Symantec adjusts browser bug count

A new report issued Tuesday by Symantec seeks to satisfy users of both Mozilla's Firefox browser and Microsoft's Internet Explorer (IE).

In its latest Internet Security Threat Report, covering the last six months of 2005, the company now features two different ways of counting browser bugs: one that finds IE has the most vulnerabilities, and a second that reports Firefox as the bug-leader.

Firefox had the highest number of "vendor-confirmed" vulnerabilities, with 13 bugs reported during the six months covered by the report, compared to IE's 12, said Dave Cole, a director with Symantec Security Response.

However, the latest report also includes a count of bugs found by security researchers that have not been confirmed by Microsoft or the Mozilla Foundation, which owns Mozilla. By that count, IE had the most security issues: 24, compared to Firefox's 17.

Symantec decided to begin counting the unconfirmed bugs "partially in response" to feedback from the Mozilla team after it published its previous report in September 2005. That report counted only confirmed bugs: 18 for Firefox and 13 for IE.

"We said, 'O.K. for the next report we'll look at them both,'" Cole said. "It's something we might have looked at anyway."

The report caused a stir amongst Firefox fans, who have long considered their browser more secure than IE.

At the time the Mozilla Foundation criticized Symantec's methodology, saying that counting only the number of confirmed flaws skewed things in Microsoft's favor, because the software vendor tends to group several vulnerabilities together, while Mozilla announces each one individually.

Cole would not say which browser Symantec considers to be the most secure. "The reality is, if there's enough motivation there, people are going to find some way to get in," he said. "The concept of the impervious technology is really a mistaken one."

Mozilla and Microsoft representatives were unavailable to comment.

The security company also found that denial-of-service (DOS) and phishing attacks continued to rise. DOS attacks were up 51 percent from the first half of the year, Cole said. On average, there were 1,400 such attacks each day.

Symantec also tracked a "dramatic growth in phishing," and blocked 1.5 billion phishing messages during the period, up 44 percent from the first half of the year.