Wednesday, December 12, 2007

Microsoft Compares IE and Firefox

Security UPDATE
December 12, 2007
IN THIS ISSUE
    Microsoft Compares IE and Firefox
    HTML Option for Security UPDATE
    Secunia and Autonomy Duke It Out Over Vulnerability Reporting
    Grisoft to Enhance AV Software with Acquisition
    Microsoft's HealthVault Initiative Takes on Securely Storing Health Care Data
    Recent Security Vulnerabilities
    SECURITY MATTERS BLOG: SWFIntruder -- A Cool Security Tool for Flash Applications
    FAQ: The Microsoft Terminal Services /admin Switch
    FROM THE FORUM: Removing LM hashes from Windows
    SHARE YOUR SECURITY TIPS AND GET $100
    Gateway Appliance's HTTP Proxy Gains Speed

SPONSORS
Crashed server? You have a need for speed!
www.ontrackdatarecovery.com/1107_need-for-speed/?promo=1207-winitpro-pc
Messaging Management
www.windowsitpro.com/go/ebook/symantec/messagingmanagement/?code=secmid1212
Assess Unix Configurations with NetIQ
www.findtechinfo.com/as/acs?pl=399&ca=700


In Focus




Microsoft Compares IE and Firefox

People can't resist arguing about whether one browser is better than another, and invariably the argument centers on Mozilla Firefox versus Microsoft Internet Explorer (IE). Last week, I came across a study conducted by Microsoft Strategy Director Jeff Jones that compares the two browsers. The study would have been better if it had included Opera. I guess omission is one good way to marginalize the competition.

My assumption was that because someone from Microsoft produced the report, it would try to show that Microsoft's strategy for IE development and support results in a better, safer product. The report didn't convince me that IE is superior to the open-source Firefox.

Jones said that he examined vulnerabilities in Firefox and IE over the past three years, broke them down by severity, looked at each browser version by version, and examined each browser in terms of unfixed vulnerabilities. Right away, Jones said that according to his findings, more security problems have been found and fixed in Firefox than in IE. Jones' findings point out that the Internet community is finding problems and Mozilla is fixing those problems both openly and quickly. The findings cause me to ponder a thought: If people can find 199 security problems in Firefox, then imagine how many might be found if Microsoft opened the IE source. Well, Microsoft isn't about to do that, and even without the source, people have found at least 87 problems in IE, according to Jones.

Next, Jones takes aim at Mozilla's support life cycle for Firefox, which is shorter than Microsoft's for IE. What Jones failed to mention is that IE is--according to Microsoft--tightly integrated into the OS. So Microsoft has no choice but to support its browser versions longer. Updates to the loosely integrated Firefox are unlikely to break a dozen other applications or the OS itself. Therefore, Mozilla can enjoy the luxury of short support periods, which in turn streamline development and speed up browser innovation.

Jones wrote that Novell is shipping SUSE Linux Enterprise Desktop 10 with support until 2013, Red Hat is shipping Enterprise Linux 5 with support until 2014, and Ubuntu 6.06 was shipped with support until 2009. All three OSs include Firefox 1.5. Mozilla ended support for Firefox 1.5 back in May, but that was announced well in advance, so each vendor should have been aware of the support timeline. Now they have to decide how to handle ongoing support, either by patching Firefox 1.5 on their own or by having users upgrade to Firefox 2.x.

Jones also argues that frequent upgrades are risky for businesses. Microsoft releases a batch of security patches and other product patches nearly every month, many of which have broken various aspects of Windows. I've been using Firefox since it was released. The browser tells me when an update is available via a nonintrusive pop-up box, and I click OK. The entire upgrade process takes about 20 seconds over a broadband link. Never once has a Firefox upgrade ever broken anything on my systems. I bet others have similar success stories. As for businesses, administrators can upgrade Firefox on any number of systems and most likely experience similar results.

Jones stated that part of his motive for creating the report was to refute Mozilla's statement that those who use Firefox "won't harbor nearly as many security flaws as those that have Microsoft's Internet Explorer." While Jones did do that, the proof is relatively meaningless. At the end of his report, Jones summarizes by saying that IE has experienced fewer vulnerabilities over time than Firefox, which left me wondering, "So what?" If Windows runs on 80-something percent of all desktops, then by default IE also runs on 80-something percent of all desktops. It seems obvious that a major vulnerability in IE will cause more widespread damage than a similar vulnerability in Firefox or any other browser. So that needs to be kept in mind when comparing the number of vulnerabilities in each browser.

