Symantec: Mozilla Has Twice The Flaws Of IE - InformationWeek


Mozilla's popular Firefox browser has been subjected to nearly double the vulnerabilities of Microsoft's leading Internet Explorer, Symantec says, but Microsoft's are more severe.

Mozilla's popular Firefox browser has been subjected to nearly double the vulnerabilities of Microsoft's leading Internet Explorer, Symantec said Monday as it released its semi-annual report on the state of Internet security and threats against personal computers.

According to Symantec's Internet Security Threat Report, which used stats from January through June, 2005, Mozilla's browsers suffered from 25 vendor-confirmed bugs in the first six months of the year. Internet Explorer, on the other hand, was pegged with only 13.

Of Mozilla's 25 vulnerabilities, 18, or 72 percent, were tagged as "high severity," up from the 14 most-severe flaws disclosed in the last half of 2004. Meanwhile, IE's total of 13 was fewer than half the 31 made public in the last six months of last year.

"Firefox's vulnerabilities are almost double that of IE," said Oliver Friedrichs, the senior manager of Symantec's security response research team. "[But] when you take a step back, two factors make that less severe."

First, he said, is that by nature IE vulnerabilities pose more problems to more people. "Because IE has a much larger base, a vulnerability within IE is far more widespread and generally has a much more severe impact than those in the Mozilla family," acknowledged Friedrichs.

Second, Mozilla's browsers are almost always patched quickly, while IE's problems often languish for months before they're fixed, exposing users to possible "zero-day" attacks for months. "You're much more likely to have vulnerabilities fixed quickly with open-source software like Firefox," said Friedrichs. "So the exposure time is much less."

While the news of Firefox flaws will likely raise hackles of the Mozilla faithful, even with Friedrichs' caveats, that's not the only news in Symantec's report.

Bots, it seems, are on the upswing again after a temporary drop last year.

In March, when Symantec last published its twice-a-year report, it noted a significant drop in the number of bots, and theorized that the plunge was due to Windows XP SP2's rollout in the second half of 2004.

That fall-off in bots didn't last long, however. In the first half of 2005, the median bot count per day was 10,352, more than double the 4,348 bots per day in December, 2004.

Strangely enough, now Symantec's saying that the increase is due to security being tightened in 2004.

"As hosts vulnerable to exploitation become less common, bot networks must work harder to maintain their current size and continue to grow," said the new report. "It's likely that in order to maintain viability, bot network owners stepped up their attack activity, resulting in increasingly coordinated efforts."

The good news is that while the median number of bots spotted per day is up substantially over 2004, the count actually peaked in February 2005, and trended down, more or less, from then through June.

Much of the rest of Symantec's threat report reiterated past warnings, including ones made by the Cupertino, Calif.-based security giant, by rivals, and by analysts at firms such as Gartner, that malicious code writers are increasingly motivated by profit, not notoriety.

"The general trend is that attackers aren't concentrating on 'far and wide' worms, but on financial gain," said Friedrichs.

Everything from the explosion in the number of worm variants to a boom in phishing to the rise of so-called "ransom-ware" threats is, claimed Friedrichs, tied to this over-arching movement by hackers to make money rather than front-page headlines.

With attackers targeting smaller audiences in order to escape detection as they try to rip off consumers and corporations both, it's no surprise, said Friedrichs, that the day of the big Internet attack seems to be over.

"So far this year, Symantec has labeled four category '3' threats," said Friedrichs, referring to his company's 1 through 5 ranking system. "In all of 2004, we had 33 category '3' threats.

"Attacks just aren't after the Internet as a whole," he said.
