Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Mozilla The Internet IT

Mozilla Hits Back at Browser Security Claim 295

UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"
This discussion has been archived. No new comments can be posted.

Mozilla Hits Back at Browser Security Claim

Comments Filter:
  • by W3BMAST3R101 ( 904060 ) on Tuesday September 20, 2005 @11:39PM (#13611160)
    Symantec biased? NEVER!!!
    • by digitalunity ( 19107 ) <digitalunityNO@SPAMyahoo.com> on Tuesday September 20, 2005 @11:45PM (#13611188) Homepage
      Bias is inescapable. You mean to tell me Symantec's stance on browser security reinforces the need for their solutions?

      As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.
      • by nacturation ( 646836 ) <nacturation&gmail,com> on Wednesday September 21, 2005 @12:38AM (#13611383) Journal
        You mean to tell me Symantec's stance on browser security reinforces the need for their solutions?

        How's that? They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.
         
        • by fymidos ( 512362 ) on Wednesday September 21, 2005 @12:50AM (#13611425) Journal
          Everybody who has used internet explorer knows that it is not secure. The don't have to tell them that. They are talking to the people who (rightfully) think they are more secure with firefox, and they are trying to pass between the lines that you still need protection, no matter what browser you use, and anyway, changing the browser will not make you safe.
          (but a good antivirus/antispam/antiinternet/antiusingyourcompu te will)
        • by aweraw ( 557447 ) * <aweraw@gmail.com> on Wednesday September 21, 2005 @12:51AM (#13611429) Homepage Journal
          Well, with the slow assed patching cycle that IE has, you have more need for Symantec products to 'protect' you in the interim.

          While firefox may have more exploits popping up these days, fixes for it are issued in a much more timely manner than for IE.
        • by zurab ( 188064 ) on Wednesday September 21, 2005 @01:52AM (#13611615)
          How's that? They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.

          Ahh... you started the thought but didn't finish. Imagine all those people who have switched to Firefox because of the perception of being more secure - they may have even thought that they no longer need to pay for anti-virus, anti-spyware, etc. tools after the switch. So, Symantec hits back saying to these people - you are wrong, you still need our anti-virus, in fact, you may even need it more now (after the switch) than before.
          • by Stephen Samuel ( 106962 ) <samuel AT bcgreen DOT com> on Wednesday September 21, 2005 @03:34AM (#13611807) Homepage Journal
            Yep! I'll second that. Symantec doesn't have to worry about trashing their market here... I mean, can any of us think of anybody that would seriously argue that people who connect to the net with IE don't need an anti-virus solution?


            I'm guessing that the best we could come out with would be someone who hasn't thought about it -- and most of those are the types that would probably just buy an anti-virus program 'because everybody else has one".


            Selling anti-virus programs to IE users is like selling air-conditioners in arizona. The only question beyond if they already have one is whether they can afford yours -- and if the answer to the second question is 'no', you still have a chance....

        • by Master of Transhuman ( 597628 ) on Wednesday September 21, 2005 @03:18AM (#13611781) Homepage

          Not at all. They would be doing that IF they were rational, and IF people listening were rational. Neither is the case.

          They either can't reason like you do, or they assume (and hope) no one else will.

          Their belief is quite obvious - if people use Firefox, those people won't need them. So they need to prevent DEFECTION from IE, because they KNOW people who use IE DO need them.

          The obvious logic flaw - that if IE WERE secure, people using it wouldn't need them - obviously either didn't occur to them (unlikely, but possible since their marketing people are probably morons) or (more likely) they ignore it (and hope everybody listening to them will) in favor of spreading FUD to deal with their actual fear - that people actually WILL need them less by switching to Firefox.

          The bias is obvious.

          Also the deliberate attempt to ignore past IE flaws by comparing only vulnerabilities in the last six months, and then proclaiming that, since Firefox has vastly more uptake in the last six months, that the comparison is valid.

          Plus ignoring unpatched vulnerabilities that Microsoft has been sitting on for months, according to other articles on the subject.

          Makes it pretty obvious. Also makes it obvious that they're relying on the ignorance of the average user about the issues involved.
      • As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.

        It may not be "shocking" that they are showing preferential bias towards their own product, but it is unacceptable that they are purposefully and significantly misrepresenting the facts.

        We're not talking Pepsi saying they win in a blind taste-test, or Taco Bell saying hamburgers are blase, we're talking borderline fraud.

        Yeah, I know, "welcome to the real world", and all that, but maybe, just maybe, if enou
    • Symantec biased? NEVER!!!

