95 comment(s) - last by Tomcatter on Dec 9 at 11:55 PM

A recent Microsoft report took a rather insulting stab at Mozilla, so the open-source firm decided to do some trash talking of its own.

Mozilla is all hustle and bustle these days, trying to fix the remaining bugs before it rolls out its final release of the third iteration of its popular Firefox browser.

Perhaps catching wind of the press on these bugs, Microsoft released a security report on November 30, titled "Internet Explorer and Firefox Vulnerability Analysis".  The report, which examined the quantity and threat level of vulnerabilities within the two browsers, came out very strongly skewed in Microsoft's favor.  It reported that Internet Explorer experienced fewer threats across all security levels (low, medium, and high) than Firefox.  It also reported that Mozilla had to fix 199 security vulnerabilities, while in the same period of time Microsoft only had to fix 87.

Microsoft products are not always known as secure platforms, largely because they are the market leader and the biggest target for malicious attacks.  Not so, the report indicates, when it comes to Internet Explorer.

The report was produced by Microsoft's Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, and is available here.

Mozilla's Mike Shaver had some choice words in response to the report.

"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," he said, left-handedly comparing Internet Explorer to a festering tooth.

He continued, "It's something you'd expect from maybe an undergrad.  It's very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, they're somehow less secure."

Shaver says the analysis is lazy and possibly "malicious."

He does raise a valid point that Microsoft often lumps several security issues together into a single "threat" that gets fixed irregularly with the arrival of a service pack, so a count of published fixes says as much about disclosure practice as about the number of underlying defects. Shaver points out that Mozilla has constantly been working to roll out fixes far more quickly than Microsoft. Shaver explains:
"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability 'counted' for, say, seven defects repaired. Or maybe you don't hear about it at all, because it was rolled into SP2 and they didn't make any noise about it."

Shaver says in his blog that we would have to be in a "parallel universe" for Microsoft to even "approach Mozilla's standard of transparency."

In an interview with eWeek, he continued to vent, saying, "The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week;  those are the things we measure and talk about publicly. Reports like [Jones'] really point the industry in a dangerous direction, which is to say you're [given an incentive] to keep [browser security fixes] quiet. That doesn't keep you safer, it just helps companies hide the real nature of what they're doing."
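The two measurement problems Shaver raises, fixes bundled into one counted "vulnerability" and the incentive to stop disclosing in-house finds, are easy to see with a small worked example. The script below is added here for illustration and is not part of the article or of the Jones report; the advisory records are constructed sample data with made-up vendor names ("bundler" and "discloser"), severities, defect counts and days-to-fix, and the function names are my own. It tallies the same data three ways: one count per published advisory (the headline method), one count per repaired defect, and the advisory count with in-house finds withheld, alongside the median time each vendor takes to ship a fix.

```python
from collections import Counter
from statistics import median

# Constructed sample data (NOT figures from the Jones report): one record per
# vendor advisory. "defects" is how many distinct bugs the advisory repaired,
# "days_open" is the time from the vendor learning of the bug to the fix
# shipping, and "in_house" marks bugs the vendor's own engineers found.
ADVISORIES = [
    # "bundler" ships few advisories, each rolling up several defects.
    {"vendor": "bundler", "severity": "high",   "defects": 7, "days_open": 140, "in_house": False},
    {"vendor": "bundler", "severity": "high",   "defects": 3, "days_open": 95,  "in_house": False},
    {"vendor": "bundler", "severity": "medium", "defects": 5, "days_open": 180, "in_house": True},
    {"vendor": "bundler", "severity": "low",    "defects": 4, "days_open": 210, "in_house": True},
    # "discloser" publishes one advisory per defect, including its own finds.
    {"vendor": "discloser", "severity": "high",   "defects": 1, "days_open": 9,  "in_house": False},
    {"vendor": "discloser", "severity": "high",   "defects": 1, "days_open": 12, "in_house": True},
    {"vendor": "discloser", "severity": "medium", "defects": 1, "days_open": 6,  "in_house": True},
    {"vendor": "discloser", "severity": "medium", "defects": 1, "days_open": 15, "in_house": False},
    {"vendor": "discloser", "severity": "medium", "defects": 1, "days_open": 4,  "in_house": True},
    {"vendor": "discloser", "severity": "low",    "defects": 1, "days_open": 20, "in_house": True},
    {"vendor": "discloser", "severity": "low",    "defects": 1, "days_open": 11, "in_house": True},
    {"vendor": "discloser", "severity": "low",    "defects": 1, "days_open": 3,  "in_house": True},
]


def _select(vendor, include_in_house):
    """Yield one vendor's advisories, optionally hiding in-house finds."""
    for adv in ADVISORIES:
        if adv["vendor"] == vendor and (include_in_house or not adv["in_house"]):
            yield adv


def count_advisories(vendor, include_in_house=True):
    """Headline method: one 'vulnerability' per published advisory, by severity."""
    counts = Counter()
    for adv in _select(vendor, include_in_house):
        counts[adv["severity"]] += 1
    return dict(counts)


def count_defects(vendor, include_in_house=True):
    """Undo the bundling: one count per distinct defect repaired, by severity."""
    counts = Counter()
    for adv in _select(vendor, include_in_house):
        counts[adv["severity"]] += adv["defects"]
    return dict(counts)


def median_days_open(vendor):
    """Median days from report to shipped fix, the metric Shaver says matters."""
    return median(adv["days_open"] for adv in _select(vendor, True))


def total(counts):
    """Sum a per-severity dict into a single headline number."""
    return sum(counts.values())


if __name__ == "__main__":
    for vendor in ("bundler", "discloser"):
        print(f"{vendor}:")
        print("  advisories counted       ", total(count_advisories(vendor)), count_advisories(vendor))
        print("  defects actually repaired", total(count_defects(vendor)), count_defects(vendor))
        print("  advisories, in-house hidden",
              total(count_advisories(vendor, include_in_house=False)))
        print("  median days to fix       ", median_days_open(vendor))
```

On this constructed data the per-advisory tally shows the bundling vendor with half as many "vulnerabilities" as the disclosing one (4 against 8), while the per-defect tally reverses the picture (19 against 8), and the disclosing vendor could cut its own headline number from 8 to 2 simply by withholding in-house finds. Only the days-to-fix column reflects how long users were actually exposed, which is the point of comparing on time-to-patch rather than on raw counts.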

Last month Jones had published a report arguing that Windows Vista was far less vulnerable than Mac OS X Leopard or most Linux distributions.

Many will be sick of Microsoft and Mozilla's bickering, but when they attack each other so publicly, it's hard to ignore. This is unfortunate, as it leaves the user feeling less secure and unsure of whom to trust.



Comments

RE: Sometimes I wish
By TomZ on 12/3/2007 3:42:21 PM , Rating: 2
That's a pretty naive view. In reality, a browser's security is probably a function of the size of its functionality, its popularity in the market, and the number of engineers who are available to perform security audits and to investigate and fix reported and suspected issues.

If I were to look into the future, I would guess that as Firefox continues to gain in popularity, it will be attacked more and more by hackers. The question then becomes, if Firefox is for example just as popular as IE, does Mozilla have the resources to keep ahead of the hackers or not, let alone keep ahead of Microsoft. Clearly Microsoft will invest those resources, and we know the hackers will, but will Mozilla? I kind of see it as simple as that.

What I don't see for Mozilla is a huge revenue stream that can be tapped to wage the good war. They have no silver bullet for security that will keep them out of the battle.


RE: Sometimes I wish
By fic2 on 12/3/2007 4:22:45 PM , Rating: 5
quote:
Clearly Microsoft will invest those resources


Why? If Firefox went away tomorrow do you think that MS would invest any more money into IE? MS stopped updating IE when Netscape went away. How many years was it before there was any type of IE release between Netscape going away and FF coming into being? 3? 4? 5 years?


RE: Sometimes I wish
By TomZ on 12/3/2007 4:33:50 PM , Rating: 1
I disagree. Microsoft sees IE as part of the "platform" and has made a commitment to building a more secure platform.

In terms of adding features and functions, I do agree that Microsoft's investment in adding these to IE will be strongest when there is a competitive threat, e.g., the one IE faces today with Firefox. "Competition is good."

But my point really is to ask whether Mozilla can afford to engage in a war against hackers for security issues and against Microsoft for competitive position - at the same time. I don't see a large revenue stream available to Mozilla for these types of activities.


RE: Sometimes I wish
By Alexstarfire on 12/3/2007 5:40:41 PM , Rating: 4
What world do you live in? I don't see Microsoft making their platform THAT much more secure. It seems to me that they only make it secure enough so the majority of the masses doesn't complain about it. I know you can't predict all security threats on a piece of software, but you shouldn't be rolling out multiple updates per month to fix holes.


RE: Sometimes I wish
By TomZ on 12/3/2007 7:21:49 PM , Rating: 2
I guess you don't understand the nature of security threats. First, let me say that for Vista, Microsoft went through and did a lot of security audits and re-wrote a lot of old code to clean up security issues. IE7 and recent releases of Office got the same treatment.

Second, continuous updates are part of the security strategy. The reason is that the threat is continually changing, with hackers coming up with new types of exploits practically daily. Since it is literally impossible to anticipate all future attacks, to some degree it is necessary to fortify code based on emerging attack trends. The updates deliver these changes.

And I agree, Microsoft is not shooting for "perfect" security, because it is not actually possible to achieve that. That is why you see some security problems that are discovered not get updated since the possibility of them being exploited is so low. Microsoft focuses its resources on areas that are important, which is rational and reasonable.


RE: Sometimes I wish
By Targon on 12/3/2007 7:45:42 PM , Rating: 3
The problem still remains that Microsoft has yet to make a significant update to IE in terms of the engine....ever. It's almost impossible to fix problems with the fundamental design of a program by doing these little updates here and there. IE is flawed by design, and many so-called fixes are just work-arounds for that flawed design.


RE: Sometimes I wish
By TomZ on 12/3/07, Rating: 0
RE: Sometimes I wish
By Alexstarfire on 12/3/07, Rating: -1
RE: Sometimes I wish
By Rampage on 12/3/2007 10:35:58 PM , Rating: 5
RE: Sometimes I wish
By LogicallyGenius on 12/3/07, Rating: -1
RE: Sometimes I wish
By Master Kenobi (blog) on 12/4/2007 10:17:12 AM , Rating: 2
You have a rating of 0.8 with only 108 posts. The system prevents you from voting if your rating sinks too low, it's to prevent abuse by bots/trolls/bad people. Make a few posts (they start at 2) that aren't flaming someone, and it will be up past 1.0 in no time and voting works again.


RE: Sometimes I wish
By jamdunc on 12/4/2007 2:28:37 PM , Rating: 2
So how do I vote? Lurked here for ages and finally started posting but still can't work out how to vote :p

How thick am I?


RE: Sometimes I wish
By Master Kenobi (blog) on 12/4/2007 2:39:42 PM , Rating: 2
Well, you can't vote right away (prevents abuse by bots, etc...); you have to post a few times (not sure what the threshold is, but it's something in the range of 25-50). Once you've crossed this threshold you will see the option to mark something as "Worth reading" or "Not worth reading", being an up or down vote respectively. Now if you post in a topic, you will be unable to vote in that same topic, and any votes you had previously will be removed.

You know, as much as these questions get asked, maybe we should write an FAQ :P


RE: Sometimes I wish
By Master Kenobi (blog) on 12/4/2007 2:41:39 PM , Rating: 1
quote:
You know, as much as these questions get asked, maybe we should write an FAQ :P

Sorry, meant to say "add to the FAQ". We have one, but your question isn't covered.


RE: Sometimes I wish
By misuspita on 12/4/2007 3:19:24 PM , Rating: 3
Yep, I think it would be an excellent idea. You just cleared the missing vote mystery here at DT. At least for me. Thanks!


RE: Sometimes I wish
By Ryanman on 12/9/07, Rating: 0
RE: Sometimes I wish
By mmntech on 12/3/2007 8:24:33 PM , Rating: 5
Arguably, IE7 would not have come out when it did if it wasn't for Firefox. A lot of people adopted it in the early days due to the major security holes in IE6. Microsoft's biggest problem in recent years has been a failure to innovate. Competition is the best thing in a market that has long been dominated by monopolies and duopolies.


RE: Sometimes I wish
By GreenyMP on 12/4/2007 10:14:40 AM , Rating: 3
In the Netscape vs. Explorer days browsers evolved quickly. When the competition subsided Microsoft reallocated resources to other projects leaving the browser in almost a maintenance mode. When asked why it was almost abandoned their reply was always, "We provided so many features that were not being used. Finally we decided to let the web catch up." The problem with that approach was that developers became tired of dealing with the same bugs rolling from version to version. (Serious JavaScript memory leaks, select box zIndex issues, etc.) Eventually the market was prime. So along came Firefox with its faster render times, tabbed browsing, and superb development tools (beating Microsoft at their own game). In essence you can thank Microsoft for Firefox.


RE: Sometimes I wish
By Alexstarfire on 12/3/2007 5:38:21 PM , Rating: 2
What you say may be true. I have thought about that quite a bit.

The analogy they use is quite true, but it also completely disregards how bad the teeth are that they have to fix. Fixing a million cavities isn't as bad as having to pull teeth and do root canals.

The same can be said of the amount of vulnerabilities in each browser. I'd rather have 50 low level threats than 1 high level threat. Of course, I'd rather not have threats at all, but nothing is perfect. I'm also curious as to how many vulnerabilities IE would have if they didn't "lump" some of them together. If neither company lumps them together then you can at least see a bit more of the big picture.


RE: Sometimes I wish
By tjwolf on 12/3/2007 8:41:14 PM , Rating: 3
One could argue that yours is the naive view. Obviously security is partially a function of complexity: the more complex the application, the more likely it is to have bugs that can be exploited to circumvent security. But it is also one of design - which you entirely ignore: if one creates an application that only has one door through which exploits can be made, it is obviously more secure than an application which has 100 doors. Firefox doesn't have 1 door, but it has a heck of a lot fewer doors through which exploits can be made than IE with its tight integration with the operating system (via its inane ActiveX and other insecure extensions).

Secondly, you say that security is a function of the number of engineers working on the product to find these problems and assert that Microsoft has more resources to do so. Sure Mozilla is a small organization, but with backing from Google, its financial resources aren't negligible. And since the browser is open source, absolutely anyone can not only help find bugs, they can help fix them! That includes engineers from many of the world's largest companies (including engineers from the aforementioned Google). So, it's pretty obvious to anyone that doesn't cling to the naive notion that it's Mozilla against Microsoft that Firefox development actually has more resources at its disposal than Microsoft.


RE: Sometimes I wish
By TomZ on 12/3/07, Rating: -1
RE: Sometimes I wish
By Zurtex on 12/3/2007 11:44:53 PM , Rating: 5
Mozilla hires about 100 full time staff...

And as for what you say about the rest of people who look over the code, visit bugzilla some time, seriously, it's an amazing place. With the build up to Firefox 3, I've been there a lot, tracking how my bugs have been doing and seeing if there's any others I'd like to have fixed.


RE: Sometimes I wish
By tjwolf on 12/4/2007 11:07:13 AM , Rating: 2
You seem to have heard of the feature called ActiveX (remember - you called it 'powerful' and 'elegant'?) That is a very complex feature - and it doesn't exist in Firefox. Therefore, IE is quite a bit more complex than Firefox. And for no good reason since, as I said, ActiveX shouldn't exist in a Web browser.

Your assertion that most people don't contribute to fixing bugs is based on no knowledge - have you ever gone to the bugzilla web site? Check out how many people file bugs, fix bugs, etc.


RE: Sometimes I wish
By TomZ on 12/4/2007 12:40:30 PM , Rating: 1
ActiveX is actually so simple it's stupid. It is easy to write an app that hosts an ActiveX control. I can't imagine that part adds much complexity to IE.


RE: Sometimes I wish
By tjwolf on 12/5/2007 8:25:17 PM , Rating: 2
You mistake the ease of programming with lack of complexity. ActiveX is a layer which allows access to the entire underlying OS. Therefore, IE with ActiveX carries with it the complexity of the entire Windows OS. That is why it's such a bad design! Any security vulnerability in the OS could, theoretically, be exploited by an attacker through ActiveX.

With regards to ActiveX's ease of use - it's MS' intent: to let every Joe Average program the Web by leveraging the entire OS' capability. Hordes of MS VB script kiddies became instant Web developers (at least Web developers in MS' mind).

...never mind any security concerns or adherence to standards or letting non MS IE users look at your info...


RE: Sometimes I wish
By Pythias on 12/9/2007 3:17:47 AM , Rating: 2
quote:
That's a pretty naive view. In reality, a browser's security is probably a function of the size of its functionality, it's popularity in the market, and the number of engineers who are available to perform security audits and to investigate and fix reported and suspected issues


A browser is only as safe as the actions of the person operating it.


RE: Sometimes I wish
By Tomcatter on 12/9/2007 11:55:07 PM , Rating: 2
quote:
by TomZ on December 3, 2007 at 3:42 PM

quote:
That's a pretty naive view. In reality, a browser's security is probably a function of the size of its functionality, it's popularity in the market, and the number of engineers who are available to perform security audits and to investigate and fix reported and suspected issues.

If I were to look into the future, I would guess that as Firefox continues to gain in popularity, it will be attacked more and more by hackers. The question then becomes, if Firefox is for example just as popular as IE, does Mozilla have the resources to keep ahead of the hackers or not, let alone keep ahead of Microsoft. Clearly Microsoft will invest those resources, and we know the hackers will, but will Mozilla? I kind of see it as simple as that.


Here's the big difference to my mind. If someone hacks Firefox, they've hacked Firefox. But, because of the way Microsoft integrated IE with the operating system to kill off Netscape, if you hack IE, you simultaneously mess up or take control of the operating system as well. This also makes IE a much bigger target and that much harder to fix (when MS chooses to develop fixes).


Copyright 2014 DailyTech LLC.