DISCLAIMER: Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
December 04th, 2007
IE trumps Firefox in Microsoft safety study
Internet Explorer is more secure than Firefox, according to a senior Microsoft executive, who compared how many vulnerabilities were found in the two browsers — but critics say his study is flawed.
Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group, released a study last week comparing the flaws in Microsoft's Internet Explorer to Mozilla's Firefox browser — unsurprisingly, he concluded that Microsoft is doing a better job than Mozilla.
Challenging early predictions that Mozilla's Firefox browser would experience fewer vulnerabilities than IE, Jones concedes that both vendors' browsers have experienced significant flaws.
Jones claims Mozilla has fixed more flaws in its browser than Microsoft during equivalent periods, which he said renders Firefox more vulnerable than IE.
‘Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products — 75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer — 54 high severity, 28 medium severity; and five low severity,’ said Jones.
Comparing Microsoft's 2004 release, IE6 (Service Pack 2), to Firefox 1.0, Jones said Microsoft fixed 79 flaws while Mozilla fixed 88.
He also compared IE7 to Firefox 2.0 over a 12 month period, during which he said Mozilla fixed 56 flaws while Microsoft fixed only 17 in IE7.
‘While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox,’ said Jones.
However, Jonathan Oxer, technical director and founder of web application development company, Internet Vision Technology, and president of Linux Australia, claims the study is flawed because Microsoft tends to bundle its fixes, which lead to a lower count over the period being compared.
‘For example, when fixing a vulnerability there might be several issues being resolved in one go. So it decreases the bug count.’
Oxer explained that the way in which levels of security are reported is frequently different. ‘In the case of Firefox there may be issues that Mozilla has reported for which there is no known exploit — a theoretical exploit — so it's not necessarily accurate to directly compare fixed exploits without an understating of how the numbering or definition of an exploit is determined,’ he said.
Oxer believes that a more valid way to score software in terms of security is to give each exploit a value depending on the number of days from discovery of a bug to the release of a fix, multiplied by a severity factor.
‘Two products that have a similar number of exploits fixed over a certain period may actually be very different in terms of the number of days of exposure to which users are subjected,’ said Oxer.
The Microsoft data also raises the issue of support for legacy versions of the software. While Mozilla ends support for each version six months after a new release of Firefox, Microsoft maintains support for up to a decade after the version ends, in line with its cycle for operating systems.
‘If Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001. In contrast, Microsoft generally releases a browser in conjunction with a new operating system release and commits to supporting that version for the lifecycle of the product — now 10 years for business products,’ said Jones.
Support issues also affect third-party distributors, Jones said. Despite Mozilla ending support for Firefox 1.5 in May 2007, Ubuntu 6.06 LTS — which integrates that version of Firefox — has committed to providing security support until 2009. Likewise, Novell Suse Linux offers support for Firefox 1.5 until 2013. While Ubuntu and Red Hat released patches for Firefox version 1.5, Jones said: ‘The vulnerabilities patched by each vendor only overlap partially.’
‘Lifecycle considerations are likely to be more important to corporate enterprises, as they sometimes have custom web applications and are hesitant to upgrade between major releases very often, and even then may have a relatively long transition plan,’ said Jones.
However, Linux Australia's Oxer reckons this manner of delivering support is a benefit of the open-source model, because it allows customers greater flexibility throughout a contract.
‘One of the major differences between the proprietary and open-source models is when multiple vendors are providing support for a single code base… even though Mozilla may end its support, there are software vendors — such as Linux distribution providers — that are committed to providing support to enterprise customers,’ said Oxer.
‘What it means is that end users get to choose the level of support they want. If you choose a company with long-term support for maintaining a stable operating environment for desktops, that's one option they can take. Or they may want a distributor with more frequent updates,’ he said.
The disadvantage of using a proprietary software company such as Microsoft, said Oxer, is that enterprise customers are shackled to the schedule of a single vendor, which may not fit the organisation's timetable.
Source: ZDNET
All news for December, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: Keylogger.org is an independent research
project supported by a team of enthusiasts. If you find this
project useful or would like to help foster its continued
development please consider making a donation using PayPal`s
online secure payment service. A PayPal account is not required.
All major credit cards are accepted (MasterCard/Eurocard,
Visa/Delta/Electron, American Express, Switch/Maestro, Solo).
Simply click the button below.
Any amount would be useful and appreciated!
Thanks in advance for your support!
|
