MESSAGE
| DATE | 2005-03-25 |
| FROM | Ruben Safir Secretary NYLXS
|
| SUBJECT | Re: [hangout] Note: If IE is insecure - WINDOWS is INSECURE
|
From owner-hangouts-destenys-at-mrbrklyn.com Fri Mar 25 20:18:34 2005
X-UIDL: Xil!!Xp6"!fj6"!%TG"!
Received: from www2.mrbrklyn.com (localhost [127.0.0.1])
by mrbrklyn.com (8.12.11/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id j2Q1IYm3010784
for ; Fri, 25 Mar 2005 20:18:34 -0500
Received: (from mdom-at-localhost)
by www2.mrbrklyn.com (8.12.11/8.12.3/Submit) id j2Q1IYGF010783
for hangouts-destenys; Fri, 25 Mar 2005 20:18:34 -0500
X-Authentication-Warning: www2.mrbrklyn.com: mdom set sender to owner-hangouts-at-www2.mrbrklyn.com using -f
Received: from www2.mrbrklyn.com (localhost [127.0.0.1])
by mrbrklyn.com (8.12.11/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id j2Q1IXZX010778;
Fri, 25 Mar 2005 20:18:33 -0500
Received: (from ruben-at-localhost)
by www2.mrbrklyn.com (8.12.11/8.12.3/Submit) id j2Q1IXbR010777;
Fri, 25 Mar 2005 20:18:33 -0500
Date: Fri, 25 Mar 2005 20:18:33 -0500
From: Ruben Safir Secretary NYLXS
To: Ruben Safir
Cc: "hangout-at-nylxs.com"
Subject: Re: [hangout] Note: If IE is insecure - WINDOWS is INSECURE
Message-ID: <20050326011833.GA10766-at-www2.mrbrklyn.com>
References: <1111799967.5335.0.camel-at-flatbush.mrbrklyn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1111799967.5335.0.camel-at-flatbush.mrbrklyn.com>
User-Agent: Mutt/1.3.27i
Sender: owner-hangouts-at-mrbrklyn.com
Precedence: bulk
Reply-To: Ruben Safir Secretary NYLXS
List: New Yorker GNU Linux Scene
Admin: To unsubscribe send unsubscribe name-at-domian.com in the body to hangout-request-at-www2.mrbrklyn.com
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on www2.mrbrklyn.com
X-Spam-Status: No, score=-5.9 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_00
autolearn=ham version=3.0.0
X-Spam-Level:
X-Keywords:
X-UID: 39574
Status: RO
Content-Length: 10745
Lines: 201
Sorry - this is a better format
-----------------------------------
As Mozilla and Microsoft executives argue about which browser -- Firefox
or Internet Explorer -- is more secure, fans of the former have numbers
on their side, a Belgian security consultancy said this week.
According to Brussels-based ScanIT, users of Microsoft's Internet Explorer
(IE) were "unsafe" 98 percent of the time during 2004, while Mozilla
users -- which would include those using Mozilla and Firefox -- were
"unsafe" only 15 percent of last year.
ScanIT determined the unsafe periods by examining the life spans of
vulnerabilities in IE, Mozilla, and Opera -- a Norwegian browser that
has a nearly insignificant share of the U.S. market -- which could be
exploited remotely by attackers. By documenting the time between the
disclosure of the vulnerability and when a patch was issued, ScanIT
calculated the total number of days each browser was vulnerable. It
also matched those vulnerable dates against periods when out-in-the-wild
exploits were making the rounds.
IE was vulnerable all but seven days of 2004, or 98 percent of the
year. "There was only one period in 2004 when there were no publicly
known remote code execution bugs," said ScanIT's report. "Between the
12th and the 19th of October. That means a fully patched Internet Explorer
installation was known to be unsafe for 98 percent of 2004."
During 200 days (54 percent of the time), there was a worm or virus on the
loose that exploited one of the unpatched IE vulnerabilities. (ScanIT's
IE vulnerability timeline can be found here.)
