Symantec: Mozilla browsers more vulnerable than IE

[Shao Feng-Li]

http://news.zdnet.com/2100-1009_22-5873273.html?tag=nl.e589

Mozilla Web browsers are potentially more vulnerable to attack than Microsoft's Internet Explorer, according to a Symantec report.

But the report, released Monday, also found that hackers are still focusing their efforts on IE.

The open-source Mozilla Foundation browsers, such as the popular Firefox, have typically been seen as more secure than IE, which has suffered many security problems in the past. Mitchell Baker, president of the foundation, said earlier this year that its browsers were fundamentally more secure than IE. She also predicted that Mozilla Foundation browsers would not face as many problems as IE, even as their market share grows.

Symantec's Internet Security Threat Report Volume VIII contains data for the first six months of this year that may contradict this perception.

According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied," the report's authors stated. Eighteen of these flaws were classified as high severity.

"During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity," the report noted.

The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as "high", which Symantec defined as "resulting in a compromise of the entire system if exploited."

The Mozilla Foundation did not immediately respond to requests for comment.

Symantec reported that the gap between vulnerabilities being reported and exploit code being released has dropped to six days on average. However, it's not clear from the report how quickly Microsoft and Mozilla released patches for their respective vulnerabilities, or how many of the vulnerabilities were targeted by hackers, though Microsoft generally releases patches only on a monthly basis.

Symantec admitted that "at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred," but added that it "expects this to change as alternative browsers become increasingly widely deployed."

There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.

The report also highlighted a trend away from the focus of security being on "servers, firewalls, and other systems with external exposure." Instead, "client-side systems--primarily end-user systems--(are) becoming increasingly prominent targets of malicious activity."

Web browser vulnerabilities are becoming a preferred entry point into systems, the report stated. It also highlighted the trend of hackers operating for financial gain rather than recognition, increased potential exposure of confidential information, and a "dramatic increase in malicious code variants".

[blkmage]

And for those who are interested, here is Mozilla's response: http://news.zdnet.co.uk/0,39020330,39219186,00.htm

[Locke]

Oooh, Mozilla's got spunk. I like that.

[Slater]

lol browser wars.

IE: *attacks Mozilla*
Firefox: *retaliates with incendary bombs*
IE: *requests backup from WinXP SP3*
Firefox: *sends troops to guard security holes*
IE: *tries to take over the internet*
Firefox: *supporters of Firefox thwart IE's plans*
IE: *upgrades to IE version 28 build 5932, which isn't supposed to come out for another 8 and a half years*
Firefox: *laughs as users' computers can't handle load*
IE: *launches nukes*
Firefox: *launches ICBMs*

...
err... uh...

[calbhach]

Oooooh, yeah...I heard about this over at another forum I visit. I'm glad the people at Mozilla responded like that.

[Arnobius]

Well, I did get a virus that got through Firefox (luckilly PC Cillin caught it right away)... I don't like it's certificate handling. You click no when it asks if you want to accept it and half the time it seems like it installs the applet anyway.

However, to make IE like Firefox would take a lot of bloated third party software so the advantage goes to Firefox right now

[Fsiphskilm]

My my...

[Slater]

I've gotten lots of viri through Firefox, now that I think about it... but Norton caught them all.

[Fsiphskilm]

Well if

[Slater]

oh no, I don't get viruses by downloading. I get them by browsing.

[shooraijin]

Eh? I use Firefox on the desktop PC they force me to use at work, and I haven't had any such thing. What was the name of the virus(es) that was/were detected?

[Slater]

mostly worms like bloodhound. I guess that's what I deserve for surfing warez sites tho ^^;;;;;

[shooraijin]

But Norton uses Bloodhound to indicate possible viruses detected by its heuristics ... ? That means they're either unnamed or misdetected, unless you're not using Norton.

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.html

Unless you mean this, which is a VB virus and so can't spread through Firefox, since it doesn't use VBA.

http://www.virusthreatcenter.com/virus.aspx?virus=42

[Slater]

I really wasn't paying attention to details. I'd just be browsing through a site that was still loading and Norton would pop up saying "Oh hey, I deleted this virus thing for you." I remember seeing the name Bloodhound a lot, but I wasn't paying much attention, just glad the viruses were deleted.

[shooraijin]

It's a hard jump to say you're getting it through Firefox, though (to be fair, though, it's hard to say where you're getting it at all unless there's a virus known to spread through a particular application vulnerability). You might take note of what subtype of Bloodhound Norton is reporting, because based on how it seems to be getting around, you can cross some names off your list (for example, VBS-based viruses can't be communicated through Mozilla [unless you download and run them] because it has no Visual Basic scripting host).

