Linked by Thom Holwerda on Thu 9th Nov 2006 17:31 UTC, submitted by Flatline
Mozilla has released updates for its Firefox browser, Thunderbird e-mail application and the SeaMonkey application suite to fix 'critical' security vulnerabilities. The vulnerabilities affect the 1.5 versions of Firefox and Thunderbird as well as version 1 of the SeaMonkey suite, Mozilla said in its security advisories. The bugs do not affect Firefox 2.0, the latest version of the browser, released late last month.
Not again!!
by NotParker (-2) on Thu 9th Nov 2006 17:44 UTC

Not again!!

I have to admit though that 3 critical "own the box with no intervention" vulnerabilities are better than the usual 7 or 12.

RE: Not again!!
by smitty (3.48) on Thu 9th Nov 2006 17:53 UTC in reply to "Not again!!"

There are 0 unless you're still using an old version. I have to admit, I'm not too concerned about security issues in old products except to the extent that they might still be there in the new ones.

RE: Not again!!
by stestagg (2.96) on Thu 9th Nov 2006 18:32 UTC in reply to "Not again!!"

Firstly, None of the bugs affect the latest version of Firefox.

Take a look at the Microsoft Security Updates (all marked Critical and all patching 8-10 corruption vulnerabilities), all affecting the latest versions of Internet Explorer (IE6 with SP2).
These are from the last year:

MS06-042
MS06-021
MS06-013
MS06-021
MS05-054(Only 4 'own the box' bugs fixed)

Now try browsing the internet with 6.0SP1 or 5.5 and see how many popups, pop-unders, attempted-downloads and javascript errors you get.

...Now try browsing the same sites using Firefox.

nuff said.

RE[2]: Not again!!
by eMagius (2.92) on Thu 9th Nov 2006 19:08 UTC in reply to "RE: Not again!!"

All affecting the latest versions of Internet Explorer (IE6 with SP2)

The latest version is Internet Explorer 7, not 6 SP2. IE7 was released over three weeks ago.

RE[3]: Not again!!
by stestagg (2.96) on Thu 9th Nov 2006 19:31 UTC in reply to "RE[2]: Not again!!"

Both FF2 and IE7.0 were pushed out (ignoring betas and non-automatic updates; 90% of users don't care enough to update themselves) to users around the beginning of November (1st Nov. IE7, ~25th Oct FF2.0). Only one of the security alerts mentioned above was released after the 1st Nov, and even MS06-42 (released yesterday) was published 8 days after official automatic deployment of IE started.

The fact that NotRedmond is trying to take bites out of the fact that 3 flaws (only 2 of them theoretical 'own-the-box' style flaws) were fixed in FF1.5 is facetious given that MS has just released 8 Critical own-the-box style patches for Internet Explorer 5.5.

RE[3]: Not again!!
by dylansmrjones (2.6) on Thu 9th Nov 2006 19:35 UTC in reply to "RE[2]: Not again!!"

Yes. And the versions of Firefox affected are old versions as well.

A comparison between an old Firefox release and an old IE release is quite reasonable, don't you think? ;)

download link for ffox
by macisaac (3.56) on Thu 9th Nov 2006 18:19 UTC

For those (like me) that might be looking for Firefox 1.5.0.8 as opposed to 2.0, downloads are here:

http://www.mozilla.com/en-US/firefox/all-older.html

Still ...
by NotParker (-2) on Thu 9th Nov 2006 19:39 UTC

Still, 34 Critical "own the box" vulnerabilities in 2006 alone (plus another 33 not as serious) is not a great track record.

That's 34 patches for critical vulnerabilities.

The number of bugs fixed is unknown.

The 3 patches in this case are for 17 entries in Bugzilla.

Edited 2006-11-09 19:43

RE: Still ...
by stestagg (2.96) on Thu 9th Nov 2006 20:44 UTC in reply to "Still ... "

Let's clarify what NotRedmond is saying:
34 Critical vulnerabilities were discovered in 2006 alone. 3 of which were NOT "own the box" type vulnerabilities.