Jones also failed to point out that Mozilla fixes vulnerabilities faster than Microsoft. Of course, Microsoft is more limited in what it can do in terms of patch releases because it carries a much larger responsibility due to its huge Windows user base and because IE is tied to various other aspects of the OS.

One thought that came to mind after reading the report is that maybe Microsoft is bothered by the fact that Firefox is a very good browser, that it's growing in popularity, that it's free, and that it's open source. Any great open-source program makes open source look attractive to people. And naturally that's problematic for Microsoft.

If you're interested in Microsoft's spin, then head over to Jones' blog at the URL below where you'll find his report available in PDF format.
blogs.technet.com/security/archive/2007/11/30/download-internet-explorer-and-firefox-vulnerability-analysis.aspx







HTML Option for Security UPDATE

Editor's Note: Security UPDATE and Security UPDATE Alert are now available in HTML format, as an alternative to text format. To change your preference to HTML, go to www.windowsitpro.com/email. Note that you'll need to log on or register on our Web site to change your format preference.

Security UPDATE also is now mailed from a different IP address range and has a different From address. Please adjust your email service provider and spam filter whitelists accordingly to avoid missing an issue.

The new IP address range from which the newsletter originates is:

204.92.180.[85-86]

The new From address is:

Security_UPDATE@email.windowsitpro.com





Sponsor Kroll Ontrack

Crashed server? You have a need for speed!

Ontrack Data Recovery services provide the fastest, most cost-effective recovery solutions available utilizing the industry's only lab-quality, remote data recovery service.

* No need to ship any equipment
* Fast, secure connection allows engineers to begin data recovery work in minutes

Special Offer: For a limited time, if you need data recovery service on any server or RAID system, you will receive:

* Free initial consultation with a data recovery engineer to help you determine the fastest, most cost-effective course of action
* Free service upgrade to our Priority-level Service
* Free comprehensive, remote evaluation of your storage media

For immediate assistance, call 800 872 2599 - or visit: www.ontrackdatarecovery.com/1107_need-for-speed/?promo=1207-winitpro-pc




Security News and Features




Secunia and Autonomy Duke It Out Over Vulnerability Reporting

Secunia, well-known for publishing vulnerability reports, has drawn the ire of Autonomy over publication of historic security advisories.

To view the rest of this article, click here





Grisoft to Enhance AV Software with Acquisition

Antivirus solution provider Grisoft announced that it will acquire Exploit Prevention Labs, maker of real-time URL-scanning technologies.

To view the rest of this article, click here





Microsoft's HealthVault Initiative Takes on Securely Storing Health Care Data

Microsoft says its new health information storage product lets customers securely store health data--including notes from doctor visits, lab reports, and test results--online. Brian Moran offers his perspective on the technology in this article on our Web site.

To view the rest of this article, click here





Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at www.windowsitpro.com/departments/departmentid/752/752.html.





Sponsor Symantec

Messaging Management

Guarding against the growing threats to the corporate email and IM environment has become an ever-consuming task of the IT professional. Now is the turning point for IT security professionals to look at their mainstays in their defense strategy and make sure they are pulling their weight. In scrutinizing your messaging management solutions, this valuable guide shows that securing a mail and messaging infrastructure should not be an afterthought. A secure mail and messaging infrastructure is fundamental to your business and any organization should plan for the appropriate message hygiene, availability, and control services from the start.

Download this free resource before evaluating message management solutions.
www.windowsitpro.com/go/ebook/symantec/messagingmanagement/?code=secmid1212



Give and Take




SECURITY MATTERS BLOG: SWFIntruder -- A Cool Security Tool for Flash Applications

Flash can be a great multimedia tool. It can also be a dangerous thing when in the wrong hands. SWFIntruder helps cut through the veil so you can see if Flash applications might be dangerous.

To view the rest of this article, click here





FAQ: The Microsoft Terminal Services /admin Switch

Q: What is the /admin switch in Microsoft Terminal Services Client (MSTSC) for Windows 2008 and Vista?

