Todd Spangler writes very good articles on InfoSec.  A recent one is on Mac Safari browser problems.  In it he blithely quotes as fact a comment by Cole of Symantec who is repeating a tired old rumor.

That statement is unsubstantiated, factually wrong and misleading.

H?kon Wium Lie

First of all Opera has been the safest browser for years, it has fewer vulnerabilities, a professional and careful development team, and is more standards compliant than any other browser.  CTO is Hakon Wium Lie, inventor of CSS, and ex systems designer for CERN where code mistakes can ruin experiments costing hundreds of millions.  He is good, his team is good.  In comparison, Microsoft's IE team blunders a lot.

A good article on browsers .

Dave Cole, you are just flat wrong.  Was it a motivated untruth or merely ignorance? 

Cole says the reasons we see browser problems is that they are popular.  He's wrong.  The etiology of browser problems is bad code shipped as product -- sloppy coding practices, bad or missing code reviews, bad or missing policies: bad management -- all describe Microsoft to a Tee.

There's an easy way to show this.  Buffer Overflows are a common vulnerability in Microsoft's products.   Buffer Overflows are entirely the result of untrained coders, no code reviews, poor policies and standards: inferior management. 

What are buffer overflows?

Its really simple, it is when you try to put a quart into a pint bottle.  Buffer overflows are about as simply dumb as that. 

Suppose you have a web page with space for the user's last name.  Your code allows 80 characters for last name.  So far so good.  Now a nasty person comes along and stuffs 30,764 bytes into your last name field (it is easy to do). 

There are two ways to do things, incompetently, as at Microsoft:

1. Browser:  I have the last name.
2. Coder: Put it in the 80 character buffer called lastname.
3. Result: Buffer overflow.
   

Competently, as at Opera:

1. Browser:  I have the last name.
2. Coder: How long is it?
3. Browser: 30,764 bytes.
4. Coder: Send the "Get Stuffed" message to the user.
5. Coder:  Disconnect the arsehole.
6. Result: No buffer overflow.
   

As IBM notes how easy it is for traine d programmers to avoid buffer overflows and summarizes, "Clearly, you would think by now that buffer overflow errors would be obsolete."   [ More info and link popup ]

So how are Microsoft and others doing?  In Mitre's CVE, Common Vulnerabilities and Exposures, database one can lookup buffer overflows, those simple to avoid errors that should have disappeared in the '90s, for Office, Browsers, Email packages and so on.

Microsoft Office has 11 recent buffer overflows:

Buffer overflows from Mitre, search on "openoffice buffer overflow" and compare to a search on  "Microsoft office buffer overflow".  CVE is Common Vulnerabilities and Exposures.

 Microsoft Office:

 OpenOffice.org has 2 recently:

You can do simlar searches for Opera, FireFox and Internet Explorer and get similar results. Microsoft is the worst.  

Is some of the effect because more hackers are looking at MS code?  Perhaps some of it.  However that does not explain how buffer overflows constantly introduced into Microsoft product releases.  The only things that explain buffer overflows are inferior management practices, bad policies and eak or unenforced standards. 

So, Dave Cole, here's a clue: 

No matter how popular the product, vulnerabilities won't be found if they are not introduced by bad code practice.  Buffer overflows show that Microsoft vulnerabilities are incontrovertably the result of bad code practice.

Dave Cole, here's a suggestion:

Stop prating about popularity as the problem is bad coding. Otherwise you will continue to look misinformed and willfully ignorant, or worse.

Why does Symantec publish garbage like this?  Well, even some journalists w ill take it as fact.  That is sufficient reason for the unethical marketeer.

Also, the disinformation bit about no browser being safer than another is very much in Symantec's interests to have people thinking that all code is alike and bad, and there aren't any good code organizations.  That way people will buy the heavily advertised and so far always inferior Norton products (not to mention derivative, that is 'pirated', works and designs).   

If people started looking at reliable, well designed, effective code for, for example for internet security, Symantec and McAfee would be out of business and F-Secure would own the market. 

 I wonder why Todd Spangler printed that Cole crap.