Mozilla offers a $500 bounty for anyone finding a new vulnerability in its software. That's quite an incentive to look for mistakes. Firefox is also open source, meaning that anyone can comb the source code for vulnerabilities; therefore mistakes are 1000% more likely to be found by bounty-hunters, and fixed, than in MS products.

IE had 25 "own-the-box" vulnerabilities publicly disclosed in 2006. http://www.microsoft.com/technet/security/current.aspx . No Joe Public bounty hunter can examine the source for errors to find vulnerabilities; also, Microsoft doesn't agree with paying for vulnerability details - http://64.233.183.104/search?q=cache:t6NgN6yKNNEJ:news.com.com/2061...
Even though some limited bounty programs have been run for Microsoft products, these have been short-lived.

The quality of code is not reflected by the number of vulnerabilities, especially when the code cannot be examined for one of the products.

Also, look at the MTTP (Mean time to Patch) figures.
http://www.symantec.com/specprog/threatreport/ent-whitepaper_symant...
Quote: "Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day."

RE[2]: Still ...
by NotParker (-2) on Thu 9th Nov 2006 21:16 UTC in reply to "RE: Still ... "

34 Critical vulnerabilities were discovered in 2006 alone. 3 of which were NOT "own the box" type vulnerabilities

34 were designated critical by the Mozilla team. Another 33 were less serious.

The Mozilla definition of critical is:

"Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."

Secunia has IE6 with 14 vulnerabilities in 2006, of which only 9 were critical or highly critical.

http://secunia.com/product/11/?task=advisories_2006

34 for Firefox vs. 9 for IE6. (Critical)

Edited 2006-11-09 21:17

RE[3]: Still ...
by stestagg (2.96) on Thu 9th Nov 2006 21:38 UTC in reply to "RE[2]: Still ... "

Firstly, if you read the descriptions of the Mozilla bugs, 2 of them allow you to spoof certificates (doesn't allow code execution) and another one crashes the browser (again, no code execution). Obviously Mozilla are mis-using their definition of the critical state.

Secondly, Secunia has FF1.x with only 11 vulnerabilities in 2006, of which only 1 is unpatched and 7 were Critical; NONE were highly critical.

You must learn to compare like with like. You can't compare data from 2 different sites, collected with different criteria.

Comparing
ie6: http://secunia.com/product/11/?task=advisories_2006
with
firefox 1.x: http://secunia.com/product/4227/?task=statistics_2006

Let's have some quotes:
"Microsoft Internet Explorer 6.x, with all vendor patches applied, is rated Extremely critical"

"Mozilla Firefox 1.x, with all vendor patches applied, is rated Less critical"

IE: Affected By 106 Secunia advisories
FF: Affected By 37 Secunia advisories

Advisories allowing System Access:
IE: out of 14, 56% = 7.84 or ~8 System Access vulnerabilities.
FF: out of 11, 22% = 2.43 or ~2 System Access vulnerabilities.


So, to sum up, according to Secunia:
IE: 14 vulns. 5 Unpatched, 9 critical or above, 1 Highly Critical still UNPATCHED
FF: 11 vulns. 1 Unpatched, 7 critical (none above).

HMM. Tsk tsk ( http://www.osnews.com/permalink.php?news_id=16415&comment_id=18... ) to you I say.

RE[4]: Still ...
by NotParker (-2) on Thu 9th Nov 2006 22:08 UTC in reply to "RE[3]: Still ... "

Secondly, Secunia has FF1.x with only 11 vulnerabilities in 2006, of which only 1 is unpatched and 7 were Critical; NONE were highly critical.

You must learn to compare like with like. You can't compare data from 2 different sites, collected with different criteria.


Most of the ones on Secunia state "multiple vulnerabilities", and if you click on them you will get a better picture.

