Posted on 09/19/2005 7:01:42 PM PDT by Incorrigible
Mozilla Web browsers are potentially more vulnerable to attack than Microsoft's Internet Explorer, according to a Symantec report. But the report, released Monday, also found that hackers are still focusing their efforts on IE.
The open-source Mozilla Foundation browsers, such as the popular Firefox, have typically been seen as more secure than IE, which has suffered many security problems in the past. Mitchell Baker, president of the foundation, said earlier this year that its browsers were fundamentally more secure than IE. She also predicted that Mozilla Foundation browsers would not face as many problems as IE, even as their market share grows.
Symantec's Internet Security Threat Report Volume VIII contains data for the first six months of this year that may contradict this perception.
According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.
"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.
The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited."
The Mozilla Foundation did not immediately respond to requests for comment.
Symantec reported that the gap between vulnerabilities being reported and exploit code being released has dropped to six days on average. However, it's not clear from the report how quickly Microsoft and Mozilla released patches for their respective vulnerabilities, or how many of the vulnerabilities were targeted by hackers, though Microsoft generally releases patches only on a monthly basis.
Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."
There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.
The report also highlighted a trend away from the focus of security being on "servers, firewalls, and other systems with external exposure." Instead, "client-side systems--primarily end-user systems--(are) becoming increasingly prominent targets of malicious activity."
Web browser vulnerabilities are becoming a preferred entry point into systems, the report stated. It also highlighted the trend of hackers operating for financial gain rather than recognition, increased potential exposure of confidential information, and a "dramatic increase in malicious code variants".
Tom Espiner of ZDNet UK reported from London. CNET News.com's Joris Evers contributed to this report.
Actually it's open source... so yes, I can get it from many other places.
Unless you are rolling your own browser based on extrapolation of the source code - you are getting your browser from Mozilla (just being able to see the source code does not change this reality).
As expected, you were wrong. I decided to look up your BS, it took me all of 3 minutes to debunk it. I should have known all along.
http://seattlepi.nwsource.com/local/bill26.shtml
A spokesman for the Bill and Melinda Gates Foundation suggests that the efforts are misdirected because its donations do not pay for abortions.
"When we give a grant, it is for very specific things," Trevor Neilson said. "We have never made a grant for abortion services."
LOL! I haven't done anything STOOPID like that in the 8 & half years that I've been here [at least not recently! ;-)]
ESPECIALLY not late at night! :-)
As you're starting to see, he has a serious problem with reality.
Thanks, if they want to pull up the link you'll see it was late on a Friday or Saturday night, I don't remember which but I think it was Saturday. Probably after I had been out on the boat all day, and while I love being out on the water, the only way I can overcome all day seasickness is by drinking, LOL.
Dude, what's this all about? I mean, you're cert (or going to be) and you're teaching.
You don't seem like the type to get in OS food fights.
What's the deal with the Win2K threads?
Here's one of the threads weeks after he first started making the claim, called "MS issues final software update for Win2K". This thread was started by Shadowace, someone else perpetrating the lie n3wbie had already started a couple weeks before. Check some of this out, starting with n3wbie trying to claim "a hotfix != an update":
http://www.freerepublic.com/focus/f-news/1434031/posts?page=48#48
Okay, you are hereby informed.
According to the OSS crowd IE is horrible, so it should be easy to beat it hands down in security.
It is. You may notice Mozilla bugs are generally less serious and fixed faster.
But successfully compromising a small but well-known (especially for security) userbase will definitely give that notoriety. For example, the first person to write a successful self-propagating OS X virus will be famous. The next person to write a successful self-propagating Windows virus will be obscure at best, mixed in with tens of thousands of others, unless the virus is wildly successful and causes extensive damage.
Giving us another advantage for OS X and Firefox. Both are by default perfectly usable by most people while being fairly secure. Windows needs serious tweaks to make it usable and somewhat secure. IE requires you to run in a very unusable mode in order to be fairly secure, or a less secure mode to be usable.
And then there's the multi-vector aspect of IE, since IE is at its heart a set of system libraries used by several other programs that can provide vectors to the flaws in the IE code.
"flash bunny,
Looks like N3WBI3 is claiming it is old. Do you concur? "
Either you are intentionally dishonest, or you don't have a clue as to what you are talking about.
The mozilla project has been around since 1998.
The firebird browser, which uses the mozilla engine, only officially came out late last year. The first 'official' release of 1.0 was last September.
Understand yet, or do you think by trying to confuse the people who don't know the difference between the engine and the application, you can show yourself to be the smart one?
Or, given my reading of you, you are one of the people who cannot comprehend the difference between the 7 year old mozilla project and the just-over-a-year old firefox browser application?
Gobble gobble gobble.
LOL! Read the article again. But if that's what all this blathering about OSS is all about..."our bugs may be more but we have a couple fewer severe bugs than you do (at least while we have a small install base...lord help us if we ever actually catch on)"--I'll stick with the monkey on my back that I know as opposed to swapping it for a different monkey that may grow into a gorilla.
So how that just doesn't sound too appealing. "Choose OSS we may have more bugs, but most of them aren't as severe"
You're still touting firefox? Wow! Read the article for once before posting. This is too funny!
Obviously I don't understand. I'm trying to figure it out as N3WBI3 clearly said you were WRONG and now you're saying N3WBI3 was WRONG for saying you were.
I'm just going to the experts...so which one of you are the true expert?
Forget it. Either you are dishonest or your mental capacity falls right around 'not able to tie his own shoes' level.
Why is it that I'm the dumb one when it's you and your idol N3WBI3 at odds with one another. Personally I'd put my money on N3WBI3, but we'll see.
So you're still saying N3WBI3 was wrong when he said you were wrong? Is that right :-) ?
I did. Most Firefox vulnerabilities aren't critical, while most IE ones are. Some are simply the consequence of supporting various standards (slightly upping the intelligence threshold required to spot spoofing). And Firefox vulnerabilities are fixed faster -- actually OSS has a better track record for fixing serious vulnerabilities than proprietary, especially Microsoft.
Ok, then a challenge. I'm running IE...now attack my machine. I'll give you an IP of a machine with IE and your job is to exploit it. Good luck.
I'll bet a year's salary you can't harm that machine.
IE exploits usually don't work that way. The user has to browse to a malicious site, and it is common given the amount of spyware and trojans I find on the average Windows/IE box.
Ok, so you can't exploit it remotely and you have to trick me into the site. So I'll give that a go. Send me a link to a website of your choice and let's see if you can hack my box. It should be easy since IE has so many critical bugs that aren't fixed yet.