      Slashdot and a majority of its readers biased? NEVER!!!!

    • Here are some usage statistics from my website.

      Browser/version: ---- Hits
      • MSIE
        MSIE 6.0 ---- 1699
        Total: 1699
      • FIREFOX
        Firefox 1.6 ---- 1
        Firefox 1.4 ---- 233
        Firefox 1.0.6 ---- 3218
        Firefox 1.0.4 ---- 1123
        Firefox 1.0.3 ---- 4
        Firefox 1.0.2 ---- 2437
        Firefox 1.0.1 ---- 130
        Firefox 1.0 ---- 31
        Firefox 0.10.1 ---- 4
        Total: 7181
      • NETSCAPE ----
        Netscape 4.04 ---- 1
      • OTHERS
  • mozilla vs M$ or (Score:5, Insightful)

    by timeToy ( 643583 ) on Tuesday September 20, 2005 @11:40PM (#13611165)
    Open-source Full disclosure vs Close-source Please-wait-for-us-to-fix-the-vulnerability-before -publishing-it-else-we-sue
    • Re:mozilla vs M$ or (Score:2, Informative)

      by Raistlin77 ( 754120 )
      Had you read the fucking article instead of trying to get first-somewhat-sensible post, you would have seen Mozilla admitted that they do try to keep vulnerabilites quiet until a patch can be found.
      • Re:mozilla vs M$ or (Score:5, Interesting)

        by n0-0p ( 325773 ) on Wednesday September 21, 2005 @12:19AM (#13611326)
        The Mozilla security fixes always end up public eventually, whereas silent patching is a common practice for most software vendors (including MS). This occurs more often with internally discovered vulnerabilities of lower severity or by grouping a number issues under a single umbrella.

        It's hard to blame vendors for taking this route though. I've heard from MS devs say that the best way to push a fix through these days is to label it as a security bug. I can only imagine what MS' track record would look like if all of those internal bug reports were made public.

        With that in mind I expect that OSS will generally have more documented security issues than eqivalent quality closed source software. It's just a side effect of a transparent development model. Well... mostly transparent, but I'm glad they hide the security bugs until they're patched.
      • by Master of Transhuman ( 597628 ) on Wednesday September 21, 2005 @03:25AM (#13611788) Homepage

        Ahem, Mozilla believes in RESPONSIBLE disclosure, i.e., shut up while we look into this and figure out how bad it is, then produce a patch before anyone gets wind of it, so we avoid an actual exploit.

        Microsoft and Cisco say: shut up while we look into this and figure out how bad it is, then decide when, if ever, we produce a patch - because it costs us money to distribute these fucking patches, and Bill gets upset when things cost us money without bringing IN money...and if we decide to take six to twelve months to produce the patch, and you go public in that time, we sue you - because we've got the money to do it, and you'll end up giving us money, which will make Bill happy again.
  • first post (Score:3, Insightful)

    by ronsta ( 815765 ) on Tuesday September 20, 2005 @11:41PM (#13611168) Homepage
    no no no.

    just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.

    it's a rarity to see ZDNet make that kind of mistake.

    • Re:first post (Score:4, Interesting)

      by aussie_a ( 778472 ) on Tuesday September 20, 2005 @11:58PM (#13611236) Journal
      It does mean that given this particular moment, Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure. If you're after whose the most secure browser right at this particular second, then IE does appear to be the one. However if you care about long-term stability then Firefox is your browser.

      Having said that, this is assuming Tristan Nitot isn't simply spreading FUD. I don't know how fast IE and Firefox do release their patches. I do know one thing, not as many people are taking advantage of Firefox's insecurities as are taking advantage of IE's. So at the moment, it's safer for me to use Firefox.
      • Re:first post (Score:2, Interesting)

        by gordgekko ( 574109 )
        It does mean that given this particular moment, Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure.

        You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

        I like Firefox as much as the next man (check out my sig) but let's not make extravagent claims.

        • You pull that number from your ass?

          Yup, I was speaking hypothetically and wasn't talking about the real world. My point was, given X amount of time, Firefox will eventually become more secure IF their response time is faster then IE's.
        • Re:first post (Score:4, Informative)

          by ArsenneLupin ( 766289 ) on Wednesday September 21, 2005 @05:25AM (#13612078)
          Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

          Care to back up that claim with specifics URL to the relevant bug reports? I checked their database, and couldn't find any bugs that qualified. The great majority of bugs are either minor and non-security related, or less than a month old.