I went to Secunia/Microsoft/Mozilla and picked the site with the largest number of vulnerabilities assuming that if the number was smaller it meant some were missed or miscategorized, not that some were fabricated.

Secunia had a few more vulnerabilities in IE 6 than Microsoft did because of categorization.

If you disagree with Mozilla's count of vulnerabilities in their own products, so be it. But they tend to be accurate.


Again, the point is that in 2006 Firefox had an atrocious record of security.

RE: Still ...
by stestagg (2.96) on Thu 9th Nov 2006 20:51 UTC in reply to "Still ... "

I love this part (of the Symantec security threat report)

(paraphrase)
During the second half of 2005, the mean window of exposure for Internet Explorer users was 25 days. Firefox MWE was -2 days.

This means that the person who updates his software every day (automatic updates) could be exposed to exploits for vulnerabilities for 25 days before a patch is released. Firefox users tend to have the patch 2 days BEFORE the exploit gets written.

That is what good communities are for. ;)

Ok
by NotParker (-2) on Fri 10th Nov 2006 00:53 UTC

Ok. I get it:

Mozilla is lying about the number and the criticality. Their list is unreliable. The number of vulnerabilities is actually ... 3 ... no 6 ... no 14 .... anything less than IE!!!

And if Mozilla says "Critical" they mean "Not Critical".

In fact ... there has never, ever been a vulnerability in Firefox. It's all lies.


You cultists are a laugh!

Firefox is a sieve.

Edited 2006-11-10 00:55

RE: Ok
by smitty (3.48) on Fri 10th Nov 2006 01:17 UTC in reply to "Ok "

NotParker - are you really this clueless? These lists are not carved-in-stone facts; the severity ratings of the bugs are to some degree subjective, which is why all the lists are different. Subjective == not comparable.

So, why is IE6 better? Because it has about the same # of vulnerabilities, takes longer to fix them, and has more people trying to attack it?

Name me a single person in the real world who was infected through a Firefox security flaw, and I'll stop posting about this immediately. The truth is, you can't, and while theoretically Mozilla might be behind IE in some areas and ahead in others there is no comparison when it comes to practice.

Mozilla can obviously improve a lot, but you seem to be focusing on 1 really unimportant stat - the # of vulnerabilities. Tell me why you think this is so much more important than what actually matters - the time an exploit is in the wild before it has been patched. Firefox kills IE6 in this stat and that is why it is so much safer.

Edited 2006-11-10 01:22

RE[2]: Ok
by NotParker (-2) on Fri 10th Nov 2006 17:41 UTC in reply to "RE: Ok "

Name me a single person in the real world who was infected through a Firefox security flaw

How about the next best thing ... hacker kits attacking Firefox flaws.

http://www.techweb.com/wire/security/186700508

"A dirt-cheap, do-it-yourself hacking kit sold by a Russian Web site is being used by more than 1,000 malicious Web sites, a security company said Monday.
Those sites have confiscated hundreds of thousands of computers using the "smartbomb" kit, which sniffs for seven unpatched vulnerabilities in Internet Explorer and Firefox, then attacks the easiest-to-exploit weakness."

RE[3]: Ok
by stestagg (2.96) on Fri 10th Nov 2006 18:38 UTC in reply to "RE[2]: Ok "

Funnily, the example screenshots in the article you linked show only successful attacks on MICROSOFT Windows and MICROSOFT Internet Explorer.

RE: Ok
by stestagg (2.96) on Fri 10th Nov 2006 15:39 UTC in reply to "Ok "

Mozilla is lying about the number and the criticality. Their list is unreliable. The number of vulnerabilities is actually ... 3 ... no 6 ... no 14 .... anything less than IE!!!

Nobody is claiming that.

And if Mozilla says "Critical" they mean "Not Critical".

Nobody is saying that. Being able to spoof a security certificate IS a critical problem. Your suggestion that all Critical bugs are 'own-the-box' bugs IS what we are disputing. Besides, this only covers 3 out of 30 bugs. It's really not worth ranting about.

