The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Internet Explorer and Firefox Vulnerability Analysis Report
Time: 10:35 EST/15:35 GMT | News Source: *Linked Within Post* | Posted By: John Quigley

For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users as the browser interprets Web content and programs delivered from around the world. Over the past few years, there has been much discussion of the need for improvements in browser security, but few hard data studies performed to support assertions concerning the security of available browsers.

Write Comment
Return to News

  Displaying 1 through 25 of 331
Last | Next
  The time now is 10:34:07 AM ET.
Any comment problems? E-mail us
#1 By 20505 (216.102.144.11) at 12/1/2007 12:19:53 PM
Finally, a quasi-scientific study.

I'm still not sure what this means in the real world, ie do IE users or FF users get more malware, viruses and trojans on their computers?

Ultimately, this is the most important rubric for security.


#2 By 92283 (64.180.196.143) at 12/1/2007 4:29:17 PM
Quicktime is the biggest danger to web users. Firefox is 2nd.

http://blogs.zdnet.com/security/?p=697&tag=nl.e589

"Not counting silent (undocumented) fixes, Apple has patched at least 32 security flaws affecting QuickTime in 2007. Last year, the QuickTime patch count was 28. Five were documented in 2005.

Judging by the public release of details — and exploit code — for zero-day flaws affecting the company’s flagship media player, it looks like the number will rise again in 2008."

PS For the math challenged ... like Kabuki, 5 in 2005 to 28 in 2006 is a 460% increase.


This post was edited by NotParkerToo on Saturday, December 01, 2007 at 16:31.

#3 By 12071 (124.168.186.163) at 12/2/2007 7:05:05 AM
And the numbers game continues... For Mozilla's reply to this Microsoft marketing report see:
http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
where they mention, amongst other things, boring little information like:
- IE6 being unsafe for 284 days in 2006 (http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html)

"We’re not building fixes for our PR team, we’re building them for our users. Go ahead and count."

For a bit more fun:
- http://weblogs.mozillazine.org/schrep/archives/2007/11/use_the_metric_which_suits_you.html
- http://shaver.off.net/diary/2007/11/30/counting-still-easy-critical-thinking-still-surprisingly-hard/

#4 By 92283 (64.180.196.143) at 12/2/2007 10:11:38 AM
Firefox. Unpatched. 3 years.

http://secunia.com/advisories/12403/

#5 By 15406 (99.224.112.94) at 12/2/2007 7:19:59 PM
#3: Good finds. It's laughable for MS to try and compare their closed buglist with Mozilla's open one. To me, it looks like Mozilla is much better at fixing their bugs. Plus, MS' exposure window compared to other browsers is just plain embarrassing. I guess that's why they're trying to put the focus on the one thing that doesn't make them look ridiculous. How they can claim they're more secure when IE was open to critical exploitation for 284 out of 365 days, compared to 9 for FF, is incredible.

#6 By 37047 (99.241.37.218) at 12/3/2007 7:11:04 AM
Newsflash: Bill Gates calls in sick. NotParkerToo points to Quicktime as the culprit.

#7 By 37047 (99.241.37.218) at 12/3/2007 7:17:55 AM
Newsflash: Microsoft decides to stop fixing Internet Explorer bugs and security holes. Since this will drop the number of IE patches in any period to 0, NotParkerToo declares that IE will remain the most secure browser ever.

#8 By 37047 (99.241.37.218) at 12/3/2007 7:45:55 AM
Internet Explorer 7:

http://secunia.com/product/12366/

Affected By: 19 Secunia advisories

Unpatched: 37% (7 of 19 Secunia advisories)

Firefox 2:

http://secunia.com/product/12434/

Affected By: 18 Secunia advisories

Unpatched: 22% (4 of 18 Secunia advisories)

And Firefox has no issues in the yellow (medium) level.

Opera:

http://secunia.com/product/10615/

Affected By: 10 Secunia advisories

Unpatched: 0% (0 of 10 Secunia advisories)

Konqueror:

http://secunia.com/product/3166/

Affected By: 14 Secunia advisories

Unpatched: 14% (2 of 14 Secunia advisories)

#9 By 13030 (198.22.121.110) at 12/3/2007 9:46:50 AM
#4, Firefox. Unpatched. 3 years.

You forgot to mention that that vulnerability has the second lowest security rating.

#8, Don't start with facts... it only provokes the Microsoft zealots.

#5, So very true. Security by obscurity is not security.


