Microsoft claims that the reason IE has the most vulnerabilities is because it's the most popular, not because there is something inherently wrong with IE per se. They argue, if Firefox became the most popular people would start finding vulnerabilities in it and exploit them. Do you agree with this? People often say that with Linux there is very low market penetration so people don't bother writing viruses for it though it is very simple.
Another thing, if software is closed source does that make it generally more secure than open source software? If you have the source code available does this make it easier to find vulnerabilities than closed source?
Microsoft claims that the reason IE has the most vulnerabilities is because it's the most popular, not because there is something inherently wrong with IE per se.
Somewhat true. Those interested in compromising the most machines would sooner search for bugs in popular software than they would in less popular ones.
They argue, if Firefox became the most popular people would start finding vulnerabilities in it and exploit them.
People are finding vulns in Firefox and are writing malware which exploits Firefox, but to a lesser degree.
People often say that with Linux there is very low market penetration so people don't bother writing viruses for it though it is very simple.
There are many exploits for software which runs on Linux and other *nix'es. Remote services sometimes have vulnerabilities that are discovered. Popular software written in badly designed languages like PHP tends to be a very common target as well for attackers interested in compromising servers, and you have local root exploits for just about every Linux kernel version which is not the latest (yet to be discovered).
Another thing, if software is closed source does that make it generally more secure than open source software?
That's not really true. It's perfectly possible to analyze closed source software for vulns. There is much research and many tools for doing this. For example, if you encounter some crash, you can start reverse engineering the application at the state of the crash until you find the cause, and if it's something exploitable, you can make an exploit. There are also static binary analysis tools and many other ways of locating vulnerabilities. Auditing binaries is harder than auditing sources, but those are different topics. Sometimes, auditing a live application can be even easier than understanding a mess of SEPPLES source code.
If you have the source code available does this make it easier to find vulnerabilities than closed source?
Sometimes, but the ways of auditing source code and auditing binaries differ. Having source code just means someone can audit the source without using more unconventional methods involved in auditing binaries.
I don't think it makes a huge difference.
An application's security depends on how it was designed, the libraries used, the language used, and how well the programmers followed their ``best practices'' and how well they know their language/libs/platform. Code auditing and testing can help, but some practices can make programmers more prone to committing some errors. For example, compare the amount of vulnerabilities found in software written in C, C++, PHP, Perl to that in software written in Java/C#, Haskell, Smalltalk, Scheme, Common Lisp.
Name: Anonymous 2010-01-17 11:09
if software is closed source does that make it generally more secure than open source software
If you lock your door, is your house more secure than if you leave it open?
People often say that with Linux there is very low market penetration so people don't bother writing viruses for it though it is very simple.
Viruses (executable infectors) are usually written for desktop platforms where the user runs as an administrator. There are some viruses for Linux, but there's little point in them as people don't run stuff as root as often, nor do they use the box as a desktop OS that often. Linux is used more on servers. If some distro like Ubuntu really becomes a popular alternative for a desktop OS, we might see more of them written, but I doubt it'll happen anytime soon.
Name: Anonymous 2010-01-17 11:15
Another good reason to target IE is that Microsoft takes fucking ages to patch security holes sometimes.
Name: Anonymous 2010-01-17 11:38
I doubt it'll happen anytime soon
2010 YOTLD !
Name: Anonymous 2010-01-17 11:38
In terms of security issues per user, MSIE is the most secure browser.
Name: Anonymous 2010-01-17 11:42
security issues per user
Unique issues or total issues? The former I'll believe, but not the latter.
if software is closed source does that make it generally more secure than open source software
No, security comes from developers who understand security, not the development process. If OpenBSD was closed source, I doubt it would be less secure thanks to Herr de Raadt.