Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.
Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's "ability to react, find a solution and put it into the user's hands is better than Microsoft."
He also argued that, according to security company Secunia's statistics, the Microsoft vulnerabilities were more critical, and had been so over a longer timescale. In the period 2003 to 2005 Secunia have issued 22 security advisories regarding Firefox 1.x, and rate it as "less critical". In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as "highly critical".
Nitot likened the difference between Firefox and IE vulnerabilities to injuries: "Which would you prefer, to have a broken finger, or your head ripped off?"
News source: ZDNet UK
Anyways, for those couple of posters who were guessing how long it will take Mozilla to fix this security flaw (and the new security prob announced today), no need to guess anymore. Firefox 1.0.7 was just released that addresses all these problems:
Mozilla Firefox 1.0.7 Download
Firefox 1.0.7 Release notes
http://news.bbc.co.uk/1/hi/business/4213466.stm
Of course, Ballmer states he has never thrown a chair in his life. All we have is the word of Kai-Fu Lee, and his character is certainly questionable. He signs a contract, knowing that he is not allowed to be in a job that puts him in a competition position against Microsoft. He joins Google anyway, and according to some evidence Microsoft found in Mr. Lee's Recycle Bin, he was providing Google with information before quitting Microsoft. Unethical. And everyone says Microsoft is stealing ideas from Google?
Don't get me wrong, it is possible that Steve got as mad as Kai-Fu Lee claims, but these claims are coming from a man that lied to the company he worked for, and knowingly broke a legal agreement he made as a condition of his employment there.
Anyways, I use both IE and Mozilla. IE is still the most compatible browser (because everyone designs pages for what it does and does not support). However I use Mozilla whenever possible.
Also I have seen that Secunia misses several vulnerabilities in many products.
In addition, contrary to the claim, the comparison of the incorrect counts is between the 2003-2005 numbers for one browser and lifetime number of another.
Last edited by 89300 on 20 Sep 2005 - 22:29
They used recent numbers to demonstrate that as Firefox's popularity grows it is becoming a more frequent target.
Then he gives numbers from back when nobody used Mozilla to prove them wrong? Clearly, Nitot completely missed the point.
His quote gives hard numbers--85 vulnerabilities vs Firefox's 22 within the same period of time (2003-2005).
Or are you suggesting that "nobody used Mozilla" in 2005? You know what year it is right?
His quote doesn't give "hard numbers" - it gives "wrong numbers". Those 85 vulnerabilities came over 3 years. The 22 for Firefox came over a 1 year period.
My full response is here.
And your suggestion that recent Mozilla vulnerabilities are "usually minor" is absurd.
Contrary to popular belief, there are still a LOT of users that use dialup and yes a 4.7MB (megabyte, not megabit as you typed) download can be "a bit large" compared to a patch for IE which is a couple of hundred kilobytes. People here on Neowin tend to forget (or just don't care) that there are other PC users in this world not as savvy as they. Why do you think people still haven't upgraded to SP2 in some cases, due to the download size (which I know is MUCH larger than a FF download). If you tell most users that you can either download for 40 minutes to install an update or 10 minutes and a restart, what do you think they will do? I have broadband, I use FF, and I keep my system updated as I am sure most of us here do. We are not typical users. Neowin users need to think outside the geek box every now and then.
But Mrbester, my point had nothing to do with the size of the download. The point is that daily CVS builds are incredibly unstable. No one should be running those on a regular basis and to claim that every FF user should is just absurd.
As for the second problem, which is the lack of patch support, that is a different issue. However, since you brought it up Mrbester, are you saying that FF users should have re-installed 22 times over the last year? I have at least 5 machines that I work on every day, some with several multiboot partitions. Without patch support, keeping Firefox up-to-date would be a full time job!
https://ses.symantec.com/content.cfm?articleid=1539
Read post on my blog
You also must be able to understand that if there are vulnerabilities (over 20 this year for Firefo
Where does "FF win hands-down" exactly? In response time to patches? Let's see how that compares when they offer support 15 OS/SP levels, for at least 100 million users across the globe in countless languages, with mission-critical business applications running on their software. Yeah, I'm sure their QA process is ready for that
This article shows the difference between open source security and proprietary security. Since we don't have the source for IE, any vulnerability flaw found is, by definition, exploitable. Someone found a way to exploit it, you get a vulnerability. Flaws found in Mozilla, on the other hand, are most often theoretical in nature. Someone looking through the source finds the problem, but no exploit is written.
