On 29 Sep 2005 at 12:58, Phil Daley wrote:

> FYI:
>
> More Flaws in Firefox Than IE, Symantec Says
> News Story by Todd R. Weiss
This is old news. And it's malarkey.

The following is a lengthy post I made in another forum in response to reading Symantec's "security report" (which was really a glorified press release designed to generate fear, uncertainty and doubt (FUD) and, thus, $ALES of Symantec's products).

The key point to remember here is that Symantec is not by any stretch of the imagination an unbiased participant in the discussion. It is in their corporate interests to make reliable and secure applications like FireFox look unreliable and insecure, as they are in the business of selling a feeling of security (though they don't really deliver on it, in reality).

All of the articles that came out about this were based on a long security report that Symantec dresses up in pseudo-scientific garb, reporting lots of numbers and percentages, but never providing the actual underlying data. When Symantec says that FireFox has had 25 vulnerabilities and IE 13, WE HAVE NO IDEA WHETHER THIS EVALUATION IS CREDIBLE OR NOT, because nowhere in the report is there a list of the vulnerabilities. Given that other organizations (such as Secunia, which sells security services, so it's not completely unbiased, either; but you can see the specifics of their security reports on Secunia.com) have different numbers, with FireFox coming out ahead in the end, Symantec ought to be providing specifics. But they don't. Since there is no way to evaluate the data on which Symantec's conclusions are based, one has to discard their controversial conclusions entirely.

Secondly, Symantec misses two main points:

1. FireFox 1.x is about a year old, and IE 6.x is 3 or 4 years old. Because of the product life cycle, one expects more problems to be discovered in the early period after an application's release. Yet, if you look at Secunia's data on IE6.x, there's been a fairly steady stream of vulnerabilities discovered over the past 3 years.

2. Symantec doesn't take account of how the vulnerabilities are corrected, or *if* they are corrected. Secunia provides data on this that shows that FireFox is much safer in that vulnerabilities are addressed more quickly, and that fewer serious vulnerabilities remain unpatched in FireFox than in IE6.x. Further, the impact of the vulnerabilities found in FireFox is less than the impact of those in IE6.x.

Here's the text of the post that examines Symantec's report (if you want to skip the details and get to my conclusion, do a FIND for "MY CONCLUSIONS"):

Subject: "Press Release" Journalism and Symantec's Recent Claims About FireFox vs. IE

Having read these articles reporting on claims made by Symantec about FireFox vs. IE as well as Mac vulnerabilities, I decided to see if I could go to the source. Below I quote at length from the report, because it's the text on which all the news reports appear to be based (you have to register to read the report, unfortunately).

From <https://ses.symantec.com/Content/displaypdf.cfm?SSL=YES&PDFID=2124&PromoCode=WP000ITR8>:

Web browser vulnerabilities

The Web browser is a critical and ubiquitous application that has, in the past few years, become a frequent target for vulnerability researchers. In the past, the focus of security has been on the perimeter: servers, firewalls, and other systems with external exposure. However, a notable shift has occurred, as client-side systems, primarily end-user desktop hosts, are becoming increasingly prominent. The Symantec Internet Security Threat Report has monitored this trend over the past several reporting periods. This metric will offer a comparison of vulnerability data for numerous browsers, namely: Microsoft Internet Explorer, the Mozilla browsers (including Firefox), Opera, Safari, and KDE Konqueror.
However, when assessing the comparative data, the following important caveats should be kept in mind:

Only verifiable vulnerabilities that were confirmed by the vendor were taken into consideration.

Web browser vulnerability counts may not match one-to-one with security bulletins or patches issued by vendors. This is because of the complexity in identifying individual vulnerabilities in browser exploits.

[In the Appendix, this caveat is worded rather differently:

Individual browser vulnerabilities are notoriously difficult to pinpoint and identify precisely. A reported attack may be a combination of several conditions, each of which could be considered a vulnerability in its own right. This may distort the total vulnerability count.

That's *very* different, is it not? Why was this much more qualified language not used in the body of the report, except in an effort to make their claims seem much stronger than they really are?]

Not every vulnerability discovered is exploited. As of this writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred. However, Symantec expects this to change as alternative browsers become increasingly widely deployed.

As has been stated previously in this report, readers should be aware that this discussion is based on data that may change over time, as entries in the vulnerability database are constantly revised as new information emerges. As vendors confirm vulnerabilities and/or release patches, vulnerability totals may increase. As a result, statistics and percentages reported in one volume of the Internet Security Threat Report may not agree with the same information as it is presented in subsequent volumes.

