Mozilla has released updates for its Firefox browser, Thunderbird e-mail application and the SeaMonkey application suite to fix ‘critical’ security vulnerabilities. The vulnerabilities affect 1.5 versions of Firefox and Thunderbird as well as version 1 of the SeaMonkey suite, Mozilla said in its security advisories. The bugs do not affect Firefox 2.0, the latest version of the browser released late last month.
Not again!!
I have to admit though that 3 critical “own the box with no intervention” vulnerabilities are better than the usual 7 or 12.
There are 0 unless you’re still using an old version. I have to admit, I’m not too concerned about security issues in old products except to the extent that they might still be there in the new ones.
Firstly, none of the bugs affect the latest version of Firefox.
Take a look at the Microsoft Security Updates (all marked Critical and all patch 8-10 corruption vulnerabilities) – all affecting the latest versions of Internet Explorer (IE6 with SP2):
These are from the last year:
MS06-042
MS06-021
MS06-013
MS06-021
MS05-054 (only 4 ‘own the box’ bugs fixed)
Now try browsing the internet with 6.0SP1 or 5.5 and see how many popups, pop-unders, attempted-downloads and javascript errors you get.
…Now try browsing the same sites using Firefox.
nuff said.
All affecting the latest versions of Internet Explorer (IE6 with SP2)
The latest version is Internet Explorer 7, not 6 SP2. IE7 was released over three weeks ago.
Both FF2 and IE7.0 were pushed out (ignoring betas and non-automatic updates – 90% of users don’t care enough to update themselves) to users around the beginning of November (1st Nov. IE7, ~25th Oct FF2.0). Only one of the security alerts mentioned above was released after the 1st Nov, and even MS06-42 (released yesterday) was published 8 days after official automatic deployment of IE started.
The fact that NotRedmond is trying to take bites out of the fact that 3 flaws (only 2 are theoretical ‘own-the-box’ style flaws) were fixed in FF1.5 is facetious given that MS has just released 8 Critical own-the-box style patches for Internet Explorer 5.5.
Yes. And the versions of Firefox affected are old versions as well.
A comparison between an old Firefox release and an old IE release is quite reasonable, don’t you think?
For those (like me) who might be looking for Firefox 1.5.0.8 as opposed to 2.0, downloads are here:
http://www.mozilla.com/en-US/firefox/all-older.html
Still, 34 Critical “own the box” vulnerabilities in 2006 alone (plus another 33 not as serious) is not a great track record.
That’s 34 patches for critical vulnerabilities.
The number of bugs fixed is unknown.
The 3 patches in this case are for 17 entries in Bugzilla.
Edited 2006-11-09 19:43
Let’s clarify what NotRedmond is saying:
34 Critical vulnerabilities were discovered in 2006 alone. 3 of which were NOT “own the box” type vulnerabilities.
Mozilla offers a $500 bounty for anyone finding a new vulnerability in its software. That’s quite an incentive to look for mistakes. Firefox is also open source, meaning that anyone can comb the source code for vulnerabilities; therefore mistakes are 1000% more likely to be found by bounty-hunters, and fixed, than in MS products.
IE had 25 “own-the-box” vulnerabilities publicly disclosed in 2006. http://www.microsoft.com/technet/security/current.aspx . No Joe Public bounty hunter can examine the source for errors, so finding vulnerabilities… Also: Microsoft doesn’t agree with paying for vulnerability details – http://64.233.183.104/search?q=cache:t6NgN6yKNNEJ:news.com.com/2061…
Even though some limited bounty programs have been run for Microsoft products, these have been short-lived.
The quality of code is not reflected by the number of vulnerabilities, especially when the code cannot be examined for one of the products.
Also, look at the MTTP (Mean time to Patch) figures.
http://www.symantec.com/specprog/threatreport/ent-whitepaper_symant…
Quote: “Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day.”
34 Critical vulnerabilities were discovered in 2006 alone. 3 of which were NOT “own the box” type vulnerabilities
34 were designated critical by the Mozilla team. Another 33 were less serious.
The Mozilla definition of critical is:
“Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
Secunia has IE6 with 14 vulnerabilities in 2006, of which only 9 were critical or highly critical.
http://secunia.com/product/11/?task=advisories_2006
34 for Firefox vs. 9 for IE6. (Critical)
Edited 2006-11-09 21:17
Firstly, if you read the descriptions of the Mozilla bugs, 2 of them allow you to spoof certificates (doesn’t allow code execution) and another one crashes the browser (again, no code execution). Obviously Mozilla are misusing their definition of the critical state.