        • Re:first post (Score:3, Informative)

          by Phisbut ( 761268 )
          You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.

          Ok, let's see... searching the bugzilla database for product Firefox, bugs filed more than a year ago, with severity being either "blocker" or "critical", and a status any other than "resolved", "verified" and "closed", for all OS, sort by importance. What do we get?

          7 bugs found. Oo

    • Quite true, but this is Slashdot, and whenever something Bad(tm) is posted about OSS, there needs to be a counterbalance posted later to make it Good(tm). Security flaws in Mozilla? Well, uh, they're patched faster! On with the frontpage article to make the Mozilla fans feel better again (and tons of page hits each time!). If there was an anti-Internet Explorer article, it wouldn't have a followup "Robert Scoble Hits Back At Browser Security Claim."

      See my recent comment on this--How To Respond To Bad Mo [slashdot.org]
    • That was actually only one of several points. They also brought up the severity of the vulnerabilities and transparent nature of OSS development among other things. Sorry, I would have clarified this sooner but I chose to read the article first.
    • just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.

      Yes, it does.

      Symantec isn't just saying that Firefox has had a greater number of security flaws, they're saying that it means Firefox is just as insecure as IE.

      This is just not true and Symantec deserves to be taken to task for this.

      The lack of validity isn't in the fact itself, it's in the way the fact is being used to falsely suppor
    • by catwh0re ( 540371 ) on Wednesday September 21, 2005 @01:49AM (#13611603)
      I don't really see the salt in arguments like Symantecs(and many previous arguments from different companies), simply because more faults are found in a product, whether severe or not, only indicates that there are people looking for faults.
      Companies such as Symantec are interested in blurring the line between 'faults found' and 'security'. An unfound and easily exploitable fault can make a product more prone to attack, i.e more insecure. Which is opposite to found flaws that are fixed.

      So if a less skilled programmer is looking for faults, they are going to find less of them. So pretend we have two equally insecure products, by Symantec's paradigm one product would appear more secure than the other merely because less faults have been discovered. I'd trust a product created by many, rather than a product created by a recycled team.

      To combat the same paradigm which Symantec promotes (i.e more flaws found = bad, instead of good.) companies such as Microsoft bundle multiple updates together(such as monthly updates) such that numerous groups of security flaws can be perceived as a lesser quantity of issues(Or in MS's case "one critical update"). The reality though is that security is based entirely on your track record, and not by how many faults you've discovered in your code. So we all know what the track record for MS products are versus Firefox.

  • by NoInfo ( 247461 ) * on Tuesday September 20, 2005 @11:41PM (#13611172) Homepage Journal
    The download for Symantec's actual report is here (registration required):
    https://ses.symantec.com/Content/displaypdf.cfm?SS L=YES&PDFID=2124 [symantec.com]

    But to save you some trouble, here's the excerpts about Mozilla:

    Mozilla browsers have the most vulnerabilities

    During the first half of 2005, 25 vendor confirmed vulnerabilities were disclosed for the Mozilla browsers,
    the most of any browser. 18 of these were classified as high severity. During the same period, 13 vendor
    confirmed vulnerabilities were disclosed for Microsoft Internet Explorer, eight of which were high severity.



      Mozilla browsers have the most vulnerabilities

    The Web browser is a critical and ubiquitous application that has become a frequent target for
    vulnerability researchers. In the past, the focus of security has been on the perimeter: servers, firewalls,
    and other systems with external exposure. However, a notable shift has occurred, with client-side
    systems--primarily end-user systems--becoming increasingly prominent targets of malicious activity.
    More and more, Web browser vulnerabilities are becoming a preferred entry point into systems.
    During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all
    browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32
    in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this
    period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities
    in the second half of 2004 and one in the first half of 2004.


    During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were
    disclosed. This is a decrease from the 31 documented in the second half of 2004.26 During the first half of
    2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.
    The average severity rating of the vulnerabilities associated with Internet Explorer during the first six
    months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current
    period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered
    high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the
    seven, or 57%, were rated high severity.


    [...]

    The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month
    periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than
    other vendors. This could be because the Mozilla browsers are open source and may be more responsive
    to reports of new vulnerabilities and subsequently developing and delivering associated patches. For
    instance, except in certain instances,60 Microsoft releases fixes on a relatively fixed schedule rather than
    as needed, potentially increasing their acknowledgement time.

    • Mozilla browsers

      This entire article is about these "Mozilla browsers." But let's be real, the different "Mozilla browsers" that are out there are all patched on their own and modified and distributed on their own.

