Trev
09-25-2005, 07:39 AM
Firefox Buggier than IE: Which is Safer?
September 22, 2005
By Sharon Gaudin
For all the grief Microsoft Corp. takes about having buggy software, a new study shows the Mozilla Foundation's Firefox actually had nearly twice as many reported vulnerabilities as Internet Explorer in a six-month span.
Does that make Explorer a safer browser to use?
Not necessarily, say security analysts. It just means IT administrators and users need to be on alert no matter what browser they're using.
''I can't say that Internet Explorer is more secure than Firefox, but it highlights the fact that no matter which browser you're using, they have vulnerabilities and it doesn't matter if they're open source or proprietary,'' says Gordon Haff, an analyst at Illuminata, an industry analyst firm based in Nashua, N.H. ''You have to keep everything up-to-date.''
Symantec's Internet Security Threat Report, a twice annual analysis of Internet security activity, shows that between January and June of this year, Mozilla's browser had 25 reported vulnerabilities -- 18, or 72 percent, were critical. In the same time period, Microsoft's Internet Explorer had 13 reported vulnerabilities -- eight, or 62 percent, were critical.
Patrick Martin, senior manager for security response at Symantec Corp., says Mozilla's numbers from the first half of this year, actually were an improvement over the second half of 2004, when it had 31 reported vulnerabilities. Internet Explorer also is doing better, since it had 30 in that same time frame. Mozilla has produced more than one browser, but Firefox is far and away it's most popular browser and the one mainly being measured in the study.
Martin says the report has ''raised a few eyebrows'' since Firefox, an open source browser, frequently is thought of as the safer alternative to Internet Explorer. Firefox has picked up a strong number of new users in the last year with many people looking to switch away from Microsoft's browser.
Apples and Oranges
Ken van Wyk, principal consultant for KRvW Associates, LLC and a columnist for eSecurityPlanet, says many people may now suspect Internet Explorer is a safer browser to use, but they should be careful about comparing apples and oranges.
''The Mozilla code is out there. Anybody can look at it,'' says van Wyk, who is a Firefox user and plans to stay that way. ''Microsoft source code is proprietary. It's not available for public scrutiny. You're comparing based on two very different sets of inputs.
''Firefox is a newer product that has been out in the open source space for a relatively short period of time,'' he adds. ''It hasn't been exposed to public scrutiny for all that long. It's not surprising to find that many bugs in a product so new. It's disappointing though.''
Ken Dunham, a senior engineer for VeriSign iDefense Intelligence based in Mountain View, Calif., says it also comes down to how many virus writers are attacking an application. Firefox has been relatively safe from attack, whereas Internet Explorer has taken more than its share of hits.
''If you look at the numbers, who gets attacked? Internet Explorer users, and especially IE users who are not patched,'' says Dunham. ''I can say that Firefox has fewer exploits to date and offers security through obscurity. That might change in the future. There's just not near as many attacks, but the reality is it has a number of vulnerabilities that can be exploited.''
Dunham, like the other analysts interviewed, says it comes down to being vigilant no matter what browser you're using.
''There's no magic bullet,'' says Dunham. ''If you're on the Internet, there are ways to be hit. Firefox offers security through obscurity. There has only been one malicious code to date for Firefox-related exploits. And there are hundreds for IE. People say, 'I use Firefox so I don't get viruses.' But this just shows that there is no magic bullet.''
http://itmanagement.earthweb.com/article.php/3550746
September 22, 2005
By Sharon Gaudin
For all the grief Microsoft Corp. takes about having buggy software, a new study shows the Mozilla Foundation's Firefox actually had nearly twice as many reported vulnerabilities as Internet Explorer in a six-month span.
Does that make Explorer a safer browser to use?
Not necessarily, say security analysts. It just means IT administrators and users need to be on alert no matter what browser they're using.
''I can't say that Internet Explorer is more secure than Firefox, but it highlights the fact that no matter which browser you're using, they have vulnerabilities and it doesn't matter if they're open source or proprietary,'' says Gordon Haff, an analyst at Illuminata, an industry analyst firm based in Nashua, N.H. ''You have to keep everything up-to-date.''
Symantec's Internet Security Threat Report, a twice annual analysis of Internet security activity, shows that between January and June of this year, Mozilla's browser had 25 reported vulnerabilities -- 18, or 72 percent, were critical. In the same time period, Microsoft's Internet Explorer had 13 reported vulnerabilities -- eight, or 62 percent, were critical.
Patrick Martin, senior manager for security response at Symantec Corp., says Mozilla's numbers from the first half of this year, actually were an improvement over the second half of 2004, when it had 31 reported vulnerabilities. Internet Explorer also is doing better, since it had 30 in that same time frame. Mozilla has produced more than one browser, but Firefox is far and away it's most popular browser and the one mainly being measured in the study.
Martin says the report has ''raised a few eyebrows'' since Firefox, an open source browser, frequently is thought of as the safer alternative to Internet Explorer. Firefox has picked up a strong number of new users in the last year with many people looking to switch away from Microsoft's browser.
Apples and Oranges
Ken van Wyk, principal consultant for KRvW Associates, LLC and a columnist for eSecurityPlanet, says many people may now suspect Internet Explorer is a safer browser to use, but they should be careful about comparing apples and oranges.
''The Mozilla code is out there. Anybody can look at it,'' says van Wyk, who is a Firefox user and plans to stay that way. ''Microsoft source code is proprietary. It's not available for public scrutiny. You're comparing based on two very different sets of inputs.
''Firefox is a newer product that has been out in the open source space for a relatively short period of time,'' he adds. ''It hasn't been exposed to public scrutiny for all that long. It's not surprising to find that many bugs in a product so new. It's disappointing though.''
Ken Dunham, a senior engineer for VeriSign iDefense Intelligence based in Mountain View, Calif., says it also comes down to how many virus writers are attacking an application. Firefox has been relatively safe from attack, whereas Internet Explorer has taken more than its share of hits.
''If you look at the numbers, who gets attacked? Internet Explorer users, and especially IE users who are not patched,'' says Dunham. ''I can say that Firefox has fewer exploits to date and offers security through obscurity. That might change in the future. There's just not near as many attacks, but the reality is it has a number of vulnerabilities that can be exploited.''
Dunham, like the other analysts interviewed, says it comes down to being vigilant no matter what browser you're using.
''There's no magic bullet,'' says Dunham. ''If you're on the Internet, there are ways to be hit. Firefox offers security through obscurity. There has only been one malicious code to date for Firefox-related exploits. And there are hundreds for IE. People say, 'I use Firefox so I don't get viruses.' But this just shows that there is no magic bullet.''
http://itmanagement.earthweb.com/article.php/3550746