Are you safer with Firefox?

Fuzzy Logic

A lot of corp users too. I support 200 IE users and a day doesn't go by
that I have to run to someone's desktop because they loaded some spyware
and now their system is crawling.

I wonder what the "600" guy is doing differently than we are.

We have a corporate license for Ad-Aware and our users get security
training. We also lock down the browser fairly well at its installation and
via group policies. This doesn't mean we don't get spyware but it's getting
less and less frequent. Invariably it's something the user has downloaded
and installed that came with additional 'goodies'.
 
»Q«

While most are corporate users we still get to deal with their
home machines. In general we have to deal with spyware on those
machines. This is invariably installed by the user and not related
to any vulnerability in their browser.

How do you know whether any one of them were related to a browser
vulnerability, let alone know with such certainty that 0% were
related?
 
John Hood

Fuzzy said:
We have a corporate license for Ad-Aware and our users get security
training. We also lock down the browser fairly well at its installation and
via group policies. This doesn't mean we don't get spyware but it's getting
less and less frequent. Invariably it's something the user has downloaded
and installed that came with additional 'goodies'.

...and you don't consider that a security issue?

John H.
 
Aaron

Let's talk about the present not the past. I won't deny that IE was a
sieve in previous incarnations.

Not surprisingly you believe that we should ignore the past (in this case
about 6 months ago). But most rational people believe that the past does
provide some evidence on how the future will be, that is, track record
matters. Unless you have evidence to believe otherwise.

But given that you keep talking about how unknowable the future is, I
should have expected this attitude.


I will answer your question if you tell me what YOU mean by 'more secure'
and the parameters to determine it.

Answer any way you please.
For example if we were to use this information:

Between July 1, 2004, and Dec. 31, 2004, the number of documented
vulnerabilities affecting the Mozilla browser and the Mozilla
Foundation's Firefox browser was higher than the number of
vulnerabilities affecting Microsoft's Internet Explorer, according to
the latest Internet Security Threat Report from Symantec released
Monday.

The report, which provides an update of Internet threat activity
worldwide every six months, noted 13 vulnerabilities affecting IE.
That compared with 21 vulnerabilities affecting the Mozilla and
Mozilla Firefox browsers during the survey period.

IE, however, still had a higher proportion of serious vulnerabilities,
with 9 of the 13 flaws rated as highly severe. By comparison, 11 of
the 21 Mozilla browser flaws were deemed highly severe, and just 7 of
the Firefox flaws were seen as highly severe. The IE flaws also took
longer to fix--an average of 43 days, compared with 26 days for
Mozilla browsers.

Source <http://www.pcworld.com/news/article/0,aid,120128,00.asp>

If you said number of vulnerabilities then IE is more secure. If you
said severity then Firefox wins. If you say time to patch then Firefox
wins.

Thank you. I'm sure any person with any common sense, would conclude that
a browser that has less critical exploits, less easily accessed and has
faster patches to solve the problem is the more secure browser.

Or do you subscribe to the "count the number of exploits" school?
Other factors are not even mentioned including likelihood,
configuration, actual breaches etc.

Yes, and you can conclude a large scale investigation into all these
factors, while the rest of us wait :)
The whole point of this post is what is 'more secure' and how is it
determined? Most of the popular press and news group postings
apparently have no idea about security metrics and are quite content
to state browser A is better or worse than browser B simply based on
number of unpatched vulnerabilities or their severity. It's just not
that simple.

The funny thing is, while I agree with you on principle, in many ways,
you are using this as a philosophical excuse to avoid saying what any
common sense reading of the situation would say, that is, Firefox is
safer.

Your post above where Firefox "wins" is as much an admission as
anything. It seems to me that you are so desperate to defend IE, that
you prefer to confess that you don't know anything about which is more
secure plus pleading about uncertainty of the future.
 
Aaron

Of course you are.

"At this very moment one browser MAY be 'more secure' than another but
in a blink of an eye a new vulnerability will be discovered and the
tables turned."

Heh. Using fuzzy logic isn't playing fair :)
 
Fuzzy Logic

How do you know whether any one of them were related to a browser
vulnerability, let alone know with such certainty that 0% were
related?

Of course I cannot be 100% certain. But when the user tells us they recently
downloaded this cool free program/screensaver that's a good clue.
 
Fuzzy Logic

...and you don't consider that a security issue?

Downloading is required as part of many people's jobs here. We do have
policies against certain types of network activity but currently no policy
with respect to general downloads. The biggest security risk IMO is not the
OS or the browser but the person using it. We do security training but some
people are harder to train than others.
 
Fuzzy Logic

Answer any way you please.

I personally believe that either browser can be made very secure or
insecure depending on how it's configured. Without giving very specific
criteria on how the browser is configured, the OS used, plugins installed
etc. it's pretty much impossible to state which is "more secure".

Thank you. I'm sure any person with any common sense, would conclude
that a browser that has less critical exploits, less easily accessed and
has faster patches to solve the problem is the more secure browser.

Or do you subscribe to the "count the number of exploits" school?

I subscribe to the "it's not that simple" school. It's not just number of
vulnerabilities, or their criticality. A key metric that is missing is the
likelihood of the occurrence. How serious is a critical vulnerability in a
browser that has never been exploited because the exploit is too difficult
to implement in the real world? Anti-virus vendors rate virus threats not
just on the damage they can do but on their actual infections. I would
like to see groups like Secunia do risk assessments similar to what McAfee
is doing with viruses and factor in the "prevalence rate":

http://www.networkassociates.com/us/security/resources/risk_assessment.htm
http://mast.mcafee.com/

As an analogy my house is vulnerable to a meteorite. Should I be
concerned? Should I try to correct this problem? Is this a design flaw?
Maybe I should live in a bunker?

Yes, and you can conclude a large scale investigation into all these
factors, while the rest of us wait :)

Or just take interested parties' word for it?

The funny thing is, while I agree with you on principle, in many ways,
you are using this as a philosophical excuse to avoid saying what any
common sense reading of the situation would say, that is, Firefox is
safer.

Only according to popular press and interested parties. Here Symantec and
Mozilla quibble over what makes a browser "more secure":

http://www.techweb.com/wire/security/159905537

Note the mention of "no known real world exploits". Apparently that's
important as the Firefox spokesman used it to say the critical
vulnerability really wasn't.

Your post above where Firefox "wins" is as much an admission as
anything. It seems to me that you are so desperate to defend IE, that
you prefer to confess that you don't know anything about which is more
secure plus pleading about uncertainty of the future.

I am not desperate to defend IE or put down Firefox. I am desperate for
people to realize that the "more secure" issue is mostly smoke and
mirrors. Security is the new hot topic and not just in browsers.
Fear-mongering has worked very well in the past for Microsoft, more
recently by George Bush and now by Firefox supporters.

By simply stating your product is "more secure" than the competition you
can quickly gain market share and it's often difficult to dispute as the
average person apparently has a hard time processing anything bigger than
a sound bite while the popular press simply regurgitates press releases.

A good dose of skepticism might be the best security!
 
»Q«

Of course I cannot be 100% certain. But when the user tells us
they recently download this cool free program/screensaver that's a
good clue.

And they invariably tell you of some willful install?
 
»Q«

http://www.techweb.com/wire/security/159905537

Note the mention of "no known real world exploits". Apparently that's
important as the Firefox spokesman used it to say the critical
vulnerability really wasn't.

I note that he didn't claim the vulnerability was not critical. In
fact, the word 'critical' appears nowhere in the TechWeb article.

He points out that no harm was done (because the vulnerability was
fixed before it was publicly known). If to you that means the
vulnerability was not critical, so be it, but he did not say or imply
that it was not.

I am not desperate to defend IE or put down Firefox. I am
desperate for people to realize that the "more secure" issue is
mostly smoke and mirrors.

Then you should probably post some evidence that it's smoke and
mirrors.
 
Aaron

yet.

I regularly run AV and spyware scans and both return 0 results. I just
ran the latest browser security test and had 0 vulnerabilities. In
addition I ran the rootkit detector and that came up clean as well.

RootkitRevealer

<http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml>

Do I really need to point out links where rootkits are invisible to this?

Of course none of these guarantee there isn't something lurking on my
machine but I'm fairly confident that isn't the case.

Yes, funny you still use these tools, even though you don't have a
perfect guarantee that they can detect everything.

The way you talk about browsers, I would think that you wouldn't bother
since on some performance measure I'm sure your normal Antivirus
outperforms rootkit revealer :)
 
Fuzzy Logic

I note that he didn't claim the vulnerability was not critical. In
fact, the word 'critical' appears nowhere in the TechWeb article.

My mistake. He's just trying to understate the threat since it was never
announced to Firefox users until after the patch was released.

Secunia rated the vulnerabilities as "highly critical" due to the ability to
allow the execution of arbitrary code:

http://secunia.com/advisories/14654/

So apparently ISS and Firefox developers knew of the risk but didn't bother
to inform anyone else until they had a fix.

He points out that no harm was done (because the vulnerability was
fixed before it was publicly known). If to you that means the
vulnerability was not critical, so be it, but he did not say or imply
that it was not.


Then you should probably post some evidence that it's smoke and
mirrors.

How about this (I'm sure you'll like it):

http://story.news.yahoo.com/news?tmpl=story&ncid=1817&e=1
&u=/cmp/20050326/tc_cmp/159906119&sid=96120750

The above is one long url that's likely been wrapped.

I've regularly run ScanIT's browser security test (all tests) and always get
a 100% secure rating but apparently I've been at risk for most of 2004?!

Since these stats are based on "the time between the disclosure of the
vulnerability and when a patch was issued" the above Firefox patch may be
classified as a 0 day patch since it wasn't even disclosed to the public
until a patch was available. Again no mention is made of exploits in the
wild. I may be vulnerable but if no one is taking advantage of it because
it's just too darn hard to do, how serious is it?

I will certainly say that Mozilla has the best intentions with regard to
security whereas it's easy to question Microsoft's. This in itself doesn't
imply that Mozilla makes a "more secure" product.
 
»Q«

My mistake. He's just trying to understate the threat since it was
never announced to Firefox users until after the patch was
released.

Understate the threat? He didn't state the threat at all.

/You/ just pointed out again the fact that the vulnerability was not
publicly known before being fixed; does this mean that /you/ are
trying to 'understate the threat'?

Secunia rated the vulnerabilities as "highly critical" due to the
ability to allow the execution of arbitrary code:

I agree with them. The Moz spokesperson in no way disagreed with
them. I haven't heard of anyone saying that an
arbitrary-code-execution vulnerability is not critical.

So apparently ISS and Firefox developers knew of the risk but
didn't bother to inform anyone else until they had a fix.


How about this (I'm sure you'll like it):

http://story.news.yahoo.com/news?tm...u=/cmp/20050326/tc_cmp/159906119&sid=96120750

I've regularly run ScanIT's browser security test (all tests) and
always get a 100% secure rating but apparently I've been at risk
for most of 2004?!

What leads you to the conclusion that you have been at risk for most
of 2004? Did you read the article? It makes explicitly clear what
the numbers being reported mean; there is no obfuscation or 'smoke
and mirrors'.

Since these stats are based on "the time between the disclosure of
the vulnerability and when a patch was issued" the above Firefox
patch may be classified as a 0 day patch since it wasn't even
disclosed to the public until a patch was available.

Yes, wrt the vulnerabilities which were undisclosed. (That Fx
version fixed both disclosed and undisclosed ones.) The same
goes for Microsoft patches they release before disclosing
vulnerabilities.

Again no mention is made of exploits in the wild.

??? ITW exploits are specifically addressed in the article.

I retract my question about whether or not you actually read the
article. Clearly, you didn't. Normally, I would not harp on this,
but to hold up an article you haven't read as an example of the
alleged 'mostly smoke and mirrors' seems a bit beyond the pale.

To save you the trouble of scrolling up to click the link you
posted, here's the part that mentions ITW exploits:

During 200 days (54 percent of the time), there was a worm
or virus on the loose that exploited one of the unpatched IE
vulnerabilities.
. . .
At no time in 2004 were worms or viruses circulating that
exploited one of the unpatched Firefox vulnerabilities.

I may be vulnerable but if no one is taking advantage of it
because it's just too darn hard to do, how serious is it?

Hmm.
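The "days of risk" figures quoted above (days on which a disclosed vulnerability was still unpatched, and the subset of those days on which a worm or virus in the wild was exploiting one) worked through as an added example; this is not code from the thread or from the article's authors, and the advisory dates are constructed sample values rather than real disclosure data.

```python
from datetime import date, timedelta

# Constructed sample advisories (not real data). Each entry is
# (disclosure date, patch date, date an in-the-wild exploit appeared or None).
# The third entry was fixed before disclosure, the case discussed in the
# thread for the Firefox fix that was never publicly announced beforehand;
# under this metric it contributes zero days of risk.
SAMPLE_ADVISORIES = [
    (date(2004, 1, 10), date(2004, 3, 1), date(2004, 1, 20)),
    (date(2004, 2, 15), date(2004, 2, 20), None),
    (date(2004, 6, 1), date(2004, 5, 20), None),
    (date(2004, 9, 1), date(2005, 1, 15), date(2004, 11, 1)),
]

YEAR_START = date(2004, 1, 1)
YEAR_END = date(2004, 12, 31)


def days_at_risk(advisories, start=YEAR_START, end=YEAR_END):
    """Return (unpatched_days, exploited_days) within [start, end].

    A day is 'unpatched' if at least one advisory was disclosed on or before
    that day and not yet patched; it is 'exploited' if, in addition, an
    in-the-wild exploit for that advisory already existed. Days are collected
    in sets so overlapping windows from several advisories count only once,
    which is why the metric cannot be obtained by summing per-advisory gaps.
    """
    unpatched, exploited = set(), set()
    for disclosed, patched, itw in advisories:
        if patched <= disclosed:
            continue  # fix shipped before disclosure: no exposure window
        day = max(disclosed, start)
        last = min(patched - timedelta(days=1), end)
        while day <= last:
            unpatched.add(day)
            if itw is not None and itw <= day:
                exploited.add(day)
            day += timedelta(days=1)
    return len(unpatched), len(exploited)


def risk_summary(advisories, start=YEAR_START, end=YEAR_END):
    """Percentages in the form the article reports ('54 percent of the time')."""
    total = (end - start).days + 1
    unpatched, exploited = days_at_risk(advisories, start, end)
    return {
        "days_in_period": total,
        "unpatched_days": unpatched,
        "unpatched_pct": round(100 * unpatched / total, 1),
        "exploited_days": exploited,
        "exploited_pct": round(100 * exploited / total, 1),
    }


if __name__ == "__main__":
    print(risk_summary(SAMPLE_ADVISORIES))
```

The two counts differ for the same data, which is the distinction the thread keeps circling: an unpatched window is not the same thing as an exploited one, and a scanner that probes a fixed list of tests measures neither.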
 
Fuzzy Logic

I retract my question about whether or not you actually read the
article. Clearly, you didn't. Normally, I would not harp on this,
but to hold up an article you haven't read as an example of the
alleged 'mostly smoke and mirrors' seems a bit beyond the pale.

How can ScanIT have a browser security test that claims my browser is 100%
secure and at the same time say it was insecure 98% of 2004? I probably ran
the test once a month during 2004.

Is my browser secure or not? The same source is giving me two different
stories.
 
»Q«

How can ScanIT have a browser security test that claims my browser
is 100% secure and at the same time say it was insecure 98% of
2004? I probably ran the test once a month during 2004.

It makes no such claim when I run the tests. Quoting from the results
page after tests have completed:

The Browser Security Test is finished. Please find the results
below:

High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

It looks an awful lot like a tally of vulnerabilities found by the
testing rather than an assertion that the browser is "100% secure".

Given your history in this thread, I can only guess that you made up
the thing about their scanner telling you that your browser is 100%
secure. If you were actually confused about the results of the test,
you might have browsed their FAQ.

Why don't you show the vulnerability statistics by browser type?

We don't provide this statistics for a reason. This kind of
statistics would be misleading, because it will reflect what
vulnerabilities we test, rather then [sic] what browsers are
vulnerable.

I hope that clears things up for you somewhat.

Is my browser secure or not?

I now believe you when you say there is no way for you to tell how
secure your browser is. Fortunately, this applies only to you.

The same source is giving me two different stories.

No, it is not. You took two pieces of information from the same
source and read them in a very strange way, perhaps willfully.
 
Fuzzy Logic

It makes no such claim when I run the tests. Quoting from the results
page after tests have completed:

The Browser Security Test is finished. Please find the results
below:

High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

It looks an awful lot like a tally of vulnerabilities found by the
testing rather than an assertion that the browser is "100% secure".

Given your history in this thread, I can only guess that you made up
the thing about their scanner telling you that your browser is 100%
secure. If you were actually confused about the results of the test,
you might have browsed their FAQ.

My mistake, I was having a rough day at work. What I meant to say is it
found no vulnerabilities in my browser. Of course no browser is 100% secure.

Yet at the same time ScanIT claims my browser had vulnerabilities for most
of 2004. To me this either means they were unable to come up with a way to
exploit the vulnerability via their test pages (no real world exploit?) or
their assertion that I was vulnerable is wrong.
 
»Q«

Yet at the same time ScanIT claims my browser had vulnerabilities
for most of 2004. To me this either means they were unable to come
up with a way to exploit the vulnerability via their test pages
(no real world exploit?) or their assertion that I was vulnerable
is wrong.

There is no reason to assume that their web service tests for every
vulnerability that has an in-the-wild exploit.

They say that for 200 days of 2004, there were IE vulnerabilities
which were both unpatched and exploited by something in the wild.
The fact that your IE passed their tests on a monthly basis in 2004
does not contradict that in any way.
 