      Is it really fair to charge the problems of these different browsers to one application framework? Not that many aren't core problems - I'm sure most are. But we are comparing a group of products with one. The many products being developed by people, for free, around the world - the other product

  • maybe IE has more (Score:5, Interesting)

    by Coneasfast ( 690509 ) on Tuesday September 20, 2005 @11:42PM (#13611175)
    maybe more vulnerabilities are found in mozilla because it is open-source

    arguably, one could say this is better than in IE, where there may be some which are not known until some hacker exploits it.
    • by aussie_a ( 778472 )
      I had that same thought, but upon further consideration I decided against that reasoning.

      Firefox being open-source does give the vendors more of a chance to find holes more easily. But it also gives the hackers that same chance. So yes, IE may have 1 million holes while Firefox has 1 thousand. Vendors find 25 holes in Firefox, and only find 13 holes in IE.

      Hackers are just as likely to find more holes in Firefox, then they are in IE, despite the fact there's more in IE.

      However this assumes hackers w
      • Re:maybe IE has more (Score:3, Informative)

        by n0-0p ( 325773 )
        If you're trying to balance things evenly you also have to consider that IE 6 has undergone no significant development in the last four years. The only changes have been bugfixes and minor security adjustments, so arguably it should be extremely stable. Yet we've still seen a number of severe vulnerabilities over the last year in what should be a very mature (by software standards) product.
      • >Firefox being open-source does give the vendors
        >more of a chance to find holes more easily

        you are obviously confusing "vendors" with "external security experts". IE is as open source as it can be for its "vendor" (Microsoft).

    • by muszek ( 882567 ) on Wednesday September 21, 2005 @12:05AM (#13611269) Homepage
      until some hacker exploits it

      not until someone exploits them, but until:
      -- someone exploits it
      -- it's discovered (it's not immediate, right?)
      -- it finds its way to MS staff
      -- it goes through the whole beaurocratic monster at MS all the way from a person who receives a bug report, through god knows how many decision makers to coders.(I guess that's not so quick)

      Hackers have a lot of time to play around with those vulnerabilities...

      Plus, I bet that in case of proprietary soft more (percentage wise) holes are discovered by those who are ill-minded (why in the world would you look for holes in IE? I don't know how does that look in FF's case, but I can imagine people looking for such stuff because they're doing a Good Thing).
      • If you're truly interested in whether or not Firefox is faster (rather then assuming) perhaps you could do a study of all reports from 2 years ago, how many were made, how many were ranked as very very serious, and how long until each was fixed. That would be much more useful and informative then this non-article (Symantec says Firefox is unsecure with facts and figures, Firefox comes back with refute with nothing but their word to back them up).

        Or if you'd like to just keep spreading FUD, go on as you w
    • ...your couldn't be more right. What you just said might be the greatest epiphany in the history of software development. No, the history of modern times...No...Dare I say it? Yes! The history of the world!! Stop the hunt for this year's Noble Prize winner in the field of the obviousness.
  • by mind21_98 ( 18647 ) on Tuesday September 20, 2005 @11:43PM (#13611179) Homepage Journal
    When other people can see the code, problems are spotted more quickly. That's probably why Mozilla seems to have more problems than IE to them--the problems in Mozilla are spotted before they can be exploited, while IE's problems are noticed when exploits are made and used in the wild. That said, good job to the Mozilla team.
    • Do you have figures that back up your claim that Mozilla's problems aren't found in the wild? I'd be interested in looking at those statistics.
  • This isn't a dupe, technically, but shouldn't this bit have gone with the dupe of the Symantec report below as an update or something? After all, someone posted the link in the comments to that (duped) story shortly after it appeared.

    But if this is a dupe, what might it be called? A trupe? April-fools joke on a regular day?
    • by op12 ( 830015 )
      How about quadrupe [slashdot.org]? ...Or maybe infinupe. Seriously, this is the 4th Firefox vs. IE story in 10 days...isn't that a bit excessive?
      • Well, the debate itself between whether FF or IE is more secure has been going on since forever. This Symantec article is the latest incarnation of that debate. It's sort of like the debate over whether Linux is ready for mainstream home use or not or how google continues to grow; not a week goes by without at least one. But this one article pretty much has two entries (three including this one). At the least, if this had been included in or come in the form of an update to the dupe, it would at least lend
        • And a rehash of a comment in the dupe at that?