For the answer, go to www.windowsitpro.com/Article/ArticleID/97716







FROM THE FORUM: Removing LM hashes from Windows

A forum participant has a Windows Server 2003 Active Directory (AD) domain and wants to delete all existing LAN Manager (LM) hashes from the AD database. He knows that there's a way to use Group Policy to stop AD from creating LM hashes, but he also needs to remove LM hashes that already exist. Join the discussion at forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=88375&enterthread=y.






SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@securityprovip.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.




Sponsor NetIQ

Assess Unix Configurations with NetIQ

Learn how Secure Configuration Manager can help with compliance requirements in the IT controls areas of entitlement reporting & segregation of duties. Discover how to make your compliance program more sustainable & repeatable, while gaining visibility into sources of vulnerability & risk exposure.

www.findtechinfo.com/as/acs?pl=399&ca=700



Products




Gateway Appliance's HTTP Proxy Gains Speed

Astaro announced the availability of version 7.1 of its Astaro Security Gateway appliance, a unified threat management (UTM) solution providing network security, Web filtering, and email security. The new version has a proprietary HTTP proxy engine that's faster and that supports directory single-sign-on (SSO) via NTLMv2 and Kerberos authentication, blacklists and whitelists, and streaming media capability. In internal performance tests, the new proxy showed performance improvements of up to 80 percent. For more information, go to www.astaro.com.




Resources and Events






Learn the Fundamentals of Messaging Management Systems
IT security pros need to review their messaging defense strategy and make sure it pulls its weight. A secure mail and messaging infrastructure is fundamental to your business, and every organization needs to plan for message hygiene, availability, and control services from the start. Download this free resource before evaluating a message management solution. www.windowsitpro.com/go/ebook/symantec/messagingmanagement/?code=120507er

If there's a "killer app," it's email. Businesses rely on it, and mobile users and clients have lowered the tolerance for email downtime. View this Web seminar and hear Paul Robichaux share information to help you meet your enterprise's high-availability needs. Tune in for useful tips and a guide to disaster recovery planning resources.
www.windowsitpro.com/go/seminars/xosoft/exchangeHA/?partnerref=120507e&r

You can't predict disasters, but you can be prepared with a solid response if one occurs. This free Data Protection and Disaster Recovery Tips eBook explains how to prepare a disaster plan that will work for your organization. Download it now.
www.windowsitpro.com/go/ebooks/ca/disaster/?code=120507er





Featured White Paper






Find out how you can extend Active Directory to non-Microsoft environments.
A mixture of Windows, UNIX, Linux, and Mac environments are a fact of life for most IT organizations. This white paper introduces a solution that can help you centralize identity and policy management and build a secure, connected computing environment from heterogeneous systems. Find out more about extending Active Directory so you can centrally manage your systems. Download this white paper today! www.windowsitpro.com/go/wp/centrify/directcontrol/?code=120507er





Announcements






Exchange 2007 Mastery Series: January 28, 2008
Three info-packed eLearning seminars for only $99 ($79 before December 15)!
Hosted by Windows IT Pro.
Mark Arnold--MCSE+M, Microsoft MVP--will coach you through Exchange 2007 storage solutions: planning for archiving and compliance, optimizing your iSCSI network storage, and finding the sweet spot between memory and spindles.
www.windowsitpro.com/go/elearning/masteringexchange2007

Packed with thousands of articles, bonus content, and loads of expert advice, the Windows IT Pro Master CD is like having your very own team of professional Windows consultants in your pocket. Get real-world solutions lightning-fast--order the Windows IT Pro Master CD today. Includes a one-year subscription to all online content at WindowsITPro.com!
store.pentontech.com/index.cfm?promocode=EU227AOC&





If you use a product that has made a tremendous impact in your organization and is a product that you can't live without, tell us about it at whatshot@windowsitpro.com and we'll feature your review in a future issue of the magazine, under the "What's Hot" section.

Contact Us

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://www.windowsitpro.com/windowssecurity
http://www.securityprovip.com

Manage your Security UPDATE subscription at
www.windowsitpro.com/email

Be sure to add Security_UPDATE@email.windowsitpro.com to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- www.windowsitpro.com/forums
About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at http://www.windowsitpro.com/aboutus/index.cfm?action=privacy



Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
