
A recent Microsoft report took a rather insulting stab at Mozilla, so the open-source firm decided to do some trash talking of its own.

Mozilla is all hustle and bustle these days, trying to fix the remaining bugs before it rolls out its final release of the third iteration of its popular Firefox browser.

Perhaps catching wind of the press on these bugs, Microsoft released a security report on November 30, titled "Internet Explorer and Firefox Vulnerability Analysis".  The report, which examined the quantity and threat level of vulnerabilities within the two browsers, came out very strongly skewed in Microsoft's favor.  It reported that Internet Explorer experienced fewer threats across all security levels (low, medium, and high) than Firefox.  It also reported that Mozilla had to fix 199 security vulnerabilities, while in the same period of time Microsoft only had to fix 87.

Microsoft products are not always known as secure platforms, largely because they are the market leader and the biggest target for malicious attacks.  Not so, the report indicates, when it comes to Internet Explorer.

The report was produced by Microsoft's Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, and is available here.

Mozilla's Mike Shaver had some choice words in response to the report.

"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," he said, left-handedly comparing Internet Explorer to a festering tooth.

He continued, "It's something you'd expect from maybe an undergrad.  It's very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, they're somehow less secure."

Shaver says the analysis is lazy and possibly "malicious."

He does raise a valid point that Microsoft often lumps several security issues together into a single "threat" that gets fixed irregularly with the arrival of the service pack.  Shaver points out that Mozilla has constantly been working to roll out fixes far more quickly than Microsoft.  Shaver explains:
"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability 'counted' for, say, seven defects repaired. Or maybe you don't hear about it at all, because it was rolled into SP2 and they didn't make any noise about it."

Shaver says in his blog that we would have to be in a "parallel universe" for Microsoft to even "approach Mozilla's standard of transparency."

In an interview with eWeek, he continued to vent, saying, "The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week;  those are the things we measure and talk about publicly. Reports like [Jones'] really point the industry in a dangerous direction, which is to say you're [given an incentive] to keep [browser security fixes] quiet. That doesn't keep you safer, it just helps companies hide the real nature of what they're doing."

Earlier last month Jones had published a report on how Windows Vista was far less vulnerable than Leopard OS X or most Linux OS distributions.

Many will be sick of Microsoft and Mozilla's bickering, but when they attack each other so publicly, it’s simply hard to ignore.  This is unfortunate as it simply leaves the user feeling less secure and unsure of who to trust.

Comments


Perhaps but...
By FITCamaro on 12/3/2007 3:43:37 PM , Rating: 2
"The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week;

While this may be true, you don't have many vast corporations using Firefox as the company approved web browser. The majority of Firefox users are people who use it on their own time. I have Firefox installed at work, but I don't use it for any company-related task as the sites generally don't even work on Firefox. Our company intranet site doesn't. Our timecard system doesn't.

There's a big leap when a browser goes from being popular to being supported by large corporations. Firefox hasn't gotten there yet. Not because it's a bad browser. Just because companies have invested time to develop their apps for IE since it was the standard for years, and they don't want to spend the money to redo their sites. Now granted, they wouldn't have to if Microsoft didn't do its own thing with IE. If IE followed all web language standards, sites that worked in IE would work the same in Firefox and vice versa.

RE: Perhaps but...
By mechBgon on 12/3/2007 3:54:47 PM , Rating: 4
IE is also manageable by design. It can be mass-audited across one's fleet using Microsoft Baseline Security Analyzer to see if the systems are up-to-date. It can be centrally mass-updated when (and only when) the I.T. staff want it to be updated, using WSUS. Browser settings, including add-on restrictions and security/privacy options, can be mandated by I.T. using local or domain Group Policy, whether the computers' users feel like cooperating or not.

I think designed-in manageability is one reason IE will continue to be very popular in the corporate arena.

RE: Perhaps but...
By Clauzii on 12/3/2007 3:56:31 PM , Rating: 2
Adding new themes and plug-ins in FF should be made possible only on the administrator's demand.


Copyright 2015 DailyTech LLC.