Still, to this day, I do not personally know any techie who uses IE over Firefox. What tools a technical person chooses to use for their day-to-day work is very telling.

#10 By 15406 (99.224.112.94) at 12/3/2007 10:02:53 AM
The final word: http://it.slashdot.org/article.pl?sid=07/12/03/0717229&from=rss

"When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"

We had long suspected this, and now we have a former MS insider to confirm it.

#11 By 37047 (99.241.37.218) at 12/3/2007 10:16:39 AM
#4, Firefox. Unpatched. 3 years.

How about also mentioning that this defect is also only a problem in prehistoric versions, such as Firefox 0.9 and 1.0 for Mac OS/X. And it is a low priority defect. So, by this criterion of yours, should we start to discuss the defects in IE 4.x and IE 5.x? How about the issues in IE 1.0? Are those fair game as well? Should we mention that IE 4.0 has ZERO security and bug fixes for it? If you think that makes it the most secure version of IE because of no security patches, then you are as delusional as we think you are.

#12 By 37047 (99.241.37.218) at 12/3/2007 10:25:39 AM
#9: Still, to this day, I do not personally know any techie who uses IE over Firefox. What tools a technical person chooses to use for their day-to-day work is very telling.

Most telling of all was when Senior Microsoft Apologist and major fanboy Paul Thurrott even recommended that everyone should drop IE and switch to Firefox immediately. Paul Thurrott switching to Firefox over a Microsoft product was a major watershed event.

#13 By 23275 (71.12.191.230) at 12/3/2007 11:37:47 AM
#12, ah, no. I use IE 7 in PM under Vista. Every engineer in my company does the same, and I'd put our technical skills and credentials up against Paul's any day of the week - or any other "techie's" for that matter.

Similarly, since IE 7 PM under Vista shipped, Paul himself moved back to IE, or at least he said he did - para-phrasing, I think he said he found himself using IE 7 PM more and more and had found himself finding fewer reasons, or cause to use FF since 2.0 shipped - slamming it <FF 2.0> for what it was not [as in not worthy of a full point release designation].

Let me once again state, the pseudo-technical elite, aren't "leet" as I assess it, and those that wear FF use as some kind of indicator of their superiority, or membership among the technical elite is preposterous, elitist and without much basis in fact. I regard such people as under-informed and significantly less than expert technologists.

I further assess that truly expert users can secure any platform - including any version of Windows that remains supported and IE - which reduces which browser is used to what it should be, a choice and an expression of a preference and nothing more.

What we recommend/use:

Vista Ultimate as standard users
IE 7 in PM
Haute Secure for IE 7 PM/Vista http://www.hautesecure.com
ESET NOD32 AV
Windows FW [native to Vista]
Windows Defender [native to Vista]

#14 By 13030 (198.22.121.110) at 12/3/2007 12:25:54 PM
#13: Let me once again state, the pseudo-technical elite, aren't "leet" as I assess it, and those that wear FF use as some kind of indicator of their superiority, or membership among the technical elite is preposterous, elitist and without much basis in fact.

Certainly, choosing to use Firefox over IE does not guarantee in-and-of-itself one's admittance into the techical elite club.

However, the use of IE over Firefox can very well say as much about a techie as would the use of a drag-and-drop IDE over a programmer's editor.

I would never presume that many of the commentators here are not technically sophisticated. I just do not personally know any technically sophisticated person that chooses to use IE over Firefox. It's just an observation--nothing more, nothing less.

#15 By 37047 (99.241.37.218) at 12/3/2007 2:04:08 PM
I have been a "techie" for most of my life, and started to program computers back in the early 80's on Commodore hardware. I have used every version of Windows since 3.0, and every version of DOS since 2.11, even though I have owned versions going back to 1.0. I have also used every version of IE ever shipped, and several versions of Netscape Navigator, Opera, and Firefox. I swore by Navigator until IE 5 proved itself to be the superior product. IE 5.5 was nice too. IE 6 came along, and it was good too.

Then, Microsoft decided to all but drop the browser as a supported, on-going developed product, and sit on its laurels for many years. The internet changed and grew, but IE did not grow with it. Along came Firefox, and starting with FF 1.0, it was a good browser, with a good UI, fast rendering, and most importantly, a development team that actually cared about the product. They listened to the needs of the users, fixed bugs and security problems as they were found, and made the effort to make the users happy. And they succeeded.

