Symantec: Firefox more insecure than IE?

So far it's dealt with more flaws this year...

By Tom Espiner, 20 September 2005 08:45

Mozilla web browsers are potentially more vulnerable to attack than Microsoft's Internet Explorer, according to a Symantec report.

But the report, released on Monday, also found that hackers are still focusing their efforts on IE.

The open source Mozilla Foundation browsers, such as the popular Firefox, have typically been seen as more secure than IE, which has suffered many security problems in the past. Mitchell Baker, president of the foundation, said earlier this year that its browsers were fundamentally more secure than IE. She also predicted that Mozilla Foundation browsers would not face as many problems as IE, even as their market share grows.

Symantec's Internet Security Threat Report Volume VIII contains data for the first six months of this year that may contradict this perception.

According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005 - "the most of any browser studied", the report's authors stated. Eighteen of these flaws were classified as high severity.

The report noted: "During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity."

The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited".

The Mozilla Foundation did not immediately respond to requests for comment.

Symantec reported that the gap between vulnerabilities being reported and exploit code being released has dropped to six days on average. However, it's not clear from the report how quickly Microsoft and Mozilla released patches for their respective vulnerabilities, or how many of the vulnerabilities were targeted by hackers, though Microsoft generally releases patches only on a monthly basis.

Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred", but added that it "expects this to change as alternative browsers become increasingly widely deployed".

There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

The report also highlighted a trend away from the focus of security being on "servers, firewalls, and other systems with external exposure". Instead, "client-side systems - primarily end-user systems - [are] becoming increasingly prominent targets of malicious activity".

Web browser vulnerabilities are becoming a preferred entry point into systems, the report stated. It also highlighted the trend of hackers operating for financial gain rather than recognition, increased potential exposure of confidential information, and a "dramatic increase in malicious code variants".

CNET News.com's Joris Evers contributed to this report

Tom Espiner writes for ZDNet UK

Comments

There are 7 comments.

  1. anonymous

    Seeing as Firefox is multi platform and not even officially on version 1.5 there are bound to be some issues.

    IE is not multi platform (I know previous versions were available on the Mac as well) and it is now on version 6.

    Does this mean IE is 6 times more secure? No.

    Also there are bounties by Mozilla/Firefox to encourage people to seek out security issues and other bugs. This should mean that most major bugs will be fixed sooner, so the fact there were more found in the last 6 months isn't a surprise.

    This should drop off and when MS release IE 7 then their figures will undoubtedly change.

  2. anonymous

    But does Firefox give you spyware by the dozen and all the other nice!!! features that IE gives? When you take this into comparison as well as in comparison to IE, Firefox is still in its infancy.

    I personally would rather have Firefox with problems which do occur (and usually fixed quickly), rather than go with all the other issues like loads of spyware I used to get from IE.

  3. Andrew Rice

    IE is inherently the least secure browser due to all the extra embedded functionality and OS integration and it's "security zones".

    This is not bashing IE, simply a statement of obvious fact.

    To make it comparable to other browsers you would have to remove all the additional functionality. Unfortunately Netscape has taken the step of enabling access to IE functionality via it's browser therefore negating the need to use it.

  4. Stephen Walker (Apex Web Solutions)

    The Symantec report fails to distinguish patched and unpatched flaws. According to Secunia, Mozilla Firefox 1.0.6 has only 4 unpatched flaws, whereas MSIE 6.0 has 19 security flaws.

    Besides, Opera 8.6 has zero security flaws, and it's now completely free (no more Google ads).

    Opera is safest, followed by Firefox, and MSIE is (still) in 3rd.

    As usual, the media fails to report the entire story, but misleads the public. Perhaps the biases of Symantec (who produces lots of software that runs on Windows) are also to blame.

  5. Dimitri

    In addition to the previous comments, Firefox 1.0 was launched in a comparable feature state & richness to IE6 (in fact IE7, as Firefox has more advanced features which IE7 will try to duplicate). The comparison therefore should be between all the vulnerabilities discovered since the Firefox project began and IE4 which was live at the time, or at least since last year when Firefox began gaining market share with version 0.96. These comparisons would show a few dozen Firefox flaws compared with a few *Hundred* IE security flaws.

  6. anonymous

    How can you take seriously the opinions of someone who doesn't even know how to use "its"?

  7. Simon

    Surely one aspect that seems to be overlooked is that Firefox doesn't run as an integral part of the OS with the ability to do anything that the OS itself can do - thus automatically reducing the ability to use a vulnerability to make arbitrary changes to the system.
