Re: List of 12 most vulnerable apps disputed.
"Experts are taking issue with a recent study which warned users of the potential risk of using Firefox.
A recent security study from Bit9 argued that Mozilla's Firefox was the most vulnerable application and thus a major threat to businesses. One of the chief reasons it gave was the lack of a large-network patching system. For this reason, despite recent security flaws, it did not consider Microsoft's Internet Explorer software, as it assumed that such a patching system dramatically lowered vulnerability.
Bit9 went as far as to suggest that enterprises block their employees from having access to Firefox and delete it from work computers.
Some firms, including Mozilla, were quick to take issue with Bit9's alarming comments. Representatives from Mozilla's security branch, Human Shield, contacted DailyTech with remarks on the topic. The company's Johnathan Nightingale states, "While we're always happy to see stories that focus on educating our users about security, there are some problems with Bit9's methodology that hinder its ability to draw any meaningful conclusions."
According to Mr. Nightingale, by raising the "risk" of companies which disclose critical vulnerabilities, Bit9's study punishes openness, a critical key to security. It rewards companies that keep their vulnerabilities secret, he argues.
He also criticizes Bit9's stance on patching, stating that the firm's claims fall short of reality. He states, "Bit9 seems to understand (the need for smarter metrics) in its focus on application support for updates, but again it fails to account for the real world experience. Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released."
He concludes, "The Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of it being announced. That is the real measure of application security: are known vulnerabilities fixed promptly, tested carefully, and deployed thoroughly? Bug counting is unfortunately common because it's easy, but it should not be a substitute for real security measurement."
Similar sentiments were also echoed by various readers on DailyTech as well as several sources in the security business. While the Bit9 study certainly takes a controversial and interesting position, according to many its claims are overly broad and flawed. Whether this is the case is largely a matter of opinion, but one thing's for sure -- whether you're on Firefox, Opera, Chrome, or Internet Explorer, security is largely in the hands of the user."
DailyTech - Mozilla Disputes Bit9's Claim That Firefox is "Most Vulnerable App"
I too believe this list is fundamentally flawed in that it identifies programs to be included on the list by the fact that they do not have a "patch" system, but rely on new versions to repair flaws. Given the number of critical patches issued by IE during the same period, I don't believe that a manual update, compared to an automatic update, is sufficient reason to justify calling a program "inherently insecure".
Take a look here :-
Mozilla Firefox 3.x - Advisories by Product - Secunia Advisories - Vulnerability Intelligence - Secunia.com
Microsoft Internet Explorer 7.x - Advisories by Product - Secunia Advisories - Vulnerability Intelligence - Secunia.com
Having said that, I agree, all browsers are unsafe by design; like a car, you need to learn how to "drive" safely. The only perfectly safe system is a stand-alone with no external access. In this age it's not possible. We allow so many programs to go through our firewalls, both software and hardware, that reliance on a firewall for protection is like taking a shower in a raincoat. The only solution is to take sensible precautions that offer a reasonable measure of protection and allow you to do what you want to do, with minimised risk, and to be prepared for the worst happening by backing up data etc. that you can't afford to lose.
Norm