Firefox is a sieve.

I'm not sure anyone believes that. Try hacking any up-to-date version of FF. Now try it with IE (there's at least one unpatched 'own-the-box' bug still left open). Nobody is saying that FF is perfect; we're just saying that IE's security record (in the public domain) is worse.

RE[2]: Ok
by NotParker (-2) on Fri 10th Nov 2006 17:44 UTC in reply to "RE: Ok "

Your suggestion that all Critical bugs are 'Own-the-box' bugs IS what we are disputing.

My suggestion?

It says so explicitly on the Mozilla security page!

Are you suggesting:

a) Mozilla lies

or

b) Anything that makes OSS look bad on the Mozilla site is a lie, and everything else is true?


My guess is that the cultists pick (b) every time.

RE[3]: Ok
by stestagg (2.96) on Fri 10th Nov 2006 18:02 UTC in reply to "RE[2]: Ok "

You are a troll.
1) This point was just a side-argument to my main attack; it only affects 3 bugs out of 34.

2) No one is lying. 2/3 bugs on the Mozilla page were mis-classified, because they didn't fit into any of the categories apart from the 'Moderate' category and they were deemed more important than Moderate. This is understandable, given that most people aren't half as pedantic as you.

RE[4]: Ok
by NotParker (-2) on Fri 10th Nov 2006 18:45 UTC in reply to "RE[3]: Ok "

2/3 Bugs on the Mozilla page were mis-classified

Ha ha ha ha ha ha ha ha ha ha ha.

You cultists are soooooo pathetic in your denial!

eek
by sequethin (1.8) on Fri 10th Nov 2006 14:41 UTC

Why is Camino never mentioned in these sorts of things... isn't it a Mozilla project too? I know the interface is different, but I'm not sure how much of the rest is shared with the rest of the Moz projects. Is it that Camino is Mac only so it's thought of as secure (that's not so smart), or is it just forgotten? Or maybe it's the lucky project that somehow is not affected? It worries me... I really don't want to use Safari ;)

Less bugs remain
by grfgguvf (1.28) on Fri 10th Nov 2006 17:42 UTC

More bugs discovered and fixed means fewer bugs remain. So lots of critical vulnerabilities found in software is actually better than no vulnerabilities found (which may mean there are none, but almost always means there are more undiscovered ones).

RE: Less bugs remain
by NotParker (-2) on Fri 10th Nov 2006 17:45 UTC in reply to "Less bugs remain"

More bugs discovered and fixed means fewer bugs remain.

Since Firefox is based on Mozilla, that should mean fewer critical vulnerabilities every year.

In fact, it's more every year.

Or ... there are 10,000 remaining or 1000 or some such high number.

RE[2]: Less bugs remain
by stestagg (2.96) on Fri 10th Nov 2006 18:10 UTC in reply to "RE: Less bugs remain"

In fact, it's more every year

From secunia.com (a website that you introduced into the debate), in 2005 there were 22 vulnerabilities for FF1.x. In 2006, 11 (50% less). How is that more every year?

IE 6.x had 17 in 2005 and 14 in 2006. That's only an 18% drop.

I'd say that the bounty hunters are rapidly running out of bugs to discover in Firefox. I'd say that IE still has a long way to go.

Or ... there are 10,000 remaining or 1000 or some such high number.

And how many in Microsoft Code? Making random figures up helps no one.

Real world?
by jjmckay (2.72) on Fri 10th Nov 2006 18:52 UTC

How many web sites are actually trying to exploit vulnerabilities in FF 1.5 or 2.0? How many web sites are trying to exploit IE 6 or 7? My suspicion is that the numbers are grossly slanted towards sites exploiting IE over Firefox. Is there any data out there to show this?

My guess is that IE is responsible for compromising huge numbers of boxes but FF is not many at all, relatively. Having a critical bug is one thing but if few or no sites are exploiting it, then it doesn't matter so much.