Secondly, Secunia has FF1.x with only 11 vulnerabilities in 2006, of which only 1 is unpatched and 7 were critical; NONE were highly critical.
You must learn to compare like with like. You can’t compare data from 2 different sites, collected with different criteria.
Comparing
ie6: http://secunia.com/product/11/?task=advisories_2006
with
firefox 1.x: http://secunia.com/product/4227/?task=statistics_2006
Let’s have some quotes:
“Microsoft Internet Explorer 6.x, with all vendor patches applied, is rated Extremely critical”
“Mozilla Firefox 1.x, with all vendor patches applied, is rated Less critical”
IE: Affected By 106 Secunia advisories
FF: Affected By 37 Secunia advisories
Advisories allowing System Access:
IE: out of 14, 56% = 7.84 or ~8 System Access Vulnerabilities.
FF: out of 11, 22% = 2.43 or ~2 System Access Vuln.
So, to sum up, according to Secunia:
IE: 14 vulns. 5 Unpatched, 9 critical or above, 1 Highly Critical still UNPATCHED
FF: 11 vulns. 1 Unpatched, 7 critical (none above).
HMM. Tsk Tsk( http://www.osnews.com/permalink.php?news_id=16415&comment_id=180470 ) to you I say.
Secondly, Secunia has FF1.x with only 11 vulnerabilities in 2006, of which only 1 is unpatched and 7 were critical; NONE were highly critical.
You must learn to compare like with like. You can’t compare data from 2 different sites, collected with different criteria.
Most of the ones on Secunia state “multiple vulnerabilities” and if you click on them you will get a better picture.
I went to Secunia/Microsoft/Mozilla and picked the site with the largest number of vulnerabilities assuming that if the number was smaller it meant some were missed or miscategorized, not that some were fabricated.
Secunia had a few more vulnerabilities in IE 6 than Microsoft did because of categorization.
If you disagree with Mozilla’s count of vulnerabilities in their own products, so be it. But they tend to be accurate.
Again, the point is that in 2006 Firefox had an atrocious record of security.
Most of the ones on Secunia state “multiple vulnerabilities” and if you click on them you will get a better picture.
The same applies for IE
not that some were fabricated
You have to compare numbers from the same site. When different sites say ‘critical’, they mean different things. I don’t think that any of the alerts have been fabricated.
Secunia had a few more vulnerabilities in IE 6 than Microsoft did because of categorization.
And?
If you disagree with Mozilla’s count of vulnerabilities in their own products, so be it. But they tend to be accurate.
I don’t. I’m just pointing out that if you read the information about each alert, some of those marked critical are not to do with ‘own the box’ vulnerabilities. Point of fact.
Again, the point is that in 2006 Firefox had an atrocious record of security.
If this is your view, then bully for you. But Firefox’s security record is no worse than Internet Explorer’s; it’s just that Firefox has more people publicizing each vulnerability AND people are used to Internet Explorer being a vulnerable piece of software.
What I can’t work out is whether NotParker hates Linux or Firefox more. Not that I care.
lol. It’s not that, it’s anything that competes with Microsoft.
I can’t believe he actually thinks you can compare numbers gathered by different people at different sites with different criteria and actually get useful information out of it.
Firefox certainly didn’t have a great year security-wise, and I hope they get better in the future. It sounds like Firefox 4 may be quite a bit better in this area, but we’ll have to wait and see.
I would still argue that it is doing much, much better than IE6. While the # of vulnerabilities were somewhat similar Firefox’s time to patch is understandably much better. In the end, I guess I would have to say the proof is in the pudding – I’ve never heard of anyone in real life getting owned through a security hole in Firefox, and the same can’t be said of IE6. I realize that is due to many factors, like hackers possibly targeting IE6 more heavily, but for the end user that doesn’t matter.
Edited 2006-11-09 23:38
I love this part (of the Symantec security threat report)
(paraphrase)
During the second half of 2005, the mean window of exposure for Internet Explorer users was 25 days. Firefox MWE was -2 days.
This means that the person who updates his software every day (automatic updates) could be exposed to exploits for vulnerabilities for 25 days before a patch is released. Firefox users tend to have the patch 2 days BEFORE the exploit gets written.
That is what good communities are for.
Ok. I get it:
Mozilla is lying about the number and the criticality. Their list is unreliable. The number of vulnerabilities is actually … 3 … no 6 … no 14 …. anything less than IE!!!