          Duplicating the comment here would have been somewhat hypocritical/ironic, so I linked to it :)

          It's mostly to prove a point, which is there is no point (to this story). As you suggest, this is an update, not a story.
  • Misleading numbers (Score:5, Informative)

    by GXFragger ( 758649 ) on Tuesday September 20, 2005 @11:45PM (#13611186)
    Symantec's report is also slanted becasue it uses vendor confirmed vulnerabilities rather than both confirmed and unconfirmed ones. This leads to misleading headlines and hurts Mozilla's reputation. I am suprised that Mozilla didn't say anything about that.
    • by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Wednesday September 21, 2005 @12:41AM (#13611396) Homepage Journal
      First, who decides how critical a bug is? And how do they make that decision? The more wiggle-room there is, the easier it is to adjust the number of critical bugs in your favour and likewise in the opposite direction of competitors.


      For that matter, who gets to decide what a bug is, rather than a "feature"? The DRM in the current version of the Acrobat format allows you to run embedded Javascript with no access controls. This is arguably an exploit, but Adobe would doubtless classify it as a feature, as it means you cannot circumvent DRM by turning the Javascript off.


      Secondly, the numbers are not directly comparable, as Mozilla is standalone whereas IE is built into the OS. (This is important, as integration means that bugs that are strictly in the OS could be exploited through the web browser, without it being a web browser bug.)


      Thirdly, there are deals over the reporting of security holes in software, whereby a report can be held back until a patch has been readied. This means that even "unconfirmed" (but reported) bugs by security vendors may be capped by the manufacturer. (Not always, even with those manufacturers who do this, but it does introduce uncertainty.)


      Finally, Mozilla is cross-platform but bugs may not always be. Any buggy code that is OS-specific, for example, or any bug which relies on some OS-specific or library-specific bug in order to be exploitable, may only affect certain platforms as a result.


      There is a second part to this one! It is also possible to have one bug that appears in multiple forms, but only one form per OS (due to OS-specific characteristics). Does it count as one bug or as many? (Remember, it still only takes one form in a given OS, but because of dependencies, changes in some way between different operating systems.)


      Now, you can argue that many of the above are very hypothetical and do not apply in this specific study. Perhaps that is true, but the point is that unless you have rigorous controls on how you produce the statistics, the uncertainties are bound to be comparable to the number of incidents, making the statistics worthless.


      And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".


      Ideally, the security companies would produce sufficient additional information to demonstrate the confidence they have in the values produced as opposed to simply citing the numbers but not really backing them up with anything concrete.


      Where uncertainty is required by the vendor, then publish a range or some other indicator of how many unpublishable but reported bugs are believed to exist. (Since there is no guarantee that the unpublishable data is circulated with security vendors, an accurate figure may not be producable at all.)

    • Otherwise, anyone can skew the outcome.

      For example, I assert that Mozilla has 300 vulnerabilities. Mozilla hasn't confirmed them, but you count them. So now the numbers are skewed in IE's favor. Yes, this is a somewhat forced example, but it shows how you can't just go counting all accusations.

      I know there are problems with letting the fox guard the henhouse (in the case of Mozilla or IE), but really it is the writer(s)/manager(s) of the respective browsers who best know the code and behavior of the app, an
  • It's all academic (Score:5, Insightful)

    by dsci ( 658278 ) on Tuesday September 20, 2005 @11:49PM (#13611202) Homepage
    IMO, all this bandying about with numbers is next to pointless. All I know is that in my experience:

    1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.

    2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed.

    3. Now I use Linux exclusively (unless doing work on a client's computer on their behalf), and I sure am not using IE.

    On the one hand, it's nice to see Moz hitting back with the PR. But, I wonder if this will ultimately hurt migration away from IE. That is, I can just about hear folks saying "MS says one thing, Mozilla says another...who to believe?"

    To the non-techie, MS is a known quantity and The Mozilla Foundation is not (I'm thinking along similar lines to name-recognition at the polls). At the very least, a I-say, they-say approach seems to muddle the issue more than clarify it for those not willing to do their own research.
    • "The Mozilla Foundation" might not be a well-known quantity outside of tech circles, but "Firefox" most certainly is.

      As to the rest...it might be anecdotal, but I've certainly not heard -one- person yet complain of MORE infections after installing Firefox, always the opposite. The proof's in use, and in that, Firefox beats IE every time.

      • If they don't know Firefox, they'll almost certainly know Netscape. I just tell them Netscape became Firefox.