In comparison, Firefox (and the other Mozilla browsers) was vulnerable
only 56 days in 2004 (15 percent of the time) during off-and-on stretches
starting in May. At no time in 2004 were worms or viruses circulating
that exploited one of the unpatched Firefox vulnerabilities.
"In 2004, Mozilla was not targeted by malware writers," ScanIT's report
said to explain why Firefox wasn't at risk last year. "But this might
change as Mozilla software gains popularity."
Even then, however, ScanIT said Mozilla/Firefox may still have an
advantage over IE. "Security researchers seem to be more inclined to
report vulnerabilities privately to the Mozilla development team rather
than publish them immediately," said the report. "This might be because
the Mozilla project produces free open-source software, and being nice to
it is considered 'A Good Thing.'" ScanIT also considered Mozilla's bug
bounty, which pays $500 to users reporting critical flaws, as playing
a part.
Naturally, Mozilla Foundation executives touted the ScanIT data. "Their
research points out that Microsoft's IE was 'unsafe' for 98 percent of
2004, while we were 'unsafe' only 15 percent of the time," said Chris
Hofmann, chief of engineering at Mozilla. "This is really the metric
that makes the most sense to most users." Earlier in the week, in fact,
Mitchell Baker, the president of Mozilla, claimed that her foundation's
browsers were inherently more secure because they weren't tied to the
Windows operating system, and rejected the idea that a boost in market
share would make Firefox more vulnerable.
Her head of engineer tweaked that message a bit in an e-mail to
TechWeb. "People really should be looking at the architecture of the
browsers and the source of potential vulnerability," said Mozilla's
Hofmann. "Browsers share many of the same architectural components,
but it's been Microsoft proprietary extensions to the browser such as
ActiveX, and the complex Microsoft Security Zone model, where the most
severe exploits have surfaced in the past and continue to be exploited.
"Microsoft has made strides in securing these areas in [Windows XP] SP2,
but in some ways they were Band-Aids on an insecure architecture."
Microsoft, of course, doesn't see it that way. In his blog, IE product
manager Dave Massy first defended his browser. "As we develop IE we
go through very thorough and stringent security reviews to ensure that
every change is secure and does not expose the user to attack."
Next, he took issue with Baker's claim that IE would always have more bugs
because it was tied so tightly to Windows. "The security of any browser
is irrelevant if it is part of the operating system," Massy said. "If we
are to debate security of browsers then let's bring in relevant arguments
and accurate details about different possible attacks rather than rely
on the irrational fear that because IE is part of the operating system
it must be exposing OS functionality to the Web."
Interestingly, a third party -- Alfred Huger, the vice president of
engineering for Symantec's security research group -- isn't sure which
browser will be less or more secure going forward, but is sure of one
thing: attackers will continue to focus on browsers.
"Everyone has a browser, so it's the biggest possible audience," he
said. "Hackers will be targeting Web clients with greater effort in 2005,
something that's definitely going to get a lot of attention." As Mozilla
and Microsoft executives argue about which browser -- Firefox or Internet
Explorer -- is more secure, fans of the former have numbers on their side,
a Belgian security consultancy said this week.
According to Brussels-based ScanIT, users of Microsoft's Internet Explorer
(IE) were "unsafe" 98 percent of the time during 2004, while Mozilla
users -- which would include those using Mozilla and Firefox -- were
"unsafe" only 15 percent of last year.
ScanIT determined the unsafe periods by examining the life spans of
vulnerabilities in IE, Mozilla, and Opera -- a Norwegian browser that
has a nearly insignificant share of the U.S. market -- which could be
exploited remotely by attackers. By documenting the time between the
disclosure of the vulnerability and when a patch was issued, ScanIT
calculated the total number of days each browser was vulnerable. It
also matched those vulnerable dates against periods when out-in-the-wild
exploits were making the rounds.
