“The growing popularity of open-source browsers and software may be responsible for the increasing gap between the exposure of a vulnerability and the provision of patch to fix it, security software vendor Symantec has said.”
“The growing popularity of open-source browsers and software may be responsible for the increasing gap between the exposure of a vulnerability and the provision of patch to fix it, security software vendor Symantec has said.”
get yer hand of it
“…”As soon as large banks started using Linux, Linux vulnerabilities started to get exploited.”…”
<Sarcasm>
Also, as soon as large companies start using Apache, Apache vulnerabilities start to get exploited….
Oh wait! Never mind, Apache is already widely used!
</Sarcasm>
This is FUD; until someone statistically proves this, it’s nothing but a MYTH that MS lovers dearly hold on to with all their might, HOPING AND PRAYING that it will come true so Microsoft products’ security does not look as bad as we all know it to be.
This makes about as much sense as using the average patch time for all proprietary software in existence. It really doesn’t tell you much of anything. What matters is the patch times of individual companies and projects, which can actually be used when choosing software.
“…with the open source development model itself part of the problem”
This is the key sentence and the reason for the article…coming from Symantec, it’s understandable. They are interested in fighting OSS as far and wide as Microsoft is. FUD FUD FUD.
The post above about Apache is correct.
> This is the key sentence and the reason for the article…coming from Symantec, it’s understandable. They are interested in fighting OSS as far and wide as Microsoft is. FUD FUD FUD.
EXACTLY…not only is Symantec married to Windows, but they are also feeling the threat from an OS where people (meaning the userbase as a whole, not necessarily YOU) can fix things on their own.
Or the fact that the OS has less vulnerability from viruses and spyware … which is the bread and butter of Symantec anyway.
— “The Mozilla family of browsers had the highest number of vulnerabilities during the first six months of 2005, with 25,” the Symantec report says. “Eighteen of these, or 72 per cent, were rated as high severity. Microsoft Internet Explorer had 13 vendor confirmed vulnerabilities, of which eight, or 62 per cent, were considered high severity.”
Oh really? Well they didn’t get their numbers here:
http://secunia.com/product/4227/#statistics_criticality
And since we don’t get to know where their numbers came from at all, they strike me as questionable.
> Oh really? Well they didn’t get their numbers here:
> http://secunia.com/product/4227/#statistics_criticality
> And since we don’t get to know where their numbers came from at all, they strike me as questionable.
Well, in either case .. I think it’s pretty safe to say that Opera had far fewer vulnerabilities than either Firefox or Internet Explorer. Not that I’m advertising here, but it just goes to show you that the development model doesn’t necessarily make your app any more or less secure.
To me, Flavor of the month software will be exploited. Granted, software can be built to withstand specific types of attacks but in the end, whatever software is currently being used by “everyone” it will be exploited.
Linux and Friends is getting their 15 minutes of fame, MS had theirs and failed horribly (they’re slowly losing it), we’ll see how FOSS handles this…
> To me, Flavor of the month software will be exploited. Granted, software can be built to withstand specific types of attacks but in the end, whatever software is currently being used by “everyone” it will be exploited.
some people are full of mad-dog’s shit.
do you not comprehend the security model in place with linux ?
your post confirms that obviously you do not.
You’re the troll my friend. No real response, no arguments, no logic, no tact and no grammar.
Your post obviously confirms you’re not willing to win converts (I already use Gentoo Linux, and fully understand the “security model” you’re talking about, it’s far better than Windows) you just want to start a pissing contest. If you’d laid out your claim, or at least been funny in flaming me (ESR style), I might have been more apt to listen to you.
Instead you gave this pathetic excuse for a comment.
I’ll refrain from insulting you further. Go back to /. where you came from.
And BTW, don’t attribute that security model to “linux”. It’s a UNIX thing mostly, but the difference is that GPL (and most BSDs) like to disclose their vulnerabilities. Which is a Good Thing.
We need to tell people that more disclosed vulnerabilities is a good thing. Just because more are found in firefox does not mean that it is less Secure.. We must get the word out! More disclosed vulnerabilities are good!
It seems that the questionable claims about Firefox’ code quality are now being applied to OSS in general. What about OSS applications/software that are in use in critical places already? Apache, Samba and all the protocols/standards that run that thing called the internet are all open and use open development models. The difference between the Firefox exploits/vulnerabilities and IE’s is that Firefox is not married to the kernel of any OS. Firefox is actually rated safer by Secunia, where a lot of people pull this sort of data from. Firefox is also in its first generation, where IE is, oh, over a decade old. I hate to make claims about MS this or MS that, but it seems fishy that there is this marketing push around these Firefox vulnerabilities. But, look at the Secunia pages and judge for yourself.
IE: http://secunia.com/product/11/
Firefox: http://secunia.com/product/4227/
This is a company whose entire revenue is based on spreading FUD, and I would want to listen to what they have to say, because….?
http://secunia.com/product/12/
Let’s all make the switch today!