        Not sure how technically accurate that is, but it usually alleviates any misgivings.
  • by Chrontius ( 654879 ) on Tuesday September 20, 2005 @11:51PM (#13611206)
    the time-to-patch, how long it takes between the discovery of a vulnerability and its repair. Frequently with Microshaft, this can be weeks. Maybe months, even. With Mozilla, I keep seeing the patch on either the same day or the next day.
  • by tmk ( 712144 ) on Wednesday September 21, 2005 @12:01AM (#13611248)
    Do you know someone who has got compromised through Firefox vulnarabilities?

    Does Symantec know customers who did?

    Is Ed Gibson a Firefox user? [zdnet.co.uk]

  • Symantec may be right in saying "Mozilla gets more critial holes reported," but it forgets that Mozilla is open source, and that the bug reporters can send in a patch to Mozilla.

    So, Symantec? How many critical holes are there, that are reported to Mozilla are fully ID'ed down to the lines of source code and have patches to fix them? Mozilla is right in this reguard: Being open source means you get a faster responce time, as the folks who are finding out about these bugs can (and probably are) the ones th
  • by Wannabe Code Monkey ( 638617 ) on Wednesday September 21, 2005 @12:02AM (#13611253)

    Don't reporters do research any more? This article does nothing more than parrot what Mozilla has to say about the matter. I wonder if it would be possible for a company to completely forgo a PR departmet and just use the news media directly.

    This was zdnet's first article on the recent situation, "Symantec: Mozilla browsers more vulnerable than IE". Basically, "This is what Symantec said about Mozilla". And now this article is titled, "Mozilla hits back at browser security claim". Which translates to "This is what Mozilla said back".

    You could probably just take a few +5 rated comments from the first slashdot discussion about this and come up with a better article... In fact that might be a good business plan: write a script to automatically grab the highest rated comments from each story, splice them together into an article and then put on a website as original content, <msb>your articles might even be posted back to slashdot from time to time</msb>.

    (msb = mandatory slashdot bashing).
    • This is a typical bias in journalism that can be reduced to being called "each side is equal". The idea is, each party has their own opinion with equal likelihood of being right, even when they are speaking about factual things.

      Of course, this is an absurd assumption. I know next to nothing about particle physics, if I published a book about particle physics being caused by little ghosts, I would be laughed at by the scientific community. But if this journalist wrote an article, the headline would say somet
  • I can't imagine it takes the Mozilla team that long to select the "Confidential" classification for critical security vulnerabilities submitted to Bugzilla and hit 'Enter'.
  • by vrv1 ( 867214 )
    "Which would you prefer, to have a broken finger, or your head ripped off?"

    Seriously, guys who make these kind of comparisons shouldnt be let out of the room; just stay inside and code. And let others do PR work.

  • 1.0.7 is out (Score:3, Informative)

    by nonpareility ( 822891 ) on Wednesday September 21, 2005 @12:08AM (#13611284)
    Firefox 1.0.7 Released [mozilla.org], and the bug is fixed.
    • When I try the 'software updates' in the options/advanced menu, Firefox says it cannot find any available updates. I am running 1.06. I find this feature only works sporadically. That is, when I know there is an update on the web site and try the update feature, sometimes it works, and sometimes is doesn't. Anyway, until it works reliably, I think this feature can give a user a false sense of security. Anyone else have this issue?
  • Bias again.. (Score:3, Insightful)

    by ShaolinTiger ( 798138 ) on Wednesday September 21, 2005 @12:09AM (#13611288) Homepage
    Oh well, Symantec of course, riding on the proprietary platform of Microsloth is going to be biased.

    There are many ways you can look at this..

    In 2005, IE has already been around for YEARS, if you follow that perspective, it should have many less flaws...But that's not the case.

    You could say FireFox is newer, so of course more flaws are expected, you could also say they should have learn from IE's mistakes, and avoided those pitfalls.

    You can also say Firefox is open source, people who find the flaws don't have malicious intent, they are trying to improve the software and make it a viable option in the real world..

    Those who find flaws in IE usually do it for fun and profit, spyware spam porn diallers etc, all strapped into the world of IE..there are XX number of unknown exploits in IE due to the closed source, and they are probably being exploited right now, case in point is Microsofts new Honeymonkey project discovered one in the first couple of days..

    The article is basically a press release from Mozilla, but still, it's just numbers, numbers can be pulled from any generic poopshoot and manipulated anyway they want.
  • by Secret Rabbit ( 914973 ) on Wednesday September 21, 2005 @12:12AM (#13611300) Journal
    """The study was conducted over the first six months of 2005."""

    When did the litmus test for long term security become the short term?

    """ by claiming """
    """Nitot said that Mozilla's reaction"""
    """according to Nitot."""
    """He also argued that ... the Microsoft vulnerabilities were more critical,"""

    All these quotes are from the article and in a place where they implicitly put into question what Mr. Nitot is trying to say.

    But, when Mr. Whitehouse speaks even "IE is closed source, and so it's more difficult to access the code." Which implicitly says that closed source is more secure (security through obscurity - provably false). This "journalist" doesn't call him on it.

    And this "journalist" continues to let this guy speak implicitly calling into question the security of and wisdom of using Firefox without making him justify the claims.

    So, all in all, we have Mr. Nitot arguing a point and bringing facts to the table that support his claims and Mr. Whitehouse bringing implications and conjecture almost completely unsupported. Also, in the middle is this "journalist" who phrases things in a way that supports Mr. Whitehouse.

    What happened to all the real journalists? You know, the ones that get as close to unbiased reporting as possible; the ones that report only facts leaving out editorials marked as fact.

    *sigh*
  • A better response... (Score:3, Interesting)

    by fbg111 ( 529550 ) on Wednesday September 21, 2005 @12:13AM (#13611308)
    ... would be that of course more vulnerabilities were found for Mozilla, it's several years younger than IE. How many exploits were being found (announced or not) when IE was at roughly the same maturity? He could also go into Open Source vs. proprietary, but that's already been covered by other posters...
  • On average, for the first 182 days of 2005:

    How many security alerts were open for Microsoft Internet Explorer?

    What was the average severity of those alerts?

    How many security alerts were open for Mozilla Firefox?

    What was the average severity of those alerts?

    The less severe the alert, and the faster it is resolved, the better the support behind the browser. It's that simple.
  • by grnchile ( 305671 ) * on Wednesday September 21, 2005 @12:21AM (#13611331)
    Symantec is the (proud?) publisher of the absolutely worst piece of software that I've ever used: WinFAX Pro 10.2. Not only did every major mode fail to work in some way, but it disabled my phone system for days after it was installed on a machine on my network. This software was so flawed that it convinced me to abandon the Windows platform altogether.

    Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.

    Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.

  • Nevermind the trash can fire over there, look at this shiny object!

    I call shennigans on Mozilla, and I'm not falling for their sleight-of-hand bullshit. They get patches in user's hands faster? Whoop de freaking do. Whatever happened to Mozilla writing superior code? The "tens of thousands of eyes makes flaws shallow"? Microsoft isn't innocent, but shame on Mozilla for stooping to the same tactics.
  • by Anonymous Coward on Wednesday September 21, 2005 @12:40AM (#13611390)
    I volunteer to fix PCs for a group of teachers in the US. I am not part of their official school board sanctifed tech support crew (because those guys are snowed under).

    The group of teachers were given Compaq and Dell laptops a few years back... and encouraged to use them at school and at home to help them in their work.

    The schools gave them Symantec free subscriptions for a year... and Windows 98.

    Over this summer I have fixed five of those PCs... a lot of hours in total. They were finally slowing to a halt (it is like a plague really finally hit those old Windows 98 machines) but the hardware was still going strong for what they needed. They were hijacked, malwared, and spywared to bits.

    None of those teachers had bothered to upgrade their PCs via Microsoft Update ever as they did not know they had to (all of those laptops needed an update as far back as 2001 from MS), none of the teachers were going to shell out any money personally to keep their Symantec subscription up to date, and none of them had anytime to learn how to protect their machines.

    Why? Because they are too frigging busy doing other things!

    But they were pissed that their machines were hosed and all they used them to do was write out lesson plans on MS Word and surf the net.

    I did the usual Micorsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.

    A few months later after the start of the school year and no call-backs. None.

    Symantec + IE vs. AVG/Spybot/Ad-Aware + Firefox? No contest.

    In my mind, and the minds of the users I helped, Symantec is part of the problem.

    They never got five subscriptions from those users and they never will.

    Symantec are like a bunch of gangsters selling "protection". They need their own series on HBO!
  • 'Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'

    When an update for IE is available, it is automatically installed. When an updat for Firefox is ready, I have to download the browser itself and install it on top of the existing. (No, the auto-updates in Firefox doesn't work very well).

    He may be right about the other points, though I doubt it, but it's far easier to update IE than Firefox.
  • by egarland ( 120202 ) on Wednesday September 21, 2005 @01:10AM (#13611483)
    Run IE and your machine will probalby get infected with tons of spyware which will cripple your machine if you do a lot of web browsing.