[Fsiphskilm]

I kno

[Arnobius]

Eh? I use Firefox on the desktop PC they force me to use at work, and I haven't had any such thing. What was the name of the virus(es) that was/were detected?

JAVA_BYTEVER.R

This got picked up when a site wanted to install an applet. Firefox asked if I wanted to accept the certificate, and I said no... and Firefox installed it anyway

At any rate it looks like this is the info on it: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA%5FBYTEVER%2ER&VSect=P

[shooraijin]

The acceptance of the certificate, as I understand it, only allows it to do certain privileged operations, and doesn't affect anything else. I don't use much Java in Firefox, but I don't think saying "no" completely prohibits the applet from running -- it just can't do operations that need advanced or secured credentials.

The ByteVerify malware exploits a flaw of the Microsoft JVM, so whether Firefox lets it run or not, it's still ultimately Microsoft's bug.

[Kaligraphic]

I know that, using Opera, I've seen alerts about IE browser exploits. It turns out to be the copy of the page cached by Opera. Turns out, though, Opera isn't exploit-compatible, so it doesn't work. The AV program just recognizes the signature because it matches the cached page, which is unmodified.

[fanboi=Opera]Of course, Opera is still the best[/fanboi], but if you're getting that kind of message, it may be the same kind of situation.

[Shao Feng-Li]

On my laptop I use Firefox and I don't have any virus protection at all. There's not a thing wrong with it.

[Arnobius]

The acceptance of the certificate, as I understand it, only allows it to do certain privileged operations, and doesn't affect anything else. I don't use much Java in Firefox, but I don't think saying "no" completely prohibits the applet from running -- it just can't do operations that need advanced or secured credentials.

The ByteVerify malware exploits a flaw of the Microsoft JVM, so whether Firefox lets it run or not, it's still ultimately Microsoft's bug.

Makes sense I guess. Of course I think my Java is from Sun... I think the legal stuff between MS and Sun means JVM can't be gotten directly from MS, and supposedly is only for IE, so I'm not sure what the significance is for this on Firefox.

Well, Trend Micro nailed it anyway, so no harm done. Did catch me by suprise though.

[Steeltemplar]

Firefox is what I use and it's always been fantastic.

I think most of the guys in the tech shop I work in also use it.

[Arnobius]

I had a site hijack Firefox (1.0.7) this evening. I think it was one of those popup security sites. No matter what I clicked it tried to scan my computer. I had to use Task Manager to shut Firefox down to escape.

Admittedly the score is 1 hijack for firefox and a whole bunch for IE, but I think people should be aware nothing is 100% safe.

[shooraijin]

Give me the URL. I want to look at that. If legit, it should be reported. (You can PM me if you'd rather not post it in public; I'll be looking at it with a Mac first to read the HTML and/or JavaScript.)

EDIT: Also, Flash can be a variable. Even with pop-ups disabled, Flash applets can trigger new windows and/or run and do things. Firefox, or for that matter any browser, can't enforce behaviour on plug-ins because plug-ins run as native code, not within the browser's security model.

[animegirl1]

um i dont get all this technical stuff but yeah i have mozilla firefox

[Arnobius]

[quote="shooraijin"]Give me the URL. I want to look at that. If legit, it should be reported. (You can PM me if you'd rather not post it in public]
Ahh crud... that would have been the smart thing to do. At the time though, my main concern was putting a stop to it (In retrospect, disconnecting the DSL would have been smarter than the 3 finger salute). Unfortunately, I pretty well did everything short of wiping the hard drive to make sure there was nothing on my computer. So unless you know of some place that tends to get overlooked on Windows that would keep tabs on that after the History/Cache gets cleared out, I can't give the URL.

Hmm, the applet thing may have been a factor. it was one of those windows box things that appeared

[shooraijin]

Nothing comes to mind. If you do hit it again, though, let's get to the bottom of it. Maybe it's an annoyance that only looks like it's causing trouble, but if it's real, we should definitely make sure whatever flaw is behind it gets fixed.

[Arnobius]

Nothing comes to mind. If you do hit it again, though, let's get to the bottom of it. Maybe it's an annoyance that only looks like it's causing trouble, but if it's real, we should definitely make sure whatever flaw is behind it gets fixed.

Right... next time I make a note and PM you

Sorry for dropping the ball there