On 20 Sep 2005, Anthony chattered thus:

> Here is one that I keep seeing mentioned.
>
> http://news.zdnet.com/2100-1009_22-5873273.html

That article doesn't mention how the reports from Mozilla are being counted. Does an exploit common to both Mozilla and Firefox count as a single bug or as two bugs? Also, consider that they're comparing 3 browser products from Mozilla against one from m$.

Even if Symantec were non-biased and could be trusted to give a fair comparison, that article only compares a particular 6 month period. It doesn't mention which vendor had the most issues the 6 month period before or the period before that.

When we look long term at the number of security issues that have been discovered, m$ is definitely first in class with no competition...

There are several security holes that m$ has refused to acknowledge, so they won't make the list from Symantec. Mozilla, OTOH, is open about bugs. They have to be because their bug tracking is open for people to look at and add to.

"resulting in a compromise of the entire system if exploited."

I hope people aren't running web browsers as root. Hmm, I guess that's really just an issue on m$ boxen and the browser is irrelevant for that particular security problem.

The real telling piece is that exploits now need less than 6 days to appear. The report doesn't say anything about how long it takes m$ or Mozilla to respond to security holes. I would count on Mozilla having a fix out to at least block the problem in less than 6 days. If the exploit is described at the beginning of the month it'll be weeks before m$ has a fix out. If the exploit comes out at the end of the month it'll likely be at least a month before any kind of fix comes out.

Mozilla is designed to be secure. There are still security issues, but overall Mozilla is doing a good job and the security issues get addressed quickly.

eXploder wasn't designed to be secure. It still has many engineering flaws. For example, activeX.
Having web sites install a bunch of software into your browser is a really, really bad idea. Even worse, activeX isn't in any type of sandbox, so they can fully exploit the client machine.

Mozilla is also better if there is an exploit as you can stop using or even remove its web browsers if you need. m$ has bolted the OS onto eXploder, so you can't remove it and some security holes can be exploited even if you stop using it.

The best thing we could do for Internet security is to ban m$ Internet Explorer and Outlook products. They are designed to not be secure. They are the most exploited programs. Additionally, they do not follow standards. The Internet requires standards to work.

A quick question for those who use m$ desktops but don't use eXploder and LookOut: do you still have to run anti-spyware and anti-virus stuff all the time? If you do run them, do you constantly find stuff that needs to be removed?

Outlook and IE are so insecure that even my grandma knows how to run anti-spyware and anti-virus programs!

ciao,

der.hans
--
# https://www.LuftHans.com/
# "I decry the current tendency to seek patents on algorithms. There are
# better ways to earn a living than to prevent other people from making use
# of one's contributions to computer science." -- Donald E. Knuth