And if Mozilla says “Critical” they mean “Not Critical”.
In fact … there has never, ever been a vulnerability in Firefox. It’s all lies.
You cultists are a laugh!
Firefox is a sieve.
Edited 2006-11-10 00:55
NotParker – are you really this clueless? These lists are not carved-in-stone facts; the severity ratings of the bugs are to some degree subjective, which is why all the lists are different. Subjective == not comparable.
So, why is IE6 better? Because it has about the same # of vulnerabilities, takes longer to fix them, and has more people trying to attack it?
Name me a single person in the real world who was infected through a Firefox security flaw, and I’ll stop posting about this immediately. The truth is, you can’t, and while theoretically Mozilla might be behind IE in some areas and ahead in others there is no comparison when it comes to practice.
Mozilla can obviously improve a lot, but you seem to be focusing on 1 really unimportant stat – the # of vulnerabilities. Tell me why you think this is so much more important than what actually matters – the time an exploit is in the wild before it has been patched. Firefox kills IE6 in this stat and that is why it is so much safer.
Edited 2006-11-10 01:22
Name me a single person in the real world who was infected through a Firefox security flaw
How about the next best thing … hacker kits attacking Firefox flaws.
http://www.techweb.com/wire/security/186700508
“A dirt-cheap, do-it-yourself hacking kit sold by a Russian Web site is being used by more than 1,000 malicious Web sites, a security company said Monday.
Those sites have confiscated hundreds of thousands of computers using the “smartbomb” kit, which sniffs for seven unpatched vulnerabilities in Internet Explorer and Firefox, then attacks the easiest-to-exploit weakness.”
Funnily, the example screenshots in the article you linked show only successful attacks on MICROSOFT Windows and MICROSOFT Internet Explorer.
Mozilla is lying about the number and the criticality. Their list is unreliable. The number of vulnerabilities is actually … 3 … no 6 … no 14 …. anything less than IE!!!
Nobody is claiming that.
And if Mozilla says “Critical” they mean “Not Critical”.
Nobody is saying that. Being able to spoof a security certificate IS a critical problem. Your suggestion that all Critical bugs are ‘Own-the-box’ bugs IS what we are disputing. Besides, this only covers 3 out of 30 bugs. It’s really not worth ranting about.
Firefox is a sieve.
I’m not sure anyone believes that. Try hacking any up-to-date version of FF. Now try it with IE (There’s at least one unpatched ‘own-the-box’ bug still left open.) Nobody is saying that FF is perfect, we’re just saying that IE’s security record (in the public domain) is worse.
Your suggestion that all Critical bugs are ‘Own-the-box’ bugs IS what we are disputing.
My suggestion?
It says so explicitly on the Mozilla security page!
Are you suggesting:
a) Mozilla lies
or
b) Anything that makes OSS look bad on the Mozilla site is a lie, and everything else is true?
My guess is that the cultists pick (b) every time.
You are a troll.
1) This point was just a side-argument to my main attack; it only affects 3 bugs out of 34.
2) No one is lying. 2/3 bugs on the Mozilla page were mis-classified, because they didn’t fit into any of the categories apart from the ‘Moderate’ category and they were deemed more important than Moderate. This is understandable, given that most people aren’t half as pedantic as you.
2/3 bugs on the Mozilla page were mis-classified
Ha ha ha ha ha ha ha ha ha ha ha.
You cultists are soooooo pathetic in your denial!
NotParker, every post you have made was either a misrepresentation, flat out wrong or simply a personal attack on others. You cultists are soooooo pathetic in your denial! You’ve repeatedly refused to answer the questions I have posed – why is the # of vulnerabilities more important than the amount of time exploits have been in the wild before it is patched?
Mozilla does have some security problems, but it’s clear you are doing nothing but trolling here.
Edited 2006-11-11 02:17
why is the # of vulnerabilities more important than the amount of time exploits have been in the wild before it is patched?
What is most important to me is the type of vulnerability and the number of critical vulnerabilities that allow malware to “own the box”.
I don’t worry too much about a couple of days of vulnerability to a cross site scripting vulnerability that may allow some site to read what I’m doing on another site.
I do worry about vulnerabilities that allow your PC to be taken over. It appears you do not. Or you are the troll.
It isn’t trolling to point out Firefox’s vulnerabilities in a thread about Firefox’s vulnerabilities.
