesday September 21, 2005 @12:54AM (#13611220)
    Mozilla is a disaster waiting to happen. It's that simple. A large portion of the browser is written in JavaScript. In fact, the browser's UI JavaScript can actually call JavaScript functions located in an HTML page.

    Eventually someone is going to figure out how to reverse the process and call "chrome" JavaScript from "non-chrome" JavaScript, and then it's all over. Since JavaScript can access literally anything in Mozilla, you've got a nice cross-platform vulnerability waiting to happen.

    Extensions are proof enough of this. Yes, extensions can add a lot of functionality - but there really isn't that much difference between an extension and a web page.

    Internet Explorer may be a security joke now, but if Mozilla ever gains any popularity, it'll be an even bigger joke than Internet Explorer. It's a disaster waiting to happen.

    The Symantec report is proof that this is starting to happen. If you want to use a secure browser, they're [opera.com] out [apple.com] there [konqueror.org], but Mozilla most certainly ISN'T one.
  • Credibility (Score:1, Interesting)

    by RandomPrecision ( 911416 ) on Wednesday September 21, 2005 @12:54AM (#13611222)
    Symantec programs try to block Trillian every time I used my internet security suite and instant messenger at the same time. Of course, I gave up Symantec. Additionally, I wish I would have taken a screenshot when it tried to block the command-line ftp program. I also conjecture that they have some bias in favor of IE, since my default browser is set to Firefox, but webpages launched from Symantec anti-virus programs always launch in Internet Explorer anyway. That being said, I'm no expert in internet security, but when I used IE, I very rarely had the opportunity to close it myself - it was always ended by an illegal operation, and I often had my homepage hijacked and search bars added. Neither has ever happened to me since I switched to Firefox. While that doesn't necessarily prove anything, I feel that Firefox is more secure.
  • Re:first post (Score:4, Interesting)

    by aussie_a ( 778472 ) on Wednesday September 21, 2005 @12:58AM (#13611236) Journal
    It does mean that given this particular moment, Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure. If you're after who's the most secure browser right at this particular second, then IE does appear to be the one. However if you care about long-term stability then Firefox is your browser.

    Having said that, this is assuming Tristan Nitot isn't simply spreading FUD. I don't know how fast IE and Firefox do release their patches. I do know one thing, not as many people are taking advantage of Firefox's insecurities as are taking advantage of IE's. So at the moment, it's safer for me to use Firefox.
  • by tmk ( 712144 ) on Wednesday September 21, 2005 @01:01AM (#13611248)
    Do you know someone who has got compromised through Firefox vulnerabilities?

    Does Symantec know customers who did?

    Is Ed Gibson a Firefox user? [zdnet.co.uk]

  • Re:It's all academic (Score:3, Interesting)

    by laughingcoyote ( 762272 ) <(moc.eticxe) (ta) (lwohtsehgrab)> on Wednesday September 21, 2005 @01:05AM (#13611273) Journal

    "The Mozilla Foundation" might not be a well-known quantity outside of tech circles, but "Firefox" most certainly is.

    As to the rest...it might be anecdotal, but I've certainly not heard -one- person yet complain of MORE infections after installing Firefox, always the opposite. The proof's in use, and in that, Firefox beats IE every time.

  • A better response... (Score:3, Interesting)

    by fbg111 ( 529550 ) on Wednesday September 21, 2005 @01:13AM (#13611308)
    ... would be that of course more vulnerabilities were found for Mozilla, it's several years younger than IE. How many exploits were being found (announced or not) when IE was at roughly the same maturity? He could also go into Open Source vs. proprietary, but that's already been covered by other posters...
  • Re:mozilla vs M$ or (Score:5, Interesting)

    by n0-0p ( 325773 ) on Wednesday September 21, 2005 @01:19AM (#13611326)
    The Mozilla security fixes always end up public eventually, whereas silent patching is a common practice for most software vendors (including MS). This occurs more often with internally discovered vulnerabilities of lower severity or by grouping a number of issues under a single umbrella.

    It's hard to blame vendors for taking this route though. I've heard MS devs say that the best way to push a fix through these days is to label it as a security bug. I can only imagine what MS' track record would look like if all of those internal bug reports were made public.

    With that in mind I expect that OSS will generally have more documented security issues than equivalent quality closed source software. It's just a side effect of a transparent development model. Well... mostly transparent, but I'm glad they hide the security bugs until they're patched.
  • by RandomPrecision ( 911416 ) on Wednesday September 21, 2005 @01:19AM (#13611327)
    Remember when they also claimed that Macs were dangerous [silicon.com]?

    I admit, they do seem a bit one-sidedly influenced.

  • by Anonymous Coward on Wednesday September 21, 2005 @01:40AM (#13611390)
    I volunteer to fix PCs for a group of teachers in the US. I am not part of their official school board sanctified tech support crew (because those guys are snowed under).

    The group of teachers were given Compaq and Dell laptops a few years back... and encouraged to use them at school and at home to help them in their work.

    The schools gave them Symantec free subscriptions for a year... and Windows 98.

    Over this summer I have fixed five of those PCs... a lot of hours in total. They were finally slowing to a halt (it is like a plague really finally hit those old Windows 98 machines) but the hardware was still going strong for what they needed. They were hijacked, malwared, and spywared to bits.

    None of those teachers had bothered to upgrade their PCs via Microsoft Update ever as they did not know they had to (all of those laptops needed an update as far back as 2001 from MS), none of the teachers were going to shell out any money personally to keep their Symantec subscription up to date, and none of them had any time to learn how to protect their machines.

    Why? Because they are too frigging busy doing other things!

    But they were pissed that their machines were hosed and all they used them to do was write out lesson plans on MS Word and surf the net.

    I did the usual Microsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.

    A few months later after the start of the school year and no call-backs. None.

    Symantec + IE vs. AVG/Spybot/Ad-Aware + Firefox? No contest.

    In my mind, and the minds of the users I helped, Symantec is part of the problem.

    They never got five subscriptions from those users and they never will.

    Symantec are like a bunch of gangsters selling "protection". They need their own series on HBO!
  • by Anonymous Coward on Wednesday September 21, 2005 @01:44AM (#13611404)
    "Insert product here" is a disaster waiting to happen. It's that simple. A large portion of the program is written in executable code. Eventually someone is going to figure out how to reverse the process and call executable code from non-executable data and then it's all over. (*cough* any executable buffer overflow in any program that loads data ever)
  • Re:first post (Score:2, Interesting)

    by gordgekko ( 574109 ) on Wednesday September 21, 2005 @01:52AM (#13611435) Homepage
    It does mean that given this particular moment, Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure.

    You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

    I like Firefox as much as the next man (check out my sig) but let's not make extravagant claims.

  • by geo_2677 ( 593590 ) on Wednesday September 21, 2005 @02:12AM (#13611487)
    Which browser is more secure?
    Any vulnerability in IE turns out to be of the sort 'A remote attacker can gain complete control of the system'. Compare this to the flaws in Mozilla. How many bugs in Moz can take that credit?
  • *ahem* (Score:5, Interesting)

    by vena ( 318873 ) on Wednesday September 21, 2005 @02:19AM (#13611513)
    eEye's "upcoming advisories" [eeye.com] page is worth a look if you're interested in just how severe microsoft's lapse in patching can be. note that this page only catalogues vulnerabilities that microsoft acknowledge and the time since such acknowledgment, not since exploit nor since they were notified.

    quoth eEye's product manager: "The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch." [informationweek.com]
  • by node 3 ( 115640 ) on Wednesday September 21, 2005 @02:35AM (#13611554)
    As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.

    It may not be "shocking" that they are showing preferential bias towards their own product, but it is unacceptable that they are purposefully and significantly misrepresenting the facts.

    We're not talking Pepsi saying they win in a blind taste-test, or Taco Bell saying hamburgers are blase, we're talking borderline fraud.

    Yeah, I know, "welcome to the real world", and all that, but maybe, just maybe, if enough people point out these negative and anti-social actions, the world will turn out a little better than it otherwise would have.

    Or maybe not, but it's certainly proper to try. What I don't understand is why you'd want to, if not explicitly at least implicitly, defend and promote the sort of thing Symantec is doing? You don't have to join the "revolution", but at least be decent enough not to stand in its way.
  • by Eric MB Lard MD ( 700964 ) on Wednesday September 21, 2005 @04:00AM (#13611757)
    A simple count of the number of vulnerabilities does not really tell the whole story.

    A better measure would be vulnerability days. The idea would be to sum up across all exploits the number of days between the vulnerability being discovered and a patch being available.

    This statistic could be refined by weighting each vulnerability according to its severity.

    Of course, for IE we probably won't get good info on just when the vulnerability was discovered.
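The "vulnerability days" metric proposed in the comment above, worked through as an added example (not part of the original post). The severity weights, the `Vuln` record and the two product data sets are constructed assumptions; vulnerabilities with no known discovery date are counted separately, so the total is a lower bound.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed severity weights; the comment proposes weighting but gives no scale.
SEVERITY_WEIGHT = {"low": 1.0, "moderate": 2.0, "high": 4.0, "critical": 8.0}

@dataclass(frozen=True)
class Vuln:
    ident: str                  # constructed placeholder id, not a real advisory
    severity: str
    discovered: Optional[date]  # None when the discovery date was never disclosed
    patched: Optional[date]     # None while no fix is available

def exposure_days(v: Vuln, as_of: date) -> Optional[int]:
    """Days between discovery and patch; None if discovery date is unknown."""
    if v.discovered is None:
        return None
    # An unpatched (or not yet patched) issue keeps accruing days until as_of.
    end = min(v.patched, as_of) if v.patched else as_of
    return max((end - v.discovered).days, 0)

def vulnerability_days(vulns, as_of: date, weighted: bool = True):
    """Return (total, unknown_count). The total is a lower bound whenever
    unknown_count > 0, because those exposure windows cannot be measured."""
    total, unknown = 0.0, 0
    for v in vulns:
        days = exposure_days(v, as_of)
        if days is None:
            unknown += 1
            continue
        total += days * (SEVERITY_WEIGHT[v.severity] if weighted else 1.0)
    return total, unknown

# Constructed sample data for two hypothetical products.
AS_OF = date(2005, 9, 21)
PRODUCT_A = [  # more reports, short windows
    Vuln("A-1", "high", date(2005, 3, 1), date(2005, 3, 8)),
    Vuln("A-2", "moderate", date(2005, 5, 10), date(2005, 5, 15)),
    Vuln("A-3", "critical", date(2005, 9, 6), date(2005, 9, 9)),
    Vuln("A-4", "low", date(2005, 7, 1), date(2005, 7, 20)),
]
PRODUCT_B = [  # fewer reports, long windows, one undisclosed discovery date
    Vuln("B-1", "critical", date(2005, 3, 1), date(2005, 6, 9)),
    Vuln("B-2", "high", date(2005, 8, 1), None),
    Vuln("B-3", "high", None, date(2005, 8, 9)),
]

if __name__ == "__main__":
    for name, vulns in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        print(name, len(vulns), vulnerability_days(vulns, AS_OF, False),
              vulnerability_days(vulns, AS_OF, True))
```

With this sample, the product with four reports totals 34 vulnerability days while the product with three totals at least 151, which is the gap a raw count hides.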

  • by Stephen Samuel ( 106962 ) <samuel@bcgre e n . com> on Wednesday September 21, 2005 @04:34AM (#13611807) Homepage Journal
    Yep! I'll second that. Symantec doesn't have to worry about trashing their market here... I mean, can any of us think of anybody that would seriously argue that people who connect to the net with IE don't need an anti-virus solution?


    I'm guessing that the best we could come out with would be someone who hasn't thought about it -- and most of those are the types that would probably just buy an anti-virus program 'because everybody else has one'.


    Selling anti-virus programs to IE users is like selling air-conditioners in Arizona. The only question beyond if they already have one is whether they can afford yours -- and if the answer to the second question is 'no', you still have a chance....

  • Firefox 1.0.7 (Score:3, Interesting)

    by undauntedspirit ( 191319 ) <undauntedspirit@hotmail.com> on Wednesday September 21, 2005 @05:42AM (#13611978)
    Speaking of security, looks like Firefox 1.0.7 was just released sometime last night on Mozilla's web site.
  • by Anonymous Coward on Wednesday September 21, 2005 @08:04AM (#13612397)
    he's spreading FUD. As other responders have pointed out, there are simply NO security-related bugs older than a couple of weeks in the mozilla bug database.

    Why such tripe is modded insightful is beyond me. Inciteful, maybe, but certainly not insightful.

  • by cloudmaster ( 10662 ) on Wednesday September 21, 2005 @08:24AM (#13612484) Homepage Journal
    And here are some stats from mine:

    1 12030 30.70% Googlebot/2.1
    2 3352 8.55% msnbot/1.0 (+http://search.msn.com/msnbot.htm [msn.com])
    3 3124 7.97% MSIE 6.0
    4 3038 7.75% Yahoo! Slurp
    5 1494 3.81% Mozilla/5.0 (Windows)
    6 1351 3.45% psbot/0.1 (+http://www.picsearch.com/bot.html [picsearch.com])
    7 1111 2.84% Wget/1.5.3
    8 733 1.87% Mozilla/5.0 (X11)
    9 678 1.73% MSIE 6.0 (SV1)
    10 395 1.01% ConveraCrawler/0.9d (+http://www.authoritativeweb.com/crawl [authoritativeweb.com])
    11 385 0.98% Googlebot-Image/1.0
    12 369 0.94% MSIE 6.0 (Windows NT 5.1)
    13 348 0.89% ConveraCrawler/0.9c (+http://www.authoritativeweb.com/crawl [authoritativeweb.com])
    14 335 0.85% Googlebot/2.1 (+http://www.google.com/bot.html [google.com])
    15 328 0.84% MSIE 6.0 (Windows 98)

    Out of 39187 hits last month (excluding the first 5 days when the log partition filled up; whoops). Lots more MSIE than Mozilla 'n friends - and more googlebot than anything. The most popular parts of that site are my *Linux* projects and some *Linux* documentation, BTW.
  • by Anonymous Coward on Wednesday September 21, 2005 @10:13AM (#13613348)
    The whole let's try to track badness concept is fundamentally flawed. Track goodness instead and allow "those" programs to run. It's a heck of a lot easier than trying to track all the badness out there and prevent them from running. If the software isn't allowed to run... it can't damage your computer.

    Symantec provides a flawed solution to a legitimate problem in order to keep in business.
  • Symantec (Score:2, Interesting)

    by TampaDeveloper ( 834876 ) on Wednesday September 21, 2005 @11:41AM (#13614124)

    Symantec, as a corporate whole, did what all people who can't write software do. They switched over to making reports. Since nobody ever crashed from reading a defective report, this allows them to hide their incompetence.

    Honestly, I'd rather just take Ballmer's word for it rather than relying on Symantec, much like I'd rather have a virus than to let Norton do what it does to PCs it's installed on.

  • I don't get it. (Score:1, Interesting)

    by Anonymous Coward on Wednesday September 21, 2005 @03:41PM (#13616261)
    What site do you guys go to get infected by just browsing? I've used Netscape 0.97 to the latest browsers and in all my years of using a web browser, I have never had a virus infection. Now I have used KAZAA, BitTorrent and the files you download are often infected with malware. So my guess is if you ever did manage to get infected by simply browsing it's probably your fault and no matter what browser you were using you would have gotten infected anyway by going to www.hackmydumbass.com.
