MESSAGE
| DATE | 2005-03-25 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [hangout] Note: If IE is insecure - WINDOWS is INSECURE
|
As Mozilla
and
Microsoft
executives
argue about
which
browser -
Firefox or
Internet
Explorer -
is more
secure, fans
of the
former have
numbers on
their side,
says a
security
firm.
By Gregg
Keizer
TechWeb News
As Mozilla
and
Microsoft
executives
argue about
which
browser --
Firefox or
Internet
Explorer --
is more
secure, fans
of the
former have
numbers on
their side,
a Belgian
security
consultancy
said this
week.
According to
Brussels-based ScanIT, users of Microsoft's Internet Explorer (IE) were "unsafe" 98 percent of the time during 2004, while Mozilla users -- which would include those using Mozilla and Firefox -- were "unsafe" only 15 percent of last year.
ScanIT
determined
the unsafe
periods by
examining
the life
spans of
vulnerabilities in IE, Mozilla, and Opera -- a Norwegian browser that has a nearly insignificant share of the U.S. market -- which could be exploited remotely by attackers. By documenting the time between the disclosure of the vulnerability and when a patch was issued, ScanIT calculated the total number of days each browser was vulnerable. It also matched those vulnerable dates against periods when out-in-the-wild exploits were making the rounds.
IE was
vulnerable
all but
seven days
of 2004, or
98 percent
of the year.
"There was
only one
period in
2004 when
there were
no publicly
known remote
code
execution
bugs," said
ScanIT's
report.
"Between the
12th and the
19th of
October.
That means a
fully
patched
Internet
Explorer
installation
was known to
be unsafe
for 98
percent of
2004."
During 200
days (54
percent of
the time),
there was a
worm or
virus on the
loose that
exploited
one of the
unpatched IE
vulnerabilities. (ScanIT's IE vulnerability timeline can be found here.)
In
comparison,
Firefox (and
the other
Mozilla
browsers)
was
vulnerable
only 56 days
in 2004 (15
percent of
the time)
during
off-and-on
stretches
starting in
May. At no
time in 2004
were worms
or viruses
circulating
that
exploited
one of the
unpatched
Firefox
vulnerabilities.
"In 2004,
Mozilla was
not targeted
by malware
writers,"
ScanIT's
report said
to explain
why Firefox
wasn't at
risk last
year. "But
this might
change as
Mozilla
software
gains
popularity."
Even then,
however,
ScanIT said
Mozilla/Firefox may still have an advantage over IE. "Security researchers seem to be more inclined to report vulnerabilities privately to the Mozilla development team rather than publish them immediately," said the report. "This might be because the Mozilla project produces free open-source software, and being nice to it is considered 'A Good Thing.'" ScanIT also considered Mozilla's bug bounty, which pays $500 to users reporting critical flaws, as playing a part.
Naturally,
Mozilla
Foundation
executives
touted the
ScanIT data.
"Their
research
points out
that
Microsoft's
IE was
'unsafe' for
98 percent
of 2004,
while we
were
'unsafe'
only 15
percent of
the time,"
said Chris
Hofmann,
chief of
engineering
at Mozilla.
"This is
really the
metric that
makes the
most sense
to most
users."
Earlier in
the week, in
fact,
Mitchell
Baker, the
president of
Mozilla,
claimed that
her
foundation's
browsers
were
inherently
more secure
because they
weren't tied
to the
Windows
operating
system, and
rejected the
idea that a
boost in
market share
would make
Firefox more
vulnerable.
Her head of
engineer
tweaked that
message a
bit in an
e-mail to
TechWeb.
"People
really
should be
looking at
the
architecture
of the
browsers and
the source
of potential
vulnerability," said Mozilla's Hofmann. "Browsers share many of the same architectural components, but it's been Microsoft proprietary extensions to the browser such as ActiveX, and the complex Microsoft Security Zone model, where the most severe exploits have surfaced in the past and continue to be exploited.
"Microsoft
has made
strides in
securing
these areas
in [Windows
XP] SP2, but
in some ways
they were
Band-Aids on
an insecure
architecture."
Microsoft,
of course,
doesn't see
it that way.
In his blog,
IE product
manager Dave
Massy first
defended his
browser. "As
we develop
IE we go
through very
thorough and
stringent
security
reviews to
ensure that
every change
is secure
and does not
expose the
user to
attack."
Next, he
took issue
with Baker's
claim that
IE would
always have
more bugs
because it
was tied so
tightly to
Windows.
"The
security of
any browser
is
irrelevant
if it is
part of the
operating
system,"
Massy said.
"If we are
to debate
security of
browsers
then let's
bring in
relevant
arguments
and accurate
details
about
different
possible
attacks
rather than
rely on the
irrational
fear that
because IE
is part of
the
operating
system it
must be
exposing OS
functionality to the Web."
Interestingly, a third party -- Alfred Huger, the vice president of engineering for Symantec's security research group -- isn't sure which browser will be less or more secure going forward, but is sure of one thing: attackers will continue to focus on browsers.
"Everyone
has a
browser, so
it's the
biggest
possible
audience,"
he said.