During the first half of 2005, more vulnerabilities were disclosed for the Mozilla browsers, including Firefox, than for any other browser (figure 19). During this period, 25 vulnerabilities affecting the Mozilla family of browsers were disclosed, compared to 32 in the second half of 2004. During the first half of that year, only two vulnerabilities were disclosed for the Mozilla browsers.

The average severity of the Mozilla vulnerabilities in the first half of 2005 was high. 18 of the 25 Mozilla vulnerabilities in this period, or 72%, were rated high severity. This is up from 44% in the second half of 2004. There was a single high-severity vulnerability associated with Mozilla browsers in the first half of 2004. The increase of high-severity vulnerabilities may be due to attention being paid by researchers to the Firefox browser, which has been widely touted as a secure alternative to Microsoft Internet Explorer.

During the first six months of 2005, there were 13 vendor confirmed vulnerabilities disclosed for Microsoft Internet Explorer. This is a sharp decrease from the 31 documented in the second half of 2004. (It should be noted that in the last Internet Security Threat Report, only 13 vulnerabilities associated with Internet Explorer were classified as vendor confirmed. After publication, this number was revised to 31 due to delayed confirmation of the vulnerabilities by the vendor.) During the first half of 2004, seven Internet Explorer vulnerabilities were disclosed and confirmed by Microsoft.

The average severity rating of the vulnerabilities associated with Internet Explorer during the first six months of 2005 was high. During the first half of 2005, eight of the 13 Internet Explorer vulnerabilities, or 62%, were considered high severity. This is an increase over the 58% in the last six months of 2004 and the 57% of vulnerabilities that were rated high severity in the first half of that year.

During the first six months of 2005, six new vulnerabilities were disclosed for the Opera browser. This is a decrease from the previous reporting period, during which Symantec documented 11 Opera vulnerabilities. In the first half of 2004, five vulnerabilities were found for Opera.
The Opera vulnerabilities disclosed during the first half of 2005 had an average severity rating of moderate. Of the six vulnerabilities documented in the current reporting period, three were rated as high severity, or 50%. 27% of Opera vulnerabilities disclosed in the second half of 2004 were considered high severity. There were no high-severity Opera vulnerabilities documented by Symantec in the first half of 2004.

Between January 1 and June 30, 2005, two vendor confirmed vulnerabilities were disclosed for Apple's browser for Mac OS X, Safari, the same number as in the preceding six-month reporting period. In the first half of 2004, three vulnerabilities for Safari were disclosed.

The average severity rating for Safari vulnerabilities disclosed during the first half of 2005 was moderate. Only one of the two Safari vulnerabilities disclosed during this period was considered high severity. There were no high-severity Safari vulnerabilities disclosed in 2004.

For the first time, in this volume of the Internet Security Threat Report Symantec is assessing vulnerabilities for the Konqueror browser. Between January 1 and June 30, 2005, two vendor confirmed vulnerabilities were discovered in this browser. This is a decline from the six reported in the preceding six-month period. Konqueror was associated with a single vulnerability published in the first half of 2004.

The average severity rating for Konqueror vulnerabilities disclosed during the first half of 2005 was moderate. Of the two Konqueror vulnerabilities documented by Symantec in the first half of 2005, only one was rated high severity. In the previous six-month period, only one out of the six Konqueror vulnerabilities was considered high severity. The lone vulnerability associated with Konqueror from the first half of 2004 was not high severity.

Fig 20. Browser vulnerabilities by severity, Jan 1 to June 30, 2005

  Severity   MSIE   Mozilla   Opera   KDE/Konqueror   Safari
  Moderate      8        18       3               1        1
  High          5         7       3               5        1

The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than other vendors. This could be because the Mozilla browsers are open source and may be more responsive to reports of new vulnerabilities and subsequently developing and delivering associated patches. For instance, except in certain instances,[60] Microsoft releases fixes on a relatively fixed schedule rather than as needed, potentially increasing their acknowledgement time.

Overall, there are fewer high-profile Web-browser vulnerabilities in the current reporting period than have been seen in previous reports; this is particularly notable in the case of Internet Explorer. This may reflect the preventative security measures being taken by many vendors in response to widely exploited security threats. Drive-by-downloading, the use of vulnerabilities in browsers to force software installs (such as spyware, which itself has come to be associated with browser insecurity), has also become common, forcing vendors to act quickly in response to user complaints.

