Mozilla Hits Back at Browser Security Claim
UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"
Symantec isint biased! (Score:5, Funny)
Re:Symantec isint biased! (Score:5, Insightful)
As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.
Re:Symantec isint biased! (Score:5, Insightful)
How's that? They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.
Re:Symantec isint biased! (Score:4, Informative)
(but a good antivirus/antispam/antiinternet/antiusingyourcomp
Re:Symantec isint biased! (Score:5, Informative)
While firefox may have more exploits popping up these days, fixes for it are issued in a much more timely manner than for IE.
Re:Symantec isint biased! (Score:5, Insightful)
Ahh... you started the thought but didn't finish. Imagine all those people who have switched to Firefox because of the perception of being more secure - they may have even thought that they no longer need to pay for anti-virus, anti-spyware, etc. tools after the switch. So, Symantec hits back saying to these people - you are wrong, you still need our anti-virus, in fact, you may even need it more now (after the switch) than before.
Re:Symantec isint biased! (Score:4, Interesting)
I'm guessing that the best we could come out with would be someone who hasn't thought about it -- and most of those are the types that would probably just buy an anti-virus program 'because everybody else has one'.
Selling anti-virus programs to IE users is like selling air-conditioners in Arizona. The only question beyond if they already have one is whether they can afford yours -- and if the answer to the second question is 'no', you still have a chance....
Re:Symantec isint biased! (Score:4, Insightful)
Not at all. They would be doing that IF they were rational, and IF people listening were rational. Neither is the case.
They either can't reason like you do, or they assume (and hope) no one else will.
Their belief is quite obvious - if people use Firefox, those people won't need them. So they need to prevent DEFECTION from IE, because they KNOW people who use IE DO need them.
The obvious logic flaw - that if IE WERE secure, people using it wouldn't need them - obviously either didn't occur to them (unlikely, but possible since their marketing people are probably morons) or (more likely) they ignore it (and hope everybody listening to them will) in favor of spreading FUD to deal with their actual fear - that people actually WILL need them less by switching to Firefox.
The bias is obvious.
Also the deliberate attempt to ignore past IE flaws by comparing only vulnerabilities in the last six months, and then proclaiming that, since Firefox has vastly more uptake in the last six months, that the comparison is valid.
Plus ignoring unpatched vulnerabilities that Microsoft has been sitting on for months, according to other articles on the subject.
Makes it pretty obvious. Also makes it obvious that they're relying on the ignorance of the average user about the issues involved.
Re:Symantec isint biased! (Score:3, Interesting)
It may not be "shocking" that they are showing preferential bias towards their own product, but it is unacceptable that they are purposefully and significantly misrepresenting the facts.
We're not talking Pepsi saying they win in a blind taste-test, or Taco Bell saying hamburgers are blase, we're talking borderline fraud.
Yeah, I know, "welcome to the real world", and all that, but maybe, just maybe, if enou
Re:Symantec isint biased! (Score:3, Insightful)
Slashdot and a majority of its readers biased? NEVER!!!!
Server statistics are telling (Score:3, Informative)
Browser/version      Hits
MSIE 6.0             1699
  Total (MSIE):      1699
Firefox 1.6             1
Firefox 1.4           233
Firefox 1.0.6        3218
Firefox 1.0.4        1123
Firefox 1.0.3           4
Firefox 1.0.2        2437
Firefox 1.0.1         130
Firefox 1.0            31
Firefox 0.10.1          4
  Total (Firefox):   7181
Netscape 4.04           1
Re:Server statistics are telling (Score:3, Informative)
Re:Server statistics are telling (Score:3, Interesting)
Rank  Hits   Share   User agent
1 12030 30.70% Googlebot/2.1
2 3352 8.55% msnbot/1.0 (+http://search.msn.com/msnbot.htm [msn.com])
3 3124 7.97% MSIE 6.0
4 3038 7.75% Yahoo! Slurp
5 1494 3.81% Mozilla/5.0 (Windows)
6 1351 3.45% psbot/0.1 (+http://www.picsearch.com/bot.html [picsearch.com])
7 1111 2.84% Wget/1.5.3
8 733 1.87% Mozilla/5.0 (X11)
9 678 1.73% MSIE 6.0 (SV1)
10 395 1.01% ConveraCrawler/0.9d (+http://www.authorit [authoritativeweb.com]
mozilla vs M$ or (Score:5, Insightful)
Re:mozilla vs M$ or (Score:2, Informative)
Re:mozilla vs M$ or (Score:5, Interesting)
It's hard to blame vendors for taking this route though. I've heard MS devs say that the best way to push a fix through these days is to label it as a security bug. I can only imagine what MS' track record would look like if all of those internal bug reports were made public.
With that in mind I expect that OSS will generally have more documented security issues than equivalent quality closed source software. It's just a side effect of a transparent development model. Well... mostly transparent, but I'm glad they hide the security bugs until they're patched.
Re:mozilla vs M$ or (Score:4, Insightful)
Ahem, Mozilla believes in RESPONSIBLE disclosure, i.e., shut up while we look into this and figure out how bad it is, then produce a patch before anyone gets wind of it, so we avoid an actual exploit.
Microsoft and Cisco say: shut up while we look into this and figure out how bad it is, then decide when, if ever, we produce a patch - because it costs us money to distribute these fucking patches, and Bill gets upset when things cost us money without bringing IN money...and if we decide to take six to twelve months to produce the patch, and you go public in that time, we sue you - because we've got the money to do it, and you'll end up giving us money, which will make Bill happy again.
Re:mozilla vs M$ or (Score:2)
I'll get modded down for this (I'm thinking -1 Troll), but this is pathetic. As long as a company isn't Microsoft it can do no wrong according to you people. You're a zealot. [gpf-comics.com]
Re:mozilla vs M$ or (Score:3, Insightful)
2) No
In my post, I never said whether it only applied to Mozilla or Microsoft.
Any software maker does not want to post details on how the vulnerability can be reproduced, as that's basically like waving a giant, red flag and yelling "come and get me"
first post (Score:3, Insightful)
just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.
it's a rarity to see ZDNet make that kind of mistake.
Re:first post (Score:4, Interesting)
Having said that, this is assuming Tristan Nitot isn't simply spreading FUD. I don't know how fast IE and Firefox do release their patches. I do know one thing, not as many people are taking advantage of Firefox's insecurities as are taking advantage of IE's. So at the moment, it's safer for me to use Firefox.
Re:first post (Score:2, Interesting)
You pull that number from your ass? Go hit the Mozilla database and check out the years old bug reports that haven't been fixed yet and there is no indication they will be fixed any time soon, including your magical one year.
I like Firefox as much as the next man (check out my sig) but let's not make extravagant claims.
Re:first post (Score:2)
Yup, I was speaking hypothetically and wasn't talking about the real world. My point was, given X amount of time, Firefox will eventually become more secure IF their response time is faster than IE's.
Re:first post (Score:4, Informative)
Care to back up that claim with specifics URL to the relevant bug reports? I checked their database, and couldn't find any bugs that qualified. The great majority of bugs are either minor and non-security related, or less than a month old.
Re:first post (Score:3, Informative)
Ok, let's see... searching the bugzilla database for product Firefox, bugs filed more than a year ago, with severity being either "blocker" or "critical", and a status any other than "resolved", "verified" and "closed", for all OS, sort by importance. What do we get?
7 bugs found. Oo
Re:first post (Score:2, Insightful)
See my recent comment on this--How To Respond To Bad Mo [slashdot.org]
Re:first post (Score:2)
Re:first post (Score:2)
Yes, it does.
Symantec isn't just saying that Firefox has had a greater number of security flaws, they're saying that it means Firefox is just as insecure as IE.
This is just not true and Symantec deserves to be taken to task for this.
The lack of validity isn't in the fact itself, it's in the way the fact is being used to falsely suppor
bugs found = safer product, not opposite. (Score:5, Insightful)
Companies such as Symantec are interested in blurring the line between 'faults found' and 'security'. An unfound and easily exploitable fault can make a product more prone to attack, i.e. more insecure. Which is opposite to found flaws that are fixed.
So if a less skilled programmer is looking for faults, they are going to find fewer of them. So pretend we have two equally insecure products; by Symantec's paradigm one product would appear more secure than the other merely because fewer faults have been discovered. I'd trust a product created by many, rather than a product created by a recycled team.
To combat the same paradigm which Symantec promotes (i.e. more flaws found = bad, instead of good), companies such as Microsoft bundle multiple updates together (such as monthly updates) such that numerous groups of security flaws can be perceived as a lesser quantity of issues (or in MS's case "one critical update"). The reality though is that security is based entirely on your track record, and not by how many faults you've discovered in your code. So we all know what the track record for MS products is versus Firefox.
Original Symantec Article (Score:5, Informative)
https://ses.symantec.com/Content/displaypdf.cfm?S
But to save you some trouble, here's the excerpts about Mozilla:
What people are missing: (Score:3)
This entire article is about these "Mozilla browsers." But let's be real, the different "Mozilla browsers" that are out there are all patched on their own and modified and distributed on their own.
Is it really fair to charge the problems of these different browsers to one application framework? Not that many aren't core problems - I'm sure most are. But we are comparing a group of products with one. The many products being developed by people, for free, around the world - the other product
maybe IE has more (Score:5, Interesting)
arguably, one could say this is better than in IE, where there may be some which are not known until some hacker exploits it.
Re:maybe IE has more (Score:3, Insightful)
Firefox being open-source does give the vendors more of a chance to find holes more easily. But it also gives the hackers that same chance. So yes, IE may have 1 million holes while Firefox has 1 thousand. Vendors find 25 holes in Firefox, and only find 13 holes in IE.
Hackers are just as likely to find more holes in Firefox than they are in IE, despite the fact there's more in IE.
However this assumes hackers w
Re:maybe IE has more (Score:3, Informative)
Re:maybe IE has more (Score:2)
>more of a chance to find holes more easily
you are obviously confusing "vendors" with "external security experts". IE is as open source as it can be for its "vendor" (Microsoft).
Re:maybe IE has more (Score:5, Insightful)
not until someone exploits them, but until:
-- someone exploits it
-- it's discovered (it's not immediate, right?)
-- it finds its way to MS staff
-- it goes through the whole bureaucratic monster at MS all the way from a person who receives a bug report, through god knows how many decision makers to coders. (I guess that's not so quick)
Hackers have a lot of time to play around with those vulnerabilities...
Plus, I bet that in case of proprietary soft more (percentage wise) holes are discovered by those who are ill-minded (why in the world would you look for holes in IE? I don't know how that looks in FF's case, but I can imagine people looking for such stuff because they're doing a Good Thing).
Re:maybe IE has more (Score:2)
Or if you'd like to just keep spreading FUD, go on as you w
Re:maybe IE has more (Score:2, Funny)
Re:maybe IE has more (Score:3, Funny)
Open source wins again (Score:5, Insightful)
Re:Open source wins again (Score:2, Interesting)
Re:Open source wins again (Score:5, Informative)
In 2004, there was only ONE WEEK during which there were no known remote code execution exploits for fully-patched MSIE. There were 30 days for Firefox if you don't count Mac OS (which would be fair if we're only interested in browsers for Windows users).
Re:Open source wins again (Score:2)
A butcher is somewhat of an expert in the field (I know this because presumably I've been shopping from him for quite some time). The OP might or might not be an expert, but even if he does claim to be one, I have no way to know that for sure.
Re:Open source wins again (Score:2, Insightful)
The problem with your logic is that it's based on the assumption that security is improved by making it difficult to find security holes. The opposite is in fact true - the easier it is to find what security holes do in fact exist, the more likely those security holes will be closed.
Or to put it another way - security through obscurit
Not a dupe (Score:2)
But if this is a dupe, what might it be called? A trupe? April-fools joke on a regular day?
Re:Not a dupe (Score:3, Funny)
Re:Not a dupe (Score:2)
Re:Not a dupe (Score:2)
Duplicating the comment here would have been somewhat hypocritical/ironic, so I linked to it
It's mostly to prove a point, which is there is no point (to this story). As you suggest, this is an update, not a story.
Misleading numbers (Score:5, Informative)
Oh, I could add a few more to the list (Score:5, Insightful)
For that matter, who gets to decide what a bug is, rather than a "feature"? The DRM in the current version of the Acrobat format allows you to run embedded Javascript with no access controls. This is arguably an exploit, but Adobe would doubtless classify it as a feature, as it means you cannot circumvent DRM by turning the Javascript off.
Secondly, the numbers are not directly comparable, as Mozilla is standalone whereas IE is built into the OS. (This is important, as integration means that bugs that are strictly in the OS could be exploited through the web browser, without it being a web browser bug.)
Thirdly, there are deals over the reporting of security holes in software, whereby a report can be held back until a patch has been readied. This means that even "unconfirmed" (but reported) bugs by security vendors may be capped by the manufacturer. (Not always, even with those manufacturers who do this, but it does introduce uncertainty.)
Finally, Mozilla is cross-platform but bugs may not always be. Any buggy code that is OS-specific, for example, or any bug which relies on some OS-specific or library-specific bug in order to be exploitable, may only affect certain platforms as a result.
There is a second part to this one! It is also possible to have one bug that appears in multiple forms, but only one form per OS (due to OS-specific characteristics). Does it count as one bug or as many? (Remember, it still only takes one form in a given OS, but because of dependencies, changes in some way between different operating systems.)
Now, you can argue that many of the above are very hypothetical and do not apply in this specific study. Perhaps that is true, but the point is that unless you have rigorous controls on how you produce the statistics, the uncertainties are bound to be comparable to the number of incidents, making the statistics worthless.
And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".
Ideally, the security companies would produce sufficient additional information to demonstrate the confidence they have in the values produced as opposed to simply citing the numbers but not really backing them up with anything concrete.
Where uncertainty is required by the vendor, then publish a range or some other indicator of how many unpublishable but reported bugs are believed to exist. (Since there is no guarantee that the unpublishable data is circulated with security vendors, an accurate figure may not be producible at all.)
unconfirmed numbers would also be misleading... (Score:2)
For example, I assert that Mozilla has 300 vulnerabilities. Mozilla hasn't confirmed them, but you count them. So now the numbers are skewed in IE's favor. Yes, this is a somewhat forced example, but it shows how you can't just go counting all accusations.
I know there are problems with letting the fox guard the henhouse (in the case of Mozilla or IE), but really it is the writer(s)/manager(s) of the respective browsers who best know the code and behavior of the app, an
It's all academic (Score:5, Insightful)
1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.
2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed.
3. Now I use Linux exclusively (unless doing work on a client's computer on their behalf), and I sure am not using IE.
On the one hand, it's nice to see Moz hitting back with the PR. But, I wonder if this will ultimately hurt migration away from IE. That is, I can just about hear folks saying "MS says one thing, Mozilla says another...who to believe?"
To the non-techie, MS is a known quantity and The Mozilla Foundation is not (I'm thinking along similar lines to name-recognition at the polls). At the very least, an I-say, they-say approach seems to muddle the issue more than clarify it for those not willing to do their own research.
Re:It's all academic (Score:3, Interesting)
"The Mozilla Foundation" might not be a well-known quantity outside of tech circles, but "Firefox" most certainly is.
As to the rest...it might be anecdotal, but I've certainly not heard -one- person yet complain of MORE infections after installing Firefox, always the opposite. The proof's in use, and in that, Firefox beats IE every time.
Re:It's all academic (Score:2)
Not sure how technically accurate that is, but it usually alleviates any misgivings.
Re:It's all academic (Score:3, Insightful)
It's also possible you've got a more secure system. Are you using a router? Hardware firewall? A software one besides the Windows XP one? Many people run Windows XP with no security except what comes with it (which is why it has a Firewall since SP2, regardless of how bad or good it is, it's better than nothing) and a virus scanner (occas
Re:It's all academic (Score:2)
Not infected means not infected. Period.
It's also possible you've got a more secure system. That's why I pointed out nothing else changed besides switching browsers.
It's anecdotal of course, but it is my own, direct experience.
Re:It's all academic (Score:2)
I wasn't responding to you, but the AC who replied to you (if you check, you'll see I'm not replying to your comment). He was claiming he hasn't ever had any problem with viruses or adware using IE, I was pointing out there's not having problems, and not noticing the fact you do have viruses and adware on your computer. While the same can be said about Firefox users, I tend to assume they're more cluey (they've discovered another browser after
Re:It's all academic (Score:3, Insightful)
Re:It's all academic (Score:2)
Well it's wrong for me. I use Firefox but my parents use IE and I constantly have adware on my computer (an adware scan a week gets rid of it all though). My father isn't stupid enough to install anything without knowing what it is, my mother only does internet banking (and she'd freak if it
Symantec forgot one critical detail... (Score:3, Insightful)
Re:Symantec forgot one critical detail... (Score:2)
Were you trying to make a point? Or just looking for mod points (as of posting this the parent is at +2 Insightful).
Re:Symantec forgot one critical detail... (Score:2)
Re:Symantec forgot one critical detail... (Score:3, Informative)
They've been building 1.5 (Deer Park) for at least one or two months. I'm assuming they finished working on 1.0.7 before they began work on 1.5, so 1.7 isn't exactly new.
The interesting questions (Score:5, Interesting)
Does Symantec know customers who did?
Is Ed Gibson a Firefox user? [zdnet.co.uk]
Re:The interesting questions (Score:2)
Of course not, as that would be admitting their products aren't perfect.
Hitting back... with patches! (Score:2)
So, Symantec? How many critical holes are there, that are reported to Mozilla, are fully ID'ed down to the lines of source code and have patches to fix them? Mozilla is right in this regard: Being open source means you get a faster response time, as the folks who are finding out about these bugs can (and probably are) the ones th
Research... Reporting... (Score:5, Insightful)
Don't reporters do research any more? This article does nothing more than parrot what Mozilla has to say about the matter. I wonder if it would be possible for a company to completely forgo a PR department and just use the news media directly.
This was zdnet's first article on the recent situation, "Symantec: Mozilla browsers more vulnerable than IE". Basically, "This is what Symantec said about Mozilla". And now this article is titled, "Mozilla hits back at browser security claim". Which translates to "This is what Mozilla said back".
You could probably just take a few +5 rated comments from the first slashdot discussion about this and come up with a better article... In fact that might be a good business plan: write a script to automatically grab the highest rated comments from each story, splice them together into an article and then put on a website as original content, <msb>your articles might even be posted back to slashdot from time to time</msb>.
(msb = mandatory slashdot bashing).
Re:Research... Reporting... (Score:3, Insightful)
Of course, this is an absurd assumption. I know next to nothing about particle physics, if I published a book about particle physics being caused by little ghosts, I would be laughed at by the scientific community. But if this journalist wrote an article, the headline would say somet
Ability to respond (Score:2)
Who let the dogs out? (Score:2, Insightful)
Seriously, guys who make these kind of comparisons shouldn't be let out of the room; just stay inside and code. And let others do PR work.
1.0.7 is out (Score:3, Informative)
Re:1.0.7 is out (Score:2)
Bias again.. (Score:3, Insightful)
There are many ways you can look at this..
In 2005, IE has already been around for YEARS, if you follow that perspective, it should have many less flaws...But that's not the case.
You could say FireFox is newer, so of course more flaws are expected; you could also say they should have learned from IE's mistakes, and avoided those pitfalls.
You can also say Firefox is open source, people who find the flaws don't have malicious intent, they are trying to improve the software and make it a viable option in the real world..
Those who find flaws in IE usually do it for fun and profit, spyware spam porn diallers etc, all strapped into the world of IE..there are XX number of unknown exploits in IE due to the closed source, and they are probably being exploited right now, case in point is Microsoft's new Honeymonkey project discovered one in the first couple of days..
The article is basically a press release from Mozilla, but still, it's just numbers, numbers can be pulled from any generic poopshoot and manipulated anyway they want.
What happened to real journalism? (Score:5, Insightful)
When did the litmus test for long term security become the short term?
""" by claiming """
"""Nitot said that Mozilla's reaction"""
"""according to Nitot."""
"""He also argued that
All these quotes are from the article and in a place where they implicitly put into question what Mr. Nitot is trying to say.
But, when Mr. Whitehouse speaks even "IE is closed source, and so it's more difficult to access the code." Which implicitly says that closed source is more secure (security through obscurity - provably false). This "journalist" doesn't call him on it.
And this "journalist" continues to let this guy speak implicitly calling into question the security of and wisdom of using Firefox without making him justify the claims.
So, all in all, we have Mr. Nitot arguing a point and bringing facts to the table that support his claims and Mr. Whitehouse bringing implications and conjecture almost completely unsupported. Also, in the middle is this "journalist" who phrases things in a way that supports Mr. Whitehouse.
What happened to all the real journalists? You know, the ones that get as close to unbiased reporting as possible; the ones that report only facts leaving out editorials marked as fact.
*sigh*
A better response... (Score:3, Interesting)
Re:A better response... (Score:2)
-S
the comparison is simple (Score:2)
How many security alerts were open for Microsoft Internet Explorer?
What was the average severity of those alerts?
How many security alerts were open for Mozilla Firefox?
What was the average severity of those alerts?
The less severe the alert, and the faster it is resolved, the better the support behind the browser. It's that simple.
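The two measures this post asks for (how severe the open alerts are, and how fast they get resolved), together with the "days with at least one known unpatched hole" figure quoted elsewhere in this thread, can be computed mechanically once advisories are recorded as dated intervals. The following is an added example, not code from the page or from Symantec; the advisory records are constructed sample data, not figures from any real report, and the severity weights are an assumption chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample advisories (NOT figures from the Symantec report or any
# vendor): one record per public advisory, with the day it became public and
# the day a fix shipped (None = still unpatched at the end of the window).
ADVISORIES = {
    "Browser A": [
        {"id": "A-1", "severity": "critical", "published": date(2005, 1, 10), "fixed": date(2005, 1, 17)},
        {"id": "A-2", "severity": "moderate", "published": date(2005, 2, 1),  "fixed": date(2005, 2, 3)},
        {"id": "A-3", "severity": "critical", "published": date(2005, 3, 5),  "fixed": date(2005, 3, 12)},
        {"id": "A-4", "severity": "low",      "published": date(2005, 4, 20), "fixed": date(2005, 4, 25)},
    ],
    "Browser B": [
        {"id": "B-1", "severity": "critical", "published": date(2005, 1, 3),  "fixed": date(2005, 4, 12)},
        {"id": "B-2", "severity": "moderate", "published": date(2005, 2, 14), "fixed": None},
    ],
}

# Assumed weights; any monotone scale works for the weighted average below.
SEVERITY_WEIGHT = {"low": 1, "moderate": 2, "critical": 4}

WINDOW_START = date(2005, 1, 1)
WINDOW_END = date(2005, 6, 30)   # inclusive last day of the study window


def time_to_fix(adv, window_end=WINDOW_END):
    """Days an advisory stayed open; an unpatched one is open until window_end."""
    end = adv["fixed"] if adv["fixed"] is not None else window_end
    return (end - adv["published"]).days


def days_of_risk(advs, start=WINDOW_START, end=WINDOW_END, min_severity="low"):
    """Number of days in [start, end] on which at least one advisory of at
    least min_severity was public and unpatched. Overlapping exposure
    intervals are merged so a day with several open holes counts once."""
    threshold = SEVERITY_WEIGHT[min_severity]
    intervals = []
    for adv in advs:
        if SEVERITY_WEIGHT[adv["severity"]] < threshold:
            continue
        lo = max(adv["published"], start)
        # The fix day itself is not an exposed day; unpatched runs to the end.
        hi = min(adv["fixed"] - timedelta(days=1) if adv["fixed"] else end, end)
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()
    merged = []
    for lo, hi in intervals:
        if merged and lo <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return sum((hi - lo).days + 1 for lo, hi in merged)


def summarize(advs):
    """Raw count, mean and severity-weighted time-to-fix, and days of risk."""
    ttf = [time_to_fix(a) for a in advs]
    weights = [SEVERITY_WEIGHT[a["severity"]] for a in advs]
    return {
        "count": len(advs),
        "mean_ttf": sum(ttf) / len(advs),
        "weighted_ttf": sum(t * w for t, w in zip(ttf, weights)) / sum(weights),
        "days_of_risk": days_of_risk(advs),
        "critical_days_of_risk": days_of_risk(advs, min_severity="critical"),
    }


if __name__ == "__main__":
    for name, advs in ADVISORIES.items():
        print(name, summarize(advs))
```

With the constructed data, Browser A has twice as many advisories as Browser B yet is exposed for 21 days against B's 179, which is the point several posts here make about raw counts: the count alone says nothing about how long users were actually at risk.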
Re:the comparison is simple (Score:3, Informative)
Your questions are addressed on pages 3 and 4.
Symantec has no credibility on software issues (Score:5, Informative)
Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.
Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.
I call shenanigans (Score:2)
I call shenanigans on Mozilla, and I'm not falling for their sleight-of-hand bullshit. They get patches in users' hands faster? Whoop de freaking do. Whatever happened to Mozilla writing superior code? The "tens of thousands of eyes makes flaws shallow"? Microsoft isn't innocent, but shame on Mozilla for stooping to the same tactics.
Real world example vis Symantec vs. Mozilla (Score:5, Interesting)
The group of teachers were given Compaq and Dell laptops a few years back... and encouraged to use them at school and at home to help them in their work.
The schools gave them Symantec free subscriptions for a year... and Windows 98.
Over this summer I have fixed five of those PCs... a lot of hours in total. They were finally slowing to a halt (it is like a plague really finally hit those old Windows 98 machines) but the hardware was still going strong for what they needed. They were hijacked, malwared, and spywared to bits.
None of those teachers had bothered to upgrade their PCs via Microsoft Update ever as they did not know they had to (all of those laptops needed an update as far back as 2001 from MS), none of the teachers were going to shell out any money personally to keep their Symantec subscription up to date, and none of them had any time to learn how to protect their machines.
Why? Because they are too frigging busy doing other things!
But they were pissed that their machines were hosed and all they used them to do was write out lesson plans on MS Word and surf the net.
I did the usual Microsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.
A few months later after the start of the school year and no call-backs. None.
Symantec + IE vs. AVG/Spybot/Ad-Aware + Firefox? No contest.
In my mind, and the minds of the users I helped, Symantec is part of the problem.
They never got five subscriptions from those users and they never will.
Symantec are like a bunch of gangsters selling "protection". They need their own series on HBO!
Of course he's going to say something like that (Score:2)
When an update for IE is available, it is automatically installed. When an update for Firefox is ready, I have to download the browser itself and install it on top of the existing. (No, the auto-updates in Firefox don't work very well).
He may be right about the other points, though I doubt it, but it's far easier to update IE than Firefox.
Re:Of course he's going to say something like that (Score:2)
Depends on what you count as security (Score:4, Insightful)
Run Mozilla and it probably won't.
That's been my experience so far.
Rating software's security as lower when they fix more bugs seems like it would motivate exactly the wrong behavior. Also, it's invalid on its face. If IE has 1000 security flaws and fixes 10 and Mozilla has 50 and fixes 15, IE isn't more secure, before or after. There is no scientific measure of security, but the bug fix count hardly seems worth looking at.
What is Symantec's definition of critical flaws? (Score:3, Interesting)
Any vulnerability in IE turns out to be of the sort 'A remote attacker can gain complete control of the system'. Compare this to the flaws in Mozilla. How many bugs in Moz can take that credit?
*ahem* (Score:5, Interesting)
quoth eEye's product manager: "The more critical, the more pervasive the vulnerability, the longer it takes Microsoft to patch." [informationweek.com]
There are actually two issues here. (Score:5, Insightful)
Another item is also the time it takes from a vulnerability being publicized to the fix (or workaround). A moderate problem that isn't fixed for 6 months is more likely to be exploited than a high-severity problem fixed within days.
The real problem here is that even though both products generally are good products with some flaws (there will always be bugs, some more prominent than others), there may be a need to address some of the security risks present today from a basic point of view. This may even mean sandboxing within sandboxes to control interaction between browser frames/iframes/embedding, like the effect of the following example (for Mozilla).
(Nothing ill-meant about slashdot here, just an example).
My point is that this could as well have been your bank that was framed this way, and if there was a way for the bank to indicate the framing permissions and that browsers were able to catch this, a lot would have been gained in security. (OK, I haven't considered every issue raised by this, but I hope that you see my point.)
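The mechanism this post wishes for, a site declaring who may frame it and the browser enforcing that before rendering, is what later shipped as the X-Frame-Options header and the CSP frame-ancestors directive. The following is an added example, not code from the page, from Mozilla or from any browser: a small model of the browser-side check, with a policy syntax modelled on frame-ancestors ('none', 'self', explicit origins, and a leading wildcard label) and constructed sample origins. The `bank.example`, `evil.example` and `partner.example` hosts are placeholders, and default-port handling is a simplification of my own.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """scheme://host[:port], the unit a framing policy is matched against.
    Default ports are dropped so https://bank.example:443/ equals https://bank.example/."""
    p = urlsplit(url)
    scheme = (p.scheme or "").lower()
    host = (p.hostname or "").lower()
    port = "" if p.port in (None, DEFAULT_PORTS.get(scheme)) else f":{p.port}"
    return f"{scheme}://{host}{port}"


def source_matches(source, ancestor_origin, page_origin):
    """Match one policy source against one ancestor's origin."""
    if source == "'self'":
        return ancestor_origin == page_origin
    scheme, sep, host = source.lower().partition("://")
    a_scheme, _, a_host = ancestor_origin.partition("://")
    if not sep or scheme != a_scheme:
        return False            # sources in this model always carry a scheme
    if host.startswith("*."):
        # "*.partner.example" matches app.partner.example, not partner.example.attacker
        return a_host.endswith(host[1:])
    return a_host == host


def may_frame(policy, page_url, ancestor_urls):
    """Browser-side decision: the page may be rendered inside frames only if
    EVERY document in the ancestor chain has an origin the policy allows.
    policy=None models a site that says nothing, the situation the post
    above describes, where any third party can frame it."""
    if policy is None:
        return True
    sources = policy.split()
    if sources == ["'none'"]:
        return len(ancestor_urls) == 0
    page_origin = origin_of(page_url)
    for url in ancestor_urls:
        ancestor = origin_of(url)
        if not any(source_matches(s, ancestor, page_origin) for s in sources):
            return False
    return True


if __name__ == "__main__":
    # Constructed scenario: a bank login page framed by an unrelated site.
    page = "https://bank.example/login"
    attacker_chain = ["https://evil.example/look-alike"]
    print("no policy   :", may_frame(None, page, attacker_chain))       # True  (framed)
    print("'self'      :", may_frame("'self'", page, attacker_chain))   # False (blocked)
    print("'self' own  :", may_frame("'self'", page, ["https://bank.example/portal"]))
```

The check walks the whole ancestor chain rather than only the immediate parent, because a permitted partner page that is itself framed by a third party would otherwise let the third party in through the middle.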
Business (Score:3, Insightful)
Comment removed (Score:4, Informative)
Firefox 1.0.7 (Score:3, Interesting)
Cold Fact (Score:3, Insightful)
READ CAREFULLY. It says FIREFOX HAS FEWER BUGS (Score:4, Insightful)
Symantec's report counts up only the vulnerabilities acknowledged by the vendor. If you don't want to have a vulnerability included in their study, just don't acknowledge it. If you go to Secunia and add in all the unacknowledged vulnerabilities (but that are still known to the public), you find out that Internet Explorer has had more vulnerabilities in the same amount of time than Firefox. My thanks to Bruce Perens for pointing that out.
Re:Allegory (Score:4, Informative)
Re:Allegory (Score:2)
Re:Mozilla is a disaster waiting to happen (Score:4, Informative)
Re:Mozilla is a disaster waiting to happen (Score:2, Informative)
Re:Mozilla is a disaster waiting to happen (Score:5, Informative)
As of Firefox 1.03 [mozilla.org], what you say is no longer correct. The Firefox team has separated the content document object model from the chrome, so that chrome functions are no longer vulnerable to being overridden by content.
In addition, they've encapsulated chrome code even further in Firefox 1.5 [mozilla.org]
Admittedly the original design was a bit insecure, but the risks going forward have been eliminated, and the real risks are mostly the usual browser vulnerabilities in parsing, buffers, etc., all of which are present in Konqueror, Safari, and Opera, all of which have received far less security scrutiny.
Re:Mozilla is a disaster waiting to happen (Score:3, Insightful)
Re:Responsiveness is irrelevant (Score:3, Informative)
Re:Porting the beast (Score:2)