

Print 95 comment(s) - last by Tomcatter.. on Dec 9 at 11:55 PM

A recent Microsoft report took a rather insulting stab at Mozilla, so the open-source firm decided to do some trash talking of its own.

Mozilla is all hustle and bustle these days, trying to fix the remaining bugs before it rolls out its final release of the third iteration of its popular Firefox browser.

Perhaps catching wind of the press on these bugs, Microsoft released a security report on November 30, titled "Internet Explorer and Firefox Vulnerability Analysis".  The report, which examined the quantity and threat level of vulnerabilities within the two browsers, came out very strongly skewed in Microsoft's favor.  It reported that Internet Explorer experienced fewer threats across all security levels (low, medium, and high) than Firefox.  It also reported that Mozilla had to fix 199 security vulnerabilities, while in the same period of time Microsoft only had to fix 87.

Microsoft products are not always known as secure platforms, largely because they are the market leader and the biggest target for malicious attacks.  Not so, the report indicates, when it comes to Internet Explorer.

The report was produced by Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, and is available here.

Mozilla's Mike Shaver had some choice words in response to the report.

"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," he said, backhandedly comparing Internet Explorer to a festering tooth.

He continued, "It's something you'd expect from maybe an undergrad.  It's very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, they're somehow less secure."

Shaver says the analysis is lazy and possibly "malicious."

He does raise a valid point: Microsoft often lumps several security issues together into a single "threat" that gets fixed irregularly, with the arrival of a service pack, so a count of fixed threats understates the number of defects repaired. Shaver points out that Mozilla has consistently worked to roll out fixes far more quickly than Microsoft does. Shaver explains:
"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability 'counted' for, say, seven defects repaired. Or maybe you don't hear about it at all, because it was rolled into SP2 and they didn't make any noise about it."

Shaver says in his blog that we would have to be in a "parallel universe" for Microsoft to even "approach Mozilla's standard of transparency."

In an interview with eWeek, he continued to vent, saying, "The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week;  those are the things we measure and talk about publicly. Reports like [Jones'] really point the industry in a dangerous direction, which is to say you're [given an incentive] to keep [browser security fixes] quiet. That doesn't keep you safer, it just helps companies hide the real nature of what they're doing."

Earlier last month Jones had published a similar report arguing that Windows Vista had far fewer vulnerabilities than Mac OS X Leopard or most Linux distributions.

Many will be sick of Microsoft and Mozilla's bickering, but when they attack each other so publicly, it is hard to ignore. This is unfortunate, as it simply leaves the user feeling less secure and unsure of whom to trust.




It's important to remember
By borismkv on 12/3/2007 6:23:43 PM , Rating: 2
The weak link in any security plan is the user. A perfect security system can be completely screwed up by one dumb user. You know, the type of person that says, "Okay" when a large flashing button pops up that says, "Going to this web page will destroy the whole world." The *vast* majority of malware is targeted at these people. The simple fact of the matter is that pretty close to 100% of these people use IE. Why? Because that's what their computer comes with and they don't care to change it. People who use Firefox are more likely to be conscious of what will cause their computer harm. Either they've been taught by someone who knows a thing or two about staying safe on the Internet, or that same knowledgeable person recommended it to them.

The people who write malware are very conscious of what it takes to infect someone's computer. They know that if they can get the user to do something stupid, they'll have a free ticket to getting their software on that person's computer. As a result, they program more towards the vulnerabilities in the browser that uninformed or uncaring individuals use more often. Which, as I pointed out already, is IE. It doesn't matter how many vulnerabilities exist in a browser, it matters what type of user is operating the browser. If a complete click-on-everything-that-flashes moron is using it, you only need one vulnerability, disclosed or not, to get them.




RE: It's important to remember
By mechBgon on 12/3/2007 8:09:53 PM , Rating: 2
I think you should revise your first paragraph to say that the weak link is the computer's Administrator(s). There's a great deal that can be done to "user-proof" a Windows PC, regardless of whether the user is smart or cooperative with policy, or which browser they're being idiots with today. ;)

Also, realize that browsers are not necessarily the direct target of the bad guys anymore, merely an attack vector by which to reach their actual target, which might be something like Flash Player, QuickTime, WinAmp, etc. For a recent case in point, read: http://www.f-secure.com/weblog/archives/00001325.h...

quote:
Symantec has some excellent analysis located here. They found that this exploit crashes the ActiveX Control in IE. Firefox on the other hand may pass off the QuickTime request directly to QuickTime player depending on configuration. So Firefox users may therefore be more vulnerable, not because of the browser itself, but because Firefox will deliver the exploit directly to its most optimal platform.


My suggestions:

1) Use a non-Admin user account whenever possible. http://www.mechbgon.com/build/Limited.html

2) Clean house, and remove software you don't actually use. It can't be attacked if it isn't there.

3) Keep everything patched up (home users, consider using Secunia's checkup utility found at https://psi.secunia.com for this purpose)

4) If you're a Windows Vista user, keep the User Account Control enabled and leave IE7 in Protected Mode (both of which are the default settings).

5) Use antivirus software, but don't place excessive reliance in that layer of security alone.

6) Do avoid all obvious risks, but again, don't assume that you will necessarily be able to avoid all hazards.


RE: It's important to remember
By mindless1 on 12/4/2007 9:49:45 AM , Rating: 2
in summary, jump through a lot of hoops while suggesting the user is at fault.

No, the user of a general purpose monopoly OS merely surfing the web should not have to be a security guru, and indeed it is fairly clear most are not so they are the target users, the standard against which a general purpose browser must be designed.


RE: It's important to remember
By mechBgon on 12/4/2007 8:48:44 PM , Rating: 2
quote:
in summary, jump through a lot of hoops while suggesting the user is at fault.


I could make a rather good analogy with the safety features of your car, such as seatbelts, headlights and windshield wipers. It's not unfair to expect you to know what they're for and to use them, even if they're not automatic, and even if you don't intend to do something stupid that causes a collision.

quote:
No, the user of a general purpose monopoly OS merely surfing the web should not have to be a security guru, and indeed it is fairly clear most are not so they are the target users, the standard against which a general purpose browser must be designed.


If there's a browser/OS that does fit your description, then in my opinion it would be IE7 in Protected Mode on Windows Vista, which is the default setup. No guru qualifications required, and no hoops to jump through. Stuff runs with the non-Admin part of your token and WIC watches over it to prevent hostile actions against system files. Thus, mitigation of working exploits is already planned into the OS and browser. Other browsers don't get the entire benefit of Vista's protection, but they do get some of it.

On WinXP/2000, I think the best advice is the advice I already gave, regardless of one's browser of choice. Where possible, using a disallowed-by-default Software Restriction Policy is also a good idea: http://www.mechbgon.com/srp
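The settings recommended in mechBgon's list above (non-admin account, UAC, IE Protected Mode, patch state) and the disallowed-by-default Software Restriction Policy suggested in this reply all live in well-known places on a Windows host, so they can be audited rather than taken on faith. The PowerShell script below is an added example, not code from the article or from the commenter, that runs those checks for the account you browse with. The helper names Test-IsAdmin and Get-RegValue are this example's own; the registry paths and value names are the standard Windows locations for each setting. Items 2, 5 and 6 of the list (removing unused software, antivirus, avoiding risks) are judgement calls and are not audited here.

```powershell
# Added example, not from the article or the commenter. Audits the hardening
# settings recommended in the thread for the current user. Helper names
# (Test-IsAdmin, Get-RegValue) are this example's own; registry paths and value
# names are the standard Windows locations for each setting.

function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RegValue {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # key or value absent: report the insecure default
    return $item.$Name
}

$checks = @()

# 1) Browse from a non-admin account: code that exploits the browser inherits the browser's token.
$checks += [pscustomobject]@{ Check = 'Not running as Administrator'; Ok = -not (Test-IsAdmin) }

# 4) UAC on: EnableLUA = 1 under the Policies\System key (the Vista default).
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 0
$checks += [pscustomobject]@{ Check = 'UAC enabled (EnableLUA=1)'; Ok = ($lua -eq 1) }

# 4) IE Protected Mode for the Internet zone (zone 3): value "2500" is 0 when on, 3 when off.
$pm = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' '2500' 3
$checks += [pscustomobject]@{ Check = 'IE Protected Mode on for Internet zone'; Ok = ($pm -eq 0) }

# Software Restriction Policy default level:
# 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted (no policy in force).
$srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel' 0x40000
$checks += [pscustomobject]@{ Check = 'SRP default level is Disallowed'; Ok = ($srp -eq 0) }

# 3) Patch state: ask the Windows Update agent for updates not yet installed.
# Needs network access to Microsoft Update or a WSUS server; reports a failure as not OK.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
    $checks += [pscustomobject]@{ Check = "No pending Windows updates ($pending pending)"; Ok = ($pending -eq 0) }
} catch {
    $checks += [pscustomobject]@{ Check = 'Pending Windows updates (query failed)'; Ok = $false }
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

Two caveats when reading the output: Protected Mode depends on UAC, so a failed UAC check makes the Protected Mode result moot even if the zone value reads 0; and a domain policy can override the per-user zone setting from the HKLM Policies hive, in which case the HKCU value shown here is not the one in force. On Windows XP and 2000 the UAC and Protected Mode checks will simply report the "absent" defaults, and only the admin, SRP and update checks are meaningful, which matches the reply's point that the older platforms rely on the account and policy controls alone.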
















Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki