Symantec: Mozilla Has Twice The Flaws Of IE - InformationWeek
9/19/2005
04:37 PM

Symantec: Mozilla Has Twice The Flaws Of IE

Mozilla's popular Firefox browser has been subjected to nearly double the vulnerabilities of Microsoft's leading Internet Explorer, Symantec says, but Microsoft's are more severe.

Mozilla's popular Firefox browser has been subjected to nearly double the vulnerabilities of Microsoft's leading Internet Explorer, Symantec said Monday as it released its semi-annual report on the state of Internet security and threats against personal computers.

According to Symantec's Internet Security Threat Report, which used stats from January through June, 2005, Mozilla's browsers suffered from 25 vendor-confirmed bugs in the first six months of the year. Internet Explorer, on the other hand, was pegged with only 13.

Of Mozilla's 25 vulnerabilities, 18, or 72 percent, were tagged as "high severity," up from the 14 most-severe flaws disclosed in the last half of 2004. Meanwhile, IE's total of 13 was fewer than half the 31 made public in the last six months of last year.

"Firefox's vulnerabilities are almost double that of IE," said Oliver Friedrichs, the senior manager of Symantec's security response research team. "[But] when you take a step back, two factors make that less severe."

First, he said, is that by nature IE vulnerabilities pose more problems to more people. "Because IE has a much larger base, a vulnerability within IE is far more widespread and generally has a much more severe impact than those in the Mozilla family," acknowledged Friedrichs.

Second, Mozilla's browsers are almost always patched quickly, while IE's problems often languish for months before they're fixed, exposing users to possible "zero-day" attacks for months. "You're much more likely to have vulnerabilities fixed quickly with open-source software like Firefox," said Friedrichs. "So the exposure time is much less."

While the news of Firefox flaws will likely raise hackles of the Mozilla faithful, even with Friedrichs' caveats, that's not the only news in Symantec's report.

Bots, it seems, are on the upswing again after a temporary drop last year.

In March, when Symantec last published its twice-a-year report, it noted a significant drop in the number of bots, and theorized that the plunge was due to Windows XP SP2's rollout in the second half of 2004.

That fall-off in bots didn't last long, however. In the first half of 2005, the median bot count per day was 10,352, more than double the 4,348 bots per day in December, 2004.

Strangely enough, now Symantec's saying that the increase is due to security being tightened in 2004.

"As hosts vulnerable to exploitation become less common, bot networks must work harder to maintain their current size and continue to grow," said the new report. "It's likely that in order to maintain viability, bot network owners stepped up their attack activity, resulting in increasingly coordinated efforts."

The good news is that while the median number of bots spotted per day is up substantially over 2004, the count actually peaked in February 2005, and trended down, more or less, from then through June.

Much of the rest of Symantec's threat report reiterated past warnings, including ones made by the Cupertino, Calif.-based security giant, by rivals, and by analysts at firms such as Gartner, that malicious code writers are increasingly motivated by profit, not notoriety.

"The general trend is that attackers aren't concentrating on 'far and wide' worms, but on financial gain," said Friedrichs.

Everything from the explosion in the number of worm variants to a boom in phishing to the rise of so-called "ransom-ware" threats is, claimed Friedrichs, tied to this over-arching movement by hackers to make money rather than front page headlines.

With attackers targeting smaller audiences in order to escape detection as they try to rip off consumers and corporations both, it's no surprise, said Friedrichs, that the day of the big Internet attack seems to be over.

"So far this year, Symantec has labeled four category '3' threats," said Friedrichs, referring to his company's 1 through 5 ranking system. "In all of 2004, we had 33 category '3' threats.

"Attacks just aren't after the Internet as a whole," he said.
