Security - IE vs Firefox

Steve
07-09-2005, 10:03 PM
http://windowssecrets.com/paid/0745465284 (subscription required?)


Some remarkable statistics comparing the major Web browsers have been
developed by Scanit NV, an international security firm. The company
painstakingly researched the dates when vulnerabilities were first
discovered in various browsers, and the dates when the holes were
subsequently patched.

The firm found that IE was wide open for a total of 200 days in 2004,
or 54% of the year, to exploits that were "in the wild" on the
Internet.

The Firefox browser and its older sibling Mozilla had no periods in
2004 when a security flaw went unpatched before exploits started
circulating on the Net. With the latest 1.0.4 upgrade, Firefox has
retained its "patch-before-hackers-can-strike" record so far in 2005,
as well.

These statistics are so important to understanding the "attack
surface" of the major browsers that we should break down this study
into its individual findings:

....IE suffered from unpatched security holes for 359 days in 2004.
According to Scanit, there were only 7 days out of 366 in 2004 during
which IE had no unpatched security holes. This means IE had no
official patch available against well-publicized vulnerabilities for
98% of the year.

....Attacks on IE weaknesses circulated "in the wild" for 200 of those
days. Scanit records the first sighting of actual working hacker code
on the Internet. In this way, the firm was able to determine how many
days an IE user was exposed to possible harm. When Microsoft released
a patch for an IE problem, Scanit "stopped the clock" on the period of
vulnerability.

....Mozilla and Firefox patched all vulnerabilities before hacker code
circulated. Scanit found that the Mozilla family of browsers, which
share the same code base, went only 26 days in 2004 during which a
Windows user was using a browser with a known security hole. Another
30 days involved a weakness that was only in the Mac OS version.
Scanit reports that each vulnerability was patched before exploits
were running on the Web. This resulted in zero days when a Mozilla or
Firefox user could have been infected.

The Opera browser also experienced no days during which unpatched
holes faced actual exploits, but Scanit began keeping statistics on
Opera only since September 2004.

Another security firm that tracks security holes in IE, Firefox, and
many other applications is Secunia. As of today, Secunia reports that
there are still 19 unpatched security flaws in IE, the most severe of
which is rated "highly critical." Firefox has only 4 unpatched flaws,
all of which are rated "less critical" or "not critical," the lowest
severity rating. Opera has none.
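The day-counting method the article attributes to Scanit, as an added worked example. This is editor-supplied code, not Scanit's or Windows Secrets' own, and every browser name, vulnerability name and date in it is constructed for illustration; none of it is the 2004 data quoted above. It shows the two clocks the post describes (disclosure-to-patch and first-exploit-to-patch), clipped to one calendar year and with overlapping windows merged so that a day with three open holes counts once:

```python
"""Exposure windows in the style of the Scanit method described above.

Clock 1 ("unpatched days"): starts when a hole is publicly known, stops
when the vendor ships a patch.
Clock 2 ("exploited unpatched days"): starts at the first sighting of
working exploit code, stops at the patch.  A patch that lands before the
first exploit sighting contributes zero days.

Added example; all names and dates below are constructed, not Scanit's.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Vuln:
    name: str
    disclosed: date
    patched: Optional[date]              # None = still unpatched
    exploit_seen: Optional[date] = None  # None = no in-the-wild exploit seen


def merged_days(intervals: List[Tuple[date, Optional[date]]], year: int) -> int:
    """Distinct calendar days in `year` covered by at least one [start, end) window.

    An end of None means "still open", i.e. the window runs to year end.
    Windows are clipped to the year and merged, not summed, so overlap
    between two holes is not double-counted.
    """
    ystart, yend = date(year, 1, 1), date(year + 1, 1, 1)
    clipped = []
    for s, e in intervals:
        s = max(s, ystart)
        e = min(e if e is not None else yend, yend)
        if s < e:                       # drops windows that close before they open
            clipped.append((s, e))
    clipped.sort()
    total = 0
    cur_s = cur_e = None
    for s, e in clipped:
        if cur_e is None or s > cur_e:  # gap: flush the current merged window
            if cur_e is not None:
                total += (cur_e - cur_s).days
            cur_s, cur_e = s, e
        else:                           # overlap or touch: extend it
            cur_e = max(cur_e, e)
    if cur_e is not None:
        total += (cur_e - cur_s).days
    return total


def unpatched_days(vulns: List[Vuln], year: int) -> int:
    """Clock 1: days on which at least one known hole had no patch."""
    return merged_days([(v.disclosed, v.patched) for v in vulns], year)


def exploited_unpatched_days(vulns: List[Vuln], year: int) -> int:
    """Clock 2: days on which a hole had working exploit code and no patch."""
    return merged_days(
        [(v.exploit_seen, v.patched) for v in vulns if v.exploit_seen is not None],
        year,
    )


def exposure_report(vulns: List[Vuln], year: int) -> dict:
    """Both clocks plus the year length, so percentages can be computed."""
    year_len = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return {
        "unpatched_days": unpatched_days(vulns, year),
        "exploited_unpatched_days": exploited_unpatched_days(vulns, year),
        "year_length": year_len,
    }


# Constructed sample data (hypothetical browsers "A" and "B", not real products).
BROWSER_A = [
    Vuln("A-1", date(2004, 1, 10), date(2004, 3, 15), exploit_seen=date(2004, 2, 1)),
    Vuln("A-2", date(2004, 3, 1), date(2004, 4, 1), exploit_seen=date(2004, 3, 5)),  # overlaps A-1
    Vuln("A-3", date(2004, 11, 1), None),                                            # still open at year end
]
BROWSER_B = [
    Vuln("B-1", date(2004, 5, 1), date(2004, 5, 10), exploit_seen=date(2004, 5, 20)),  # exploit after patch
    Vuln("B-2", date(2004, 8, 1), date(2004, 8, 4)),
]

if __name__ == "__main__":
    for label, vulns in (("A", BROWSER_A), ("B", BROWSER_B)):
        r = exposure_report(vulns, 2004)
        print(f"{label}: unpatched {r['unpatched_days']}/{r['year_length']} days, "
              f"exploited-and-unpatched {r['exploited_unpatched_days']} days")
```

The merge step is the part that matters when reproducing figures like "359 of 366 days": summing each hole's own window would overstate exposure whenever holes overlap, and a vulnerability whose patch predates the first exploit sighting correctly adds nothing to the second clock. The method counts only calendar days and says nothing about severity or about how many users ran the affected version, so two browsers with the same day count can still carry very different risk.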

C A Upsdell
07-09-2005, 10:03 PM
Steve wrote:
> http://windowssecrets.com/paid/0745465284 (subscription required?)
>
>
> Some remarkable statistics comparing the major Web browsers have been
> developed by Scanit NV, an international security firm. The company
> painstakingly researched the dates when vulnerabilities were first
> discovered in various browsers, and the dates when the holes were
> subsequently patched.
>
> The firm found that IE was wide open for a total of 200 days in 2004,
> or 54% of the year, to exploits that were "in the wild" on the
> Internet.
>
> The Firefox browser and its older sibling Mozilla had no periods in
> 2004 when a security flaw went unpatched before exploits started
> circulating on the Net. With the latest 1.0.4 upgrade, Firefox has
> retained its "patch-before-hackers-can-strike" record so far in 2005,
> as well.

The stats would be more useful if they took into account the severity of
the security problems. It is more important to fix critical problems first.

JoeM
07-09-2005, 10:03 PM
The big thing I see is that Firefox can fix the problems faster. But you
also have to consider that MSFT has to make sure patches or fixes do not
break other programs, which is very hard to do. I did a little programming
and that was hard.

"Steve" <kh@mf.inv> wrote in message
news:seh981dd7v63rs28r4q6ss2gcqfgq6kqi3@4ax.com...
>
> http://windowssecrets.com/paid/0745465284 (subscription required?)
>
>
> Some remarkable statistics comparing the major Web browsers have been
> developed by Scanit NV, an international security firm. The company
> painstakingly researched the dates when vulnerabilities were first
> discovered in various browsers, and the dates when the holes were
> subsequently patched.
>
> The firm found that IE was wide open for a total of 200 days in 2004,
> or 54% of the year, to exploits that were "in the wild" on the
> Internet.
>
> The Firefox browser and its older sibling Mozilla had no periods in
> 2004 when a security flaw went unpatched before exploits started
> circulating on the Net. With the latest 1.0.4 upgrade, Firefox has
> retained its "patch-before-hackers-can-strike" record so far in 2005,
> as well.
>
> These statistics are so important to understanding the "attack
> surface" of the major browsers that we should break down this study
> into its individual findings:
>
> ...IE suffered from unpatched security holes for 359 days in 2004.
> According to Scanit, there were only 7 days out of 366 in 2004 during
> which IE had no unpatched security holes. This means IE had no
> official patch available against well-publicized vulnerabilities for
> 98% of the year.
>
> ...Attacks on IE weaknesses circulated "in the wild" for 200 of those
> days. Scanit records the first sighting of actual working hacker code
> on the Internet. In this way, the firm was able to determine how many
> days an IE user was exposed to possible harm. When Microsoft released
> a patch for an IE problem, Scanit "stopped the clock" on the period of
> vulnerability.
>
> ...Mozilla and Firefox patched all vulnerabilities before hacker code
> circulated. Scanit found that the Mozilla family of browsers, which
> share the same code base, went only 26 days in 2004 during which a
> Windows user was using a browser with a known security hole. Another
> 30 days involved a weakness that was only in the Mac OS version.
> Scanit reports that each vulnerability was patched before exploits
> were running on the Web. This resulted in zero days when a Mozilla or
> Firefox user could have been infected.
>
> The Opera browser also experienced no days during which unpatched
> holes faced actual exploits, but Scanit began keeping statistics on
> Opera only since September 2004.
>
> Another security firm that tracks security holes in IE, Firefox, and
> many other applications is Secunia. As of today, Secunia reports that
> there are still 19 unpatched security flaws in IE, the most severe of
> which is rated "highly critical." Firefox has only 4 unpatched flaws,
> all of which are rated "less critical" or "not critical," the lowest
> severity rating. Opera has none.
>
