News Story by Robert McMillan

After flap, Symantec adjusts browser bug count

Depending on how you count flaws, either IE or Firefox could be considered less secure


MARCH 07, 2006 (IDG NEWS SERVICE) - A report issued today by Symantec Corp. seeks to satisfy users of both Mozilla Corp.'s Firefox browser and Microsoft Corp.'s Internet Explorer.

In its latest Internet Security Threat Report, covering the last six months of 2005, the company now features two different ways of counting browser bugs: one that finds that Internet Explorer has the most vulnerabilities, and a second that reveals Firefox as the bug leader.

Firefox had the highest number of "vendor-confirmed" vulnerabilities, with 13 bugs reported during the six months covered by the report, compared with Internet Explorer's 12, said Dave Cole, a director of Symantec Security Response.

However, the latest report also includes a count of bugs found by security researchers that have not been confirmed by Microsoft or the Mozilla Foundation, which owns Mozilla Corp. By that count, Internet Explorer had the most security issues: 24, compared with Firefox's 17.

Symantec decided to begin counting the unconfirmed bugs "partially in response" to feedback from the Mozilla team after publishing its previous report in September 2005. That report counted only confirmed bugs, with 18 for Firefox and 13 for Internet Explorer.

"We said, 'OK, for the next report we'll look at them both,'" Cole said. "It's something we might have looked at anyway."

The report caused a stir among Firefox fans, who have long considered their browser to be more secure than Internet Explorer.

At the time the Mozilla Foundation criticized Symantec's methodology, saying that counting only the number of confirmed flaws skewed the results in Microsoft's favor, because the software vendor tends to group several vulnerabilities together, whereas Mozilla announces each one individually.

Cole would not say which browser Symantec considers to be the more secure. "The reality is, if there's enough motivation there, people are going to find some way to get in," he said. "The concept of the impervious technology is really a mistaken one."

Mozilla and Microsoft representatives were unavailable to comment.

Symantec also found that denial-of-service and phishing attacks continued to rise during the last six months of 2005. DOS attacks were up 51% from the first half of the year, Cole said. On average, there were 1,400 such attacks each day.

Symantec also tracked a "dramatic growth in phishing" and blocked 1.5 billion phishing messages during the period, up 44% from the first half of the year.

main page ATTRITION feedback