The Active Network
Symantec: 'There is no safe browser'
Time: 11:10 EST/16:10 GMT | News Source: InfoWorld | Posted By: Andre Da Costa

Hackers are hitting paydirt in their search for browser bugs. According to Symantec's twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla's open-source browsers and 38 bugs in Internet Explorer (IE) during the first six months of this year. That's up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months.


Displaying 1 through 25 of 340
#1 By 7754 (216.160.8.41) at 9/25/2006 11:40:57 AM
The IE7-on-Vista sandboxing can't come soon enough....

#2 By 3653 (68.52.143.149) at 9/25/2006 1:11:50 PM
microsoft obviously has symantec in their back pocket, and probably even paid for this research that makes IE look more secure than Firefox.

oh wait...

#3 By 2960 (68.101.39.180) at 9/25/2006 1:16:01 PM
Heeeere's NotParkker!

:)

TL

#4 By 15406 (216.191.227.68) at 9/25/2006 2:14:18 PM
Symantec is right in that no browser is 'safe', whatever your definition of 'safe' is. However, total vulnerabilities are only 1/3 of the story. Incident severity and window of exposure (pun intended) combined with total incidents give much more meaningful context.

#5 By 52115 (66.181.69.250) at 9/25/2006 2:20:32 PM
And this is why I use Opera:

"Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period."

#6 By 13030 (198.22.121.110) at 9/25/2006 2:51:43 PM
Symantec has business reasons to spread FUD about browser insecurity--they sell a security solution. (And a cruddy one at that.) The most important point in the article is the proper configuration of your browser.

Here's an interesting way to look at the security issue: days of vulnerability. Take the average time it takes to issue a patch and multiply it by the number of bugs for the first half of the year. Using numbers from the article gives us:

IE      9 * 38 = 342
Firefox 1 * 47 = 47
Opera   2 * 7  = 14
Safari  5 * 12 = 60

Factoring this by severity level could prove interesting as well...

#7 By 32132 (142.32.208.238) at 9/25/2006 6:42:27 PM
1) Mozilla keeps its bug database pretty secret. After 4-5 months you can look at a security hole and sometimes you find out that the bug was around for a long time.

For example:

5 months - http://www.mozilla.org/security/announce/2006/mfsa2006-10.html
5 months - http://www.mozilla.org/security/announce/2006/mfsa2006-14.html


What happens is that Mozilla announces the bug and the fix on the same day and hopes no one snoops around too much.

#8 By 15406 (24.43.125.29) at 9/25/2006 7:14:41 PM
#7: You're so dense it's funny. Those two bugs you posted were fixed in v1.5.0.0 a looong time ago. I guess you're not too picky when you're grasping at straws eh?

#9 By 32132 (142.32.208.238) at 9/25/2006 7:49:01 PM
The bug was entered in Bugzilla October 7, 2005.

The patch was released April 13th, 2006.

(I know 1.5 seems a million years ago. But it was only April)


Another example:

Dec, 11 2005: Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=319858
April 21, 2006 Patch: http://www.mozilla.org/security/announce/2006/mfsa2006-21.html

Most of the patches I look at have old bugzilla entries. Months old before the patch comes out.

This post was edited by NotParker on Monday, September 25, 2006 at 19:54.

#10 By 32132 (64.180.219.241) at 9/25/2006 10:44:28 PM
Feb 13, 2005: Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=282105
Apr 13, 2006: Patch: http://www.mozilla.org/security/announce/2006/mfsa2006-20.html

That's only 10 months. 300 days.


#6 Can you redo your math, ch, to include 10 months for this one, and 5 months for a couple of others? Can you actually find one patched within a few days of the bugzilla entry?

How about:

Jan 27, 2006: Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=324918
Jun 1, 2006: Patch: http://www.mozilla.org/security/announce/2006/mfsa2006-32.html

150-160 days?

This post was edited by NotParker on Monday, September 25, 2006 at 22:47.

#11 By 32132 (64.180.219.241) at 9/25/2006 10:51:17 PM
ch, if you claim there are 47 bugs with an average of 1 day to patch, and I've found of those 47 I looked at a few to come up with over 800 days ... doesn't that demolish the claim of an average of 1 day to patch?

And I could find more I'm sure, but most are still embargoed:

https://bugzilla.mozilla.org/show_bug.cgi?id=340727

You are not authorized to access bug #340727. To see this bug, you must first log in to an account with the appropriate permissions.

#12 By 3653 (68.52.143.149) at 9/26/2006 8:41:59 AM
ch and latch, are you pretending not to revisit this page?

;-)

#13 By 12071 (124.168.25.204) at 9/26/2006 10:27:28 AM
Wow... Security vendor comes out and says their products are still necessary! What's next? Microsoft paying for a study to tell us that Windows is cheaper than the competition? :)

#9, #10 and #11 Parkkker!!! I have just two questions for you. They're very simple so you should be able to get back to us with an answer REALLY quickly! I'll even type them out using simple words so you don't get confused, ready?

1) Can you please provide a link to Microsoft's bug tracker so that we can compare the information in that vs Bugzilla? Please note that if you cannot provide this link then you will have to concede the point that you have absolutely no idea how long it really takes Microsoft to get off their ass to fix their security holes.

2) Why is it that you didn't go to the same effort to reveal how long it really takes Microsoft to produce patches? It would have been fairly easy to do so, here I'll help you out with a few links from eEye:

210 days - http://research.eeye.com/html/advisories/published/AD20060509b.html
210 days - http://research.eeye.com/html/advisories/published/AD20060509a.html
120 days - http://research.eeye.com/html/advisories/published/AD20060214.html
163 days - http://research.eeye.com/html/advisories/published/AD20060110.html
204 days - http://research.eeye.com/html/advisories/published/AD20051213.html
224 days - http://research.eeye.com/html/advisories/published/AD20051108b.html
68 days - http://research.eeye.com/html/advisories/published/AD20051108a.html
154 days - http://research.eeye.com/html/advisories/published/AD20051011a.html
95 days - http://research.eeye.com/html/advisories/published/AD20051011b.html
69 days - http://research.eeye.com/html/advisories/published/AD20051011c.html
90 days - http://research.eeye.com/html/advisories/published/AD20050614.html
190 days - http://research.eeye.com/html/advisories/published/AD20050208.html
57 days - http://research.eeye.com/html/advisories/published/AD20050111.html
71 days - http://research.eeye.com/html/advisories/published/AD20041012A.html
208 days - http://research.eeye.com/html/advisories/published/AD20041012.html
216 days - http://research.eeye.com/html/advisories/published/AD20040413A.html
216 days - http://research.eeye.com/html/advisories/published/AD20040413B.html
188 days - http://research.eeye.com/html/advisories/published/AD20040413C.html
144 days - http://research.eeye.com/html/advisories/published/AD20040413D.html
64 days - http://research.eeye.com/html/advisories/published/AD20040413E.html
164 days - http://research.eeye.com/html/advisories/published/AD20040413F.html
...

and all of that is just from a SINGLE security vendor!

#12 Didn't you have a big whinge just a few days ago when someone else posted 3 comments in a row? I guess it's ok in this case :) Feel free to answer Parkkker's questions for us if you like!

#14 By 15406 (216.191.227.68) at 9/26/2006 10:28:32 AM
#9-11: Who to believe, Symantec or Parkkker? Hmm, I'll have to think on that one.

#15 By 13030 (198.22.121.110) at 9/26/2006 10:47:32 AM
#7, 9, 10 and(!) 11: Those weren't my numbers for fixes and average days until a fix was released; they came from the article. (You did read the article, right?) I just thought a "days of vulnerability" calculation using the article's numbers was interesting.

#13: Good points. We need a link to the MS bug tracker so we can do our own comparison with bugzilla.

#12: I don't waste time on MS zealots after hours. (Although, NotParker seems to have plenty of time during the night to research stuff...)

#16 By 32132 (64.180.219.241) at 9/26/2006 10:55:48 AM
#13 Nice try Kris, but I'd produce a longer list if I could.

But Firefox keeps most of their bugs secret.

Until months later when we find out it was 300 days for a fix. Which is a lot longer than the ones you came up with for IE.

This post was edited by NotParker on Tuesday, September 26, 2006 at 10:56.

#17 By 8556 (12.217.111.92) at 9/26/2006 10:56:25 AM
Green Border Pro puts IE6 in a sandbox where any infections are virtualized. I have tested it on very nasty sites. Green Border works perfectly. I now use it to surf often and always when I travel. Even unpatched IE6 will not infect your actual machine with Green Border running.

#18 By 15406 (216.191.227.68) at 9/26/2006 3:16:29 PM
#16: Ha, the best you can do is to show old bugs that have already been fixed. Well, just take ch up on his most recent offer. Show us the public MS bug database and we'll all compare things ok? Just let us know when you're ready. We'll be waiting.

#19 By 32132 (142.32.208.238) at 9/26/2006 4:51:24 PM
"Ha, the best you can do is to show old bugs that have already been fixed"

And they all took a long time to fix. Some as long as 300 days.

"Show us the public MS bug database"

Show us all the Firefox bugs. The "embargoed" ones. Then I'll tell you how long all the Firefox bugs took to fix.

This post was edited by NotParker on Tuesday, September 26, 2006 at 16:53.

#20 By 12071 (203.185.215.144) at 9/26/2006 10:08:49 PM
#16 Awww come on... they were such simple questions too!! And you're stumped for a response!

"But Firefox keeps most of their bugs secret."
And Microsoft keeps ALL their bugs secret - unless of course you can answer question #1 for us.

"Which is a lot longer than the ones you came up with for IE."
That's the beauty of keeping ALL your bugs a secret - it makes it difficult to compare apples to apples hey! It's a good thing that eEye provide us with SOME information at least so that we can see that the vast majority of bugs take 8 months to fix.

Can any of the other Microsoft zealots help Parkkker out? mooresa56? lketchum (I know you have at least 12 paragraphs in you)?

#21 By 32132 (64.180.219.241) at 9/26/2006 10:50:09 PM
#20 Poor Kris. Forced into admitting that Firefox isn't "open" at all.

Come on Kris, when you get Firefox to open up and quit acting so embarrassed about the huge number of security holes they've had this year, we can have this discussion.

I love pointing out the hypocrisy of a so-called open source software organization admitting there is a huge danger in opening up their bug reports to hackers.

Could it be they secretly yearn for the proprietary methods of making it harder for hackers to know what bugs are in their software.

I think the answer is an unequivocal YES!

This is almost as much fun as pointing out that Apache's lead over IIS is only because of parked unused domains!

This post was edited by NotParker on Tuesday, September 26, 2006 at 22:51.

#22 By 12071 (203.185.215.144) at 9/27/2006 12:24:24 AM
#22 See, once again your illiteracy has let you down!

"Come on Kris, when you get Firefox to open up and quit acting so embarrassed about the huge number of security holes they've had this year, we can have this discussion."
I have never ever in my life cared about the number of bugs that any application has. That number is purely irrelevant UNLESS you take three additional metrics (and blend them together):
1) Severity - I'll take 100 low bugs over a single remote exploit
2) Time to patch - Multiply this by Severity
3) Impact - How easy is this bug to exploit? A remote exploit that can be placed on a web page with no user intervention is infinitely worse than an exploit which requires a lot of user intervention.

If I've lost you anywhere here, let me know and I'll try to spell it out for you. I figure the sooner you step outside the box and understand that there's a lot more to consider than the number of bugs you will be one step closer to understanding security.

Firefox is completely open... even someone as completely clueless as yourself can download the full source code to it and do with it as you please. Even the bug tracker is completely open so that even someone as completely clueless as yourself can post a potential bug in the system for others to follow up on. I'm sorry if someone as completely clueless as yourself cannot get access to those bug reports which have had the minimal amount of security put on them to keep completely clueless people like yourself away. If it was up to me, I'd even let completely clueless people like yourself have access to them - I believe in full disclosure. But given that Microsoft believes in absolutely no disclosure whatsoever and then has completely clueless people like yourself spreading propaganda - I'm not surprised in the least bit that completely clueless people like yourself are kept away from certain bug reports. The not so completely clueless people do have access to those same reports.

For now though, let's just agree that you cannot answer my very simple questions because you are completely clueless. Come back when you have something of substance champ!
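The thread argues over two ways of measuring exposure: comment #6's "days of vulnerability" (average days to patch times bug count, using the article's figures) and comment #22's point that severity and time to patch have to be blended rather than counting bugs. The script below is an added example, not code from the thread or from any of the posters, that computes both over the numbers actually posted here: the per-browser figures from #6 and the Bugzilla-entry and advisory dates from #9 and #10. The severity labels on the sample bugs and the severity weights are assumed values for illustration; the page gives neither. It also shows why an "average times count" estimate can sit far from a handful of real per-bug windows, which is the substance of the #6 versus #10/#11 exchange.

```python
from datetime import date
from statistics import mean, median

# Per-browser figures as relayed from the article in comment #6:
# (average days to issue a patch, bugs found in the first half of 2006).
ARTICLE_FIGURES = {
    "IE": (9, 38),
    "Firefox": (1, 47),
    "Opera": (2, 7),
    "Safari": (5, 12),
}

# Bug lifetimes posted in comments #9 and #10: Bugzilla entry date and the
# date of the advisory that fixed the bug. The severity labels are CONSTRUCTED
# sample values for illustration only; the thread does not give them.
SAMPLE_BUGS = [
    {"id": "mfsa2006-10", "opened": date(2005, 10, 7), "patched": date(2006, 4, 13), "severity": "high"},
    {"id": "mfsa2006-21", "opened": date(2005, 12, 11), "patched": date(2006, 4, 21), "severity": "medium"},
    {"id": "mfsa2006-20", "opened": date(2005, 2, 13), "patched": date(2006, 4, 13), "severity": "high"},
    {"id": "mfsa2006-32", "opened": date(2006, 1, 27), "patched": date(2006, 6, 1), "severity": "low"},
]

# Assumed weights for comment #22's "severity x time to patch" blend (not from the page).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}


def days_of_vulnerability(figures=ARTICLE_FIGURES):
    """Comment #6's estimate: average days-to-patch multiplied by bug count, per browser."""
    return {name: avg_days * count for name, (avg_days, count) in figures.items()}


def exposure_window(bug):
    """Days between the bug being filed and the advisory that fixed it."""
    return (bug["patched"] - bug["opened"]).days


def exposure_summary(bugs=SAMPLE_BUGS):
    """Distribution of per-bug windows: the tail that an average alone hides."""
    windows = [exposure_window(b) for b in bugs]
    return {
        "total_days": sum(windows),
        "mean_days": mean(windows),
        "median_days": median(windows),
        "max_days": max(windows),
    }


def weighted_exposure(bugs=SAMPLE_BUGS, weights=SEVERITY_WEIGHT):
    """Comment #22's blend: each bug's open window scaled by its severity weight."""
    return sum(exposure_window(b) * weights[b["severity"]] for b in bugs)


def compare_with_average(avg_days, count, bugs=SAMPLE_BUGS):
    """Put the 'average x count' estimate next to the days contributed by a sample
    of real windows, so the reader can see whether the sample alone exceeds it."""
    estimate = avg_days * count
    sampled = sum(exposure_window(b) for b in bugs)
    return {
        "estimate_days": estimate,
        "sampled_days": sampled,
        "sample_size": len(bugs),
        "sample_exceeds_estimate": sampled > estimate,
    }


if __name__ == "__main__":
    print("days of vulnerability (#6):", days_of_vulnerability())
    print("sampled windows (#9, #10):", exposure_summary())
    print("severity-weighted exposure (#22):", weighted_exposure())
    print("Firefox estimate vs sample:", compare_with_average(*ARTICLE_FIGURES["Firefox"]))
```

The windows are computed from the dates exactly as posted, so they will not match every rounded "10 months" or "150-160 days" figure in the thread; that is the point of computing them rather than eyeballing them. Swapping in real severity ratings and a real sample of advisories is what a defender would do before trusting any single summary number.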

#23 By 3653 (68.52.143.149) at 9/27/2006 1:26:43 AM
2005 - "firefox has less bugs than IE"
2006 - "IE has less bugs than IE, but look at the severity"

stop being evasive and just step up to the plate like a man.

#24 By 12071 (124.168.25.204) at 9/27/2006 7:16:30 AM
#22 Wow... nobody is willing to help you out with those two simple questions are they? You're all on your own. You'd think that Microsoft could help you out somehow!

#23 How about you help your pal Parkkker out and answer the questions? I've made myself relatively clear on this topic for a number of years and I've always mentioned that the total # is meaningless unless you understand what that number really means. If you'd like me to walk you through it again just ask.


#25 By 13030 (198.22.121.110) at 9/27/2006 10:22:52 AM
#24: #22 Wow... nobody is willing to help you out with those two simple questions are they? You're all on your own. You'd think that Microsoft could help you out somehow!

Asking the MS zealots to stand up against this argument is too funny. I can understand why they are avoiding the issue and not wanting to answer the questions.

#24: #23 How about you help your pal Parkkker out and answer the questions?

I think he prefers NotParker to have to squirm rather than himself.
