Network News

X My Profile
View More Activity

Blogfight: IE Vs. Firefox Security

I'm writing this to set the record straight on some statements made earlier this month by Jeff Jones, a security strategy director at Microsoft.

In analysis published on his Technet Security Blog and at cio.com, Jeff picked apart research I conducted in 2007, which found that Microsoft's Internet Explorer browser was unsafe for 284 days in 2006.

According to Jones's analysis, Firefox users were instead more "at risk" than their IE counterparts in 2006 -- albeit just by a single day -- 285 days in 2006, he concludes.

What Jones neglected to mention was that in my analysis I only examined the longevity of unpatched browser vulnerabilities that by each company's definition earned the most dangerous security ratings.

In the case of Internet Explorer, for example, I counted only flaws that Microsoft said were "critical," for one or more versions of the browser or closely-tied component of the Windows operating system. Microsoft defines a vulnerability as critical -- its most dire label -- if bad guys can use the flaw to hack into a vulnerable machine remotely without any help from the victim -- save for perhaps convincing the user to visit a hacked or malicious Web site.

In the case of Firefox, I looked exclusively at browser vulnerabilities that Mozilla classified as "critical," or "high" in severity. Again, the point was to focus only on vulnerabilities that could be exploited remotely and did not require much - if anything - in the way of user interaction.

In contrast, Jones appears to arrive at 285 days of vulnerability for Firefox by focusing exclusively on flaws that were considered by Mozilla and other security experts to be far less severe.

joneschart.jpg

For example, three of the seven flaws he includes -- CVE-2005-4134, CVE-2006-1942, and CVE-2006-6077 -- are vulnerabilities Mozilla assigned "low" severity ratings. Another vulnerability he cites -- CVE-2006-2894 - earned a moderate rating from Mozilla.

Jones concludes: "So, based upon these items above, we can now come up with a new "at risk" chart for Firefox users during 2006, modeled after their chart. 31 + 45 + 209 = 285 days "at risk" (check out the chart he uses above, from his cio.com article.)

In short, Jones's conclusion is correct if you count all these lesser vulnerabilities. If you discount these three less severe flaws in Firefox, Jones's 285 days disappear.

In response to a query sent by Security Fix, Jones said he was not aware that I had focused my research solely on the most severe security vulnerabilities for both browsers.

"I read your article and it wasn't clear to me that you included Critical issues," Jones wrote in an e-mail to Security Fix. "You did use that wording in some place when talking about IE issues and exploits, but I couldn't tell on the others."

Jones, however, does not respond to the more disturbing part of my research, which found that there were at least 98 days in 2006 in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

While my research indeed showed that there was a period of nine days during that year in which exploit code for a critical or high-severity flaw in Firefox was available online, there were no indications I could find that hackers were taking advantage of that flaw to attack Firefox users.

By Brian Krebs  |  January 29, 2009; 8:00 AM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Security Fix Pop Quiz, Reality-Show Style
Next: Troubled Ukrainian Host Sidelined

Comments

So he actually counted CVE-2007-0995? What a joke given that those are some XSS mitigation measures - meant to make security holes in websites and other applications (*not* Firefox itself) harder to exploit. Also interesting to note that trivial issues in Internet Explorer parser comparable to the first two problems listed were never fixed. We will only be able to consider some of them as fixed when Internet Explorer 8.0 comes out. Really, people should stop talking about things they know nothing about.

Posted by: WladimirPalant | January 29, 2009 8:49 AM | Report abuse

Heh, I got confused by your link in the article. He counted CVE-2006-6077, not CVE-2007-0995. Which invalidates my claims about the issue not being fixed in Internet Explorer - but it is still XSS mitigation so it requires the website to be vulnerable in the first place (and then you are already in trouble).

But I remembered something about CVE-2006-2894: Hong found out there that Mozilla didn't entirely fix the problem reported by Michal Zalewski. The original problem is multi-browser and tracked by Secunia as SA20449 - and it hasn't been fixed in Internet Explorer at all! So, if we count CVE-2006-2894 for the days where Firefox was vulnerable then we must admit that Internet Explorer users have been vulnerable for almost three years straight now.