Suddenly, FF was making waves, and IE was starting to lose ground in the browser monopoly it had achieved. Only at this point did Microsoft suddenly care about IE again. If it wasn't for FF, there would be NO IE 7. For Microsoft, it is all about ensuring that everyone uses Microsoft technology, so they can continue to squeeze every last penny out of all of us. Do anything at all to maintain the monopoly. If the monopoly gets restored, then they can go back to ignoring the product again until the next product comes along to threaten the monopolistic hold on the market. It is all about maintaining the monopoly, not helping the user in any meaningful way.

Personally speaking, I use Firefox 2 because it is more flexible, has tons of plugins for me to choose from to enhance my internet browsing experience, is more standards compliant than IE, which is important to me, and generally works more smoothly than IE overall in my own personal experience. I am also more confident in Mozilla fixing security problems in a timely manner than I am in Microsoft doing likewise. At least with Mozilla, I can look and see what known issues are fixed or still outstanding, and take the necessary precautions. With Microsoft, you only hear about the issues that were previously made public, as reported by external agents who find the issues in the first place.

#16 By 37047 (99.241.37.218) at 12/3/2007 2:06:36 PM
#13: slamming it <FF 2.0> for what it was not [as in not worthy of a full point release designation]

Gee, what a damning criticism. He didn't think there was enough different from 1.5 to 2.0 to warrant changing from a 1.x to a 2.x versioning number. Every time my company puts out a new version of the software we've written, I hope that the version numbering scheme is the biggest problem someone can find with our product. That would be a happy day indeed!!

#17 By 15406 (99.224.112.94) at 12/3/2007 2:10:25 PM
#4: Halloooo? Parkkker? Did you vanish into the void again?

#13: I use IE 7 in PM under Vista.

As one of the biggest full-court press MS proponents here, that goes without saying. I see the same trend as ch: everywhere I go, the less technical users use what's already there while the more technical users go out of their way to get and use something better.

Every engineer in my company does the same...

How much of that is by choice? If I worked for a rah-rah MS idealogue, I would consider it career suicide to not play by his Microsoft top-to-bottom rules.

Tell me, do you or anyone in your company use any non-MS software where there is an MS equivalent?

#18 By 15406 (99.224.112.94) at 12/3/2007 2:28:14 PM
Even Ars Technica thinks the MS report is crap:

http://arstechnica.com/news.ars/post/20071203-security-analyst-rates-ie-higher-than-firefox.html

#19 By 37047 (99.241.37.218) at 12/3/2007 3:27:26 PM
#17: Do not invoke the name of he that should remain nameless, lest you cause his presence to be felt. Otherwise, this conversation will quickly devolve into a "Look, Quicktime bugs! Look over there!! Don't look at these IE issues. Nothing to see here!" kind of bickering match. We have a nice debate happening here. Why ruin it with the presence of those who are known conversation killers?

#18: Actually, the Ars Technica article does a great job of highlighting both Jeffrey Jones's report and Mike Shaver's rebuttal of the Jones report, and merely asks the question about what the results would be like if the time frame was expanded a bit further. Quite a balanced report, though little new info or opinion is presented. If I missed something, please let me know.

#20 By 15406 (99.224.112.94) at 12/3/2007 4:02:32 PM
#19: They pointed out the missing element in Jones' skewed report -- the undisclosed unpatched bugs that only MS is privy to, thanks to their closed system, as well as the attempt to frame the discussion positively by picking the 3-year time frame.

#21 By 23275 (71.12.191.230) at 12/3/2007 6:34:52 PM
Lath, you argue from a vacant lot... you never use Vista and IE 7 in PM - so how can you have a position at all? You can't possibly understand what I mean.

The guys here use what they wish to use - as I said, they can secure any browser and or OS there is. Prior to IE 7 and Vista, many used FF, but they stopped when IE 7 under Vista proved to be quite good and just as safe to use. The Dev Toolbar for IE has proven to be good and enough for what it is intended for. By the way, Latch, I built this place for these guys - when I pass, they will inherit this company - they've earned it and they'll continue the same kind of good work and good works we started. That kind of place does not dictate to people. It seeks to build people.

As to what we use, depends upon what it is and what it's for. We tend to use what works best for the customer.

#22 By 92283 (64.180.196.143) at 12/3/2007 10:00:46 PM
"Mozilla on Friday released the third update to Firefox this month, version 2.0.0.11, to fix a stability problem in the previous version.

"We strongly recommend that all Firefox users upgrade to this latest release," a post on the Firefox developer blog said.

The open-source Web browser update arrived swiftly after version 2.0.0.8, released October 18, version 2.0.0.9 from November 1, and version 2.0.0.10 from November 26. Which explains why I'm getting a lot of software update messages from my Web browser.

