Comments on: What Ordinary Users Think About IE: Debunked http://www.protocolostomy.com/2008/12/17/what-ordinary-users-think-about-ie-debunked/ Made with only the finest 1's and 0's Thu, 26 Jan 2012 21:20:45 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Firefox not IE, Please! « Katamat at Home http://www.protocolostomy.com/2008/12/17/what-ordinary-users-think-about-ie-debunked/comment-page-1/#comment-37792 Firefox not IE, Please! « Katamat at Home Fri, 26 Mar 2010 18:27:29 +0000 http://www.protocolostomy.com/?p=437#comment-37792 [...] article says it all. Down with IE and up with [...] [...] article says it all. Down with IE and up with [...]

]]> By: Sander http://www.protocolostomy.com/2008/12/17/what-ordinary-users-think-about-ie-debunked/comment-page-1/#comment-6605 Sander Sun, 21 Dec 2008 18:45:05 +0000 http://www.protocolostomy.com/?p=437#comment-6605 @Sebastian: you're absolutely right that making assertions on software security needs to be done with accurate information. That accurate information would, for example, have to include Mozilla's policy of creating an advisory for _every_ security issue found, including the large number which are discovered by Mozilla developers themselves. Microsoft will frequently fail to creates advisories for those security issues which aren't reported to it from the outside. The number of reported security issues in an open product like Firefox will thus frequently be higher than those in a closed product like MSIE, and this is a _strength_ of the open product, not a weakness. For more on this, see for example this recent blog post by the Mozilla security team: http://blog.mozilla.com/security/2008/12/15/the-importance-of-good-metrics/ More importantly than that still is the issue m0j0 already mentioned: what's the average time between a security issue becoming publicly known (thus likely to be exploited), and when a release happens which fixes that security issue? I don't have any terribly recent data for this, but here's a report from early 2007 (so at least a year better than the one m0j0 posted above) which looks at the situation in 2006: http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html To summarize: During the entire year of 2006, IE had 284 days during which it was unpatched for a publicly known critical vulnerability, and 98 days during which it was known that those vulnerabilities were used in the wild for stealing personal or financial data. In contrast, Firefox had a grand total of 9 days in which it was unpatched for a publicly known critical vulnerability. @Sebastian: you’re absolutely right that making assertions on software security needs to be done with accurate information. That accurate information would, for example, have to include Mozilla’s policy of creating an advisory for _every_ security issue found, including the large number which are discovered by Mozilla developers themselves.
Microsoft will frequently fail to creates advisories for those security issues which aren’t reported to it from the outside. The number of reported security issues in an open product like Firefox will thus frequently be higher than those in a closed product like MSIE, and this is a _strength_ of the open product, not a weakness. For more on this, see for example this recent blog post by the Mozilla security team: http://blog.mozilla.com/security/2008/12/15/the-importance-of-good-metrics/

More importantly than that still is the issue m0j0 already mentioned: what’s the average time between a security issue becoming publicly known (thus likely to be exploited), and when a release happens which fixes that security issue?
I don’t have any terribly recent data for this, but here’s a report from early 2007 (so at least a year better than the one m0j0 posted above) which looks at the situation in 2006: http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html
To summarize: During the entire year of 2006, IE had 284 days during which it was unpatched for a publicly known critical vulnerability, and 98 days during which it was known that those vulnerabilities were used in the wild for stealing personal or financial data. In contrast, Firefox had a grand total of 9 days in which it was unpatched for a publicly known critical vulnerability.

]]> By: Jacob Santos http://www.protocolostomy.com/2008/12/17/what-ordinary-users-think-about-ie-debunked/comment-page-1/#comment-6528 Jacob Santos Fri, 19 Dec 2008 16:26:23 +0000 http://www.protocolostomy.com/?p=437#comment-6528 This article is hard to consume, mostly I wouldn't forward it to anyone, unless I was using it of an example of bias. You make no distinction of which IE version you are speaking of. If you would have said IE 6, then I would follow it immediately to everyone I know. You are right in that the majority of businesses do require IE 6 because of commercial products that require it. The good news is that once businesses have switched to Vista, IE 7, which is marginally better with standards and less annoying bugs (but other more obscure standards bugs). IE 8 is extremely better, with both security (of course there was a patch for Beta 2 a few days ago. The issue is that for end users, they don't really care. We care, but until they upgrade to new PCs, they are going to use what they have. This article is hard to consume, mostly I wouldn’t forward it to anyone, unless I was using it of an example of bias. You make no distinction of which IE version you are speaking of. If you would have said IE 6, then I would follow it immediately to everyone I know.

You are right in that the majority of businesses do require IE 6 because of commercial products that require it. The good news is that once businesses have switched to Vista, IE 7, which is marginally better with standards and less annoying bugs (but other more obscure standards bugs). IE 8 is extremely better, with both security (of course there was a patch for Beta 2 a few days ago.

The issue is that for end users, they don’t really care. We care, but until they upgrade to new PCs, they are going to use what they have.