Posted by: WladimirPalant | January 29, 2009 9:46 AM | Report abuse

@Wladimir -- Which link confused you? I'm confused by your post.

Posted by: BTKrebs | January 29, 2009 9:54 AM | Report abuse

You link to MFSA2007-02 which happens to cover more issues than just CVE-2006-6077 (and all but CVE-2006-6077 affect Internet Explorer as well but weren't fixed there). That was the source of my confusion. I didn't realize at first that most issues listed there are post-2006.

Posted by: WladimirPalant | January 29, 2009 10:00 AM | Report abuse

Let me see if I understand this...

A Microsoft security director reads a report that you put together in 2007(!) and is just now responding to it? I would have thought that MS would have made their response known way before now, well over a year later.

Could this be a reason why Microsoft is seeing their share of the desktop marketplace drop?

Posted by: blasher | January 29, 2009 4:39 PM | Report abuse

Did you ever review Opera? Safari?

Posted by: lembark | January 30, 2009 3:40 AM | Report abuse

Somewhat unrelated, but last night I was updating Vista with some security patches and.... when restarting, the entire OS had become corrupted and failed to restart, in any mode. All restore points were gone as well. Thank God for Norton Ghost.

Posted by: Rational4vr | January 30, 2009 6:33 AM | Report abuse

Plain and simply, no body should be using any iteration of IE as their primary browser at all. There are way too many other better alternatives; FF, Opera, Chrome, or Safari. I exclusively use FF 3.0.5.

Posted by: jabreal00 | January 30, 2009 9:45 AM | Report abuse

Jeff Jones is an infamous Microsoft propagandist. He uses the approach of engaging in lawyeristic word games in an endless effort to alway make the MS product look good, and the competing products look bad, without regard to the actual performance characteristics.
Given Mr. Jones history, folks who are interested in the actual big picture and facts should just pass by anything that Mr. Jones publishes.
Mr. Jones appears to be a product of MS's internal culture which values winning at any cost, and facts are to be kicked to the gutter and and methodically distorted any time they are found to be inconvenient.

Posted by: dfolk | January 30, 2009 10:25 AM | Report abuse

With regard to Firefox and its sister browser, Sea Monkey, I use to like Sea Monkey for its being faster than Firefox.

The new version, however, does not appear to show the address line at the top of the browser [a real pain in the a$$] or have I somehow 'missed it?' LOL

I know it can be brought up in the sidebar, but keeping the sidebar up all the time shrinks working screen area.

SUGGESTIONS ANYONE ???

Posted by: brucerealtor@gmail.com | January 30, 2009 10:46 AM | Report abuse

I, too, would like to see a comparison of Safari. I started using it when I got a MacBook, but it turned out to be buggy. I switched to Firefox and it runs fine, with the ironic exception of on WashingtonPost.com where it frequently fails to correctly load pages. Closing the browser and opening it again fixes the problem.

Posted by: hisroc | January 30, 2009 10:52 AM | Report abuse

I see. So the MS crony decided to double check *all* vulnerabilities for FireFox, but not IE. What is the running time for all, including low risk, vulnerabilities being active within IE?

That is certainly disingenuous on MS's part.

Posted by: wwc4g | January 30, 2009 11:11 AM | Report abuse

Sounds like both of these dorks need to begin worrying about more important things like how to convert the rest of the world away from MS

Posted by: indep2 | January 30, 2009 11:13 AM | Report abuse

@brucerealtor: I think you'll find most people on this blog won't answer general computer problem questions here, even if you post it more than once. Have you tried to find the answer to your question using other methods, like a general search engine search, or searching for a computer application discussion board that fits the subject matter that interests you?

I hope you'll find the information you desire.

