I was going by the pie chart
http://secunia.com/graph/?type=sol&period=all&prod=4227 they
have on the URL I gave http://secunia.com/product/4227/ .  As
you can see, it states "75% unpatched" which sounds pretty bad
at least as far as percentages go.  That's all I was going by
since I didn't see any actual numbers.  Of course if we are
dealing with low numbers, like 9 out of 12 for example, that's
75% and of course is not as bad as for example another browser
having a "better" "50% patched", yet being 50 out of 100
unpatched which of course is worse.  However, if IE has 19 out
of 77 unpatched, that's only 24% unpatched, but still 10 more
things unpatched than the hypothetical 9 out of 12 example.
Yes, percentages are not everything.
-Clint

God Bless
Clint Hamilton, Owner
http://OrpheusComputing.com
http://ComputersCustomBuilt.com

----- Original Message ----- 
From: "Peter Kaulback"


Sorry Clint but I've yet to find these CVS repositories myself.

As to the security of Firefox over/under IE consider that
Secunia lists FF 1.0 as having 6 of 8 vulnerabilities as
unpatched (1 or more is moderately critical) while IE 6 has 19
of 77 vulnerabilities as unpatched (1 or more is highly
critical), 1 of these is highly critical and is unpatched since
August 2003.

Comparatively IE 6 is far more insecure than FF 1.0, as Secunia
shows that IE 6 has had 15% of 61 vulnerabilities listed as
extremely critical while FF 1.0 has none in that range or the
highly critical range either.

Clint, you should read the advisories completely before passing
judgement, they will serve you more efficiently in the future.

Peter Kaulback

Support-OrpheusComputing.com wrote:
> Maybe someone can explain what "have been fixed in the CVS
> repository" means.  I don't know what good that does those
> that are using FF or Mozilla, unless that means that a
> "nightly build" has the patch in it.  Note that FF is LESS
> SECURE than IE.  75% of FF vulnerabilities have NOT been fixed!
> http://secunia.com/product/4227/
> -------------------------
>
> TITLE:
> Mozilla / Firefox Three Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA14160
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/14160/
>
> CRITICAL:
> Less critical
>
> IMPACT:
> Security Bypass, Cross Site Scripting, Manipulation of data
>
> WHERE:
> From remote
>
> SOFTWARE:
> Mozilla Firefox 1.x
> http://secunia.com/product/4227/
> Mozilla Firefox 0.x
> http://secunia.com/product/3256/
> Mozilla 1.7.x
> http://secunia.com/product/3691/
> Mozilla 1.6
> http://secunia.com/product/3101/
> Mozilla 1.5
> http://secunia.com/product/2478/
> Mozilla 1.4
> http://secunia.com/product/1481/
> Mozilla 1.3
> http://secunia.com/product/1480/
> Mozilla 1.2
> http://secunia.com/product/3100/
> Mozilla 1.1
> http://secunia.com/product/98/
> Mozilla 1.0
> http://secunia.com/product/97/
> Mozilla 0.x
> http://secunia.com/product/772/
>
> DESCRIPTION:
> mikx has discovered three vulnerabilities in Mozilla and Firefox,
> which can be exploited by malicious people to plant malware on a
> user's system, conduct cross-site scripting attacks and bypass
> certain security restrictions.
>
> 1) Mozilla and Firefox validate an image against the "Content-Type"
> HTTP header, but use the file extension from the URL when saving an
> image after a drag and drop event. This can e.g. be exploited to
> plant a valid image with an arbitrary file extension and embedded
> script code (e.g. .bat file) on the desktop by tricking a user into
> performing a certain drag and drop event.
>
> 2) Missing URI handler validation when dragging a "javascript:" URL
> to another tab can be exploited to execute arbitrary HTML and script
> code in a user's browser session in context of an arbitrary site by
> tricking a user into dragging a malicious link to another tab.
>
> 3) An error in the restriction of URI handlers loaded via plugins can
> be exploited to link to certain restricted URIs (e.g. about:config).
>
> This can further be exploited to trick a user into changing some
> sensitive configuration settings.
>
> The vulnerabilities have been confirmed in Mozilla 1.7.5 and Firefox
> 1.0. Other versions may also be affected.
>
> SOLUTION:
> The vulnerabilities have been fixed in the CVS repository.
>
> ORIGINAL ADVISORY:
> 1) http://www.mikx.de/index.php?p=8
> 2) http://www.mikx.de/index.php?p=9
> 3) http://www.mikx.de/index.php?p=10
>
> OTHER REFERENCES:
> 1) https://bugzilla.mozilla.org/show_bug.cgi?id=279945
> 2) https://bugzilla.mozilla.org/show_bug.cgi?id=280056
> 3) https://bugzilla.mozilla.org/show_bug.cgi?id=280664
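
Item 1 of the quoted advisory comes down to validating one thing (the Content-Type) and trusting another (the URL's extension) when writing the file. The sketch below is an added example, not part of the original thread and not Mozilla's actual fix: it shows one way to close that gap by taking the saved extension from the validated content. The function names, the example.test URL and the sample bytes are all constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Magic-byte prefix -> (MIME type, extension to use when saving).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"GIF87a", "image/gif", ".gif"),
    (b"GIF89a", "image/gif", ".gif"),
    (b"\xff\xd8\xff", "image/jpeg", ".jpg"),
]

def sniff_image(body: bytes):
    """Return (mime, ext) from the leading bytes, or None if not a known image."""
    for magic, mime, ext in SIGNATURES:
        if body.startswith(magic):
            return mime, ext
    return None

def safe_save_name(url: str, content_type: str, body: bytes) -> str:
    """Pick the on-disk name for a dragged image (hypothetical helper).

    The extension comes from the validated content, never from the URL,
    so a valid image served as /picture.bat cannot be saved as picture.bat.
    """
    sniffed = sniff_image(body)
    if sniffed is None:
        raise ValueError("body is not a recognised image")
    mime, ext = sniffed
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != mime:
        raise ValueError(f"Content-Type {declared!r} does not match content {mime!r}")
    # Keep only the final path segment and drop whatever extension the URL claimed.
    path = unquote(urlsplit(url).path)
    stem = posixpath.splitext(posixpath.basename(path))[0]
    stem = "".join(c for c in stem if c.isalnum() or c in "-_") or "image"
    return stem + ext

# Constructed sample: a GIF header followed by script text, as in item 1.
SAMPLE_BODY = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;" + b"\r\n@echo off\r\n"
SAMPLE_URL = "http://example.test/images/picture.bat"

if __name__ == "__main__":
    print(safe_save_name(SAMPLE_URL, "image/gif", SAMPLE_BODY))
```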