Another major problem is that the average severity rating of the vulnerabilities associated with both IE and FF browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited." My entire system isn't going to be compromised from me browsing with Mozilla.
This bias is very obvious, when there is an attack for Firefox, it's usually hidden unless it's deemed something the non-sheep users don't know, and usually it's a complete IE bashing section. But when Firefox is copping the flak, why isn't it out the front so people can see the truth and start voicing their concerns? Are they afraid that their loyal sheep will disband and switch back? What's going on?
When it comes to IE, every single itty bit of negative feedback seems to make it onto the front page, whether it's some dumbnut at Mozilla talking trash about it, or some narrow minded blogger that doesn't like it anymore and is calling up sheep to join his cause, it's all there. Even security issues that require the user to do something are plastered all over the joint and then the Firefox shepherds come trying to recruit more sheep.
This has got to stop. When will the shepherds stop spreading their FUD? Firefox's nightly builds, believe it or not, do NOT mean sh*t. Nobody in the regular sense sits there at the damn site downloading a new build every day to ensure they are up-to-date. Most wait for the public build, which can take weeks to release; these releases are what they are judged on, not that stupid nightly build stuff. Did you know Microsoft does nightly builds also? They just don't release them because that's plain stupid and they know it.
Microsoft releasing the patches on a monthly schedule is a good thing and they know it. They used to release them ASAP, but then people got confused over when to download updates and the like, do you honestly think if people could not cope with that, that they are going to even consider downloading nightly builds?
Most of the attacks against IE are released after the patch is released, which is mostly the same for all attacks; if you keep your OS up-to-date, then you're safe. If you believe all the crap the shepherds tell you, then god help you.
Highly Critical Firefox advisory announced today by Secunia
This will give the Firefox programmers a real chance to show if they really can have a 1-2 day turnaround on fixing this issue.
Yeah that makes sense.
markjensen--Any reason why you'd expect a '1-2 day' turnaround? Surely you're not suggesting that IE patches have that kind of turnaround.
Because the article linked to above contains this quote (my emphasis):
I'm sure Mozilla is capable of finding a fix within 1-2 days. That's the beauty of the OSS system. The problem of course is that distribution of that fix would take longer (releasing an official, tested, packaged patch).
Well, for highly critical bugs, it seems it might be their goal or standard.
The advisory I quoted above has been fixed, and is in the 1.0.7 release of Firefox. (This advisory affected only Unix/Linux, so Windows users may not have/need a 1.0.7 update.)
Last edited by 36818 on 21 Sep 2005 - 11:21
You say all the negative comments about IE are posted here?
Name one good thing about IE.
That I like it over Firefox.
It renders almost every page on the internet as the web programmer intended. Don't start in about web standards. The vast majority of web surfers only care that the page they want to view is seen and functional.
hahahaahahaahahaahahaahahahahahahahahaahah ahahahaahahaahahaaha. oh my god, you should get a job as a comedian.
Why, did I say something funny? I know what has to be done to get a site to view right, but I also know some programmers who use tools that only view best with IE. I use FF and when I tried to view our company website it was misaligned and not the right size. If an AVERAGE user (not those of us who know better) were to view that in FF, they would blame the browser or say "but it looks right here." A lot of sites have improved and view better with FF (or the Gecko engine) so this issue is reducing, however, I don't see MS allowing FF users to access Microsoft Updates any time soon.
I could care less about security reports and flaws in browsers....Honestly all this is getting boring. I just call it getting publicity.
I wish there was a report that shows users that actually have been affected and these flaws have been used on.....
I personally (not even myself) don't know anyone that has been affected by these flaws.
It is amazing how all of a sudden a high number of bug discoveries meant progress, when just a short time ago it meant buggy software. Interesting...
Wasn't Mozilla touting the fact that they had less bugs just a month or two ago? It is funny that somehow the current circumstances have changed their position.
How sad... LOL @ Mozilla
Look over the advisories with this in mind, and the data will show that IE has been left high and dry by Microsoft for some time (and that has only recently begun to change).
Just look at the data yourself, using a reasonable method of determining what is better. Because counting all reported bugs equally, regardless if they are severe or how long they are left unfixed is just a plain stupid method.
So, yes they do have less bugs (and that's just the security related numbers). Surely you're capable of reading actual stats?
The Secunia study isn't invalid. It just looks at the most recent 6 months (well, first half of 2005, anyhow). It is an attempt to see a trend developing (which may or may not be sustained, or be an anomaly).