Monday, January 16, 2006

Browser security: A report card of closed source and open-source web browsers

[Chart: Browser security advisories]

There is a perception (or perhaps misconception) that open-source software (OSS) is inherently less secure than closed-source software, the reasoning being that "once a hacker can see the code behind the application, they can exploit it." Many counter-argue that OSS means more people have access to the code, and thus more people can correct the problems.

Looking at this chart tells me that the latter is correct. Here you see that the closed-source web browser (Internet Explorer) has 29 advisories that have remained unpatched for over a year, while the OSS web browsers (Safari, Firefox) have only 2 advisories between them that have remained unpatched for over a year.

Not only that, but of the outstanding advisories, the closed-source ones are rated "Highly Critical", while Safari's carries a "Not Critical" rating and Firefox's a "Less Critical" rating.

All three teams have had a year to solve these issues and publish the solutions. Microsoft has a very critical responsibility to its users to put out solutions that solve these problems completely and in a timely manner. It is most critical that they do this because they are closed-source and because their browser holds around 90% of the market. It seems they have failed to realize this.

Firefox and Safari need to realize that they too can fall under the problems that IE is currently suffering. If they fail to keep their designs simple and testable, then they will start seeing a larger number of advisories racked up against them as well.

People often say that the reason IE is so insecure is that it has the most people using it, and this is somewhat true. But the popularity of an application does not imply a vast number of security holes. Instead, it means more advisories are likely to be found by the hackers who look for them. It is hard to find security holes in a closed-source application, and these guys and gals have really done an excellent job of doing so.

Finding security holes in an open-source system is a little easier, as you have the code in front of you and can trace through all the routes that the application takes. Bugs can be found sooner and hopefully squashed before the application is made public. Many bugs never see the light of day because of the understanding that "more eyes on the code mean fewer bugs."

This data also shows how long it takes for the teams to correct the advisories. It is apparent that Microsoft's IE team does not solve these issues in a timely manner. Perhaps it is the sheer number of advisories against them, or perhaps the architecture of IE makes it difficult to find bugs and correct them without breaking another part of the browser.

The problem is we don't know whether it is an architecture problem or a human-resource problem. What we do know is that the browser is deficient in handling the issues known about it. We don't know what activities Microsoft undertakes to prevent bugs like these from being released to the public, but we do know that there are an awful lot of bugs slipping by.

Secunia has the following description for “Highly Critical” advisories.

“Typically used for remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can e.g. exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.”

Secunia has the following description for "Not Critical" advisories.

“Typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of installation path of applications).”

Secunia has the following description for “Less Critical” advisories.

“Typically used for cross-site scripting vulnerabilities and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.”

For more information on this data, please see the Secunia Vulnerability Reports below:
IE 5.01
IE 5.5
IE 6.x
Safari 1.x
Safari 2.x
Firefox 1.x
