Mozilla Hits Back at Browser Security Claim

ScuttleMonkey posted more than 8 years ago | from the community-loves-responsive-developers dept.

UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"

295 comments

Symantec isint biased! (5, Funny)

W3BMAST3R101 (904060) | more than 8 years ago | (#13611160)

Symantec biased? NEVER!!!

Re:Symantec isint biased! (5, Insightful)

digitalunity (19107) | more than 8 years ago | (#13611188)

Bias is inescapable. You mean to tell me Symantec's stance on browser security reinforces the need for their solutions?

As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.

Re:Symantec isint biased! (4, Insightful)

nacturation (646836) | more than 8 years ago | (#13611383)

You mean to tell me Symantec's stance on browser security reinforces the need for their solutions?

How's that? They're claiming that the browser which the vast majority of people use is *more* secure. So if you use IE, you need their products *less* than if you used Firefox.
 

Re:Symantec isint biased! (3, Informative)

fymidos (512362) | more than 8 years ago | (#13611425)

Everybody who has used internet explorer knows that it is not secure. They don't have to tell them that. They are talking to the people who (rightfully) think they are more secure with firefox, and they are trying to pass between the lines that you still need protection, no matter what browser you use, and anyway, changing the browser will not make you safe.
(but a good antivirus/antispam/antiinternet/antiusingyourcompute will)

Re:Symantec isint biased! (3, Insightful)

theJerk242 (778433) | more than 8 years ago | (#13611203)

Symantec biased? NEVER!!!

Slashdot and a majority of its readers biased? NEVER!!!!

Re:Symantec isint biased! (0, Troll)

dlichterman (868464) | more than 8 years ago | (#13611374)

I know why they say to use IE....'Cause that's where their CUSTOMER BASE is..... They don't have security stuff other than for winblows

1st Opera Post! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13611163)

See the speed?!?

WHERE IS YOUR SPEED NOW? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13611279)

You sir, are a complete failure.

mozilla vs M$ or (5, Insightful)

timeToy (643583) | more than 8 years ago | (#13611165)

Open-source Full disclosure vs Closed-source Please-wait-for-us-to-fix-the-vulnerability-before-publishing-it-else-we-sue

Re:mozilla vs M$ or (2, Informative)

Raistlin77 (754120) | more than 8 years ago | (#13611181)

Had you read the fucking article instead of trying to get first-somewhat-sensible post, you would have seen Mozilla admitted that they do try to keep vulnerabilities quiet until a patch can be found.

Re:mozilla vs M$ or (1)

TheCarlMau (850437) | more than 8 years ago | (#13611235)

This is a good thing. You don't want vulnerabilities seeping out as then someone can exploit them. If they remain quiet until a patch is out, there won't be a stage of 'fear and panic'.

Re:mozilla vs M$ or (1)

Raistlin77 (754120) | more than 8 years ago | (#13611260)

I wasn't saying that is a bad thing; I agree it is a good thing. However, I'd like to add that Mozilla does it for the right reasons while Microsoft does not, which I should have included in my reply.

Re:mozilla vs M$ or (1)

aussie_a (778472) | more than 8 years ago | (#13611305)

So Microsoft keeping vulnerabilities quiet is a good thing too? Or is it only good when Mozilla does it?

I'll get modded down for this (I'm thinking -1 Troll), but this is pathetic. As long as a company isn't Microsoft it can do no wrong according to you people. You're a zealot. [gpf-comics.com]

Re:mozilla vs M$ or (3, Insightful)

TheCarlMau (850437) | more than 8 years ago | (#13611354)

1) Yes
2) No

In my post, I never said whether it only applied to Mozilla or Microsoft. :-) I was talking in general - something that applies to most companies. I'm sorry if I gave the impression that it only applied to Mozilla.

Any software maker does not want to post details on how the vulnerability can be reproduced, as that's basically like waving a giant, red flag and yelling "come and get me"

Re:mozilla vs M$ or (4, Interesting)

n0-0p (325773) | more than 8 years ago | (#13611326)

The Mozilla security fixes always end up public eventually, whereas silent patching is a common practice for most software vendors (including MS). This occurs more often with internally discovered vulnerabilities of lower severity or by grouping a number of issues under a single umbrella.

It's hard to blame vendors for taking this route though. I've heard MS devs say that the best way to push a fix through these days is to label it as a security bug. I can only imagine what MS' track record would look like if all of those internal bug reports were made public.

With that in mind I expect that OSS will generally have more documented security issues than equivalent quality closed source software. It's just a side effect of a transparent development model. Well... mostly transparent, but I'm glad they hide the security bugs until they're patched.

first post (3, Insightful)

ronsta (815765) | more than 8 years ago | (#13611168)

no no no.

just because mozilla can react quicker to security flaws found in its browser, doesn't make Symantec's report that greater security flaws are being found in Firefox less valid.

it's a rarity to see ZDNet make that kind of mistake.

Re:first post (3, Interesting)

aussie_a (778472) | more than 8 years ago | (#13611236)

It does mean that given this particular moment, Firefox is more unsecure, however given their speedy patching time, in say one year, Firefox will be more secure. If you're after who's the most secure browser right at this particular second, then IE does appear to be the one. However if you care about long-term stability then Firefox is your browser.

Having said that, this is assuming Tristan Nitot isn't simply spreading FUD. I don't know how fast IE and Firefox do release their patches. I do know one thing, not as many people are taking advantage of Firefox's insecurities as are taking advantage of IE's. So at the moment, it's safer for me to use Firefox.

Re:first post (2, Insightful)

Overly Critical Guy (663429) | more than 8 years ago | (#13611309)

Quite true, but this is Slashdot, and whenever something Bad(tm) is posted about OSS, there needs to be a counterbalance posted later to make it Good(tm). Security flaws in Mozilla? Well, uh, they're patched faster! On with the frontpage article to make the Mozilla fans feel better again (and tons of page hits each time!). If there was an anti-Internet Explorer article, it wouldn't have a followup "Robert Scoble Hits Back At Browser Security Claim."

See my recent comment on this--How To Respond To Bad Mozilla Security News On /. [slashdot.org]

Re:first post (1)

n0-0p (325773) | more than 8 years ago | (#13611387)

That was actually only one of several points. They also brought up the severity of the vulnerabilities and transparent nature of OSS development among other things. Sorry, I would have clarified this sooner but I chose to read the article first.

Original Symantec Article (5, Informative)

NoInfo (247461) | more than 8 years ago | (#13611172)

The download for Symantec's actual report is here (registration required):
https://ses.symantec.com/Content/displaypdf.cfm?SSL=YES&PDFID=2124 [symantec.com]

But to save you some trouble, here's the excerpts about Mozilla:

Mozilla browsers have the most vulnerabilities

During the first half of 2005, 25 vendor confirmed vulnerabilities were disclosed for the Mozilla browsers,
the most of any browser. 18 of these were classified as high severity. During the same period, 13 vendor
confirmed vulnerabilities were disclosed for Microsoft Internet Explorer, eight of which were high severity.



  Mozilla browsers have the most vulnerabilities

The Web browser is a critical and ubiquitous application that has become a frequent target for
vulnerability researchers. In the past, the focus of security has been on the perimeter: servers, firewalls,
and other systems with external exposure. However, a notable shift has occurred, with client-side
systems--primarily end-user systems--becoming increasingly prominent targets of malicious activity.
More and more, Web browser vulnerabilities are becoming a preferred entry point into systems.
During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all
browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32
in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this
period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities
in the second half of 2004 and one in the first half of 2004.


During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were
disclosed. This is a decrease from the 31 documented in the second half of 2004. During the first half of
2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.
The average severity rating of the vulnerabilities associated with Internet Explorer during the first six
months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current
period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered
high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the
seven, or 57%, were rated high severity.


[...]

The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month
periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than
other vendors. This could be because the Mozilla browsers are open source and may be more responsive
to reports of new vulnerabilities and subsequently developing and delivering associated patches. For
instance, except in certain instances, Microsoft releases fixes on a relatively fixed schedule rather than
as needed, potentially increasing their acknowledgement time.

Re:Original Symantec Article (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13611213)

Symantec seem to have been fairly un-biased about this, they even go so far as to speculate on the reasons and give some possible benefit-of-the-doubt.

I've never thought Mozilla / Firefox would prove to have less bugs - but as a programmer I appreciate the difference between a flaw (a problem with the design) and a bug (a problem with the coding). So does Mozilla have more flaws or more bugs? I've never been bothered to check.

maybe IE has more (4, Interesting)

Coneasfast (690509) | more than 8 years ago | (#13611175)

maybe more vulnerabilities are found in mozilla because it is open-source

arguably, one could say this is better than in IE, where there may be some which are not known until some hacker exploits it.

Re:maybe IE has more (2, Insightful)

aussie_a (778472) | more than 8 years ago | (#13611264)

I had that same thought, but upon further consideration I decided against that reasoning.

Firefox being open-source does give the vendors more of a chance to find holes more easily. But it also gives the hackers that same chance. So yes, IE may have 1 million holes while Firefox has 1 thousand. Vendors find 25 holes in Firefox, and only find 13 holes in IE.

Hackers are just as likely to find more holes in Firefox, than they are in IE, despite the fact there's more in IE.

However this assumes hackers will spend as much time on the two browsers as the vendors did. It's quite possible the vendors spent equal time on the browsers, while the hackers are spending much more time on IE.

So the true number of security holes and the known number might be two quite different things. Who knows. I do know, though, that more viruses and spyware are being made for IE than they are for Firefox.

Re:maybe IE has more (2, Informative)

n0-0p (325773) | more than 8 years ago | (#13611413)

If you're trying to balance things evenly you also have to consider that IE 6 has undergone no significant development in the last four years. The only changes have been bugfixes and minor security adjustments, so arguably it should be extremely stable. Yet we've still seen a number of severe vulnerabilities over the last year in what should be a very mature (by software standards) product.

Re:maybe IE has more (5, Insightful)

muszek (882567) | more than 8 years ago | (#13611269)

until some hacker exploits it

not until someone exploits them, but until:
-- someone exploits it
-- it's discovered (it's not immediate, right?)
-- it finds its way to MS staff
-- it goes through the whole bureaucratic monster at MS all the way from a person who receives a bug report, through god knows how many decision makers to coders. (I guess that's not so quick)

Hackers have a lot of time to play around with those vulnerabilities...

Plus, I bet that in case of proprietary soft more (percentage wise) holes are discovered by those who are ill-minded (why in the world would you look for holes in IE? I don't know how does that look in FF's case, but I can imagine people looking for such stuff because they're doing a Good Thing).

Re:maybe IE has more (1)

aussie_a (778472) | more than 8 years ago | (#13611317)

If you're truly interested in whether or not Firefox is faster (rather than assuming) perhaps you could do a study of all reports from 2 years ago, how many were made, how many were ranked as very very serious, and how long until each was fixed. That would be much more useful and informative than this non-article (Symantec says Firefox is unsecure with facts and figures, Firefox comes back with refute with nothing but their word to back them up).

Or if you'd like to just keep spreading FUD, go on as you were.

Re:maybe IE has more (1)

TheCarlMau (850437) | more than 8 years ago | (#13611274)

On the flip side, it could work against Mozilla. An attacker has all the source code to find some hidden vulnerability and then not report it. In IEs case, at least exploits must be stumbled upon.

All in all, I think open source is still the way to go. If one attacker can find it, one contributor probably can too!

Re:maybe IE has more (2, Funny)

Hey, Retard... (915400) | more than 8 years ago | (#13611293)

...you couldn't be more right. What you just said might be the greatest epiphany in the history of software development. No, the history of modern times...No...Dare I say it? Yes! The history of the world!! Stop the hunt for this year's Nobel Prize winner in the field of the obviousness.

Re:maybe IE has more (0, Redundant)

Breakfast Pants (323698) | more than 8 years ago | (#13611356)

Usually a person's epiphany which is considered great, let alone greatest ever, is at least original. This has been a common talking point for closed source advocacy for... as long as there has been an ongoing argument.

Open source wins again (4, Insightful)

mind21_98 (18647) | more than 8 years ago | (#13611179)

When other people can see the code, problems are spotted more quickly. That's probably why Mozilla seems to have more problems than IE to them--the problems in Mozilla are spotted before they can be exploited, while IE's problems are noticed when exploits are made and used in the wild. That said, good job to the Mozilla team.

Re:Open source wins again (2, Interesting)

XAJIM (916303) | more than 8 years ago | (#13611219)

Do you have figures that back up your claim that Mozilla's problems aren't found in the wild? I'd be interested in looking at those statistics.

Re:Open source wins again (0)

Anonymous Coward | more than 8 years ago | (#13611266)

You can get a good look at a T-Bone by sticking your head up a bull's ass, but wouldn't you rather take the butcher's word for it?

Re:Open source wins again (1)

aussie_a (778472) | more than 8 years ago | (#13611334)

wouldn't you rather take the butcher's word for it?

A butcher is somewhat of an expert in the field (I know this because presumably I've been shopping from him for quite some time). The OP might or might not be an expert, but even if he does claim to be one, I have no way to know that for sure.

Re:Open source wins again (1)

weicco (645927) | more than 8 years ago | (#13611315)

But could that also mean that problems are exploited more quickly?

I mean with open source product you could just pick up the source code and look for problems and holes in it. After this you are ready to exploit whatever system uses that code.

With closed source you can't just look into the source, but you have to try blindly different kinds of situations and give different kinds of inputs to applications; look for problems in a more iterative and time-consuming way.

Just a couple of thoughts...

But was it... (0)

lohphat (521572) | more than 8 years ago | (#13611180)

"faster than a dog with no legs. If the dog's up to its waist in treacle. And dead." /you'd think DOJ lawyers could tell if a newsgroup posting was a forward or not //you'd be right if you guessed "not".

Not a dupe (1)

steelfood (895457) | more than 8 years ago | (#13611183)

This isn't a dupe, technically, but shouldn't this bit have gone with the dupe of the Symantec report below as an update or something? After all, someone posted the link in the comments to that (duped) story shortly after it appeared.

But if this is a dupe, what might it be called? A trupe? April-fools joke on a regular day?

Re:Not a dupe (2, Funny)

op12 (830015) | more than 8 years ago | (#13611204)

How about quadrupe [slashdot.org] ? ...Or maybe infinupe. Seriously, this is the 4th Firefox vs. IE story in 10 days...isn't that a bit excessive?

Re:Not a dupe (1)

steelfood (895457) | more than 8 years ago | (#13611307)

Well, the debate itself between whether FF or IE is more secure has been going on since forever. This Symantec article is the latest incarnation of that debate. It's sort of like the debate over whether Linux is ready for mainstream home use or not or how Google continues to grow; not a week goes by without at least one. But this one article pretty much has two entries (three including this one). At the least, if this had been included in or come in the form of an update to the dupe, it would at least lend legitimacy to the dupe. But a third one? And a rehash of a comment in the dupe at that?

Disappointed, to say the least, but maybe my surprise is unjustified.

Re:Not a dupe (1)

op12 (830015) | more than 8 years ago | (#13611336)

And a rehash of a comment in the dupe at that?

Duplicating the comment here would have been somewhat hypocritical/ironic, so I linked to it :)

It's mostly to prove a point, which is there is no point (to this story). As you suggest, this is an update, not a story.

Misleading numbers (5, Informative)

GXFragger (758649) | more than 8 years ago | (#13611186)

Symantec's report is also slanted because it uses vendor confirmed vulnerabilities rather than both confirmed and unconfirmed ones. This leads to misleading headlines and hurts Mozilla's reputation. I am surprised that Mozilla didn't say anything about that.

Oh, I could add a few more to the list (5, Insightful)

jd (1658) | more than 8 years ago | (#13611396)

First, who decides how critical a bug is? And how do they make that decision? The more wiggle-room there is, the easier it is to adjust the number of critical bugs in your favour and likewise in the opposite direction of competitors.


For that matter, who gets to decide what a bug is, rather than a "feature"? The DRM in the current version of the Acrobat format allows you to run embedded Javascript with no access controls. This is arguably an exploit, but Adobe would doubtless classify it as a feature, as it means you cannot circumvent DRM by turning the Javascript off.


Secondly, the numbers are not directly comparable, as Mozilla is standalone whereas IE is built into the OS. (This is important, as integration means that bugs that are strictly in the OS could be exploited through the web browser, without it being a web browser bug.)


Thirdly, there are deals over the reporting of security holes in software, whereby a report can be held back until a patch has been readied. This means that even "unconfirmed" (but reported) bugs by security vendors may be capped by the manufacturer. (Not always, even with those manufacturers who do this, but it does introduce uncertainty.)


Finally, Mozilla is cross-platform but bugs may not always be. Any buggy code that is OS-specific, for example, or any bug which relies on some OS-specific or library-specific bug in order to be exploitable, may only affect certain platforms as a result.


There is a second part to this one! It is also possible to have one bug that appears in multiple forms, but only one form per OS (due to OS-specific characteristics). Does it count as one bug or as many? (Remember, it still only takes one form in a given OS, but because of dependencies, changes in some way between different operating systems.)


Now, you can argue that many of the above are very hypothetical and do not apply in this specific study. Perhaps that is true, but the point is that unless you have rigorous controls on how you produce the statistics, the uncertainties are bound to be comparable to the number of incidents, making the statistics worthless.


And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".


Ideally, the security companies would produce sufficient additional information to demonstrate the confidence they have in the values produced as opposed to simply citing the numbers but not really backing them up with anything concrete.


Where uncertainty is required by the vendor, then publish a range or some other indicator of how many unpublishable but reported bugs are believed to exist. (Since there is no guarantee that the unpublishable data is circulated with security vendors, an accurate figure may not be producible at all.)
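
Added example, not part of the comment above or of the Symantec report: a check of how much plain counting noise sits behind the half-year figures quoted in the excerpt earlier in the thread (25 and 13 vendor-confirmed vulnerabilities, 18 and 8 of them rated high severity). Treating each count as a Poisson observation is an assumption made here, and it covers sampling noise only, none of the classification and reporting effects listed in the comment.

```python
import math

# Figures from the Symantec excerpt quoted in this thread (first half of 2005):
# browser -> (vendor-confirmed vulnerabilities, of which high severity)
COUNTS = {"Mozilla": (25, 18), "Internet Explorer": (13, 8)}


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam)."""
    term = total = math.exp(-lam)
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total


def _solve_rate(k, target):
    """Find lam with poisson_cdf(k, lam) == target (the CDF falls as lam grows)."""
    lo, hi = 0.0, 4.0 * k + 20.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if poisson_cdf(k, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def poisson_interval(k, conf=0.95):
    """Exact (Garwood) confidence interval for the rate behind one observed count k.

    Assumption (not from the page): disclosures in a period behave like a
    Poisson process, so a single count carries its own sampling noise.
    """
    alpha = 1.0 - conf
    lower = 0.0 if k == 0 else _solve_rate(k - 1, 1.0 - alpha / 2.0)
    upper = _solve_rate(k, alpha / 2.0)
    return lower, upper


def fisher_exact_two_sided(a, b, c, d):
    """Two-sided Fisher exact p-value for the 2x2 table [[a, b], [c, d]].

    Here: a, b = high / not-high severity for one browser,
          c, d = high / not-high severity for the other.
    """
    row1, row2, col1 = a + b, c + d, a + c
    denom = math.comb(row1 + row2, col1)

    def prob(x):
        return math.comb(row1, x) * math.comb(row2, col1 - x) / denom

    p_obs = prob(a)
    lo, hi = max(0, col1 - row2), min(row1, col1)
    # Sum every table that is no more likely than the observed one.
    return sum(p for p in (prob(x) for x in range(lo, hi + 1))
               if p <= p_obs * (1 + 1e-9))


def compare(counts=COUNTS):
    """Intervals for both totals and a test on the high-severity shares."""
    (m_total, m_high) = counts["Mozilla"]
    (i_total, i_high) = counts["Internet Explorer"]
    m_ci = poisson_interval(m_total)
    i_ci = poisson_interval(i_total)
    return {
        "mozilla_ci": m_ci,
        "ie_ci": i_ci,
        "count_intervals_overlap": m_ci[0] <= i_ci[1] and i_ci[0] <= m_ci[1],
        "high_share_p_value": fisher_exact_two_sided(
            m_high, m_total - m_high, i_high, i_total - i_high),
    }


if __name__ == "__main__":
    result = compare()
    for name, key in (("Mozilla", "mozilla_ci"), ("Internet Explorer", "ie_ci")):
        lo, hi = result[key]
        print(f"{name}: observed {COUNTS[name][0]}, 95% interval {lo:.1f} to {hi:.1f}")
    print("intervals overlap:", result["count_intervals_overlap"])
    print(f"72% vs 62% high severity, Fisher p = {result['high_share_p_value']:.3f}")
```
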

Allegory (-1, Offtopic)

ReformedExCon (897248) | more than 8 years ago | (#13611187)

When I was a little kid, I was a bully. I pushed other weak little kids around and took their lunch money. I'm not proud of that, but just saying.

I got older, and they got older. And when they started getting to be about the same size as me (I was big for my age in elementary school), they started fighting back. But they didn't fight back with fists and bats. They knew what they'd get if they tried that with me and my friends. Rather, they fought back with whining and posturing. They would take every little perceived slight to heart and try to come back with the cleverest, most hurtful response. But, you see, it didn't affect me, like water off a duck's back.

I wasn't in any competition with them. I was out of their league. I was so far ahead of them in smarts and brawn that I simply didn't have to mess with them anymore once out of middle school. The slights they perceived were of their own creation. Their inferiority complex (which I may have helped create) made them react like whiners instead of winners (and there's your soundbite for today).

WOULD SOMEBODY PLEASE MOD THAT FUCKTARD DOWN?! (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13611214)

Where's your Messiah now?!</quimby>

Re:Allegory (4, Informative)

Raistlin77 (754120) | more than 8 years ago | (#13611218)

Microsoft (the bully) is scared of Mozilla (the other weak little kids). If Microsoft was not scared of Mozilla, it would not bother trying to tarnish Mozilla's image by using its bully friends (Symantec).

Re:Allegory (1)

rtb61 (674572) | more than 8 years ago | (#13611294)

I wonder who is being bullied. I seem to remember Microsoft has bought a series of companies that compete with Symantec hmm. Do what we say or else. At the moment Symantec's only real hope for a long term future is Linux, perhaps they just don't believe they have a future in either direction and management are just doing what management does (covering their own arse first).

Re:Allegory (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13611234)

Jesus saved me from my past. He can save you as well

Sorry, he can't! The Torah (which Jesus himself followed) clearly says that for sins against man, you have to seek forgiveness from those you hurt (and make them whole!) personally. Saying "oopsie! I'm really, really, really, sorry Jesus! Now get me a good seat in Heaven" is a flawed, dangerous, and immature point of view.

Re:Allegory (0)

Anonymous Coward | more than 8 years ago | (#13611333)

Boy, you might be mentally retarded.

Truth is in the using (0)

Anonymous Coward | more than 8 years ago | (#13611197)

I've had far fewer problems since I switched to Mozilla/Firefox, period. It operates faster than IE and is more stable. The only problem I've had is getting Flash to install properly. Small price to pay. Any site that won't play right I switch to IE then immediately go back to Firefox.

There are no vulnerabilities in Firefox. Never! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13611198)

The vulnerabilities are committing suicide by the hundreds on the gates of Firefox. Be assured, Firefox is safe, protected.

It's all academic (5, Insightful)

dsci (658278) | more than 8 years ago | (#13611202)

IMO, all this bandying about with numbers is next to pointless. All I know is that in my experience:

1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.

2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed.

3. Now I use Linux exclusively (unless doing work on a client's computer on their behalf), and I sure am not using IE.

On the one hand, it's nice to see Moz hitting back with the PR. But, I wonder if this will ultimately hurt migration away from IE. That is, I can just about hear folks saying "MS says one thing, Mozilla says another...who to believe?"

To the non-techie, MS is a known quantity and The Mozilla Foundation is not (I'm thinking along similar lines to name-recognition at the polls). At the very least, an I-say, they-say approach seems to muddle the issue more than clarify it for those not willing to do their own research.

Re:It's all academic (0)

Anonymous Coward | more than 8 years ago | (#13611267)

1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.

This is a quite common sentiment on Slashdot, but I don't get it. I've been using IE for years and have never had a problem. It's not like every site on the web attempts to exploit browser vulnerabilities. Where are all these web sites?

yea mod that up (0)

Anonymous Coward | more than 8 years ago | (#13611321)

Same here. I've been using browsers for over 10 years and I can say I've never been "infected" with anything by going to a website.

My diagnosis on Mr Wazoo infection is: user probably doesn't know the difference between IE and the Explorer.

I guess there's just no patch for dumbass.

Re:It's all academic (0)

Anonymous Coward | more than 8 years ago | (#13611337)

"Where are all these web sites?"

Porn and warez. Not that I would know anything about those...

Re:It's all academic (2, Insightful)

aussie_a (778472) | more than 8 years ago | (#13611346)

When was the last time you ran an adware scan and a virus scan? You may have no problems you've detected, but it's quite possible that you've been exploited quite a bit.

It's also possible you've got a more secure system. Are you using a router? Hardware firewall? A software one besides the Windows XP one? Many people run Windows XP with no security except what comes with it (which is why it has a Firewall since SP2, regardless of how bad or good it is, it's better than nothing) and a virus scanner (occasionally an adware scanner as well). These differences may be why you have a much more secure system despite using IE.

Or it could be you surf only a very few, very trustworthy websites, while other people here aren't as discriminating. In that instance, it is better to use something other than IE.

Re:It's all academic (1)

dsci (658278) | more than 8 years ago | (#13611426)

When was the last time you ran an adware scan and a virus scan? You may have no problems you've detected, but it's quite possible that you've been exploited quite a bit.

Not infected means not infected. Period.

It's also possible you've got a more secure system.

That's why I pointed out nothing else changed besides switching browsers.

It's anecdotal of course, but it is my own, direct experience.

Re:It's all academic (2, Interesting)

laughingcoyote (762272) | more than 8 years ago | (#13611273)

"The Mozilla Foundation" might not be a well-known quantity outside of tech circles, but "Firefox" most certainly is.

As to the rest...it might be anecdotal, but I've certainly not heard -one- person yet complain of MORE infections after installing Firefox, always the opposite. The proof's in use, and in that, Firefox beats IE every time.

Symantec forgot one critical detail... (3, Insightful)

Chrontius (654879) | more than 8 years ago | (#13611206)

the time-to-patch, how long it takes between the discovery of a vulnerability and its repair. Frequently with Microshaft, this can be weeks. Maybe months, even. With Mozilla, I keep seeing the patch on either the same day or the next day.

Re:Symantec forgot one critical detail... (0)

Anonymous Coward | more than 8 years ago | (#13611276)

With Mozilla, I keep seeing the patch on either the same day or the next day.

Yeah, for the workaround, but where's Firefox 1.0.7? The amount of time they're taking with it, you'd think they were actually regression-testing this one ;)

Re:Symantec forgot one critical detail... (2, Informative)

aussie_a (778472) | more than 8 years ago | (#13611360)

Are you deliberately spreading FUD? Firefox 1.0.7 is right here. [mozilla.org] (if you were going for funny, I don't see the joke)

They've been building 1.5 (Deer Park) for at least one or two months. I'm assuming they finished working on 1.0.7 before they began work on 1.5, so 1.7 isn't exactly new.

Re:Symantec forgot one critical detail... (0)

Anonymous Coward | more than 8 years ago | (#13611422)

They've been building 1.5 (Deer Park) for at least one or two months. I'm assuming they finished working on 1.0.7 before they began work on 1.5, so 1.7 isn't exactly new.

1.0.7 is a security fix for a recently discovered vulnerability or two on the 1.0 branch, whereas 1.5 is the next "major" release Mozilla Foundation are working to. Don't let the numbering system confuse you, the one does not precede the other.

Thanks for the link though. I wasn't aware 1.0.7 en-US version was out, the official build in my language should be just around the corner :)

Re:Symantec forgot one critical detail... (1)

aussie_a (778472) | more than 8 years ago | (#13611283)

Well done, you just restated the point made in THIS ARTICLE. It may have been a valid point if, you know, you had posted it in one of the previous stories on this subject.

Were you trying to make a point? Or just looking for mod points (as of posting this the parent is at +2 Insightful).

Re:Symantec forgot one critical detail... (1)

Chrontius (654879) | more than 8 years ago | (#13611311)

It's one fifteen A.M. Cut me some slack, it sure sounded insightful at the time.

Mozilla is a disaster waiting to happen (0, Interesting)

Anonymous Coward | more than 8 years ago | (#13611220)

Mozilla is a disaster waiting to happen. It's that simple. A large portion of the browser is written in JavaScript. In fact, the browser's UI JavaScript can actually call JavaScript functions located in an HTML page.

Eventually someone is going to figure out how to reverse the process and call "chrome" JavaScript from "non-chrome" JavaScript, and then it's all over. Since JavaScript can access literally anything in Mozilla, you've got a nice cross-platform vulnerability waiting to happen.

Extensions are proof enough of this. Yes, extensions can add a lot of functionality - but there really isn't that much difference between an extension and a web page.

Internet Explorer may be a security joke now, but if Mozilla ever gains any popularity, it'll be an even bigger joke than Internet Explorer. It's a disaster waiting to happen.

The Symantec report is proof that this is starting to happen. If you want to use a secure browser, they're [opera.com] out [apple.com] there [konqueror.org], but Mozilla most certainly ISN'T one.

Re:Mozilla is a disaster waiting to happen (0)

Anonymous Coward | more than 8 years ago | (#13611335)

alert( 'You learn something every day' );

Seriously, I did not know that.

Re:Mozilla is a disaster waiting to happen (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13611404)

"Insert product here" is a disaster waiting to happen. It's that simple. A large portion of the program is written in executable code. Eventually someone is going to figure out how to reverse the process and call executable code from non-executable data and then it's all over. (*cough* any executable buffer overflow in any program that loads data ever)

Re:Mozilla is a disaster waiting to happen (3, Informative)

CTho9305 (264265) | more than 8 years ago | (#13611406)

Ummm... are you aware of what exactly was changed for Firefox 1.0.3 that broke extensions? Someone did find ways to do basically what you were saying, and it was all addressed. Big architectural changes were made to address the problem, making Mozilla significantly more secure.

Credibility (2, Interesting)

RandomPrecision (911416) | more than 8 years ago | (#13611222)

Symantec programs try to block Trillian every time I used my internet security suite and instant messenger at the same time. Of course, I gave up Symantec. Additionally, I wish I would have taken a screenshot when it tried to block the command-line ftp program. I also conjecture that they have some bias in favor of IE, since my default browser is set to Firefox, but webpages launched from Symantec anti-virus programs always launch in Internet Explorer anyway. That being said, I'm no expert in internet security, but when I used IE, I very rarely had the opportunity to close it myself - it was always ended by an illegal operation, and I often had my homepage hijacked and search bars added. Neither has ever happened to me since I switched to Firefox. While that doesn't necessarily prove anything, I feel that Firefox is more secure.

It did not take too long. (1)

DeckerDel (914516) | more than 8 years ago | (#13611224)

or did it, I mean to say.. It did not take ohh whatever! who cares as long as I don't have to tell people to start using IE!

I feel safe swimming in Firefox pool for a reason. (1)

Maxhrk (680390) | more than 8 years ago | (#13611240)

I don't care about which browser has the most vulnerabilities. I only care when it comes down to which browser has the most infections. So if Firefox has far fewer infections, then I favour it over Internet Explorer anytime.

I don't know whether what I make are valid points, but it has to be said because I hate spyware in IE anyway... My common belief is that Internet Explorer should be separated from the OS, otherwise it remains untouchable. So that is the reason why I browse with Firefox rather than use Internet Explorer. (Imagine a pop-up showing up while I search the files on my hard drive!)

The interesting questions (4, Interesting)

tmk (712144) | more than 8 years ago | (#13611248)

Do you know someone who has got compromised through Firefox vulnerabilities?

Does Symantec know customers who did?

Is Ed Gibson a Firefox user? [zdnet.co.uk]

Re:The interesting questions (1)

SnowZero (92219) | more than 8 years ago | (#13611348)

Does Symantec know customers who did?

Of course not, as that would be admitting their products aren't perfect.

Hitting back... with patches! (1)

strredwolf (532) | more than 8 years ago | (#13611252)

Symantec may be right in saying "Mozilla gets more critical holes reported," but it forgets that Mozilla is open source, and that the bug reporters can send in a patch to Mozilla.

So, Symantec? How many critical holes are there, that are reported to Mozilla are fully ID'ed down to the lines of source code and have patches to fix them? Mozilla is right in this regard: Being open source means you get a faster response time, as the folks who are finding out about these bugs can (and probably are) the ones that are fixing them.

Research... Reporting... (5, Insightful)

Wannabe Code Monkey (638617) | more than 8 years ago | (#13611253)

Don't reporters do research any more? This article does nothing more than parrot what Mozilla has to say about the matter. I wonder if it would be possible for a company to completely forgo a PR department and just use the news media directly.

This was zdnet's first article on the recent situation, "Symantec: Mozilla browsers more vulnerable than IE". Basically, "This is what Symantec said about Mozilla". And now this article is titled, "Mozilla hits back at browser security claim". Which translates to "This is what Mozilla said back".

You could probably just take a few +5 rated comments from the first slashdot discussion about this and come up with a better article... In fact that might be a good business plan: write a script to automatically grab the highest rated comments from each story, splice them together into an article and then put on a website as original content, <msb>your articles might even be posted back to slashdot from time to time</msb>.

(msb = mandatory slashdot bashing).

Ability to respond (1)

Noose For A Neck (610324) | more than 8 years ago | (#13611256)

I can't imagine it takes the Mozilla team that long to select the "Confidential" classification for critical security vulnerabilities submitted to Bugzilla and hit 'Enter'.

Who let the dogs out? (2, Insightful)

vrv1 (867214) | more than 8 years ago | (#13611278)

"Which would you prefer, to have a broken finger, or your head ripped off?"

Seriously, guys who make these kind of comparisons shouldn't be let out of the room; just stay inside and code. And let others do PR work.

And... (1)

NcF (847200) | more than 8 years ago | (#13611282)

And Firefox is in version 1.0.6 and IE is in version 6.x... Need I elaborate on this subject? :roll:

Bias again.. (3, Insightful)

ShaolinTiger (798138) | more than 8 years ago | (#13611288)

Oh well, Symantec of course, riding on the proprietary platform of Microsloth is going to be biased.

There are many ways you can look at this..

In 2005, IE has already been around for YEARS, if you follow that perspective, it should have many less flaws...But that's not the case.

You could say FireFox is newer, so of course more flaws are expected, you could also say they should have learned from IE's mistakes, and avoided those pitfalls.

You can also say Firefox is open source, people who find the flaws don't have malicious intent, they are trying to improve the software and make it a viable option in the real world..

Those who find flaws in IE usually do it for fun and profit, spyware spam porn diallers etc, all strapped into the world of IE..there are XX number of unknown exploits in IE due to the closed source, and they are probably being exploited right now, case in point is Microsoft's new Honeymonkey project discovered one in the first couple of days..

The article is basically a press release from Mozilla, but still, it's just numbers, numbers can be pulled from any generic poopshoot and manipulated any way they want.

What happened to real journalism? (5, Insightful)

Secret Rabbit (914973) | more than 8 years ago | (#13611300)

"""The study was conducted over the first six months of 2005."""

When did the litmus test for long term security become the short term?

""" by claiming """
"""Nitot said that Mozilla's reaction"""
"""according to Nitot."""
"""He also argued that ... the Microsoft vulnerabilities were more critical,"""

All these quotes are from the article and in a place where they implicitly put into question what Mr. Nitot is trying to say.

But, when Mr. Whitehouse speaks even "IE is closed source, and so it's more difficult to access the code." Which implicitly says that closed source is more secure (security through obscurity - provably false). This "journalist" doesn't call him on it.

And this "journalist" continues to let this guy speak implicitly calling into question the security of and wisdom of using Firefox without making him justify the claims.

So, all in all, we have Mr. Nitot arguing a point and bringing facts to the table that support his claims and Mr. Whitehouse bringing implications and conjecture almost completely unsupported. Also, in the middle is this "journalist" who phrases things in a way that supports Mr. Whitehouse.

What happened to all the real journalists? You know, the ones that get as close to unbiased reporting as possible; the ones that report only facts leaving out editorials marked as fact.

*sigh*

A better response... (2, Interesting)

fbg111 (529550) | more than 8 years ago | (#13611308)

... would be that of course more vulnerabilities were found for Mozilla, it's several years younger than IE. How many exploits were being found (announced or not) when IE was at roughly the same maturity? He could also go into Open Source vs. proprietary, but that's already been covered by other posters...

Responsiveness is irrelevant (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13611313)

The big issue is that 99% of all users never update their software, so they won't have their system patched against the spl0itz.

Thus, the system that is best protected is the one that has fewer critical vulnerabilities, not the one that gets patched soonest. What good is a quick patch when exploits usually don't occur until the patch comes out anyway!

I can make sure that I patch my own system as soon as possible, but what about my mother? I can easily just turn on auto-update in Windows and know that she is always within a few days of having the latest patches. I just did an auto-update of FireFox yesterday, and it wanted me to close windows, blah, blah, blah. It needs to happen when the software is NOT running, not when you start it up!

dom

The reason why... (0)

Anonymous Coward | more than 8 years ago | (#13611323)

Microsoft has less (this year) is because they've gone through 6 versions. Someone oughta write a report of all of the IE bugs, and then compare it to Firefox.

the comparison is simple (1)

ChipMonk (711367) | more than 8 years ago | (#13611325)

On average, for the first 182 days of 2005:

How many security alerts were open for Microsoft Internet Explorer?

What was the average severity of those alerts?

How many security alerts were open for Mozilla Firefox?

What was the average severity of those alerts?

The less severe the alert, and the faster it is resolved, the better the support behind the browser. It's that simple.

Symantec has no credibility on software issues (5, Informative)

grnchile (305671) | more than 8 years ago | (#13611331)

Symantec is the (proud?) publisher of the absolutely worst piece of software that I've ever used: WinFAX Pro 10.2. Not only did every major mode fail to work in some way, but it disabled my phone system for days after it was installed on a machine on my network. This software was so flawed that it convinced me to abandon the Windows platform altogether.

Earlier this evening I was cleaning up a friend's Windows 2000 machine. After removing a collection of obsolete software, TCP/IP no longer worked. The culprit: Symantec Antivirus. It had left invalid service dependencies in the registry. I had to remove them by hand.

Symantec can't even understand their own software, much less someone else's. Even ignoring the obvious corporate bias, I have no faith that they can begin to understand the actual severity of defects in either IE or Firefox. It would be far better to ask "how many machines have been compromised by this fault?" than to present simple defect counts.

Symantec's so-called "findings" are irrelevant (1)

matt72186 (894876) | more than 8 years ago | (#13611366)

This data doesn't seem like a relevant comparison considering IE has been considered a full version for years now, and Firefox has only recently hit 1.0.

I call shenanigans (1)

TheCabal (215908) | more than 8 years ago | (#13611368)

Never mind the trash can fire over there, look at this shiny object!

I call shenanigans on Mozilla, and I'm not falling for their sleight-of-hand bullshit. They get patches in users' hands faster? Whoop de freaking do. Whatever happened to Mozilla writing superior code? The "tens of thousands of eyes makes flaws shallow"? Microsoft isn't innocent, but shame on Mozilla for stooping to the same tactics.

OPERA v8.5 (1)

cpangelich (843650) | more than 8 years ago | (#13611389)

The OPERA [opera.com] browser is now freeware. No advertisements, no nag screens.

Security by obscurity?

MOD PARENT DOWN! OFFTOPIC (0)

Anonymous Coward | more than 8 years ago | (#13611418)

Yeah but who gives a shit? Opera sucks monkey balls.

Real world example vis Symantec vs. Mozilla (5, Interesting)

Anonymous Coward | more than 8 years ago | (#13611390)

I volunteer to fix PCs for a group of teachers in the US. I am not part of their official school board sanctified tech support crew (because those guys are snowed under).

The group of teachers were given Compaq and Dell laptops a few years back... and encouraged to use them at school and at home to help them in their work.

The schools gave them Symantec free subscriptions for a year... and Windows 98.

Over this summer I have fixed five of those PCs... a lot of hours in total. They were finally slowing to a halt (it is like a plague really finally hit those old Windows 98 machines) but the hardware was still going strong for what they needed. They were hijacked, malwared, and spywared to bits.

None of those teachers had bothered to upgrade their PCs via Microsoft Update ever as they did not know they had to (all of those laptops needed an update as far back as 2001 from MS), none of the teachers were going to shell out any money personally to keep their Symantec subscription up to date, and none of them had any time to learn how to protect their machines.

Why? Because they are too frigging busy doing other things!

But they were pissed that their machines were hosed and all they used them to do was write out lesson plans on MS Word and surf the net.

I did the usual Microsoft Update (and update and restart and update), Ad-Aware install and scan, Spybot install, schedule and scan, Spyware Blaster install, uninstall Symantec, install AVG-free, schedule and scan, remove IE shortcut from the desktop, install Firefox with a shortcut on the desktop pointing to it as the "new" IE, and give a quick tutorial (with a printout) to them when they came around to pick their machines up.

A few months later after the start of the school year and no call-backs. None.

Symantec + IE vs. AVG/Spybot/Ad-Aware + Firefox? No contest.

In my mind, and the minds of the users I helped, Symantec is part of the problem.

They never got five subscriptions from those users and they never will.

Symantec are like a bunch of gangsters selling "protection". They need their own series on HBO!