Mozilla hits back at browser security claim

[Mobo]

Mozilla 'is in much better shape' than Microsoft when it comes to fixing security problems, claims the organisation

Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.

Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's "ability to react, find a solution and put it into the user's hands is better than Microsoft."

Nitot said that Mozilla's reaction time was faster than Microsoft's. "If you look at our ability to respond, we are in much better shape. On 6 September an IDN buffer issue was reported to Mozilla. On 8 September it was publicly disclosed. We ask our developers not to mention any problems until we have a fix for them, but for some reason he went public. On 9 September we had a configuration change that disabled the IDN problem, that users could implement manually, or they could use a patch. Within ten days we had a newer version that was fixed completely."

"If you look at Microsoft — this month they decided to skip a security patch," so any vulnerabilities won't be addressed, according to Nitot. "That's not the kind of thing that happens with us," he said.

He also argued that, according to security company Secunia's statistics, the Microsoft vulnerabilities were more critical, and had been so over a longer timescale. In the period 2003 to 2005 Secunia have issued 22 security advisories regarding Firefox 1.x, and rate it as "less critical". In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as "highly critical".

"Basically their vulnerabilities are more critical. With Firefox — yeah, you have holes, but they're much less serious." Nitot likened the differences between Firefox and IE vulnerabilities as being like injuries: "Which would you prefer, to have a broken finger, or your head ripped off?"

Ollie Whitehouse, a researcher at Symantec, thought that the results were surprising but were due to a number of factors, primarily the short uptake time for Firefox and the fact that it was open source.

"Firstly, there has been a wide adoption of Firefox in a short space of time. More security researchers and people with more nefarious motives have been able to look at the code base. Secondly, as Firefox is open source more people have access to the code base, so they are free to look for bugs. IE is closed source, and so it's more difficult to access the code."

"Rogue Web sites find Firefox is quite difficult to exploit because it runs on a large number of platforms."

When asked to comment on Nitot's point about the short timeframe of the study, Whitehouse responded, "Up until now Firefox has had a lot less holes [than IE] — but it has had a wider adoption in the last six months. It will be interesting to see whether this is a blip, or whether the trend will continue."

"As Firefox becomes more popular, it becomes a more attractive target. People who have swapped [from IE to Firefox], even if this is a blip, should ask whether the assumption that Firefox is more secure than IE is valid anymore. They shouldn't just rely on changing their browser, but may think about having to look at a different configuration."

[Melodi]

Don't call me an apple fanatic, but if you want a system that keeps hackers for the most, right now out of your computer an Apple is the way to go. Their browser is called Safari and the Apple platform is built on UNIX technology making it much more difficult for the average hacker to get in. The functionality is there too. I went into my Apple training as a true Windows user, but I came out with a better attitude about MAC. It's not perfect and eventually hackers will find a way in, but it's very secure.

It has been said that MAC's biggest vulnerability is a user running Mozilla Firefox. I'm a Firefox user for sure, over IE, but I liked the .09 version of Firefox, they should have stopped.

[Mobo]

I dont disagree but my philosophy is your safer with the devil you know that the devil you dont know..

Like my server here running windows. Some say im crazy that they are insecure so I sought some qualified advice. It can be secure and if anyone gets in I will know whereas on a nix server the hacker may go undetected because (A) I may not know the system well enough ([img]style_emoticons/<#EMO_DIR#>/cool.gif[/img] The hackers may be smart enough to cover tracks since they would be so far more nix wise.

[Melodi]

I was playing the devil's advocate Mobo, you KNOW I'm a windows user and it's my policy to put nothing on my computer that hackers would want and nothing that if the HDD suddenly fails, I would miss too terribly much. Security is almost a state of mind. Just like walking thru a dark alley at night in the gang part of town, you can do it, but it's not advisable and you really have to apply that philosiphy to everything in life.

If you live vulnerably, you will be vulnerable. and I still think that Firefox .09 was the best and they should stop trying to be so darned user friendly. Apple definately does not strive to be user friendly. :biggrin:
now answer my PM please