Footnote 60: For instance, MS04-037, a vulnerability exploitable through MSIE, was released outside of their regular cycle. See: http://www.microsoft.com/technet/security/advisory/903144.mspx

***

Now, nowhere in this report does Symantec identify what the vulnerabilities are that they are counting so that one may check the validity of their classification. Secondly, the caveat quoted from the appendix very much calls into question the reliability of their classifications, simply by admitting that investigators of good will can disagree on the classification. But since Symantec doesn't provide the data, there's no way to judge whether they are just making it up or not.
But the "quality" of this Symantec report seems to me to be indicated by the section discussing adware that is installed through web browsing. It includes a paragraph on the vulnerabilities of ActiveX that is completely silent on the FACT that only Internet Explorer is vulnerable to these controls, because only IE natively interfaces with ActiveX controls. My bet is that most (if not all) of the spyware/adware that was installed in the test described below would *not* have been installed in any browser *except* Internet Explorer. But there's no way to know, as they don't indicate that information. A real investigation would have compared visiting these websites with IE to visiting the same web sites with FireFox and Safari. Then it would have been bloody clear that whatever the number of "vulnerabilities" announced for FireFox vs. IE, it is clearly IE that is the dangerous web browser, and not FireFox or Safari. INTERNET EXPLORER IS THE PROBLEM, and Symantec is apparently TOO AFRAID OF MICROSOFT to say so.

Web browsing

Adware is often installed through the user's Web browser. This can be done through pop-up ads offering free software to download. The pop-up sometimes offers the user a choice of clicking Yes or No to accept or reject the offer. In reality, though, clicking anywhere on the ad often results in the download of adware. Browser-installed adware may also be installed through ActiveX[104] controls or browser helper objects (BHOs).[105] Eight of the top ten adware programs reported to Symantec in the first six months of 2005 were installed through Web browsers (table 7). This is an increase over the five reported in the last six months of 2004.

Symantec has conducted an internal study designed to determine the relationship between the types of sites visited and the adware or spyware downloaded on the user's machine. Symantec security researchers spent one hour surfing well known Web sites and found that after one hour of navigating children's Web sites, 359 adware programs had been installed on the user's computer. Of all the categories of Web sites visited, this was far and away the highest number of adware programs installed.[106] This indicates that sites targeting children may have a disproportionately high rate of adware installation. This could be because children are more likely to click on prompts or buttons in order to quickly get to the activities they wish to explore. It is possible that machines used predominately by children may not be regularly updated.

To reduce the risk from adware that is installed through a Web browser, users should consider disabling ActiveX. It is important to note, however, that doing so may also affect the functionality of the Web browser and may prevent certain Web sites and pages from rendering correctly. Some users require ActiveX, in which case they should configure their browser to require a prompt for ActiveX controls to execute. If the browser presents a dialogue box that is not expected, the user should not click anywhere on the dialogue box. Instead, they should close the browser window immediately.

Footnote 104: ActiveX is a set of Microsoft technologies that allows users to share information among different programs. For more information on ActiveX, please visit: http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/intro.asp

Footnote 105: Browser helper objects (BHOs) are add-on programs that can add legitimate features to a user's browser (Internet Explorer 4.X and up). For example, document readers that used to read programs within the browser do so through BHOs.

Footnote 106: Other categories of Web sites include: sports, gaming, news, reseller (auction), shopping, and travel.

***

Then there's the Mac section.
It would appear that the Yahoo article conflated the section on Mozilla "vulnerabilities" with the Mac section, to end up with a headline that made it sound like the supposed Mozilla "threat" was a Mac issue. So, chalk that one up to bad journalism (or a bad editor).

Continued security concerns for Mac OS(R)

In the Future Watch section of the previous Internet Security Threat Report,[155] Symantec advised readers that Apple's Mac OS X was an emerging target for attacks. During the current reporting period, Symantec documented a noteworthy number of vulnerabilities and attacks directed at Mac OS X.

An ever-increasing number of users are adopting Mac OS X. Many of these users believe that this operating system and the applications that run on it are immune to traditional security concerns. However, evidence suggests that, increasingly, they may be operating under a false sense of security.[156]

Mac OS X is based on a Berkeley Systems Design (BSD) UNIX-like environment. Many of the security concerns that UNIX users face are now shared by those who have adopted Mac OS X.[157] As Mac OS X users demand more features and implement more ports[158] of popular UNIX applications, vulnerabilities and exploits targeting this operating system and its underlying code base are likely to increase.

