Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla’s browsers faster than in Microsoft’s Internet Explorer. The study was conducted over the first six months of 2005. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla’s “ability to react, find a solution and put it into the user’s hands is better than Microsoft.”
10 days since the last security breach was found and we still don’t have a fix, and he’s talking about reactivity?
IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means IE had no official patch available against well-publicized vulnerabilities for 98% of the year.
Source: http://help.lockergnome.com/lofiversion/index.php/t34265.html
Nuff said…
A workaround was posted almost immediately. It simply involves a simple edit in the about:config dialogue.
That doesn’t mean much. Virtually any browser bug has a simple workaround: *use a different browser*. So statements like yours are a double-edged sword.
That is not always simple when it requires installing on 1000+ machines and making the users use it….
This is the same crap they spewed when they said OS X is vulnerable and ripe for a virus. Granted, nothing is secure but until a major security fault is found, there’s very little to worry about. (That doesn’t mean you shouldn’t practice smart computer use.)
I used to be a great believer in Symantec’s software, but now they seem to be as bad as MS when it comes to FUD. Anything to scare people into buying their products.
There was a time when I could use Windows without a firewall as long as I had all of the latest updates installed. There was even a time when I could install the latest Windows updates on a clean system without having to worry about a firewall. That was a time when the only time a virus ever got on my system was from an infected file that I downloaded intentionally or from a security problem in the browser. That was a time when I actually trusted Symantec to take care of my computer and its information for me.
That was also before I ever tried Linux. I still don’t need a firewall with Linux. I don’t even need an antivirus program with Linux.
Now, when I use Windows, I use a hardened firewall system, and I definitely use a good antivirus program. Unfortunately, Symantec’s program would get attacked directly by virii. So, I decided to use something more secure.
I still don’t need a firewall with Linux
Firewalls are there for more than just virus protection.
I realize that. I do use a firewall even with Linux, but I have never had a problem when for some reason it wasn’t on for a few minutes (or hours).
Any time I see a program that recommends turning off a firewall in Windows though, I try to find any other solution because I don’t trust Windows for even a minute without a good firewall.
In hindsight, I don’t think I stated myself well.
My point was that at one time I relied on Microsoft to provide the basis of my software, and I trusted Symantec to help keep my system clean. I don’t really trust either anymore, and even though I can’t get away from using MS products, I don’t use Symantec products.
The motivation behind Symantec’s “warning” is questionable in my mind especially when I haven’t seen any proof. I wonder where Symantec would be if MS wasn’t as dominant. And, when even Symantec’s products have vulnerabilities that have been exploited, they don’t seem like the best source for security information.
I wonder where Symantec would be if MS wasn’t as dominant.
Everybody knows it is Symantec that writes all the viruses anyway. It’s the software version of “protection money”. If Microsoft wasn’t so dominant, Symantec would just be writing viruses for some other platform.
Was that a bad attempt at humour, or do you really believe that crap?
Symantec makes a statement, Mozilla reacts, and Microsoft is the unfortunate victim in all this since they never made claims relating to such. It’s going to be a biggest-penis-size contest between Symantec and Mozilla.
>Microsoft is the unfortunate victim
This expression sounds so strange… *head explodes*
Isn’t “Microsoft is the unfortunate victim” an oxymoron? 🙂
Released just today:
http://secunia.com/advisories/16869/
An “extremely critical” advisory (Linux/Unix systems)
Let’s hope for a 1-2 day turnaround…
Interesting to see an “extremely critical” advisory that only affects Linux/Unix systems. A friend of mine used to work at Microsoft a while back, and he said while fixing a bug in IE would be quick, there are a lot of applications (Quicken, Dreamweaver, Money, Visual Studio, etc.) that embed the IE renderer in them, and they have to allow for regression testing of these products to make sure some side-effect doesn’t occur with the fix. Wonder if the same thing happens on the Linux side when it affects other apps (this advisory says Evolution).
Looking at their bugzilla link, it seems that it will affect any app that starts firefox by passing arguments to it that bash will apparently interpret as a command.
The example from bugzilla: firefox http://local`find`host
states that it will execute a find command.
Not in Firefox 1.5 beta, which led to http://www.chicagotribune.com/
Same with Firefox 1.0.1
It only works from the CLI or passed as an argument to Firefox through something like Evolution. In an email, it might be possible to get a URL that exploits this undocumented feature.
It is kinda cool for non-malicious use, but is as wide a security hole as IE’s activeX controls. Luckily I don’t have to worry about it as long as I use Firefox to browse the web and use Thunderbird for my email client.
But this is something easy to fix. I could fix it myself today in less than 15 minutes.
Try and try as I might, I couldn’t get it to work through evolution. Tried sending emails to myself containing links with commands in them, but it didn’t seem to work. I don’t know what I did wrong.
Yeah, I suspected evolution would be more intelligent than that.
I use Evolution as my mail client and never worry about security problems. If I find a URL in email I usually copy and paste it into my open browser instead of letting Evolution launch whatever it’s configured for (I don’t think it’s Firefox atm).
Anyway, I think I overplayed its risk. Probably not a problem unless someone has access to the console.
Actually, the problem, as stated by Bugzilla, is in some shell script. Maybe I’ll go check it out when I get home…
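The bug class the thread is circling (a URL handed to a shell script that re-parses it, so backticks become command substitution) has a well-understood fix direction: never let a second shell see the argument. The script below is an added example, not code from the thread, from Mozilla or from the advisory; the function names (demo_browser, launch_literal, url_is_plain, safe_launch) and the BROWSER_CMD variable are assumptions of this example, and the browser is a stand-in that just prints what it received so the script runs with no browser installed.

```sh
#!/bin/sh
# Added example (not from the thread, Mozilla or the advisory): a launcher wrapper
# that hands a URL to a browser without ever letting a shell re-parse it.
# demo_browser, launch_literal, url_is_plain, safe_launch and BROWSER_CMD are ours.

# Stand-in browser so the example runs without one installed: prints its argument.
demo_browser() {
    printf 'launch %s\n' "$1"
}

# The core fix: the URL travels as one argv element, double-quoted, and is never
# fed to eval, "sh -c" or an unquoted expansion. A backtick inside it is data.
launch_literal() {
    "${BROWSER_CMD:-demo_browser}" "$1"
}

# Defence in depth: a conservative policy that only forwards http(s) URLs and
# refuses shell metacharacters and whitespace, so a later, sloppier hop cannot
# misuse them. '&' and '$' are deliberately allowed because query strings need
# them; they are harmless here precisely because the URL is never re-parsed.
url_is_plain() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'`'*|*';'*|*'|'*|*'<'*|*'>'*|*'('*|*')'*|*'{'*|*'}'*|*'\'*|*"'"*|*'"'*|*' '*) return 1 ;;
    esac
    return 0
}

# What the desktop integration (mail client, "firefox <url>" hook) should call.
safe_launch() {
    url_is_plain "$1" || { echo "refused URL: $1" >&2; return 2; }
    launch_literal "$1"
}

# Demonstration with a constructed URL and the thread's own test string.
safe_launch 'http://example.com/path?q=1'
launch_literal 'http://local`find`host'     # the backticks are printed literally
safe_launch 'http://local`find`host' || echo "refused as expected (status $?)"
```

The second call is the point: even with no filtering at all, quoting the argument as "$1" means `find` is never executed, which is the fix for this bug class; the filter only narrows what a downstream component can be handed.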
It would have been more honest of you (especially considering the topic) if you had noted that in your link, there also was the fix to this problem within a day of its discovery. Compared with the 7 days out of 365 that MSIE had fixes, that’s pretty good, don’t ya think?
http://secunia.com/advisories/16869/
Secunia Advisory: SA16869
Release Date: 2005-09-20
Last Update: 2005-09-21
Solution:
Update to version 1.0.7.
http://www.mozilla.org/products/firefox/
Or you can download Mozilla Firefox 1.4 (Deerpark Beta1) from Mozilla.org.
It would have been more honest of you (especially considering the topic) if you had noted that in your link, there also was the fix to this problem within a day of its discovery.
“Honest” of me? There was absolutely no deception on my part. At the time I posted, the issue was listed as open. I see this morning that it has been closed with 1.07 being the fix released.
Please do not confuse the passage of time with an intent to deceive.
It is amazing how all of sudden high numbers mean progress, when just a short time ago it meant buggy software. Interesting…
It is also a matter of the OS on which the software runs. Since the OS itself is crappy and not secure, how can you blame the software running on it?
Also, the user has the choice of uninstalling Mozilla or Firefox. What about IE? For years I have wanted that, but MS$$$ does not listen to me!
Read Brian Livingston’s article entitled “Is Firefox still safer than IE?”
http://www.windowssecrets.com/comp/050512/
A quote:
“• IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means IE had no official patch available against well-publicized vulnerabilities for 98% of the year.
• Attacks on IE weaknesses circulated “in the wild” for 200 of those days. Scanit records the first sighting of actual working hacker code on the Internet. In this way, the firm was able to determine how many days an IE user was exposed to possible harm. When Microsoft released a patch for an IE problem, Scanit “stopped the clock” on the period of vulnerability.
• Mozilla and Firefox patched all vulnerabilities before hacker code circulated. Scanit found that the Mozilla family of browsers, which share the same code base, went only 26 days in 2004 during which a Windows user was using a browser with a known security hole. Another 30 days involved a weakness that was only in the Mac OS version. Scanit reports that each vulnerability was patched before exploits were running on the Web. This resulted in zero days when a Mozilla or Firefox user could have been infected.”
Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla’s “ability to react, find a solution and put it into the user’s hands is better than Microsoft.”
Translation: “Being able to fix bugs faster is better than having fewer bugs to begin with.”
I don’t buy it.
“Translation: “Being able to fix bugs faster is better than having fewer bugs to begin with.”
I don’t buy it”
What about having fewer bugs and fixing those you have faster? How’s that sound?
DHofmann > Stop your FUD.
It’s a proven fact that FF has fewer bugs and fewer security issues. The safest you’ve got is FF.
Take a look at secunia and see for yourself, n00b!
“It’s a proven fact that FF has fewer bugs and fewer security issues. The safest you’ve got is FF.
Take a look at secunia and see for yourself, n00b!”
Safest you’ve got is FF? Think again.
IE: 19 unpatched out of 85
http://secunia.com/product/11/
Firefox: 3 unpatched out of 23
http://secunia.com/product/4227/
Opera: 0 unpatched out of 8
http://secunia.com/product/4932/
Fair to say that Opera has fewer security issues and the ones it has get fixed more quickly, and so I guess the safest isn’t Firefox now is it. n00b.
Opera has hardly any users, and is closed source. It needs a userbase approx. 8 times the size it has at the moment before statistics for Opera can be considered useful.
But security through obscurity is still security. And Opera is a good choice for security. But mostly through obscurity.
dylansmrjones
What a load of bull.
Why does it take Mozilla so much longer to fix problems than Opera does, it being an evil closed source product? I mean Firefox has an army of volunteers working on it, spreading the goodwill and peace of OSS throughout the world, yet they leave vulnerabilities unpatched for weeks at a time sometimes.
Hell a couple of those (4) vulnerabilities date back to August/September last year. Leaving them on the go for a year.
Obsequious, blindly parroting the party line Firefox users really get on my nerves. Ugh.
RE:”This expression sounds so strange… *head explodes*”
you know duct tape will prevent that
Looking at Bugzilla, it seems that there’s already a patch of some sort, I just hope it makes it in time for 1.07
Finally Mozilla strikes back, right in the face of Microsoft
About the firewall in Linux, you should get one. You don’t need to get concerned about viruses, however you CAN be attacked by rootkits and hackers. If you use a 2.6 kernel, make sure you have the needed kernel modules/kernel options and install iptables. Then I can lend you my setup, mostly taken from the book “Linux Security Cookbook”:
1) To disable spoofing, add this to /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1
Then, type this to apply the changes without rebooting:
sysctl -p
2) Then apply the iptables-rules by typing this in a terminal:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
That would give you an in-kernel firewall, blocking all incoming new connections, except for incoming connections from your own box (over device “lo”) and new connections related to current connections. All output is accepted, and forward dropped. Try that and some box-scanning page!
3) To save the firewall config, do one of these (they usually should work, however it may not work on some distros. In that case, either find the location of the init script or manually save it). Remember to activate iptables at boot by adding it to the init scripts!
/etc/rc.d/iptables save
_OR_
/etc/init.d/iptables save
Good luck,
— jaboua
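jaboua's three steps, turned into a script that can be reviewed with a dry run before it touches the kernel. This is an added example, not code from the thread or from the “Linux Security Cookbook”; the function names (firewall_rules, rp_filter_ok, accept_rule_count, apply_firewall, save_firewall) and the RULES_FILE path are assumptions of this example. It deliberately goes a little beyond the post: loopback is accepted for every protocol rather than TCP only (a local resolver answers over UDP), INVALID packets are dropped, dropped packets are rate-limited into the kernel log so a port scan shows up in dmesg instead of vanishing silently, and persistence uses iptables-save, which ships with iptables itself, instead of the distro-specific init-script “save” action.

```sh
#!/bin/sh
# Added example, not code from the thread or the book: jaboua's steps as one
# reviewable script. firewall_rules, rp_filter_ok, accept_rule_count,
# apply_firewall, save_firewall and RULES_FILE are names chosen for this example.

# Step 2: the ruleset, one command per line, prefixed by the command in $1.
# "--state" uses two ASCII dashes; loopback is accepted for all protocols;
# INVALID is dropped; drops are logged (rate-limited) before the final DROP.
firewall_rules() {
    ipt="$1"
    cat <<EOF
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -F INPUT
$ipt -F FORWARD
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -m state --state INVALID -j DROP
$ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
$ipt -A INPUT -j DROP
$ipt -A FORWARD -j DROP
EOF
}

# Step 1 check: does the given sysctl file enable reverse-path filtering on all
# interfaces? Leading whitespace and spacing around "=" are tolerated.
rp_filter_ok() {
    grep -Eq '^[[:space:]]*net\.ipv4\.conf\.all\.rp_filter[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Review aid: how many rules accept traffic? With the set above it must be 2
# (loopback and ESTABLISHED,RELATED); any third ACCEPT is a hole to explain.
accept_rule_count() {
    firewall_rules iptables | grep -c -- '-j ACCEPT'
}

# Dry run by default; the rules are executed only with APPLY=1 and as root.
apply_firewall() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        firewall_rules iptables | while IFS= read -r cmd; do
            echo "+ $cmd"
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        done
    else
        firewall_rules iptables | sed 's/^/would run: /'
    fi
}

# Step 3: persist with iptables-save. RULES_FILE is a placeholder path; an init
# script can restore it at boot with "iptables-restore < $RULES_FILE".
save_firewall() {
    iptables-save > "${RULES_FILE:-/etc/iptables.rules}"
}

# Constructed sample of a sysctl.conf fragment, used only for the self-check.
SAMPLE_SYSCTL="$(mktemp)"
printf '# constructed sample\nnet.ipv4.conf.all.rp_filter = 1\n' > "$SAMPLE_SYSCTL"

if rp_filter_ok "$SAMPLE_SYSCTL"; then
    echo "rp_filter: ok"
else
    echo "rp_filter: not enabled in $SAMPLE_SYSCTL"
fi
echo "accepting rules: $(accept_rule_count)"
apply_firewall
```

Run it once as a normal user to read the “would run:” lines, then `APPLY=1` as root to load them; the kernel log lines prefixed `fw-drop:` are what a box-scanning page will produce, which is the quickest way to confirm the default DROP policy is actually in force.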
Thank you – this is awesome!
I’ll do this tonight when I get home!
Hum, I don’t remember if it was McAfee or Symantec that, a long time ago in the 386 era, released a virus and days after released the antivirus, so people bought their antivirus programs.
What people miss is this: numbers and quantity of bugs don’t matter. If an application has fewer bugs but these have a bigger impact on a system then that is more serious.
In Windows, bugs in IE tend to leave the whole system wide open.
In Linux/BSD, bugs in apps such as Firefox tend to limit damage to the scope of the (hopefully non-root) user.
In Linux/BSD, bugs in apps such as Firefox tend to limit damage to the scope of the (hopefully non-root) user
I don’t know about you, but having all my personal files damaged (stuff that can’t be replaced) is worse than system files (files that can be replaced). That’s why I still see limiting damage to the non-root user as being just as bad. You act like me losing all my e-mail/work/photos/music isn’t such an awful thing.
Ever hear of backup? Wow! Good luck with your data!
Limiting damage to a non-root user means that you only have to restore your account’s files from backup, as opposed to a complete system restore.
In addition, a root exploit can hide itself from you, as opposed to a userland trojan.
That is the difference.
Besides that, losing the whole system means you also lose all your documents. THINK THINK! When all parts of the system are gone, then your documents are gone too.
And look at it from company perspective.
*Lose system on 3452 computers and lose documents from 12564 users on a Windows system.*
versus
*Only lose data from one (1) user.*
If you’re writing in here, you ought to know enough to make backups, enough to know that root exploits means access to everything and not only “replaceable system files”.
You’re a n00b.
dylansmrjones
I don’t know about you, but having all my personal files damaged (stuff that can’t be replaced) is worse than system files (files that can be replaced). That’s why I still see limiting damage to the non-root user as being just as bad. You act like me losing all my e-mail/work/photos/music isn’t such an awful thing.
You sir, are the biggest idiot I’ve heard in a long time.
If you bother to have a think about it, no system is invulnerable to attack. If the attack is successful, do you prefer to lose the ENTIRE system or just one account?
Here’s an analogy…If your country is attacked, would you prefer to lose a city, instead of the whole country?
And have you ever heard of a word called “backup”?
It’s a pretty ingenious way to be able to still keep the data you value if something goes wrong.
I sure hope no one puts you in charge of any servers…Because god help us all, with the amazing logic you have inside your head.
And one more thing: the myth of “secure browser” goes down the toilet. So much about Firefox, OSS, etc.
Humans created IE, humans created FF. I never believed that FF is much more secure than IE.
Not to mention compatibility issues with every new Firefox release (yeah, they don’t call it “patch”, they call it “new version”. Go figure.)
Just shows you that IE is a much better browser
Their method is not better than MS’s.
Although it will be with Deer Park.
Everyone is counting numbers, but no one sees this as an _advantage_ of open source development. Because Mozilla is open source, everyone can look at the code and find bugs, thus bugs are discovered MUCH faster. I see this as the reason why we see more Mozilla bugs being discovered recently (regardless of their severity), as they are found much quicker than in IE. I see this as an advantage, rather than claiming Mozilla is “insecure”. By identifying bugs and fixing them at a much quicker rate, there are fewer unknown bugs, and Mozilla products simply get better.
I suppose this actually leads to an interesting study that could be done.
Someone should gather all the data for the lifetime of the IE codebase and for the mozilla code base. Then do some analysis to see if problems are found faster and if they are fixed faster.
The bugs and security holes for open source software should be high at first and then slope down towards zero as the coder base grows and the product matures.
The closed source software should be low at first, then either rise and level out or keep going up because errors will be found later through trial and error.
That is what I believe it will show if your statements are true. Then again IE vs FF is a bad example because the user base is not similar in size and the overall lifetime of the codebase is not the same.
Is there any open source vs closed source that could be compared? I cannot think of any. Linux vs Windows has the same issues as above.
I trust Symantec not even as far as I can throw them!
Their report is lame. Anyone knows that it takes a good 3-10x more time for IE to be patched, in comparison to mozilla. The main reason being that IE is integrated into windows, so the repercussions of a patch need to be more than just tested against IE, but the whole of windows as well!
Irrespective of how many vulnerabilities, all I know is Firefox gets patched at the most 1-2 weeks from the vulnerability being made public. IE usually flounders for a few months before they get around to fixing it.
Anyone else noticed that having the source code for FF/Mozilla has resulted in no HUGE boom in security problems, as the proprietary zealots spout?
IMHO the “security by obfuscation” argument is officially dead!
Yes, and these security shits are full of crap for Unix/Linux systems. I intentionally use old versions and no problem at all!!!!!! Maybe this is very critical for the M$ crap OS, so don’t point a finger and say Linux/Unix is vulnerable. Well guess what, IT’S NOT!!!!!!!!!!!!
2 Thoughts:
Symantec makes money by selling products that claim to patch holes in Windows. The more people that choose Windows the more money they make. Easy to see why they would want more people to use Internet Explorer and other Windows-only sieves… sorry, products.
Myself and 99% of the people I know use Windows as Administrator. A vulnerability is a lot more serious when you have root access to a computer. All the people I know who use Linux/Unix run it as non-administrator. That is the way *nix is built from the ground up, with security in the design, not an afterthought.
I administer 100 servers and 500 desktops. All of the desktop users run as non-admin accounts with no problems. Your network is really only as good as the people running it. Whether it’s *nix or Windows, if the guys managing it don’t know what they’re doing then it’s going to have problems either way. In Windows’ case 90% of people who run the OS think they know as much as a professional. And the other problem is that the guys that do the hiring in corporations can’t always tell the difference between an idiot that can sell himself well and a good admin that knows his stuff.
Sorry, I’m not as computer savvy as those here on the board. My computer crashed months ago, I had a computer tech here fix it; Mozilla is my browser by his installation. He also put in Norton SystemWorks for anti-virus protection. The first couple of times Norton scanned the whole computer; now it stops at 64 files, no Master Reboot, nothing, and errors out when finished. Also some sites I can’t access say I need IE 5.5 or higher installed. Is this his doing or a problem with the browser? Norton says now I’m “missing components to complete the full scan”. How the heck did the components start disappearing? Somebody help me please.