by Paul Kerstein

Symantec Report Sparks Safe-Browser Debate

Sep 20, 2005

In its latest Internet Security Threat Report, released Monday, security vendor Symantec Corp. noted that in the first six months of 2005, the open-source Firefox Web browser had more confirmed vulnerabilities than Microsoft Corp.’s Internet Explorer browser. So does that mean that the Mozilla-based browser is less secure than proponents have said and that Internet Explorer is more secure than believed?

Not exactly, according to security experts.

Symantec reported that during the first half of 2005, 25 vendor-confirmed vulnerabilities were disclosed for Mozilla browsers, including 18 that were classified as highly severe. During the same six-month period, 13 vendor-confirmed vulnerabilities were disclosed for Internet Explorer, eight of which were considered highly severe.

But that’s not the whole story, said Vincent Weafer, senior director of Symantec’s Security Response Team. Even though more confirmed vulnerabilities were reported for Mozilla browsers, he said, the widespread use of Internet Explorer means that whatever vulnerabilities affect it have the potential to affect a much larger user base.

“No technology by itself is safer,” Weafer said. “It really is about securing it all to the max. None of them are immune to attack.”

Internet Explorer has been a target of hackers for many years as the most widely used Web browser worldwide, he said, meaning it has been attacked so many times that the easiest-to-target flaws have already been uncovered. That makes it harder for hackers to find and take advantage of vulnerabilities.

With the recent popularity of Firefox, hackers are beginning to go after it in larger numbers in an effort to uncover — and exploit — any vulnerabilities, he said.

Mike Schroepfer, director of engineering for the Mozilla open-source project, which develops the Firefox browser, questioned the Symantec numbers.

“Vendors tend to report vulnerabilities differently,” Schroepfer said. Microsoft tends to group several confirmed vulnerabilities together in one announcement and patch, whereas Mozilla announces each confirmed vulnerability individually. That skews the number of confirmed vulnerabilities.

Other security monitoring companies, such as Secunia in Copenhagen, Denmark, show different results, he said. Recent Secunia vulnerability reports show 19 unpatched Internet Explorer 6 vulnerabilities, compared to three unpatched Firefox 1.0 vulnerabilities, he said.

“In general, we still believe Firefox is the safest browser around,” he said. In addition, the open-source development model used for Mozilla allows vulnerabilities to be found and fixed much faster, making it easier to patch. “It speeds the time when we discover and patch these vulnerabilities, which I think is more important.”

Analyst Pete Lindstrom, of Spire Security in Malvern, Pa., said the arguments over the number of vulnerabilities in the competing products are overrated.

“The whole game we play about counting vulnerabilities is kind of silly to begin with,” Lindstrom said. “The entire security industry ought to be slapped on the wrist for saying Firefox was more secure than IE about a year ago” because Firefox wasn’t out long enough to prove its stealth and hackers hadn’t yet had enough time to attack it.

“Firefox and every application that receives some sets of information can also be attacked” successfully by hackers, Lindstrom said. Users need to take the approach that every single application must be properly configured for defense. “If someone wants to, they can protect their applications,” he said, though it costs money and takes time to do it properly.

Symantec’s semiannual Internet Security Threat Report covers Internet threat data from Jan. 1 to June 30, 2005, according to the Cupertino, Calif.-based security and maintenance software vendor. The report provides analysis of network-based attacks, a review of known vulnerabilities and highlights of malicious code and additional security risks.

By Todd R. Weiss – Computerworld (US online)