Over the past two reporting periods, the number of vendor-confirmed vulnerabilities in Mac OS X has remained relatively constant. None of these have been widely exploited. However, this could change in the near future. During the writing of this report, an analysis was performed on a rootkit[159] designed to take advantage of Mac OS X.[160] Mac OS X/Weapox[161] is a rootkit based on the AdoreBSD rootkit. While there have been no reports of widespread infection to date, this Trojan serves to demonstrate that as Mac OS X increases in popularity so too will the scrutiny it receives from potential attackers.

The discovery of Mac OS X/Weapox indicates that Mac OS X may no longer be immune from widespread attack. As such, system administrators, security administrators, and end users should employ defense in depth. Though vulnerabilities and malicious code targeting other operating systems continue to outnumber those on Mac OS X, Symantec recommends that users continue to apply security patches as they become available and continue to educate themselves on security issues affecting Mac OS X.

Footnote 154: An IP-PSTN gateway translates voice and data carried over a VOIP network to conventional telephone signaling so that calls can be routed over a conventional telephone network.

Footnote 155: Symantec Internet Security Threat Report, Volume VII (March 2005): http://enterprisesecurity.symantec.com/content.cfm?articleid=1539

Footnote 156: See the following URL, for instance: http://www.securityfocus.com/swsearch?query=OS+X&sbm=bid&submit=Search%21&metaname=swishtitle&sort=swishlastmodified

Footnote 157: A recent announcement surrounding an audit of the underlying source code in Darwin, the implementation of UNIX that underlies Apple Computer Inc.'s Mac OS X operating system, revealed kernel level vulnerabilities that could be exploited by remote attackers. (For more details, see: http://www.eweek.com/article2/0,1759,1752632,00.asp)

Footnote 158: A port is an application or piece of code written on one platform that is then modified to run on another.

Footnote 159: A rootkit is a collection of tools that allows an attacker to provide a back door into a system, collect information on other systems on the network, mask the fact that the system is compromised, and perform other activities as desired by the attacker.

Footnote 160: Virus Bulletin July 2005: http://www.virusbtn.com

Footnote 161: http://pferrie.tripod.com/vb/weapox.pdf

***

MY CONCLUSIONS

All the news articles posted to the list the last couple of days appear to simply rehash the information in this Symantec security report, which seems to me to be little more than a glorified press release. The report seems to me to be masquerading as a scientific study, an analysis of data, when the data are not actually presented in the report itself. This is a glorified press release, extremely cleverly designed public relations material produced for the purpose of making people worry about the security of their systems so they consider buying Symantec's products.

YOU DON'T NEED SYMANTEC'S PRODUCTS. You need better software. And, despite the clear message of this FUD-filled press release, the best solution for Windows users is to COMPLETELY AVOID USING INTERNET EXPLORER.

That conclusion is buried in the 3rd caveat at the head of the subsection discussing browser exploits:

Not every vulnerability discovered is exploited. As of this writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred. However, Symantec expects this to change as alternative browsers become increasingly widely deployed.

Let me repeat that: AS OF THIS WRITING, NO WIDESPREAD EXPLOITATION OF ANY BROWSER EXCEPT MICROSOFT INTERNET EXPLORER HAS OCCURRED.

So, despite all the evidence they adduce about the time from announcement of vulnerabilities to the appearance of exploits, they explicitly choose *not* to connect the dots and say up front: The average time from announcement to discovery of an exploit is almost all due to Internet Explorer, because THERE ARE NO EXPLOITS FOR OTHER BROWSERS.

So, in reality, if you read between the lines, the headline for this report *ought* to be "Despite twice the number of recently discovered vulnerabilities, FireFox is *still* much safer as a web browser than Internet Explorer."
It's too bad that what's-his-name's Virus Myths website no longer exists -- he'd have a field day debunking this one.

Don't trust the AV software companies. They make money off of your vulnerability, and it's in their interests to make you feel unsafe. It's good for their business to hide the truth, that you *don't* need to pay money to compute safely -- you just need to choose your software carefully.

Symantec and McAfee are like the oil companies and the auto makers. Their interests are completely at odds with the interests of their customers and the long-term health of the economy. Symantec and McAfee flourish when security problems are *not* solved, just as the oil companies and the auto companies make more money from the sale of SUVs and other inefficient automobiles.

Don't trust them! They don't have your safety or interests in mind when they make announcements like these, nor when they design their products.

--
David W. Fenton                        http://www.bway.net/~dfenton
David Fenton Associates                http://www.bway.net/~dfassoc

_______________________________________________
Finale mailing list
Finale@shsu.edu
http://lists.shsu.edu/mailman/listinfo/finale