In a list of the 12 most vulnerable applications for the Windows platform, published by security firm Bit9, Firefox finished at the top. The browser earned that position because Mozilla patched 10 vulnerabilities that could be used to gain control, gain access, or execute arbitrary code via buffer overflows, malformed URI links, JavaScript, documents and third-party tools.
The browser is well respected throughout its open source community. Users can download add-ons, themes and many other tweaks to adjust and modify their browser for maximum performance and appearance.
Bit9 posted a list of the top 12 vulnerable applications:
- Mozilla Firefox
- Adobe Flash and Adobe Acrobat
- EMC VMware Player, Workstation and other products
- Sun Java JDK and JRE, Sun Java Runtime Environment (JRE)
- Apple QuickTime, Safari and iTunes
- Symantec Norton products (all flavors 2006 to 2008)
- Trend Micro OfficeScan
- Citrix Products
- Aurigma Image Uploader, Lycos FileUploader
- Skype
- Yahoo Assistant
- Microsoft Windows Live (MSN) Messenger
And I'm not just defending Firefox here, they generally seem to apply this sort of thinking in their list -- disregarding the number of open bugs, which may look completely different...
Finally, the number of patches is no special indication of worse security. If a developer doesn't follow up on reported security holes well, and thus releases fewer patches than they should -- does this product now have better security?
Last edited by Jugalator on 16 Dec 2008 - 08:31
Not false either, just not true. Like, you cannot extract any conclusion out of that (other than maybe evaluating the developers response).
Saying that it isn't false, but isn't true sounds fanboyish to me.
Anyway, more patched vulnerabilities means there were lots of vulnerabilities, which in turn means that there could, or should, be even more unknown ones.
Is it "fanboyist" saying that a study based on incomplete data means squat?
On the other hand fewer patched vulnerabilities doesn't necessarily mean that there were fewer vulnerabilities.
Just a hypothetical situation that debunks any study based only on released patches:
- Take 2 programs with equal number of vulnerabilities.
- Patch all of them only in program 1.
- Apply the patch based rating and see the crap you've come up with.
I would describe it as "being realistic". It's neither true nor false, but partially both.
As for Skype and WLM, I use them almost every day, and I don't know of any security problem related to these 2 apps; I mean for this year.
WLM always has those files being sent about from people who are stupid enough to accept and execute them.
Yep... Since I don't need any of the special features of WLM, I just use a free multi-protocol app like Pidgin.
Pidgin FTW! ^_^
Miranda IM FTW! ^_^_^_^
Anything that isn't a single client FTW! xD
Ok. This is not talking about home use. It's biased.
The applications on this list meet the following criteria.
1) Runs on Microsoft Windows.
2) Is well-known in the consumer space and frequently downloaded by individuals.
3) Is not classified as malicious by enterprise IT organizations or security vendors.
4) Contains at least one critical vulnerability that was:
a. first reported in January 2008 or after,
b. registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and
c. given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
5) Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
6) The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.
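The six inclusion criteria quoted above, applied as a filter to a constructed set of vulnerability records. This is an added example, not Bit9's code or the article's; the app names and CVE ids are placeholders, and the "centrally updatable via SMS/WSUS" flag is the one that keeps a centrally patched browser off the list, as the thread discusses.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical vulnerability record. The CVE ids used below are
# constructed placeholders, not real NVD entries.
@dataclass
class Vuln:
    cve_id: str
    first_reported: date
    in_nvd: bool
    cvss_base: float  # CVSS base score, 0.0 to 10.0


@dataclass
class App:
    name: str
    runs_on_windows: bool = True
    consumer_popular: bool = True
    classified_malicious: bool = False
    user_patched: bool = True             # end user, not a central admin, applies fixes
    central_update_via_sms_wsus: bool = False
    vulns: list = field(default_factory=list)


CUTOFF = date(2008, 1, 1)   # criterion 4a: first reported January 2008 or after
HIGH_RANGE = (7.0, 10.0)    # criterion 4c: CVSS severity "high"


def is_critical(v: Vuln) -> bool:
    """Criterion 4: reported Jan 2008 or later, registered in NVD, CVSS 7.0-10.0."""
    lo, hi = HIGH_RANGE
    return v.first_reported >= CUTOFF and v.in_nvd and lo <= v.cvss_base <= hi


def qualifies(app: App) -> bool:
    """Criteria 1-6 as quoted: an app is listed only if every clause holds."""
    if not (app.runs_on_windows and app.consumer_popular):
        return False
    if app.classified_malicious:
        return False
    if not app.user_patched or app.central_update_via_sms_wsus:
        return False
    return any(is_critical(v) for v in app.vulns)


def critical_count(app: App) -> int:
    """Number of an app's vulns meeting criterion 4 (the list itself is not ordered by this)."""
    return sum(1 for v in app.vulns if is_critical(v))


def select(apps: list) -> list:
    """Names of the apps that meet all six criteria, in input order."""
    return [a.name for a in apps if qualifies(a)]


# Constructed sample population.
SAMPLE_APPS = [
    App("Browser A", vulns=[
        Vuln("CVE-PLACEHOLDER-1", date(2008, 3, 1), True, 9.3),
        Vuln("CVE-PLACEHOLDER-2", date(2008, 6, 1), True, 7.5),
    ]),
    # Centrally patchable via WSUS: excluded by criterion 6 despite a high-severity bug.
    App("Browser B", central_update_via_sms_wsus=True, vulns=[
        Vuln("CVE-PLACEHOLDER-3", date(2008, 12, 1), True, 9.3),
    ]),
    # Only a medium-severity bug: fails criterion 4c.
    App("Media Player C", vulns=[Vuln("CVE-PLACEHOLDER-4", date(2008, 2, 1), True, 6.8)]),
    # High severity but reported before 2008: fails criterion 4a.
    App("Messenger D", vulns=[Vuln("CVE-PLACEHOLDER-5", date(2007, 11, 1), True, 10.0)]),
]

if __name__ == "__main__":
    print(select(SAMPLE_APPS))  # ['Browser A']
```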
It is one of the reasons I dropped off the domain and turned back to a workgroup.
A domain in theory is awesome, but in the real world it is impracticable, mainly because many (if not all) programs do not follow the strict Microsoft rules. A domain just adds a new level of bureaucracy to the organization, and bureaucracy costs money.
http://news.bbc.co.uk/2/hi/technology/7784908.stm
Internet Explorer security alert
Users of the world's most common web browser have been advised to switch to another browser until a serious security flaw has been fixed.
lol
Shouldn't this be buffer?
oh noes, they caught us cream!
Translation: apps I use are on that list and I am too smart to use insecure apps, so the list is rubbish.
Yes, for your information I do use Firefox. What, does that not make me entitled to an opinion that the article is still utter tripe without being called a fanboy? Whatever, mate, I don't really care, but you obviously do not have a clue, so I won't even bother wasting my time to try and explain to you why I think that this article is utter tripe.
All you said was this is "utter tripe". Maybe if you had some constructive criticism then everyone wouldn't be jumping down your throat.
So reporting news is now 'slipping'?
LOL @ you being an idiot.
LOL @ the firefox fanboys for calling the rationals idiots cause they are too fanboyish to admit mistakes.
And before you ask, I am a user of Safari, Opera, IE and Firefox (depending on my location etc.).
And those of you shouting "oh, but IE has this massive security flaw"... Well, see, if you run Vista and leave UAC on and IE in protected mode then everything is near enough fine.
So still IE has this unpatched bug while Firefox doesn't (read the article, bugs are patched). Firefox wins lol
If you leave UAC on then you are safe. Also, if I were to pick out the list of bugs that are patched in IE, I bet it would be more than Firefox, and the fact that IE can be updated via Windows Server is the reason why IE was not included in the findings.
Have you ever been able to update Firefox over a network? NO, because it's a major pain! That's why companies stick with and USE IE. Because of the fact you can deploy updates by pressing like 2 buttons.
Like, like, you are like, the one that is immature. Glendi had a perfectly mature and logical point.
You need to lay off the MTV usage. It's bad enough when people use the word 'like' every other word but to type it is even more stupid. Just further proves who the immature one is.
That's all well and good, but XP users are still SOL.
The default browser is IE. I made the change to Firefox. In terms of being stuck, you're the one who's got stuck to a browser who has been bloody in all aspects.
And before you ask, I am a user of Safari, Opera, IE and Firefox (depending on my location etc.). Since when did I state I use just IE?
I believe for it to count as every other word you would have to at least use it more than ONCE. So alas we have another troll who can't learn to read posts.
You said I'm stuck with Firefox in the first reply.
SINCE WHEN DID I STATE I JUST USE FIREFOX? I said "Firefox wins over IE". What part of that means I use Firefox?
Learn to read well before telling others about reading. That's just hypocritical.
Yet another guy with a weak attempt to prove me wrong while you did the same thing before.
http://www.mozilla.com/en-US/firefox/security/
Compared to other browsers yes. And I mean YES.
Err, you seem to have forgotten Opera. "Compared to other browsers no. And I mean NO."
and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.
WSUS is free.... SMS isn't, is it?!
Firefox doesn't need any external updater; it updates on its own.
Consider this - User has limited account, able to install programs but not able to have them then modify files inside the program files or updates etc, or there's a firewall blocking the updater etc.
The sooner these browsers get added to WSUS the better sanity us IT techs will have!
But in proprietary software they haven't got everyone looking at the source code except for the developers, meaning fewer problems are found, and that is why people think it is less vulnerable.
Well, that's a no-brainer: when things get more popular, they will get attacked more. And fanboys cannot get the news/media quiet about these kinds of things. Companies do this kind of research all the time, not only Bit9. If fanboys could keep things quiet, we would never hear anything about MS or Apple.
I'm not touching this!!
Although, I'm not surprised.
1) IE7 had a lot fewer vulnerabilities; it wasn't until the one in the news now that people have even found a way in via IE7, and technically it's a flaw in a semi-external to IE7 data binding DLL.
2) IE is self updating or can be updated centrally by Administrators.
The real most vulnerable Windows application is in fact not an application, but the end-user.
Amen!
IE and Fox' both have their strengths and weaknesses. What it really comes down to is your own personal preferences. Get over it.
Also, their whole patch-based logic is ridiculous. Just because something is patched more does not necessarily mean it is more vulnerable than any other application. It just means that bugs and flaws have been found and fixed. What's to say that 'App B' is more secure than 'App A' simply because App A has patched more vulnerabilities? This makes no sense. What is to say that 'App B' doesn't have more un-patched vulnerabilities? See, you really can't make any logical decision at all based on the data at hand.
Sorry if this post came off negatively to any one. I was not trying to single any one out or flame any one. Just giving my 2 cents. Have a good day every one.
It is NOT just about how many vulnerabilities that were patched, it is the fact they cannot be easily patched in the workplace, making them a LARGE risk because they are running un-patched...
FTA:
- Is well-known in the consumer space and frequently downloaded by individuals.
- Is not classified as malicious by enterprise IT organizations or security vendors.
- Contains at least one critical vulnerability that was:
  o first reported in January 2008 or after,
  o registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
- Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
- The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.
There are possibly programs that have had more vulnerabilities fixed, but without a central way for an admin to update these applications, if they are deployed on company computers they are often left unpatched, and even if the users try to patch them, many users don't have the security level to do so.
This makes them a big problem and a big target...
(Microsoft has always done one thing better and that is understanding client/server roles and centralized management and making things easy and secure for businesses. So even with IE6 that had a lot of bugs, at least the administrators could issue the updates or have them applied automatically. Try doing this on a network of 1,000 desktop with Firefox or Skype.)
Not exactly...
It is problematic for businesses more than home users, and the majority of computing is STILL done in workplace environments. This alone makes it a 'big' issue.
However, there are some things of serious side notes to consider:
Home users are also bad about updating software, and these applications don't always force updates on the users.
Code Quality is something else that everyone here is overlooking. When MS was pushing out TONS of updates a month for XP several years ago, there was a problem, there was a serious problem that there were as many security flaws being continually addressed.
Move forward to 2008, and now MS is pushing out a few updates a month.
Does this mean MS stopped caring about security in 2008 or they took time and redesigned not only their code, but their entire development and debugging processes. (The Windows 2003 Server delay timeframe) And XP SP2 was a result of this. They invested in new ways of testing software, adding new memory protection to compiled code (new compilers to check for things that were virtually unknown to be exploitable 10-20 years ago) and additional resources in literally hiring some of the best hacker minded security coders in the world.
So in 2008, MS having less patches is a result of less buggy and more solid code and more solid security throughout their OSes and products.
Now let's look at FireFox, instead of investing in more rigorous security trapping and better security coding guidelines, they have used the 'geek' popularity and obscurity to remain somewhat safe. This does not mean their code is better, but they are not MS and by proxy, less likely to be targeted.
So in 2008 if you look at Firefox or even OSes like OS X where each month there are massive security updates to the products, there is SOMETHING WRONG, just like there was something wrong with the massive updates that XP needed prior to SP2.
This is the result of lower quality code, buggy code, or less concern about security, and will continue to result in more and more security updates and 'fixed' exploits until the products take security and re-evaluate every bit of code from the ground up.
Think of it like this... Vista has been released for two years, OS X 10.5 has been out for one year. OS X 10.5 has had nearly 20x (times) the security updates to it in just one year than Vista has had in two years.
So the questions become:
- Which do you think has better code and probably has less 'unknown' exploits still open?
- Which would you think has a better model for security and the potential to expose less exploits in the future?
- Which OS code base is less buggy and has more security protections in the writing and compiling processes?
History does predict the future, and when you have 'consistent' high quantities of 'high risk' flaws, there is a problem.
In non-computer sense:
If your 6mo old car has been in the shop every month for numerous recall fixes or has been broke down, what do you think the next 6mo will be like? Chances are it is a lemon and that is why there are Auto Lemon laws.
If MS didn't do a complete development 'restart' for XP SP2 and Windows 2003 Server, the updates and bugs coming out of those products would still be huge. And Vista would have added a whole new set of millions of lines of code to exploit.
-Instead XP SP2 is fairly secure and Vista is highly secure.
I've seen people get more bad stuff using IE/Outlook, and no one getting bad stuff using Firefox/Thunderbird - says it all.
http://www.bit9.com/about/index.php
That is so funny-- It doesn't seem as if they tested Opera yet. Opera is not on their whitelist so by using their service it won't let you install it.
TO quote them again -- They actually in this one applaud Firefox.
http://www.bit9.com/resources/newsletters/2007-07-25.php
3 Critical Vulnerabilities Fixed in Latest Firefox Update
Mozilla.org recently released the latest security update to Firefox 2. Version 2.0.0.5 fixes a number of problems with the browser, including 3 critical vulnerabilities that, according to Mozilla, "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." One of these latest vulnerabilities enabled an attacker to escalate their privileges, while another allowed for remote code execution.
While Mozilla is to be applauded for their quick turnaround for security issues, IT professionals worry that profoundly weak links remain in the chain for application-level security:
* Not all software publishers are as diligent and responsive when it comes to security vulnerabilities.
* Users do not necessarily apply the patches they ought to be applying in a consistent or a timely fashion.
* Many companies do not have a way of centrally enforcing appropriate security policies at the application level.
--
Most of the Malware found on a computer are by people running as administrators... If you ran as a limited user most of this software could not find a root into the system.
I think though to me at least a company that is actively issuing fixes some before an exploit can be found is better than none. Some are Steady as she goes with a push for the next update.
That and if you read the PDF it says all can be stopped with their service. And a phone number to purchase it.
I would not trust a source that says with us all will be fixed and all will be secure.
Last edited by redvamp128 on 17 Dec 2008 - 00:16
Firefox fan boys always talk about how secure it is.......
Does the Mozilla staff do a good job patching and keeping it updated? Sure.....that's because it has a lot of flaws and they have to. I'm not saying other software doesn't......I just always like when fan boys get shot down, because they always think they product they are backing is perfect.
I don't believe that they are valid.....that's why I made my own comment.....because I'm not a sheep that believes everything someone tells me. I just think the article is funny, that is all.
FF is more secure in the sense that there are MANY addons that help make it secure and it has a good popup blocker. Mozilla's staff does a good/fast job patching their software because they are a good company dedicated to fixing their software and producing a good product. A lot of companies are fast to patch their software... doesn't mean it's crap or has a lot of issues. No software is perfect.
And who is shooting down FF fanboys? The study by Bit9 must have been done by a bunch of morons, because if FF was the least secure Windows app, the news would be all over the net.
Besides, most people use FF because it's easy to skin and has a ton of addons and ways to customize the browser.
Not trying to be a smart@ss, but I think this is news.....that's why it's being reported on neowin.
Hey, I'm not defending Firefox. Although I believe that it is one of the best browsers and one of the most secure.
Why? Open Source...
Anyone can exploit Firefox's source code... And you ask, is that good? Yeah, 'cause the hackers that exploit FF tell Mozilla about the issues.
I believe that hackers are no criminals. Of course some of them are, but there are lots of great security researchers that work in "freelance".
Just like people say Windows is very vulnerable, but if you keep applying the updates, which comes every patch tuesday (first tuesday of the month) or check web sites like Neowin for emergency patches, you'll stay on top of the issues, and have a very limited chance of being infected.
Mozilla does a great job of releasing updates for issues, just like Windows. Yet both Windows and Firefox are considered vulnerable to hackers, for the people who do not update their product.
The funny thing is Windows is the most popular OS, while Firefox isn't the most popular browser.
http://www.askwoody.com/newscomments.php?newsid=2256
2) The list is sorted by popularity of the applications, not by number of vulnerabilities or seriousness of the vulnerabilities. Therefore Firefox is number one because it is most popular, not the one with the most vulnerabilities. But no matter how I look at it, I don't understand how Firefox ended up as more popular than Adobe Flash. Whether you are talking about IE or Firefox, Adobe Flash will almost definitely be installed.
3) In an enterprise environment that is properly locked down, you will not be able to install Firefox yourself. If you have permission to install Firefox, then you have permission to update Firefox, which is enabled by default, downloads in the background when you use the browser and takes effect with the restart of the browser. Unlike most IE patches, which are scheduled to update and would not take effect unless you restart the computer. I have seen computers in companies which are never patched because they are never turned on during the scheduled patching time, or haven't been rebooted in months because the users persistently refuse to reboot.
This report is clearly skewed to misinform about Firefox.
Last edited by Max Pain on 18 Dec 2008 - 11:57
That's what has me scratching my head.
It has been impossible to logon with MSN Messenger 4.x or 5.0 for years now (unless you have a specific v5.0 build distributed exclusively for 95/NT4). And there has never been a v5.1 of MSN Messenger released.
So I did a search on the CVE, and found the info from Bit9 was incorrect. The vulnerabilities have nothing to do with MSN Messenger at all. They are exclusive to Windows Messenger.
Hardly anyone uses Windows Messenger any more. Before development ceased almost exactly four years ago, Windows Messenger had been re-tooled to be a more corporate-focused IM client, while MSN Messenger (later re-branded Windows Live) was the consumer IM client.
So with very few people using it, how did Windows Messenger crack the top 18 vulnerable apps with Bit9?
There must be some other criteria Bit9 used besides popularity. That would explain why Windows Messenger made the list, and Firefox beat Flash.
What is "Aurigma Image Uploader, Lycos FileUploader" doing on a list of popular software for the enterprise?
Where are they getting the sample population from? Their (probably limited) customer base?
I think they are happy today
I have to agree with Max Pain's comment, especially the first paragraph. SMS and WSUS are MS technology. The world doesn't end with MS, and not including 3rd party technology in the study is really unprofessional. Commercial patch management systems come with a cost, but they exist and should be taken into consideration.