Symantec: Mozilla Suffers Twice The Flaws Of IE

Mozilla's popular Firefox browser has been subjected to nearly double the vulnerabilities of Microsoft's leading Internet Explorer, Symantec says, but Microsoft's are more severe.

September 20, 2005


Mozilla's popular Firefox browser has been subjected to nearly double the vulnerabilities of Microsoft's leading Internet Explorer, Symantec said Monday as it released its semi-annual report on the state of Internet security and threats against personal computers.

According to Symantec's Internet Security Threat Report, which used stats from January through June, 2005, Mozilla's browsers suffered from 25 vendor-confirmed bugs in the first six months of the year. Internet Explorer, on the other hand, was pegged with only 13.

Of Mozilla's 25 vulnerabilities, 18, or 72 percent, were tagged as "high severity," up from the 14 most-severe flaws disclosed in the last half of 2004. Meanwhile, IE's total of 13 was fewer than half the 31 made public in the last six months of last year.

"Firefox's vulnerabilities are almost double that of IE," said Oliver Friedrichs, the senior manager of Symantec's security response research team. "[But] when you take a step back, two factors make that less severe."

First, he said, is that by nature IE vulnerabilities pose more problems to more people. "Because IE has a much larger base, a vulnerability within IE is far more widespread and generally has a much more severe impact than those in the Mozilla family," acknowledged Friedrichs.

Second, Mozilla's browsers are almost always patched quickly, while IE's problems often languish for months before they're fixed, exposing users to possible "zero-day" attacks for months. "You're much more likely to have vulnerabilities fixed quickly with open-source software like Firefox," said Friedrichs. "So the exposure time is much less."

While the news of Firefox flaws will likely raise the hackles of the Mozilla faithful, even with Friedrichs' caveats, that's not the only news in Symantec's report.

Bots, it seems, are on the upswing again after a temporary drop last year.

In March, when Symantec last published its twice-a-year report, it noted a significant drop in the number of bots, and theorized that the plunge was due to Windows XP SP2's rollout in the second half of 2004.

That fall-off in bots didn't last long, however. In the first half of 2005, the median bot count per day was 10,352, more than double the 4,348 bots per day in December 2004.

Strangely enough, Symantec is now saying that the increase is due to security being tightened in 2004.

"As hosts vulnerable to exploitation become less common, bot networks must work harder to maintain their current size and continue to grow," said the new report. "It's likely that in order to maintain viability, bot network owners stepped up their attack activity, resulting in increasingly coordinated efforts."

The good news is that while the median number of bots spotted per day is up substantially over 2004, the count actually peaked in February 2005, and trended down, more or less, from then through June.

Much of the rest of Symantec's threat report reiterated past warnings, including ones made by the Cupertino, Calif.-based security giant, by rivals, and by analysts at firms such as Gartner, that malicious code writers are increasingly motivated by profit, not notoriety.

"The general trend is that attackers aren't concentrating on 'far and wide' worms, but on financial gain," said Friedrichs.

Everything from the explosion in the number of worm variants to a boom in phishing to the rise of so-called "ransom-ware" threats is, claimed Friedrichs, tied to this over-arching movement by hackers to make money rather than front-page headlines.

With attackers targeting smaller audiences in order to escape detection as they try to rip off consumers and corporations alike, it's no surprise, said Friedrichs, that the day of the big Internet attack seems to be over.

"So far this year, Symantec has labeled four Category 3 threats," said Friedrichs, referring to his company's 1-through-5 ranking system. "In all of 2004, we had 33 Category 3 threats.

"Attacks just aren't after the Internet as a whole," he said.
