Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's "ability to react, find a solution and put it into the user's hands is better than Microsoft."
Nitot said that Mozilla's reaction time was faster than Microsoft's. "If you look at our ability to respond, we are in much better shape. On 6 September an IDN buffer issue was reported to Mozilla. On 8 September it was publicly disclosed. We ask our developers not to mention any problems until we have a fix for them, but for some reason he went public. On 9 September we had a configuration change that disabled the IDN problem, that users could implement manually, or they could use a patch. Within ten days we had a newer version that was fixed completely."
"If you look at Microsoft — this month they decided to skip a security patch," so any vulnerabilities won't be addressed, according to Nitot. "That's not the kind of thing that happens with us," he said.
He also argued that, according to security company Secunia's statistics, the Microsoft vulnerabilities were more critical, and had been so over a longer timescale. In the period 2003 to 2005 Secunia have issued 22 security advisories regarding Firefox 1.x, and rate it as "less critical". In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as "highly critical".
"Basically their vulnerabilities are more critical. With Firefox — yeah, you have holes, but they're much less serious." Nitot likened the differences between Firefox and IE vulnerabilities as being like injuries: "Which would you prefer, to have a broken finger, or your head ripped off?"
Ollie Whitehouse, a researcher at Symantec, thought that the results were surprising but were due to a number of factors, primarily the short uptake time for Firefox and the fact that it was open source.
"Firstly, there has been a wide adoption of Firefox in a short space of time. More security researchers and people with more nefarious motives have been able to look at the code base. Secondly, as Firefox is open source more people have access to the code base, so they are free to look for bugs. IE is closed source, and so it's more difficult to access the code."
"Rogue Web sites find Firefox is quite difficult to exploit because it runs on a large number of platforms."
When asked to comment on Nitot's point about the short timeframe of the study, Whitehouse responded, "Up until now Firefox has had a lot less holes [than IE] — but it has had a wider adoption in the last six months. It will be interesting to see whether this is a blip, or whether the trend will continue."
"As Firefox becomes more popular, it becomes a more attractive target. People who have swapped [from IE to Firefox], even if this is a blip, should ask whether the assumption that Firefox is more secure than IE is valid anymore. They shouldn't just rely on changing their browser, but may think about having to look at a different configuration."

Talkback
Even if the two browsers had equally insecure code bases, the fact that Internet Explorer supports ActiveX under Windows while Firefox does not gives IE the potential to be considerably more dangerous.
Let's not lose perspective here, people. Even if Firefox had 100 vulnerabilities to Microsoft's 10 each month but Firefox QUICKLY fixes them, as compared to Microsoft which takes weeks and months, in the long run Microsoft's IE is more "user friendly" for hackers and virus writers because of the window of opportunity in IE. Even if both browsers had 50% of the market, with Microsoft taking much longer to patch their vulnerabilities it will always be more attractive to hackers.
What is this REALLY telling us? It tells us that Microsoft is again concerned by fair competition -- the thing it hates most. I suspect their lackeys at Wagg Ed are probably behind this if we let history be our teacher: or did I hear they were replaced? Hmm... Anyway... As a general rule in life, we should see those people who use fear to manipulate us are the ones we actually should be the most afraid of. It is good for business for Symantec to be a "team player" (cough... "Linux Viruses"... cough... gag) -- this isn't the first time.
The fact is, and Symantec developers must know this, there should be more weaknesses found in open source software like Mozilla. That's the entire point of it being open source -- for the good guys to find all the security weaknesses to repair -- whereas the opposing Microsoft approach is to hide them. Just because Microsoft's customers don't know about security weaknesses doesn't mean the bad guys won't find them and silently use them. Hiding one's head in the sand is not security. Every other field of engineering requires peer review, so why do so many people not require peer review for the technology they are trusting their future to? For certain companies, fear and security weaknesses are very good for business, so they are "team players".
Linux is frightening to companies like Symantec who have made virus fighting their bread and butter. It doesn't have to be like this. They could shift into other service areas instead of fighting the progression of technology. Of course, this requires character from the people in upper management, so I'm not too hopeful about them, because I know corporate America well.
Symantec is filled with security experts, so they know the whole story about WHY more discovered exploits in Mozilla is a good thing, but according to this article, they are expectedly not telling the whole story. There's a word for people who hide part of the truth to accomplish selfish goals... now what was that word...
By the way, if you happen to be an employee of Symantec, you probably should not feel affronted by my words. Most of you are probably good people, and typically highly skilled, and are innocent of the games meant to hurt competition through deception. It's a dirty business, isn't it? Alas, if there were an industry without massive corruption, I'd be there.
Remember:
* Mozilla's core theme is Internet {browsing, email, etc} while Microsoft's core business is not Internet-specific.
* Mozilla have shown to have good intent; has Microsoft?
* Mozilla have developed their own Internet-related technology from the "ground up" while Microsoft's IE is derived from licensing of the Spyglass Mosaic browser back in 1995 (see http://tinyurl.com/dwbux ).