SYSTEM ACCESS: 61%
ROFL!
Man … if you do that I’ll break into your house and plug in a usb stick; then install my driver which takes advantage of “Microsoft Windows Unspecified USB Device Driver Vulnerability.”
Ahem, in case you’re a complete idiot; or have something permanently fixated somewhere: I’m kidding . Laugh.
“Man … if you do that I’ll break into your house and plug in a usb stick; then install my driver which takes advantage of ‘Microsoft Windows Unspecified USB Device Driver Vulnerability.’ ”
I wouldn’t count on that. I’d bet that Windows 98 would go bluescreen, crash, and corrupt itself into a phase with no other option than reinstalling the whole system before you could do anything (Microsoft Automatic Self-Defence System).
Just because an application installed in Linux has a vulnerability does not make the issue a “Linux” vulnerability.
I remember when bind resolver libraries were exposed. Pretty much every vendor, Microsoft, Compaq Alpha, HP-UX, *BSD, *Linux all were vulnerable. The root cause was a design flaw in bind, *not* in any of the vendors above.
This article attacks Firefox, for good reason, but they forget that the same Mozilla flaw affects multiple operating systems.
I very much prefer virus and spyware to Symantec’s products. They’re a pain in the ass and spread the same FUD this guy does, constantly telling you “your system is under threat”.
Thanks, jbauer…It got to the point that I just couldn’t use those products anymore. I have been steering people to other things for about 3 years now…Symantec is completely bloated and full of bugs and it takes over your computer worse than anything AOL could come up with…
This is BS.
But their suggestion that windows is as secure as mac and mozilla browsers is valid. Windows may be more secure based on the idea that since it’s so popular it’s targeted more and thus is patched better.
I assume that if mozilla became 99% of browser market and mac OS jumped up there it would be the same.
The truth is…. choose whatever company releases patches FASTER and what you’re comfortable with.
would that be…. mac and firefox? HMmmmmmm
i choose ’em!
If what you say is correct then why is the only OS spreading worms and viruses and spyware and adware Windows?
I’ve never got any of those problems on OSX or Linux. And I run Linux without a firewall, antivirus software, or any kind of protection from these types of exploits. Hell, I even run it unpatched. I don’t dare run Windows unpatched. That would be asking for trouble.
I know countless Windows users who do purchase these products to protect their system and still get compromised.
How do I know so many Windows users? I’m a systems administrator. I know everything about our systems and networks.
my point is whatever is popular will always have more exploits.
mac and firefox are just gaining in popularity.
that or children are getting bored these days.
“my point is whatever is popular will always have more exploits.”
This kind of thinking is pure ignorance.
OSS is and will continue to be more secure because its code is constantly audited and 100% open.
Closed source like Symantec and MS is a breeding ground for exploits, most of which hackers know about years before they are discovered by their authors.
If you still don’t understand, visit openbsd.org
If you are correct, then IIS is horribly insecure and no one should switch to it .
Interesting you should say that since Microsoft has frequently ignored security holes and left problems unpatched for months or even years even though there were already exploits in the wild.
Windows can be made more secure through firewalls and AV software, but then Linux is already solid and usually comes with a firewall installed by default. I thought maybe Windows could include a good firewall with the OS by default too, but then they would either get sued by company A and B for including their own product, or get sued by company B for including company A’s product in Windows. In some cases Microsoft might not be able to win no matter what.
This is completely utter bullshit.
Symantec needs people to use unsecure systems. Hell, it is their only business to secure unsecure systems. So if people start to use open source, they lose those as customers.
So what is the best proof that open source software seems a lot more secure than Windows and what’s running there? Right, it’s just that Symantec sells several tools to “secure” a windows system, but none to secure a unix/linux system with free software on it.
If there would be a need for that, there would also be a market (see all the servers running linux [and apache on top of it ]), so there would be Symantec trying to have this brand new market for themselves. As there is no market, as there is no need, they have to save their own market by telling everyone “those other alternatives are unsecure as hell, stay with your somewhat unsecure software, we secure it for you (for cash)!”
Regards,
Ford Prefect
A local access firefox exploit on windows == root exploit == cdrom opens:), but the same on linux (bsd) is just user’s documents are in danger.
> A local access firefox exploit on windows == root
> exploit == cdrom opens:), but the same on linux (bsd)
> is just user’s documents are in danger.
cdrom opens –> I don’t care, it’s annoying at worst.
“just user’s documents” deleted, modified or leaked –> serious damage! Passwords, phone numbers, programming experiments, etc. are in danger.
Think about it.
– Morin
> “just user’s documents” deleted, modified or leaked –> serious damage! Passwords, phone numbers, programming experiments, etc. are in danger.
And with a proper SELinux policy, you could limit that to just the documents and files Firefox is allowed to touch or even see. E.g. the files in a download folder.