IE was vulnerable all but seven days of 2004, or 98 percent of the
year. "There was only one period in 2004 when there were no publicly
known remote code execution bugs," said ScanIT's report. "Between the
12th and the 19th of October. That means a fully patched Internet Explorer
installation was known to be unsafe for 98 percent of 2004."
During 200 days (54 percent of the time), there was a worm or virus on the
loose that exploited one of the unpatched IE vulnerabilities. (ScanIT's
IE vulnerability timeline can be found here.)
In comparison, Firefox (and the other Mozilla browsers) was vulnerable
only 56 days in 2004 (15 percent of the time) during off-and-on stretches
starting in May. At no time in 2004 were worms or viruses circulating
that exploited one of the unpatched Firefox vulnerabilities.
"In 2004, Mozilla was not targeted by malware writers," ScanIT's report
said to explain why Firefox wasn't at risk last year. "But this might
change as Mozilla software gains popularity."
Even then, however, ScanIT said Mozilla/Firefox may still have an
advantage over IE. "Security researchers seem to be more inclined to
report vulnerabilities privately to the Mozilla development team rather
than publish them immediately," said the report. "This might be because
the Mozilla project produces free open-source software, and being nice to
it is considered 'A Good Thing.'" ScanIT also considered Mozilla's bug
bounty, which pays $500 to users reporting critical flaws, as playing
a part.
Naturally, Mozilla Foundation executives touted the ScanIT data. "Their
research points out that Microsoft's IE was 'unsafe' for 98 percent of
2004, while we were 'unsafe' only 15 percent of the time," said Chris
Hofmann, chief of engineering at Mozilla. "This is really the metric
that makes the most sense to most users." Earlier in the week, in fact,
Mitchell Baker, the president of Mozilla, claimed that her foundation's
browsers were inherently more secure because they weren't tied to the
Windows operating system, and rejected the idea that a boost in market
share would make Firefox more vulnerable.
Her head of engineer tweaked that message a bit in an e-mail to
TechWeb. "People really should be looking at the architecture of the
browsers and the source of potential vulnerability," said Mozilla's
Hofmann. "Browsers share many of the same architectural components,
but it's been Microsoft proprietary extensions to the browser such as
ActiveX, and the complex Microsoft Security Zone model, where the most
severe exploits have surfaced in the past and continue to be exploited.
"Microsoft has made strides in securing these areas in [Windows XP] SP2,
but in some ways they were Band-Aids on an insecure architecture."
Microsoft, of course, doesn't see it that way. In his blog, IE product
manager Dave Massy first defended his browser. "As we develop IE we
go through very thorough and stringent security reviews to ensure that
every change is secure and does not expose the user to attack."
Next, he took issue with Baker's claim that IE would always have more bugs
because it was tied so tightly to Windows. "The security of any browser
is irrelevant if it is part of the operating system," Massy said. "If we
are to debate security of browsers then let's bring in relevant arguments
and accurate details about different possible attacks rather than rely
on the irrational fear that because IE is part of the operating system
it must be exposing OS functionality to the Web."
Interestingly, a third party -- Alfred Huger, the vice president of
engineering for Symantec's security research group -- isn't sure which
browser will be less or more secure going forward, but is sure of one
thing: attackers will continue to focus on browsers.
"Everyone has a browser, so it's the biggest possible audience," he
said. "Hackers will be targeting Web clients with greater effort in
2005, something that's definitely going to get a lot of attention."
-- __________________________ Brooklyn Linux Solutions
So many immigrant groups have swept through our town that Brooklyn, like
Atlantis, reaches mythological proportions in the mind of the world -
RI Safir 1998
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://fairuse.nylxs.com
http://www.mrbrklyn.com - Consulting http://www.inns.net <-- Happy
Clients http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and
articles from around the net http://www2.mrbrklyn.com/downtown.html -
See the New Downtown Brooklyn....
____________________________
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc
|
|
