September 19, 2005 1:10 PM PDT
Symantec: Mozilla browsers more vulnerable than IE
But the report, released Monday, also found that hackers are still focusing their efforts on IE.
The open-source Mozilla Foundation browsers, such as the popular Firefox, have typically been seen as more secure than IE, which has suffered many security problems in the past. Mitchell Baker, president of the foundation, said earlier this year that its browsers were fundamentally more secure than IE. She also predicted that Mozilla Foundation browsers would not face as many problems as IE, even as their market share grows.
Symantec's Internet Security Threat Report Volume VIII contains data for the first six months of this year that may contradict this perception.
According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.
The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited."
The Mozilla Foundation did not immediately respond to requests for comment.
Symantec reported that the gap between vulnerabilities being reported and exploit code being released has dropped to six days on average. However, it's not clear from the report how quickly Microsoft and Mozilla released patches for their respective vulnerabilities, or how many of the vulnerabilities were targeted by hackers, though Microsoft generally releases patches only on a monthly basis.
Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."
There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
The report also highlighted a trend away from the focus of security being on "servers, firewalls, and other systems with external exposure." Instead, "client-side systems--primarily end-user systems--(are) becoming increasingly prominent targets of malicious activity."
Web browser vulnerabilities are becoming a preferred entry point into systems, the report stated. It also highlighted the trend of hackers operating for financial gain rather than recognition, increased potential exposure of confidential information, and a "dramatic increase in malicious code variants".
Tom Espiner of ZDNet UK reported from London. CNET News.com's Joris Evers contributed to this report.

It looks to me more like a one sided report trying to make open source look less secure than closed source. Not having read the report it sounds like what it might be saying is that flaws are easier to find in open source than in closed source.
Without consideration for how long each browser took to fix the flaw and the number of exploits before a patch was released this report just doesn't look like much to help a user or company make an informed decision on what browser to use (if that was the purpose of the report). Like I said though I haven't read the report and you can't go by what the press says, so it may be just the opposite of that.
They will do anything to keep people using Windows and IE...more
profit.
No matter what internet browser is placed on top of Windows,
the cracks or hooks in this operating system are still present no
matter what browser is used.
Sure, Firefox browser doesn't have as many pre-built hooks
down into Windows as Internet Explorer does, probably because
reverse-engineering Windows code is against the law for them,
but if the bricks of this Internet house are built on top of
Windows, there is only so much protection you can have.
The ultimate goal would be for MSFT to build a true Internet OS,
one that is not for the desktop, does not have hooks to DCOM,
or .exe, or Active-X. Until Windows is locked down, by design,
from the start, no browser will be able to protect PC users from
the features Windows offered to businesses for tying data
together, that are subsequently used by the hackers to tie the
hooks into a "web" of unintentional process calls and backdoor
traps.
Using a more secure OS from the beginning is the only solution,
and with Bill Gates screwing his unknowing customers any
chance he gets, this will not happen anytime soon.
What a shame as we waste countless hours and billions of
dollars while he got the fortunes by making a horse's rump of
you with his desire to stop Netscape at any cost; let's just mash
IE into Windows.
Although Gates is dumb, he is betting that many others are
dumber than he is, thus they keep buying Windows.
https://ses.symantec.com/content.cfm?articleid=1539
makes fairly good virus protection software, but other than for
MS products, the need for Symantec's programs is quite low.
With no threat, no sales.
As reported: "Symantec admitted that "at the time of writing, no
widespread exploitation of any browser except Microsoft
Internet Explorer has occurred," but added that it "expects this
to change as alternative browsers become increasingly widely
deployed.".
Can't blame them for trying to pump sales. But we don't have to
pay any serious attention to their rather obvious marketing
maneuvers.
"Mitchell Baker, president of the foundation, said earlier this year that its browsers were fundamentally more secure than IE. He also predicted that Mozilla Foundation browsers would not face as many problems as IE, even as their market share grows."
Mitchell Baker is a woman:
http://tinyurl.com/dd9tm
Good way to check the sources!
13+18=31 for MS IE
25+ 3=28 for Firefox
I've noticed not just Symantec but several other companies bad mouthing Firefox for the last couple of months ever since they broke the 15% marketshare usage barrier
it's like someone is afraid
well if you are really wanting to be secure you can use the updated CVS versions of Mozilla and Firefox updated almost every day
to keep up with all the security problems or do like I do and grab the most recent major revision whenever an update is available
Apples & oranges
by dam7ri
September 19, 2005 2:47 PM PDT
What everyone fails to realize is that Symantec found 25 flaws in the first 6 months of this year, in Firefox. How many flaws have been found in IE, since its release? What version of IE are we on now, and we are still dealing with the same flaws as the previous versions. Let's not even take into account the length of time that we are exposed to vulnerabilities, with IE. Firefox gets fixed, quickly.