* SO, WHO DO YOU TRUST?
To Ollie Whitehouse:
You have given us the answer you didn't want to give. By saying that people shouldn't switch their browser because popular browsers are or will be unsafe, you are in fact saying that if people want to have a safe browsing experience they should only use unpopular browsers.
But for that to happen true open/industry standards are required.
Thank you for confirming that true open/industry standards are indeed required to ensure an ongoing overall safe browsing experience. Because that alone would allow people to switch to whatever (unpopular) browser they want once it turns out that their current browser is becoming too unsafe for them. Which seems to be exactly what's happening the world over right now and leading to "good enough" happy browsing.
As for reconfiguring IE in such ways that it's safer. Yes, that's possible. Simply follow (and keep on following for the remainder of your life) to the letter all the recommended security guidelines and advisories Microsoft comes out with on a monthly basis at least (hope you can understand them). Never mind that it'll severely impact your browsing experience every so often for undisclosed amounts of time. However, make one mistake or be a little late and it could all be over or, more likely, something less bad will happen. Yes, some say, that's how we should have a safe browsing experience in this new millennium. Question: is that how you do it yourself, Mr. Whitehouse? Answer: no, I rely on [insert commercial product here] to keep me safe! Gee, Mr. Whitehouse, what an unexpected answer that was. Tell me, could you make me such a fine protecting product for my current non-Microsoft browser of choice, or is it that you can't or won't? Because if you don't produce for the browser of my choice, then why should I choose your products that seem to require a browser I no longer want? Might I conclude that at least for the coming year I no longer need your IE-specific product because of my choice of browser? And that by the time you do produce a product for my current browser of choice I will follow your excellent advice and move on to the next safe (unpopular) browser of that time. That is, if I ever need to.
A little word of advice, Mr. Whitehouse. You might want to start working on security products that don't come with IE-specific add-ons and thus reduce the overall price of such products before your competition (which happens to include Microsoft itself in the coming years) does.
Because as things stand now, by not using IE I not only rid myself of plenty of annoyances but I can also replace my pricey anti-virus, anti-spyware, anti-whatever commercial product with a much less costly one. Free, even. Heck, I might even be able to use my current hardware a year longer.
When you think about it, Symantec's entire business is built around patching holes in people's insecure computers. Letting a more secure web browser onto corporate networks might make their firewall and antivirus solutions less appealing to the corporate types, and that would be the worst thing for Symantec.
When you take that into account, it's unsurprising that you find them issuing press releases which claim that Firefox is less secure than IE, even though many of the more respectable bodies are still claiming the exact opposite.
Perhaps people should be fair when reporting vulnerabilities and either give fair warning, or constantly release 0day. Not show bias, like the security-protocols guy has... unless maybe that jerk works for Microsoft.
Obviously Symantec has to point out problems in Mozilla since they are in partnership with M$!!!
I don't think Symantec has any necessity to point out that there is a problem in Mozilla, as they have to dig more into this issue and then come back.
Mozilla is "far" better than M$ IE :).
Symantec must understand that without Symantec products, using Mozilla adds their functionality, but if you use IE you are in trouble without Symantec products.
I think Symantec understands this, and should stop digging into this and do a better job in what they are doing now, since their related job is to tackle virus-related problems, which are growing more every day, so they have to do good in this rather than commenting on the browser industry.
Opera 8 has great security (see secunia.com) and since yesterday it's free! ($39 previously).
Symantec and Microsoft cannot be trusted. Much of what appears to be articles are really written by P.R. companies like Waggener Edstrom.
Here's one comment that seems correct to me:
IMHO, Symantec has done more damage themselves!
http://it.slashdot.org/comments.pl?sid=162741&cid=13600281
Here's another comment:
Register.uk's publishing Symantec's adware
http://it.slashdot.org/comments.pl?sid=162741&cid=13600303
Last time I checked Firefox didn't automatically update itself. So, if this is still true, it really is irrelevant how fast Mozilla pushes out the patches if they aren't being downloaded & installed by the average joes who've been set up to use Firefox by supposedly more intelligent friends.
Last time I checked Firefox didn't automatically update itself UNLESS, you check the "automatically update Firefox" box. Now how did I miss that? Hmmm...
Actually, Firefox DOES automatically update itself by default. You can turn off this option if you really want to, but I don't see why you would. But there is a little problem with it; it doesn't say nor let you specify how often it checks for updates. I think it checks every time Firefox starts, but all it says in the settings is "periodically"...however often that is.
Has anyone thought that maybe Symantec's report is a little out of place, considering that they only develop for MS platforms? For Symantec to even consider writing the report gives credence to the thought that they are trying to knock "anything not MS", disregarding their own facts. In fact, Symantec would be shooting themselves in the foot if they reported the actual real world facts, and thus, anything coming out of Symantec for any product other than Microsoft should be considered at the very best as unreliable. In the real world, computers that have been hacked full of spyware & viruses were running IE and/or installing crippleware whose agreement the user did not read.