Of course I understand that the cult thinks this is OSSnews and is only to be used to discuss perceived problems with Microsoft software and never to be used to discuss any shortcomings in OSS software. But this isn’t OSSnews is it?
What is most important to me is the type of vulnerability and the number of critical vulnerabilities that allow malware to “own the box”.
So (theoretically) if one piece of software has 10 own-the-box flaws which are all patched before anyone can actually take advantage of them, that would be worse than another piece of software that has 5 own-the-box flaws that are vulnerable to malware for months before they are patched? This just doesn’t make sense to me – I suppose in theory the 1st piece of software started out less secure, but in practice it is virtually 100% secure and the second piece of software is the one that is the one you need to actually worry about.
It isn’t trolling to point out Firefox’s vulnerabilities in a thread about Firefox’s vulnerabilities.
No, and your 1st posts started out all right. However, posts like:
Ha ha ha ha ha ha ha ha ha ha ha.
You cultists are soooooo pathetic in your denial!
without any evidence to back them up – I thought the post you were replying to was correct in spirit if not fact, although I’m sure you could construct a good argument against it – is trolling.
So (theoretically) if one piece of software has 10 own-the-box flaws which are all patched before anyone can actually take advantage of them
The problem is that not everyone patches immediately. Just because the patch is out does not mean people aren’t vulnerable. Therefore the number of critical holes is most important.
I firmly believe only trolls would claim Mozilla was lying about the seriousness and quantity of their security holes.
I had the courtesy of picking the site with the largest number of critical security holes for IE and Mozilla. In Mozilla’s case it was the Mozilla site.
You cultists kept claiming I was lying. The cultist behavior was pathetic.
The problem is that not everyone patches immediately. Just because the patch is out does not mean people aren’t vulnerable. Therefore the number of critical holes is most important.
Well, I suppose I can see that as being a concern. You’re wrong, of course, but at least I can see where you are coming from now. One thing to remember is that Firefox now has an auto-update, so most people do upgrade immediately when they are prompted to. The ones who don’t have at least been warned.
I firmly believe only trolls would claim Mozilla was lying about the seriousness and quantity of their security holes.
I had the courtesy of picking the site with the largest number of critical security holes for IE and Mozilla. In Mozilla’s case it was the Mozilla site.
You cultists kept claiming I was lying. The cultist behavior was pathetic.
Except in post after post, people repeatedly explained that they didn’t think anyone was lying. They simply said that certain bugs weren’t easy to classify and that different sites classified them differently. Therefore, the different sites can’t be directly compared. No one’s lying; they just have a different way of classifying the severity of bugs. The fact is, you ignored all of these posts and replied with a “you cultists are pathetic” post and claimed everyone except you must be lying.
Edited 2006-11-11 22:28
Why is Camino never mentioned in these sorts of things… isn’t it a Mozilla project too? I know the interface is different but I’m not sure how much of the rest is shared with the rest of the moz projects. Is it that Camino is Mac only so it’s thought of as secure (that’s not so smart) or is it just forgotten? Or maybe it’s the lucky project that somehow is not affected? It worries me… I really don’t want to use Safari.
More bugs discovered and fixed means fewer bugs remain. So lots of critical vulnerabilities found in software is actually better than no vulnerabilities found (which may mean there are none, but almost always means there are more undiscovered ones).
More bugs discovered and fixed means fewer bugs remain.
Since Firefox is based on Mozilla that should mean fewer critical vulnerabilities every year.
In fact, it’s more every year.
Or … there are 10,000 remaining or 1000 or some such high number.
In fact, it’s more every year
From secunia.com (a website that you introduced into the debate) in 2005, there were 22 vulnerabilities for FF1.x. In 2006, 11 (50% less). How is that more every year?
IE 6.x had 17 in 2005 and 14 in 2006. That’s only an 18% drop.
I’d say that the bounty hunters are rapidly running out of bugs to discover in Firefox. I’d say that IE still has a long way to go.
Or … there are 10,000 remaining or 1000 or some such high number.
And how many in Microsoft Code? Making random figures up helps no one.
How many web sites are actually trying to exploit vulnerabilities in FF 1.5 or 2.0? How many web sites are trying to exploit IE 6 or 7? My suspicion is that the numbers are grossly slanted towards sites exploiting IE over firefox. Is there any data out there to show this?
My guess is that IE is responsible for compromising huge numbers of boxes but FF is not many at all, relatively. Having a critical bug is one thing but if few or no sites are exploiting it, then it doesn’t matter so much.