]]> By: m0j0 http://www.protocolostomy.com/2008/12/17/what-ordinary-users-think-about-ie-debunked/comment-page-1/#comment-6469 m0j0 Thu, 18 Dec 2008 18:09:53 +0000 http://www.protocolostomy.com/?p=437#comment-6469 Right. Now go back and figure out the number of days that users of IE vs. Firefox were actually left vulnerable due to vulnerabilities being unpatched. This all comes back to users being vulnerable. It's not about flawed code. It's all flawed. It's about how many vulnerabilities are unpatched, multiplied by the number of days they are unpatched. I'm not sure if secunia has that information, and I can't take any more time today to find links for you, but if you really want to research it, don't think about the problem so much as an engineering problem but a customer service one. The question isn't how many vulnerabilities are reported, but how many are reported multiplied by the number of days they are left unpatched, thereby leaving a user at risk. Also, for the links I posted, the dating is mostly irrelevant. The fact is that there has never been a time when Firefox has spent a full year leaving users at risk 98% of the time. IE has. You'll remember that the initial discussion was "track record", which necessarily includes historical data. Right. Now go back and figure out the number of days that users of IE vs. Firefox were actually left vulnerable due to vulnerabilities being unpatched. This all comes back to users being vulnerable. It’s not about flawed code. It’s all flawed. It’s about how many vulnerabilities are unpatched, multiplied by the number of days they are unpatched. I’m not sure if secunia has that information, and I can’t take any more time today to find links for you, but if you really want to research it, don’t think about the problem so much as an engineering problem but a customer service one. The question isn’t how many vulnerabilities are reported, but how many are reported multiplied by the number of days they are left unpatched, thereby leaving a user at risk.

Also, for the links I posted, the dating is mostly irrelevant. The fact is that there has never been a time when Firefox has spent a full year leaving users at risk 98% of the time. IE has. You’ll remember that the initial discussion was “track record”, which necessarily includes historical data.

]]> By: Sebastien Lambla http://www.protocolostomy.com/2008/12/17/what-ordinary-users-think-about-ie-debunked/comment-page-1/#comment-6467 Sebastien Lambla Thu, 18 Dec 2008 17:55:28 +0000 http://www.protocolostomy.com/?p=437#comment-6467 Not being funny, but a reliable source would have to be up-to-date, and your link dates back from 2005. Secunia is fair enough, let's detail. Firefox 2 has been released at the same time as IE7, so I'll add up secunia's vulnerabilities for ff2+3 and compare to IE7. I have double-checked all the FF3 vulnerabilities and removed the one that was common to FF2 and FF3, so I think you'll find the numbers accurate. IE: 33 advisories, 70 vulnerabilities Firefox: 36 advisories, 195 vulnerabilities IE Extremely: 9% Firefox Extremely: 0% IE Highly: 36% Firefox Highly: 56% (20) IE Moderatly: 9% Firefox Moderatly: 5% (2) IE Less: 36% Firefox Less: 22% (8) IE Not: 9% Firefox Not: 17% (6) So according to secunia, Highly and Extremely critical together put IE at 45% of advisories, and FF at 56. Taking anything above moderate advisories puts it at 54% and FF at 61%. The number of advisories and vulnerabilities is also higher in the firefox family of products. Let's make it clear that I do not care much for the browser wars in general, whatever works for you. But making assertions on software security needs to be done with accurate information. The difference in numbers and seriousness of vulnerabilities between firefox and IE is not significant. What is significant is the number of attackers that choose to attack IE, and with that I will fully agree. If you want to recommend people to switch, it would be less of an insult to their intelligence to recommend a less mainstream browser because there are less attacks, not because there are less flaws. And certainly not for an alleged abyssimal security record. Not being funny, but a reliable source would have to be up-to-date, and your link dates back from 2005.

Secunia is fair enough, let’s detail. Firefox 2 has been released at the same time as IE7, so I’ll add up secunia’s vulnerabilities for ff2+3 and compare to IE7. I have double-checked all the FF3 vulnerabilities and removed the one that was common to FF2 and FF3, so I think you’ll find the numbers accurate.

IE: 33 advisories, 70 vulnerabilities
Firefox: 36 advisories, 195 vulnerabilities

IE Extremely: 9%
Firefox Extremely: 0%

IE Highly: 36%
Firefox Highly: 56% (20)

IE Moderatly: 9%
Firefox Moderatly: 5% (2)

IE Less: 36%
Firefox Less: 22% (8)

IE Not: 9%
Firefox Not: 17% (6)

So according to secunia, Highly and Extremely critical together put IE at 45% of advisories, and FF at 56. Taking anything above moderate advisories puts it at 54% and FF at 61%.

The number of advisories and vulnerabilities is also higher in the firefox family of products.

Let’s make it clear that I do not care much for the browser wars in general, whatever works for you. But making assertions on software security needs to be done with accurate information.

The difference in numbers and seriousness of vulnerabilities between firefox and IE is not significant. What is significant is the number of attackers that choose to attack IE, and with that I will fully agree.

If you want to recommend people to switch, it would be less of an insult to their intelligence to recommend a less mainstream browser because there are less attacks, not because there are less flaws. And certainly not for an alleged abyssimal security record.

]]>