Firefox Buggier, But IE Takes 9 Times Longer to Patch


Symantec's bi-annual Internet threat report shows vulnerabilities for IE, Firefox, and Safari have increased in the last six months.


By Gregg Keizer
TechWeb

Sep 25, 2006 03:42 PM

Browsers are the target of choice for hackers, Symantec said Monday in its bi-annual Internet threat report, which backed that up with data showing vulnerabilities for IE, Firefox, and Safari have increased in the last six months.

According to Symantec's Internet Security Threat Report, which was released Monday, 7 out of every 10 new vulnerabilities uncovered from January through June were bugs in Web applications. That's not good news, said Symantec, especially since the total number of vulnerabilities found in the six-month period hit 2,249, an 18 percent jump over the second half of 2005.

"The high number is due in part to the popularity of Web applications and to the relative ease of discovering vulnerabilities in Web applications compared to other platforms," went the report.

Bugs in browsers are the most significant of those Web application vulnerabilities. Here, too, the first half of 2006 was bad news for users, said Vincent Weafer, senior director of the Cupertino, Calif. security company's response team.

"The increase in vulnerabilities is a sign that attackers are targeting home and small business [users] through Web browsers," said Weafer.

Microsoft's Internet Explorer was pegged with 38 new vulnerabilities, a 52 percent increase over the previous period's 25 publicly-reported flaws. Apple's Safari sported an even dozen, a 100 percent jump over the 6 in the latter half of 2005.

But Mozilla's open-source browsers -- Firefox and the once flagship Mozilla -- took the new bug prize by Symantec's tally: 47 vulnerabilities in the first half of 2006, a 276 percent increase over the 17 disclosed during the July-December 2005 period. Mozilla Corp. released four security updates to its production edition of Firefox, v. 1.5, to fix those flaws.

Symantec has taken heat from Mozilla and its users for simply counting up the number of vulnerabilities. Weafer acknowledged that by pointing out that the attacks aimed at IE outnumbered those targeting Mozilla's browsers by more than 2 to 1.

"The lion's share of the attacks were against Internet Explorer," said Weafer.

Of all the attacks conducted against browsers, those that targeted IE were the largest: 47 percent the whole, said Symantec. Mozilla's browsers, meanwhile, were the target of 20 percent of the six months' attacks.

"That's not surprising, considering the sheer volume of [IE] users," added Weafer.

The second-largest target was dubbed "Multiple Browsers" by the report. "Some attacks target vulnerabilities that are present in more than one Web browser," stated the report. In June, for example, a JavaScript flaw in both IE and Firefox was noted by Symantec.

Weafer also noted that the open-source browser had a decided advantage over Microsoft's on a time-to-patch criteria. Firefox rivals such IE, Safari, and Opera were patched considerably faster in the first half of 2006 than they were in the last half of 2005, but Mozilla's beat them all. IE, for instance, had an average window of exposure, the time between an exploit appearing and a fix released, of 9 days, while Mozilla patched in 1 day. (Safari's window was 5 days, Opera's was 2.)

That news should make Mozilla Corp.'s new security chief, Window Snyder, happy. In an interview two weeks ago, Snyder argued that counting up the number of days users were vulnerable was a fairer comparison than tallying raw numbers of flaws. "Just counting up the bugs is not a good measure of how secure an application is," she said then.

Symantec's report can be downloaded in PDF format from the company's Web site.

Source:- Informationweek.com