    Run Mozilla and it probably won't.

    That's been my experience so far.

    Rating software's security as lower when they fix more bugs seems like it would motivate exactly the wrong behavior. Also, it's invalid on it's face. If IE has 1000 security flaws and fixes 10 and Mozilla has 50 and fixes 15 IE isn't more secure, before or after. There is no scientific measure of security but the bug fix count hardly seems worth looking at.
  • by geo_2677 ( 593590 ) on Wednesday September 21, 2005 @01:12AM (#13611487)
    Which browser is more secure?
    Any vulnerablilty in IE turns out to be of the sort ' A remote attacker can gain complete control of the system'. Compare this to the flaws in Mozilla. How many bugs in Moz can take that credit?
  • *ahem* (Score:5, Interesting)

    by vena ( 318873 ) on Wednesday September 21, 2005 @01:19AM (#13611513)
    eEye's "upcoming advisories" [eeye.com] page is worth a look if you're interested in just how severe microsoft's lapse in patching can be. note that this page only catalogues vulnerabilities that microsoft acknowledge and the time since such acknowledgment, not since exploit nor since they were notified.

    quoth eEye's product manager: "The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch." [informationweek.com]
  • by Z00L00K ( 682162 ) on Wednesday September 21, 2005 @01:29AM (#13611540) Homepage Journal
    Mozilla is creating a product that is add-on to the operating system, and that with reasonable means can act with limited operating system rights. This means that it is possible to sandbox Mozilla better than it is possible to sandbox IE that is closely integrated with the OS.

    Another item is also the time it takes from a vulnerability to be publicized to the fix (or workaround). A moderate problem that isn't fixed for 6 months is more likely to be exploited than a hig-security problem fixed within days.

    The real problem here is that even though both products generally are good products with some flaws (there will always be bugs, some more prominent than others) there may be need to address some of the security risks present today from a basic point of view. This may even mean sandboxing within sandboxes to control interaction between browser frames/iframes/embedding. like the effect of the following example (for Mozilla).

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <!DOCTYPE html PUBLIC
    "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD /xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <title>Main</title>
    <script language="JavaScript1.2" type="text/javascript">
    function f1()
    {
    var element=document.getElementById("embedded");
    element.width=window.innerWidth-5;
    element.height=window.innerHeight-5;
    }
    </script>
    </head>
    <body style="border-style: none; margin: 0px;" onload="f1();">
    <iframe id="embedded" src="http://slashdot.org"></iframe>
    </body>
    </ht ml>

    (Nothing ill-meant about slashdot here, just an example).

    My point is that this could as well have been your bank that was framed this way, and if there was a way for the bank to indicate the framing permissions and that browsers were able to catch this a lot would have been gained in security. (OK, I haven't considered every issue arised by this, but I hope that you see my point.)

  • Business (Score:3, Insightful)

    by polyp2000 ( 444682 ) on Wednesday September 21, 2005 @01:43AM (#13611586) Homepage Journal
    Symantec's business os based upon the fact that software has security issues - they sell software to fill the holes. Perhaps the fact that so many people are switching from IE to Firefox is affecting their bottom line.
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Wednesday September 21, 2005 @02:20AM (#13611686)
    Comment removed based on user account deletion
  • Firefox 1.0.7 (Score:3, Interesting)

    by undauntedspirit ( 191319 ) <undauntedspirit@hotmail.com> on Wednesday September 21, 2005 @04:42AM (#13611978)
    Speaking of security, looks like Firefox 1.0.7 was just released sometime last night on Mozilla's web site.
  • Cold Fact (Score:3, Insightful)

    by salesgeek ( 263995 ) on Wednesday September 21, 2005 @07:21AM (#13612469) Homepage
    Let's set aside the "vendor acknowledged vulnerabilites" and discuss the one cold fact that matters: we don't really know what's secure or not in IE because we cannot check the source code. That allows an exploit to exist that not even Symantec knows about.
  • by dwheeler ( 321049 ) on Wednesday September 21, 2005 @09:14AM (#13613360) Homepage Journal
    The headline from the original article should win the "War is Peace" award for misleading the reader.

    Symantec's report counts up only the vulnerabilities acknowledged by the vendor. If you don't want to have a vulnerability included in their study, just don't acknowledge it. If you go to Secunia and add in all the unacknowledged vulnerabilities (but that are still known to the public), you find out that Internet Explorer has had more vulnerabilities in the same amount of time than Firefox. My thanks to Bruce Perens for pointing that out.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...