Robert Hensing's Blog

Software Security . . . and stuff.

USA Today writes an article about FF 3.0 - hilarity ensues . . .

USA Today writes an article about FF 3.0 - hilarity ensues . . .

  • Comments 6
  • Likes

http://www.usatoday.com/tech/news/computersecurity/2008-06-17-mozilla-window-snyder_N.htm 

Boy why bother with facts when it's so easy to make stuff up and to throw out randomly generated numbers like these:

"Organized cybercrime gangs are more highly focused than ever on taking control of your computer through browser-based hacks. They've already turned some 40% of the world's 800 million Internet-connected PCs into obedient "bots" used to spread spam, harvest your sensitive data and commit fraud."

Emphasis above is mine of course.  Yes folks - 320 million PCs are in USA Today's botnet out there on the Internets.

More comedy:

"In setting out to elevate Firefox's basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get out of the way."

Hmm - let's see what sort of lead we should be following by having a look at the 2007 CVE counts for IE7 and FF 2.0 in the National Vulnerability Database shall we?
http://nvd.nist.gov/statistics.cfm

It seems that for 2007:

  • IE7 had 40 unique CVEs
  • FF 2.x had 67 unique CVEs

Hmm . . . so we were already better than FF 2.x last year . . .
Okay so let's see how we're doing so far in 2008:

  • IE7 has 3 unique CVEs listed so far this year
  • FF 2.x has 24 unique CVEs listed so far this year 

So we've gone from ~4 CVEs/month on average in 2007 to .5 CVEs/month on average in 2008 a noticeable improvement.  
Meanwhile FF 2.x has gone from ~5.6 CVEs/month on average in 2007 down to a mere ~4.3 CVEs/month on average this year . . . not quite as good.

Of course I'm not sure how much faith to put in those numbers as according to our own bulletin count for IE7 on Vista for the last 6 months we've patched 6 CVE's that had "CVE-2008" in the description and 7 CVEs total . . . still - that's way less than FF 2.x has patched this year.

Finally let us not forget that IE7 on Vista runs at LOW integrity preventing write access to the majority of the file system and registry so standard off the shelf exploits written for IE7 that assume the user has write access to various ASEPs will fail to install persistent malicious software on Vista whereas that's not the case with FF 2.x and 3.x which run at Medium IL and therefore have write access to the per-user ASEPs on the system allowing exploits to quite easily backdoor a users profile.

So not only is IE7 less likely to have a security defect than FireFox - it's also a safer browser to run on Vista.  IMHO this is probably one of the biggest reasons Vista is so much less likely to have malware on it when compared to even XPSP2.

We'll see how FF 3.x fairs over the next year and whether it's any better than its predecessor . . . I for one will keep using IE7 on Vista - and download IE8 the day it comes out. :)

Comments
  • and open source vs closed source has how much to do with this? How many CVEs in the first two weeks do you think IE would have if the source became public?

  • Maybe it's just me, but I'm not going to say browser security is good enough until the CVE count drops to zero, and even then bugs patches aren't a good metric, etc, etc.

    Having said that; props on protected mode on Vista. Though this doesn't mean that having exploitable vulns is ok. And there's also clearly still room for improvement with it, and the fact that you say _most_ rather than all still leaves me a bit uneasy (even though I'm assuming this is just to write to the cache), and I would personally prefer it if IE couldn't read from most of the disk either, but it's a step in the right direction (being a web guy; if I can get you to perform actions on your bank site with your credentials, etc, etc, it's still bad).

  • Robert Hensing posts an interesting piece on his blog, with a take on a recent USAToday article. http

  • I've learned over the years to avoid bragging about how much more secure something is than something

  • We wtorek swoją premierę miał Firefox 3. W jednej wypowiedzi Window Snyder powiedziała: In setting out to elevate Firefox's basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get ou

  • In the same MyITForum.com newsletter where I got this other tantalizing piece of IE info, I also read a pass-through post where Robert Hensing deconstructs some misinformation posted by the USA Today. Specifically, he finds that in reading through the

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment