Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
Drew, you make some valid points. However, i believe your conclusion is off
the mark nonetheless. Admittedly, IE's vast installed user base and MS's
arrogance regarding security (and many other matters) have influenced the
number of bugs that come to light. No argument there. However, there *are*
valuable security advantages inherent to the more platform-independent
development style of a product like Mozilla, and inherent to the fact that
it's open source as well.
Developing across platforms leads to a more modular product, with the effect
that a security vulnerability in one component will not typically extend into
another. In this situation, bugs can be patched without fuss, and simple
workarounds are often available. It is the highly interlaced, interdependent
architecture of Windows and its apps and clients, and the way they're
designed to interact, that often makes patching so time consuming and
difficult, and so deplorably slow, as you noted. A browser that doesn't have
as much access to the guts of the system is simply more secure by design.
It's less of a threat to begin with, and it can be patched more easily.
Also important is the simple fact that it's open source and therefore
transparent: anyone is welcome to review the source code and see for himself
exactly what it does and how it works. There are no secrets in Mozilla.
On the other hand, Internet Explorer and Outlook Express (and Netscape and
Opera) are closed-source products. Microsoft doesn't permit consumers to look
under the hood, so to speak. All we're told about these products is what's
stated in the documentation, but Microsoft has for decades included
undocumented functions in many of its products. Obviously, any software
containing secret functions is an obstacle to good security.
Furthermore, Mozilla offers users more control over potentially risky features
like JavaScript. It doesn't run ActiveX controls, a dangerous, powerful
gimmick with which Microsoft is much enamored. It offers superior user
privacy with better management of the URL history, page cache, cookies,
plugins, and passwords. It doesn't store data traces in the Registry, or clog
up the system with index.dat files, thereby making data hygiene easier and
more certain. And it doesn't use MS's preposterous security 'zones' that are
so confusing to novices, and easily exploitable with scripts anyway. It's
ludicrous to expect users to know which Web sites they can trust. Any site
can be malicious, and even a 'trustworthy' one can be compromised. Scob
showed people how essentially stupid the 'zone' scheme is, just in case
anyone was fool enough to doubt it.
Finally, Mozilla is produced by people who *wish* to work on it, not people
who have merely been commissioned to work on it. The developers care about
what they're doing, and it shows. Firefox and Thunderbird are even better, as
you noted, though some users prefer a more feature-rich product. For them,
Mozilla is vastly a superior replacement for IE and OE.
Your memo was indeed factual, as promised; but your facts failed to support
your conclusion that Mozilla is no more secure than IE and OE. It's immensely
more secure. And that's a fact ;-)
chrz,
tom
==============
Thomas C. Greene
Associate Editor
The Register
http://basicsec.org
http://theregister.co.uk
-------------------------
There has been a great deal of talk about people
switching to Mozilla because of this recent Internet
Explorer issue.
This is a serious misunderstanding about security
that comes about because of people's ignorance and
because they "believe the hype" but do not look at
the details.
An example:
http://slate.msn.com/id/2103152/
***
In less than a day, Internet administrators sterilized
the infection by shutting down the Russian server that
hosted the spyware. But not before a barrage of scary
reports had circled the world. "Users are being told
to avoid using Internet Explorer until Microsoft patches
a serious security hole," the BBC warned.
<..>
Scob didn't get me, but it was enough to make me ditch
Explorer in favor of the much less vulnerable Firefox
browser.
***
The issue has been found not to utilize the zero day spyware
worm we have seen of late, but utilizes a known and patched
IE bug. Previous attacks used this same vulnerability before
it was patched, this is true. That attack and the latest spyware
zero day attack were both unreported. The latest attack was
way over reported and there was a great deal of wrong information
in a lot of these news stories.
Disclaimer: * I like Mozilla. I use it nearly daily for Usenet. I
use it as a secondary browser. I used it as a primary mail client
for years. I have worked at an open source company and have been
involved in several major open source security projects over
several years. *
[Primary Caveat to what I am about to say: Microsoft has an atrocious
record of fixing bugs. They routinely take six months to fix security
issues given to them. Some issues they simply leave open with
absolutely no explanation, such as the adodb stream issue which
has been used in all of the latest IE attacks. There is absolutely
no excuse for this kind of behavior, and people should consider
leaving Internet Explorer for this kind of reason... not because
because bugs were found.]
This said, people should not change browsers "because of the Scob",
nor should they assume Mozilla is more secure. Change because of
the features or to support Open Source. But, don't change any
software because someone found a bug in it... unless that bug
was horribly stupid to find.
Very often I see people saying "Because of this recent security
hole, I am changing to Mac, they are safer". The same argument
remains true.
Mozilla is safer in some regards. Its' lack of activex is not
really the reason, though. For one thing, it has "plug ins". This
is how Shockwave runs on it. One of the Shockwave bugs I found
also worked in Mozilla. Maybe others did -- I did not even bother
to test it.
Here are some facts:
-> Bug finders want attention. Bug finders want to find bugs that
will affect the systems they use and the systems everyone else uses.
-> Internet Explorer, for several years, has had 94% of the browsing
population. That is everyone. It may not be the most visible majority,
but it is definitely the majority. If you have ever managed a large
site, you - like me - have likely seen the very same stats. This is
a huge majority of the Internet population.
-> The very same people are finding these big bugs. It is not like
there are a whole ton of unexperienced people finding these bugs. These
are the best. They are experts at finding them. They may not always
be cognizant of this themselves, the act of finding them may not
seem difficult to them, but it is -- and this is clearly shown by
the fact that the same people keep finding these bugs.
So, what I am saying is: it could be Internet Explorer or it could
be Mozilla. Whichever is more popular, ultimately. If these bugfinders
spend their time trying to break it, it will be broken.
Professional QA and open source QA can not find security bugs
like security researchers can. If you want to break an application,
you do not hire QA to do it. You hire hackers to do it, people
with proven experience.
-> It is true. A lot of top IE bugfinders have it in with Microsoft.
Liu Die Yu was ripped off by them in China. One top bugfinder had
a very bad experience with them as a new computer user. Guninski was
viciously attacked by them for a long period of time -- I watched
as he became slowly more and more anti-Microsoft until it became
an obsession for him.
So, Microsoft's PR campaign has made them some pretty hardened
enemies. This is true. Companies like Netscape tend to not do this
kind of thing because they are used to getting free help and
appreciating it.
-> Using a Mac used to be far more secure then it is now, because
now it is based on the BSD kernel and is far more accessible. Using
a Commodore 64 or an Apple II or a TI-99/4A - if these things were
possible - would be the most secure of all. This is "security by
obscurity".
-> Applications which have less foothold, less code, will have less
bugs. Applications which have more code and more "landscape" will
have more bugs. It does not matter who is developing it. There may
be some freaks out there, mutants, who can write flawless, absolutely
safe code. But, most of us are human beings.
-> Anyone that has worked in the software development field
knows and understands that applications have bugs. This is a fact
of life in these fields. End users are extremely buffeted from this
fact of life because everything that goes into selling the products
tries to keep that from them. Yet, what end user could forget just
how often their application crashes or their system?
It happens all the time. And, if you are using a certain application
or OS all the time, you may think it only happens to you and only
with this software.
This is not true.
(It may be true that some users on some OS's do experience less bugs,
but they well know they do not do the kinds of things which require
software with more "foothold" or code for which bugs might happen -- you
shouldn't expect to see a lot of bugs in your experience if all you
use is notepad.)
Conclusion: Mozilla may be better. I think there is some strong
chance of that. But only marginally. It has had bugs. It has a lot
of features, which means a lot of potential for security issues. They
have kept their browser more conservative then Microsoft has kept
Internet Explorer. Traditionally, Mozilla developers have been
far more "RFC compliant" - as the saying goes then Microsoft.