IE more secure than Firefox?



KingBahamut
September 20th, 2005, 04:41 PM
Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted."

Why do I feel that this report is somewhat biased in nature?
http://news.com.com/Symantec+Mozilla+browsers+more+vulnerable+than+IE/2100-1002_3-5873273.html

Lord Illidan
September 20th, 2005, 04:46 PM
There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

What about this?

bob_c_b
September 20th, 2005, 04:55 PM
I'll take security advice from Symantec about the same day I take security advice from MS.

jyank
September 20th, 2005, 04:55 PM
:---)

KingBahamut
September 20th, 2005, 04:58 PM
Symantec has a lot to protect with Microsoft's constant attempts at integrating AV and AS programs into the OS directly. As Microsoft continues down that path, it will become less and less necessary for someone like Symantec, or McAfee even, to exist.

matthew
September 20th, 2005, 05:12 PM
Symantec exists in a symbiotic relationship with Microsoft. If the host organism changes significantly the parasite dies. It is in their interests that people continue to use MS products.

EDIT: Oh...the parasite thing was an analogy, not necessarily a description of Symantec so don't sue me.

bob_c_b
September 20th, 2005, 05:17 PM
Symantec has a lot to protect with Microsoft's constant attempts at integrating AV and AS programs into the OS directly. As Microsoft continues down that path, it will become less and less necessary for someone like Symantec, or McAfee even, to exist.

You nailed it King, I work for a VAR and we are a Symantec channel partner, their tune has changed considerably since MS put OneCare (which is quite awful, I tried it at work on a spare workstation) into BETA. They went from scoffing at MS anti-spyware and anti-virus to now looking for a place at the table.

Ride Jib
September 20th, 2005, 06:09 PM
If you read the report carefully, you will see that it says vulnerabilities that the companies have acknowledged (aka "vendor-confirmed"). Just another play on words... even though IE has just as many, if not more vulnerabilities, MS just refuses to acknowledge them.

lawngn0mex
September 20th, 2005, 06:32 PM
If you read the report carefully, you will see that it says vulnerabilities that the companies have acknowledged (aka "vendor-confirmed"). Just another play on words... even though IE has just as many, if not more vulnerabilities, MS just refuses to acknowledge them.



That's not entirely true.

Microsoft has a lot more to lose than Mozilla if they don't address vulnerabilities. Why is it hard to believe that a closed source program has fewer vulnerabilities than one that's open source?

How about all of the crazy 3rd party unsigned extensions everyone likes to use?


You also have to take into account how many operating systems Mozilla / Firefox runs on vs. IE.


From my point of view, Firefox is less vulnerable to the common nuisances of the internet like popups and obviously, malicious DirectX controls. As far as program vulnerabilities, that's a debate. At least Firefox isn't tied into the OS as IE is.

bob_c_b
September 20th, 2005, 08:04 PM
Microsoft has a lot more to lose than Mozilla if they don't address vulnerabilities. Why is it hard to believe that a closed source program has fewer vulnerabilities than one that's open source?

If MS has more to lose why are they typically so slow to respond? For more than 3 months when the first URL spoofing/phishing flaws were found MS only had one suggested fix for IE: don't click on any suspicious URLs? And no suggestions as to what would constitute "suspicious". Equally vexing is their "baby with the bathwater" approach to email attachments, allow no attachments or all attachments is hardly a "fix".

As Secunia points out, there are many flaws MS refuses to even acknowledge, and a little research will show that if MS thinks an exploit is too "difficult" for the average person to experience they will not attempt to correct it, ever. While your argument might hold true for a company with a long history of secure code, it doesn't with MS.

I would also contend Mozilla/FireFox has much more to lose if they drop the ball on security, lacking an illegal monopoly to distribute their products and all. It wouldn't take more than one major flaw to go unfixed for long to get the MS FUD machine cranked in to high gear.

blueturtl
September 20th, 2005, 08:25 PM
Ahahahaha. What a thread. Let me count the number of PCs I've had to go save because they got breached through Firefox. Umm. None. Then I'll compare it with the number of PCs totally hosed because of IE. Yup. Sounds to me Symantec's report is biased towards where their business is.


If MS has more to lose why are they typically so slow to respond? For more than 3 months when the first URL spoofing/phishing flaws were found MS only had one suggested fix for IE: don't click on any suspicious URLs? And no suggestions as to what would constitute "suspicious". Equally vexing is their "baby with the bathwater" approach to email attachments, allow no attachments or all attachments is hardly a "fix".

M$ hasn't really had to bother with security or features of IE ever since Windows 98. Since everyone's got the browser anyway...
Back in the ol' day when people still had a choice, I'm sure they might have had to do something about things.

blastus
September 20th, 2005, 09:18 PM
- Microsoft has had 10 years to fix IE, 4 years to fix IE6.
- Mozilla Firefox, while based on the earlier Mozilla suite and Netscape, is what, like 2 years old?

Therefore I would expect there to be fewer holes in IE than in Firefox.

Even if I still used MSWindows, I would not use IE because it is integrated into the OS. This monolithic design is one reason why IE is an insecure piece of junk. A hole in IE can open up a hole to the entire OS.

There is NO LOGICAL REASON why an OS requires a web browser to function. We all know Microsoft bound MSWindows and IE together to force IE on the world and eliminate Netscape.

bob_c_b
September 20th, 2005, 09:23 PM
M$ hasn't really had to bother with security or features of IE ever since Windows 98.

Well over half the security patches MS has released for XP have had some relationship to IE, so I would say that most of what they bother to fix is related to IE. The fact that they are still patching IE after this long is worrisome.

As inferred earlier, the only reason Symantec issued this statement is to gain some favor from MS as they are poised to enter the AV market with OneCare.

blastus
September 20th, 2005, 09:38 PM
Well over half the security patches MS has released for XP have had some relationship to IE, so I would say that most of what they bother to fix is related to IE. The fact that they are still patching IE after this long is worrisome.

One would think after 4 years they would have gotten it right. The fact that IE7 will not be able to run on anything earlier than XP SP2 (like even Windows 2000 which has the same code-base as XP), is IRREFUTABLE PROOF that MSWindows and IE are bound together. In this relationship, the host, MSWindows requires the parasite IE to live. But in this case, the parasite is of the same species as the host and is not a distinct organism!

KingBahamut
September 20th, 2005, 09:43 PM
One would think after 4 years they would have gotten it right. The fact that IE7 will not be able to run on anything earlier than XP SP2 (like even Windows 2000 which has the same code-base as XP), is IRREFUTABLE PROOF that MSWindows and IE are bound together. In this relationship, the host, MSWindows requires the parasite IE to live. But in this case, the parasite is of the same species as the host and is not a distinct organism!
<Fans the flames> don't lose focus here.

blastus
September 20th, 2005, 10:37 PM
<Fans the flames> don't lose focus here.

But a comparison of IE security vs other web browsers is incomplete without a discussion of the tight coupling between MSWindows and IE. Furthermore, IE is based on ActiveX (which is a COM technology) but ActiveX does not have a security model. An ActiveX control (OCX) or library (DLL, EXE) must have total-machine-access or it does not run at all. I know what I'm talking about because I used to build ActiveX controls and libraries. There is absolutely no difference between a running ActiveX control and a standalone EXE application that you have executed except that the control needs a host (which may be IE, MSOffice or whatever.) But in IE, every plugin is an ActiveX control so IE is useless without ActiveX. My argument is that IE is insecure by design.

It is also highly relevant to point out that IE6 is already 4 years old and IE is a 10 year old product. However, the first release of Firefox 1.0 wasn't until November 2004. So Firefox is not even 1 year old. So one would expect that a mature product would be just that--more mature (i.e. stable, secure, robust etc...) So it does not follow that if Firefox has more holes than IE recently, that IE is "more secure" than Firefox. IMO it is a short-sighted claim.

Kvark
September 20th, 2005, 10:59 PM
Those numbers are hardly surprising. One would expect open source software to have more known and therefore hopefully soon fixed security holes since it is easier to study. While closed source software would be expected to have more unknown security holes that could become day-zero exploits.


The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited."
I don't care if the web browser is secure or not. It is only supposed to render web sites so logically the only thing you can do by exploiting it is render a web site. That's no big deal. ...Wait, the average severity is "a compromise of the entire system"? ...That's just insane! ](*,)

jdodson
September 20th, 2005, 11:04 PM
Articles of this type use bad logic to equate software that is built in different ways.

Internet Explorer and Firefox are both browsers. No denying that. Though, that is where the similarities stop for the most part.

So it's problematic to compare them both based ONLY on security reports filed for the browsers. A few interesting facts.

Internet Explorer is a closed source application.

Firefox is an Open Source application.

OK, no news here right? So, might one ASSume that since practically anyone (and many people do) can do a code audit of Firefox, might one assume that it might have a higher bug reporting count due to the fact that you can see things you could not otherwise in Internet Explorer? You can take Firefox apart from the inside out, might that mean that more bugs are posted due to that fact? So we might imagine that Internet Explorer might have the same amount or more bugs than Firefox, but how would we know that really? It is only speculation. Honestly I would rather have more bugs registered and fixed than have a ? surrounding my web browser.

Some other points:

Firefox does not use ActiveX. That is a big deal in terms of security. This makes Firefox more secure in the eyes of many people, including myself.

It's also worth noting that all security flaws reported on Firefox are not equal to all security flaws reported on Internet Explorer. So it's pretty stupid to say "HEY LOOK 8 FLAWS IN FIREFOX ALL EQUAL TO 8 FLAWS IN IE!!!111" Umm ok, how bout no. Compound that with the fact that some Firefox flaws are Windows centric. For instance, in Windows most people run as Administrator. Well it's not how Ubuntu works, so if a flaw in Firefox causes some buffer overflow and exploits permissions on the whole system, that's not a GNU/Linux issue now is it? So not all security flaws are equal, and if you run Ubuntu some don't even matter. Some security flaws in Firefox are petty to trivial, but they get a report anyway and they get fixed.

It's worth mentioning that some issues in IE are not fixed, and are not planned to be. Some speculate on Microsoft's reason, I think they just don't care.

So in the end, the article is mostly filled with bad logic and nonsense.

Just because you can get some facts and line them up does not mean your conclusions fit the evidence.

Correlation != Causation, or rather Correlation does not always equal Causation.

xequence
September 21st, 2005, 01:11 AM
Symantec makes their money from windows users getting viruses, of course they want people to use IE =P

Doesn't Symantec sound similar to Synaptic? Odd...

aysiu
September 21st, 2005, 01:45 AM
All that matters is how many exploited vulnerabilities there are, not how many vulnerabilities.

If Firefox has a vulnerability, I never read about or see any exploitation of it--ever. I hear all sorts of hype about it in the news ("Firefox is insecure, too!"), but no one says, "Oh, my God. Someone took over my computer through Firefox." Mozilla issues a warning, usually telling you to disable javascript or change something in the about:config, and within a week a patch or new version is issued.

Internet Explorer's vulnerabilities are exploited on a daily basis. We experienced it in our own household, and I see it at least twice a month at work with my co-workers.

Plus, there are so many Firefox extensions that protect you from random exploits--the NoScript extension, for example, has you opt in for javascript on sites. Flashblock lets you opt in for Flash. You can uncheck the box "Allow websites to install software." If you mess around with Internet Explorer's security settings (which are usually meaningless--low, medium, high, highest), you can easily get a non-functional browser.

mstlyevil
September 21st, 2005, 02:51 AM
IE more secure than Firefox? I have only two words that come to mind when I first read that.

BULLS%^T !!!!!!!!!!!

Perfect Storm
September 21st, 2005, 04:27 AM
http://thilockdominus.freehomepage.com/images/smileys/Firefox%20vs.%20iexplorer.gif

matthew
September 21st, 2005, 05:00 AM
AI--love the smiley, bro!

nocturn
September 21st, 2005, 07:44 AM
Symantec has issued a report that suggests that Internet Explorer may be more secure than the open source Mozilla Foundation browsers. "According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity. "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted."

Why do I feel that this report is somewhat biased in nature?
http://news.com.com/Symantec+Mozilla+browsers+more+vulnerable+than+IE/2100-1002_3-5873273.html


The reasoning of measuring security in this way is flawed in many respects.
1# The number of vulnerabilities and the severity should be viewed against who discovered them (the good guys?) and how long it takes for a fix to appear (the infamous window of opportunity).
2# As stated before me, they only count vendor confirmed ones; MS has a bad rep, sometimes even threatening to sue researchers if they publish.
3# This way of measuring security only counts programming errors, not design mistakes. So, the hole that is ActiveX or the lack of options to control javascript etc. is not a vulnerability.
Think about this: IE runs on Windows only and will have admin privileges in 99% of the cases. This is not a bug, it was designed that way.
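Points 1# and 2# above describe a measurement problem rather than an opinion: a raw count of vendor-confirmed vulnerabilities ignores how long each hole stayed open and drops every issue the vendor never confirmed. The following Python is an added example, not part of this thread or of Symantec's or Secunia's reports; it compares the naive "confirmed count" metric with a disclosure-to-fix exposure metric over a small constructed data set (the two browsers, dates and severities below are invented for illustration and are not real advisories), and shows that the two metrics can rank the same products in opposite order.

```python
"""Compare a vendor-confirmed vulnerability count with an exposure-window metric.

Added example. The vulnerability records below are CONSTRUCTED for
illustration; they are not Symantec, Secunia, Mozilla or Microsoft data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    product: str
    severity: str           # "high" or "low"
    vendor_confirmed: bool  # did the vendor acknowledge the issue?
    disclosed: date         # public disclosure date
    fixed: Optional[date]   # None means still unpatched at the reference date


# End of the period under study (the thread discusses H1 2005).
REFERENCE_DATE = date(2005, 6, 30)

# Constructed sample: browser_a has more confirmed issues but fixes them in
# days; browser_b has fewer confirmed issues but leaves holes open for months
# and never acknowledges two of them.
SAMPLE: List[Vuln] = [
    Vuln("browser_a", "high", True,  date(2005, 1, 10), date(2005, 1, 17)),
    Vuln("browser_a", "high", True,  date(2005, 2, 3),  date(2005, 2, 8)),
    Vuln("browser_a", "low",  True,  date(2005, 3, 1),  date(2005, 3, 4)),
    Vuln("browser_a", "high", True,  date(2005, 4, 12), date(2005, 4, 20)),
    Vuln("browser_b", "high", True,  date(2005, 1, 5),  date(2005, 4, 12)),
    Vuln("browser_b", "high", False, date(2005, 2, 1),  None),
    Vuln("browser_b", "low",  False, date(2005, 3, 15), None),
]


def _for(vulns: List[Vuln], product: str) -> List[Vuln]:
    return [v for v in vulns if v.product == product]


def confirmed_count(vulns: List[Vuln], product: str) -> int:
    """The metric the report uses: only vendor-confirmed issues are counted."""
    return sum(1 for v in _for(vulns, product) if v.vendor_confirmed)


def disclosed_count(vulns: List[Vuln], product: str) -> int:
    """Every publicly disclosed issue, confirmed by the vendor or not."""
    return len(_for(vulns, product))


def exposure_days(v: Vuln, ref: date = REFERENCE_DATE) -> int:
    """Days a hole was public before a fix; unpatched holes count up to ref."""
    end = v.fixed if v.fixed is not None else ref
    return (end - v.disclosed).days


def total_exposure_days(vulns: List[Vuln], product: str,
                        high_only: bool = False,
                        ref: date = REFERENCE_DATE) -> int:
    """Sum of the window of opportunity over all of a product's issues."""
    return sum(exposure_days(v, ref) for v in _for(vulns, product)
               if not high_only or v.severity == "high")


def unpatched_count(vulns: List[Vuln], product: str) -> int:
    return sum(1 for v in _for(vulns, product) if v.fixed is None)


def summarize(vulns: List[Vuln], ref: date = REFERENCE_DATE) -> Dict[str, Dict[str, int]]:
    """Per-product table of the naive metric next to the exposure metrics."""
    out: Dict[str, Dict[str, int]] = {}
    for product in sorted({v.product for v in vulns}):
        out[product] = {
            "confirmed": confirmed_count(vulns, product),
            "disclosed": disclosed_count(vulns, product),
            "exposure_days": total_exposure_days(vulns, product, ref=ref),
            "high_exposure_days": total_exposure_days(vulns, product, True, ref),
            "unpatched": unpatched_count(vulns, product),
        }
    return out


def worse_by(vulns: List[Vuln], metric: str) -> str:
    """Which product looks worst under a given metric (higher is worse)."""
    table = summarize(vulns)
    return max(table, key=lambda p: table[p][metric])


if __name__ == "__main__":
    for product, row in summarize(SAMPLE).items():
        print(product, row)
    print("worst by confirmed count :", worse_by(SAMPLE, "confirmed"))
    print("worst by exposure days   :", worse_by(SAMPLE, "exposure_days"))
```

With the constructed data, `browser_a` is "worst" by the report's confirmed-count metric while `browser_b` is worst by exposure days and by unpatched issues, which is exactly the inversion nocturn's first two points predict; swap in real advisory dates and the same functions give a defensible comparison.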

nocturn
September 21st, 2005, 07:47 AM
One little addition to my post. Most FOSS projects publish all vuln's, even the ones discovered by the project itself. A lot of commercial companies just slip them in the monthly security patches (which are black boxes). So counting like this is very unfair.

angkor
September 21st, 2005, 08:18 AM
IE more secure than Firefox? I have only two words that come to mind when I first read that.

BULLS%^T !!!!!!!!!!!

Is that one or two words in English?? :D

Amen btw.

bob_c_b
September 21st, 2005, 11:42 AM
And the Mozilla folks respond to Symantec's claim. (http://news.zdnet.co.uk/0,39020330,39219186,00.htm)

newbie2
September 21st, 2005, 03:35 PM
IE more secure than Firefox? I have only two words that come to mind when I first read that.

BULLS%^T !!!!!!!!!!!
http://software.silicon.com/security/0,39024655,39152480,00.htm
:smile:

fng
September 21st, 2005, 04:08 PM
http://thilockdominus.freehomepage.com/images/smileys/Firefox%20vs.%20iexplorer.gif

that smiley is awesome!