"Hackers
will be
targeting
Web clients
with greater
effort in
2005,
something
that's
definitely
going to get
a lot of
attention."
As Mozilla
and
Microsoft
executives
argue about
which
browser --
Firefox or
Internet
Explorer --
is more
secure, fans
of the
former have
numbers on
their side,
a Belgian
security
consultancy
said this
week.
According to
Brussels-based ScanIT, users of Microsoft's Internet Explorer (IE) were "unsafe" 98 percent of the time during 2004, while Mozilla users -- which would include those using Mozilla and Firefox -- were "unsafe" only 15 percent of last year.
ScanIT
determined
the unsafe
periods by
examining
the life
spans of
vulnerabilities in IE, Mozilla, and Opera -- a Norwegian browser that has a nearly insignificant share of the U.S. market -- which could be exploited remotely by attackers. By documenting the time between the disclosure of the vulnerability and when a patch was issued, ScanIT calculated the total number of days each browser was vulnerable. It also matched those vulnerable dates against periods when out-in-the-wild exploits were making the rounds.
IE was
vulnerable
all but
seven days
of 2004, or
98 percent
of the year.
"There was
only one
period in
2004 when
there were
no publicly
known remote
code
execution
bugs," said
ScanIT's
report.
"Between the
12th and the
19th of
October.
That means a
fully
patched
Internet
Explorer
installation
was known to
be unsafe
for 98
percent of
2004."
During 200
days (54
percent of
the time),
there was a
worm or
virus on the
loose that
exploited
one of the
unpatched IE
vulnerabilities. (ScanIT's IE vulnerability timeline can be found here.)
In
comparison,
Firefox (and
the other
Mozilla
browsers)
was
vulnerable
only 56 days
in 2004 (15
percent of
the time)
during
off-and-on
stretches
starting in
May. At no
time in 2004
were worms
or viruses
circulating
that
exploited
one of the
unpatched
Firefox
vulnerabilities.
"In 2004,
Mozilla was
not targeted
by malware
writers,"
ScanIT's
report said
to explain
why Firefox
wasn't at
risk last
year. "But
this might
change as
Mozilla
software
gains
popularity."
Even then,
however,
ScanIT said
Mozilla/Firefox may still have an advantage over IE. "Security researchers seem to be more inclined to report vulnerabilities privately to the Mozilla development team rather than publish them immediately," said the report. "This might be because the Mozilla project produces free open-source software, and being nice to it is considered 'A Good Thing.'" ScanIT also considered Mozilla's bug bounty, which pays $500 to users reporting critical flaws, as playing a part.
Naturally,
Mozilla
Foundation
executives
touted the
ScanIT data.
"Their
research
points out
that
Microsoft's
IE was
'unsafe' for
98 percent
of 2004,
while we
were
'unsafe'
only 15
percent of
the time,"
said Chris
Hofmann,
chief of
engineering
at Mozilla.
"This is
really the
metric that
makes the
most sense
to most
users."
Earlier in
the week, in
fact,
Mitchell
Baker, the
president of
Mozilla,
claimed that
her
foundation's
browsers
were
inherently
more secure
because they
weren't tied
to the
Windows
operating
system, and
rejected the
idea that a
boost in
market share
would make
Firefox more
vulnerable.
Her head of
engineer
tweaked that
message a
bit in an
e-mail to
TechWeb.
"People
really
should be
looking at
the
architecture
of the
browsers and
the source
of potential
vulnerability," said Mozilla's Hofmann. "Browsers share many of the same architectural components, but it's been Microsoft proprietary extensions to the browser such as ActiveX, and the complex Microsoft Security Zone model, where the most severe exploits have surfaced in the past and continue to be exploited.
"Microsoft
has made
strides in
securing
these areas
in [Windows
XP] SP2, but
in some ways
they were
Band-Aids on
an insecure
architecture."
Microsoft,
of course,
doesn't see
it that way.
In his blog,
IE product
manager Dave
Massy first
defended his
browser. "As
we develop
IE we go
through very
thorough and
stringent
security
reviews to
ensure that
every change
is secure
and does not
expose the
user to
attack."
Next, he
took issue
with Baker's
claim that
IE would
always have
more bugs
because it
was tied so
tightly to
Windows.
"The
security of
any browser
is
irrelevant
if it is
part of the
operating
system,"
Massy said.
"If we are
to debate
security of
browsers
then let's
bring in
relevant
arguments
and accurate
details
about
different
possible
attacks
rather than
rely on the
irrational
fear that
because IE
is part of
the
operating
system it
must be
exposing OS
functionality to the Web."
Interestingly, a third party -- Alfred Huger, the vice president of engineering for Symantec's security research group -- isn't sure which browser will be less or more secure going forward, but is sure of one thing: attackers will continue to focus on browsers.
"Everyone
has a
browser, so
it's the
biggest
possible
audience,"
he said.
"Hackers
will be
targeting
Web clients
with greater
effort in
2005,
something
that's
definitely
going to get
a lot of
attention."
____________________________
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc
|
|