Posted by: Heron | January 30, 2009 11:34 AM | Report abuse

@brucerealtor, you may want to check out this site, if you haven't already:

http://www.seamonkey-project.org/community

Sometimes, if an application doesn't work as you expect it to, the best you can do is post a suggestion where "the powers that be" will see it, and hope they'll take your feedback into consideration the next time they do an update.

Posted by: Heron | January 30, 2009 11:40 AM | Report abuse

I take Jeff Jones telling us that IE6 was more secure than Firefox about as seriously as the Zimbabwean Electoral Commission announcing that Mugabe won the last election fairly and squarely.

^dfolk's comment.

Posted by: FreewheelinFrank | January 30, 2009 12:01 PM | Report abuse

Makes me more than happy that we are an Apple family. Yeah, there are weaknesses in their OS, but nothing like Windows and Microsoft to bring out the criminals.

Since Superbowl Sunday is coming up, go Apple!!

Posted by: CaptainJohn2525 | January 30, 2009 12:35 PM | Report abuse

@brucerealtor:

I use SeaMonkey as my workhorse browser (although I use Firefox, too). I like having the POP mail client and HTML editor all in one place.

Perhaps one of your SeaMonkey settings was changed. In the "View" menu, select "Show/Hide" and make sure that the "Navigation Toolbar" is selected on.

Posted by: 54Stratocaster | January 30, 2009 1:25 PM | Report abuse

jabreal00 says "Plain and simply, no body should be using any iteration of IE as their primary browser at all. There are way too many other better alternatives; FF, Opera, Chrome, or Safari." I would agree, except for the fact that there are still a disturbingly large number of e-commerce and other interactive websites that don't work fully - or in some cases not at all - with anything other than Internet Exploiter.

Posted by: darrellcochran | January 30, 2009 3:30 PM | Report abuse

darrellcochran said...
"there are still a disturbingly large number of e-commerce and other interactive websites that don't work fully - or in some cases not at all - with anything other than Internet Exploiter."

Send an email to the webmaster to complain, then send another email to the webmaster to complain, then send another email to the webmaster to complain (spaced out every so often, of course), and repeat as necessary, as often as necessary.

Then avoid those sites like the plague unless there is absolutely NO other way to do what you want to do. And even then, try to find a method to avoid those sites until the dense webmaster gets the point (emphasized by emailed complaints) that IE is not the one and only true god of browsers.

Posted by: critter69 | January 30, 2009 9:02 PM | Report abuse

Whenever I'm doing a clean install of a Microsoft operating system, the VERY FIRST thing that I do with the newly-installed operating system is to point the Internet Explorer browser to http://www.mozilla.com and download the Firefox browser. Then I point the Firefox browser to http://www.avast.com and go to the download section and select the (free) home version anti-virus package.

OF COURSE, ALL OF THE ABOVE IS UNNECESSARY IF ONE USES THE LINUX OPERATING SYSTEM!!!!! (If you require some serious hand holding, then use the Red Hat flavor/version of Linux.)

Posted by: nbahn | January 30, 2009 10:33 PM | Report abuse

By secure, I think MS means, secure from criticism.

Posted by: editor2 | January 31, 2009 7:30 AM | Report abuse

@lembark and hisroc:

I did a minor bit of security-based research on browsers back in 2005, and included Opera in the article here:
http://itdiaries.com/2005/12/09/browser-security-2005/

Surprising results actually.

Posted by: lachelp | February 1, 2009 6:37 PM | Report abuse

Part of the safety of non-Microsoft products is a combination of there being too few users for the bad guys to spend time on, and of those users on average being more savvy. But there is currently a Mac trojan being spread by BitTorrent, and Linux trojans exist, too. The greater the market share of non-Windows OS's, the more it's going to happen.

Even so, as far as risk, IE is in a class by itself. I hate to visit sites that require it. When I must, it's because I have to do business with companies so powerful that if they insist on IE, the rest of us have no choice. And then I really wonder how safe my data is with a system administrator so stupid and arrogant as to force everyone else to have their entry level employees use IE.

Posted by: AlphaCentauri | February 1, 2009 9:49 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company