I've been using Symantec products for years; however, with this, and the repeated times that Symantec sent an unsolicited email (spam) to buy their anti-spam software, I believe it's my (and my customers') time to move on. Thanks for the great ride while it lasted.
Is it any wonder many technologists view tech journalism as little more than shilling for advertisers? Symantec prints a press release attacking Mozilla, and you rush it out to press without giving Mozilla a chance to respond. Then when you finally run Mozilla's response, you give Symantec nearly half the article to reiterate their claims and rebut Mozilla.
What is this nonsense being spouted by a supposed security expert? Hinting that closed source is somehow "more secure" because the weenies can't get at it - security by obscurity is a lie, Mr., and you know it; if you don't, find a new job!
Firefox may fail to update itself, and won't give the end user an error log about that.
Plus, 1.0.7 was released without enough testing.
I'm fine with both Internet Explorer and Firefox, and even with Internet Explorer I had no problems, even with virus- or spyware-related things. I give my PC a daily, YES "daily", maintenance, but that takes me just 2 min and some scripting will do the rest for me! I worked like 2 weeks on my router to disable any port that is unused by my system, but without harming functions of my PC, the internet, gaming. You just need to spend a little more time when you start using a PC for the first time, and heck, I'm only 18 yr :-D
But my PC is old and sometimes Firefox gives problems ("Resources" then). There were days I looked in Task Manager and I'd see that Firefox used more memory than IE used, and I had 2 pages open in FF and 5 to 7 in IE :S. So why is this? I've got the latest. But my specs are:
1.8 GHz P4 400 MHz FSB
786 MB memory
Aopen AX-4b 533 mainboard
GeForce FX 5200 128 MB
Maxtor 7200 RPM 1 MB cache 40 GB HDD
ATA-100
Yow, see ya all later dudes
Security by Obscurity has been found to be frail. All of a certain company's undocumented features were eventually detected and exploited (when the developer/administrator community had no idea whether these features/bugs existed.) This started BIG with a program called "Sidekick" that was the first TSR on M$-DOS (when TSRs were "undocumented").
The entire Symantec report actually says Firefox finds out more issues/bugs/holes in their software and fixes them almost as soon as they are detected, while Microsoft doesn't know if an exploit has been found until the next major worm or virus or whatever hits. They're actually saying hey, look, Mozilla/Firefox is better!
You guys bashing Symantec about this are all a bit... ignorant to say the very least.
Symantec is more than crappy AV software...
Take a look at Ghost and BackupExec, for example. Symantec has some vested interested other than AV.
----
To all of you who say how open-source software is more secure because it gets patched faster and it is comparable to a broken finger... all I can say is this:
A broken finger can still kill you if not taken care of properly.
So they (Mozilla) do agree that their browser is NOT secure, as they claimed in the beginning (Fast and secure).
We've heard this all before. They're trying to imply that because the source code is open, it's more vulnerable to attack. And yet since I started using Firefox, I've had zero problems with spyware and popups. And every time I open my old IE, I still get popups.
What the hell is this Symantec 'expert' talking about to another 'expert' journalist????
Accept it, Symantec and Miki$oft - Mozilla is more secure simply by virtue of not running ActiveX. Even in IE if you disable ActiveX, it still pops up annoying dialogs warning you that it's disabled. Stupid idiot microblow$ 'engineers' thought it would be helpful. Morons - It's not helpful, it's idiotic. Also, what about stupid BHOs (browser helper objects), etc, etc that make IE a virus factory???? What pisses me off most about IE is that I can get infected by just browsing a site and not even know about it. It happened to me several times. I stopped using IE as my main browser. I use Mozilla. Yes, it's slower, I don't care. It won't screw me like IE and I don't require multi-gigabyte patchset hotfixes from micro-ooze via 'automatic' updates.
Like the rest of Micro$oft's OS, IE is shit. It has always been shit and will always be shit. I am forced to use Microsoft's OSes every day because the applications that I need do not run under Unix. If that ever changes, Bill Gates will get a hot lava enema from the market place. Have a nice day, you all, omega geeks.
The spammers with their popups are getting clever. Now they have Flash popups. Mozilla 1.7 out of the box is unable to not display them. You have to get a patch - no biggie.
What other uses could there be for this annoying 'active' contents called Flash, besides writing popups (or pressing that 'Skip Intro' button). But of course, a killer application.
Replying to Thomas Corriher above:
Quote: " ... As a general rule in life, we should see those people who use fear to manipulate us are the ones we actually should be the most afraid of ... "
In another context, Thomas, such people would be referred to as "terrorists" - in other words, for fear to be induced, something MUST be threatened; and for a threat to be effective, the possibility of it being carried out must be believed. Thus, for terror to be successfully 'installed' into the 'terrified', the 'terrorist' must be a believable nasty piece of work - which effectively describes Microsoft!