“”just user’s documents” deleted, modified or leaked –> serious damage! Passwords, phone numbers, programming experiments, etc. are in danger.”
The point being, only YOUR passwords, phone numbers, programming experiments etc. are in danger. In Linux (or similar) your stupidity doesn’t put other users’ personal files in danger. In Windows, in addition to system files and other people’s personal files, your files will be in danger too, and the computer may be used to hack other computers with many more users with many more personal files.
Get the idea?
Security is a process, not a quality. The reason why F/OSS/Linux appears more secure is a result of a more security minded community that uses it and goes through the process of keeping their systems secure.
The permission system in place in Linux has always been one of my favorite security features. With root exploits it is possible to get around that with difficulty, but at least it stops your average users from running e-mail attachments with just one click, and it can be used to stop most people from accessing something or doing something you don’t want them to.
You can say that Linux is more secure because the users know more, but it most certainly also has something to do with the extra features that accommodate that knowhow very nicely.
If I remember well (it’s a bit dated now), Symantec has spread some months ago that MacOS X will see lots and lots of virii. Well.
I’m still waiting…
So this society wants to sell their softwares. Well. I don’t trust them so I’m not going to buy this FUD
In addition to the points raised above, I have to wonder about the recent trends regarding the premature disclosure of exploits for open source vulnerabilities. Now, Mozilla and the Firefox development community isn’t completely off the hook for the recent vulnerabilities. However, this article is about patch lag, and a previous article was about number of exploits publicly available.
If the OSS model has anything to do with the increase in patch lag or number of exploits, it concerns the lack of an ability to control the premature disclosure of exploits. As flavor of the week, Firefox is not only the target of security analysis, but it is the target of gray hats, masquerading as “security researchers,” publishing exploit code before they give the software developers even a few hours to investigate the vulnerability.
There is no question that the increased spotlight on Firefox will only make the browser stronger in the long run. This is sort of like the vetting process that political candidates go through. A few issues inevitably come to light, but it is the response to those allegations that shape the campaign.
In the context of the current situation, I feel that someone from the Mozilla Foundation should reach out to the security community to improve the way they communicate and resolve potential vulnerabilities. Give some blanket statement like, “The Mozilla community is dedicated to providing a secure web browsing experience. With this goal in mind, it is important that members of the security community adhere to our security guidelines when reporting any potential vulnerabilities.”
It’s not patch time that’s the potential issue, it’s getting said patches out to the users quick. One of the main problems I’ve noticed is the long time it takes within Distros to test the new versions on all supported archs and then push them out.
Too bad this article is just FUD and bashing the FOSS ideals, expectable from Symantec who makes their money on fixing the broken MS model.
Like Debian, which has a fully separate tree for security fixes?
I’ve seen quite a few security patches for gimp over the past few months. I haven’t seen any for photoshop. So, either photoshop has no vulnerabilities or the gimp code is just more thoroughly examined.
Firefox will probably have more vulnerabilities discovered for quite a while. Having lots of people having access to the code makes this so. But, with each patch sent out firefox gains security.
Firefox OS (Browser is not the correct word for something that can run tetris) is very large and complex. Lots of room for bugs…lots of old netscape code.
– Jesse McNelis
The symantec products are overbloated, they slow down Windows nearly at 50% speed compared to better and cheaper antivirus solutions (avast for example).
I find the article very amusing. I used to beta test just about every program Symantec put out a few years back. And they had some extremely good programs at one time. Over the years their philosophy changed from putting out good software to making more money.
I stopped testing for Symantec a few years ago and the reason I did so is why I would be highly skeptical of anything they say. That being that we were reporting major flaws in the programs that not only were not fixed before the software was released, but the same major flaws would be present in the beta for the next major release. Many of these flaws were security related and to the best of my knowledge were never aired in public. Seems to me they may have an axe to grind here.
This alone would lead me to doubt anything they had to say on coding flaws. Add to that the fact that they are closely tied to MS and you have to wonder whose interests they have at heart here.
If you count the time from the oldest IE security hole until now, I think you’ll see a much more constant average (constantly increasing). If you look at the oldest vulnerability for all software Symantec helps you fix (including NT 4); wow you don’t wanna think about that average.
Of course, what’s a “high security” flaw? Is that a javascript error giving access? Is that cross tab/window scripting? Is it a certain site name that will let arbitrary code execute?
Next problem. Why again is it a problem with OSS? Mozilla isn’t a fully bazaar project; it has paid developers and a lot of money coming at it…
This is not a flame, but Symantec knows nothing about OSS.
This article has no credibility and I suspect is pure FUD from Symantec.
opera is more secure than firefox so what’s the point?
saying that linux=fort knox is wrong and naive, script kiddies get their kicks out of hacking linux machines (hello, wargaming?).
windows is such a mess because of its own ignorant click-happy users, in the hands of good users it’s just like any other OS.