Version 2.0.0.10 broke a feature that lets images be displayed with special effects such as rotated pictures and image reflections, according to Mozilla's bug-tracking site. The problem was fixed within a day and distributed within five, but not before some whose sites were affected by the bug had voiced frustration.

"Customers are complaining because their Firefox automatically updated to 2.0.0.10 and now they can no longer order photo prints in our shop. I think this is a very serious problem and I hope it will be fixed immediately in a 2.0.0.11 update," a post by Klaus Reimer said.

In an indirect response, Firefox coder Nick Thomas pointed to mailing lists that people can use to test their sites with imminent new Firefox versions. Thomas also said that the five-day turnaround is "the fastest turnaround between Firefox releases to date.""

Thats what I like about OSS fanatics ... the fact that they are proud of screwing up so many times in a such a short period of time.

Four versions in 6 weeks.

I'm beginning to suspect that they are deliberately screwing up just to chage the stats.

OSS Fanatic: "See, we are quick in fixing our screwups".

Reality: "You should be, you get a lot of practice."


Firefox Automatics Updates: Automatically screwing up your browser to a version that just plain doesn't work. 4 times in 6 weeks.

Bahhh. Firefox is a joke.

#23 By 15406 (216.191.227.68) at 12/4/2007 8:56:44 AM
#21: Why does everything relate to Vista in your world??? This thread is about Internet Explorer, you know, the web browser? It runs on many versions of Windows besides Vista. The report that this thread is based on is talking about IE 6 and 7, so I'm not sure why you keep going on about Vista other than it's your word of the year.

#22: You should really get around to trying FF so that you might perhaps have a clue about what you are talking about. FF does not update anything automatically -- never has, never will. After all, it would be stupid to do the same boneheaded behaviour as Windows Update and WGA. FF updates after the update panel appears and prompts the user to click the "Update & restart Firefox" button. But then you knew that already as you've been told many times in the past. And lastly, I understand that your need to constantly lick the Microsoft boot means you're more than happy to wait weeks if not months for critical fixes. I'd rather have 5 critical bugs that get fixed in a day each than one critical bug that gets fixed a month later, but that's just me I guess.

#24 By 23275 (71.12.191.230) at 12/4/2007 10:48:31 AM
Latch, please get to a hospital before the clay in your head solidifies.... if they can get through the bone, there may be a chance you'll have a normal life.

Yes, it is about IE - the latest/best version is IE 7 PM on Vista - that is most relevant and since you have no experience with it, you can't speak to it. I have to mention Vista each time in this context, so as not to cause people to assume that IE 7 on XP is the same - it isn't.

Protected Mode, UIPI handling escalations out of that mode to user space is terribly important and it makes IE 7 on Vista far more secure than any other browser out there. UAC monitors such escalations and when UIPI detects that code is trying to execute outside of PM, it prevents it. If it is signed, it alerts the user and allows for a decision to be made by the user.

If people want to be safer online, they'll consider it.

#25 By 15406 (216.191.227.68) at 12/4/2007 11:51:04 AM
#24: Spare me the lame insults.

Yes, it is about IE - the latest/best version is IE 7 PM on Vista - that is most relevant...

Um, no. The fact that Vista use is below 10% makes IE7 under Vista not very relevant at all. The vats majority of IE users are using IE6/7 on XP.

...and since you have no experience with it, you can't speak to it.

I think I've said before that I've got Vista on my second system dual-booting with Ubuntu 7.10. I boot into it every week just to play around, apply updates and check how software I use installs and works. I even have your beloved Haute Secure installed, but I use FF for my web browsing under Vista. I may not br a Vista expert, but I certainly have used it and continue to do so, so you can cease with that argument.

Protected Mode, UIPI handling escalations out of that mode to user space is terribly important and it makes IE 7 on Vista far more secure than any other browser out there. UAC monitors such escalations and when UIPI detects that code is trying to execute outside of PM, it prevents it. If it is signed, it alerts the user and allows for a decision to be made by the user.

You certainly have a lot of faith in IE's Protected Mode as the panacea of security. If I recall correctly, Java was also supposed to have a sandbox model that code could not extend out of for security reasons. Too bad several exploits were discovered that allowed code to touch the external system and read & manipulate files. Nothing is absolute.

Write Comment
Return to News
  Displaying 1 through 25 of 331
Last | Next
  The time now is 10:34:07 AM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *