backtop


Print 95 comment(s) - last by Tomcatter.. on Dec 9 at 11:55 PM

A recent Microsoft took a rather insulting stab at Mozilla, so the open-source firm decide to do some trash talking of its own.

Mozilla is all hustle and bustle these days, trying to fix the remaining bugs before it rolls out its final release of the third iteration of its popular Firefox browser.

Perhaps catching wind of the press on these bugs, Microsoft released a security report on November 30, titled "Internet Explorer and Firefox Vulnerability Analysis".  The report, which examined the quantity and threat level of vulnerabilities within the two browsers, came out very strongly skewed in Microsoft's favor.  It reported that Internet Explorer experienced fewer threats across all security levels (low, medium, and high) than Firefox.  It also reported that Mozilla had to fix 199 security vulnerabilities, while in the same period of time Microsoft only had to fix 87.

Microsoft products are not always known as secure platforms, largely because they are the market leader and the biggest target for malicious attacks.  Not so, the report indicates, when it comes to Internet Explorer.

The report was produced by Microsoft's Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group and is available, here.

Mozilla's Mike Shaver had some choice words in response to the report.

"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," he said, said left handedly comparing Internet Explorer to a festering tooth.

He continued, "It's something you'd expect from maybe an undergrad.  It's very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, they're somehow less secure."

Shaver says the analysis is lazy and possibly "malicious."

He does raise a valid point that Microsoft often lump several security issues together into a single "threat" that gets fixed irregularly with the arrival of the service pack.  Shaver points out that Mozilla has constantly been working to roll out fixes far more quickly than Microsoft's.  Shaver explains:
"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability 'counted' for, say, seven defects repaired. Or maybe you don't hear about it at all, because it was rolled into SP2 and they didn't make any noise about it."

Shaver says in his blog, that we would have to be in a "parallel universe" for Microsoft to even "approach Mozilla's standard of transparency.”

In an interview with eWeek, he continued to vent, saying, "The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week;  those are the things we measure and talk about publicly. Reports like [Jones'] really point the industry in a dangerous direction, which is to say you're [given an incentive] to keep [browser security fixes] quiet. That doesn't keep you safer, it just helps companies hide the real nature of what they're doing."

Earlier last month Jones had published a report on how Windows Vista was far less vulnerable than Leopard OS X or most Linux OS distributions.

Many will be sick of Microsoft and Mozilla's bickering, but when they attack each other so publicly, it’s simply hard to ignore.  This is unfortunate as it simply leaves the user feeling less secure and unsure of who to trust.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Chuck Norris>Opera> All other browsers
By Etsp on 12/3/2007 4:00:40 PM , Rating: 5
Those "rendering errors" are in fact, not errors. Items are displayed in a way that is much closer to the HTML standard. When you see a "rendering error" it is in reality, a page that was designed poorly with the general aim to get around the rendering errors in IE.

All browsers other than IE are often accused of not being able to render a page properly, when the truth is the reason the pages appear different is because these other browsers don't share in IE's deficiencies, which has sadly created it's own standard via brute force.


RE: Chuck Norris>Opera> All other browsers
By TomZ on 12/3/07, Rating: -1
RE: Chuck Norris>Opera> All other browsers
By tjwolf on 12/3/2007 9:14:38 PM , Rating: 5
It isn't a broad generalization just because you say it is. And you're telling us what the 'reality' is by simply giving 'broad generalizations' yourself.

Just about everyone who does Web development and who is familiar with HTML standards knows that IE has almost always been the least compliant of the major browsers. But lately there isn't *that* much of a difference, afaik (see below why).

Your comment about IE only straying from the path in the development of ActiveX and ActiveX being a "powerful and elegant solution" kind of gives away your "MS fanboy" status: ActiveX is a Microsoft product that goes against the grain of what the Web was designed for: the exchange of information among all its users. As ActiveX is an IE-only feature, people who employ it purposely exclude anyone who doesn't use IE. Furthermore, ActiveX is one of the reasons why IE is so insecure in the first place!

You describe people who have a negative view of ActiveX as "lay people". I am not such a person - I've designed Web based software since Mosaic 1.0 came out (around 1993)- I say ActiveX is bad technology whose primary goal was/is to push the Web into a proprietary (i.e. Microsoft-controlled) direction. It did/does so by luring lazy web developers with "easy, pre-built functionality" - never mind the security issues and the fact that the resulting application can only run on IE.

Thankfully, and partially due to the existence of alternative browsers, this has not worked. ActiveX is on the wane - being replaced by truly cross-platform solutions (e.g. HTML/CSS/AJAX/SVG/Java/Flash, etc.)


RE: Chuck Norris>Opera> All other browsers
By TomZ on 12/3/07, Rating: -1
By robinthakur on 12/4/2007 5:23:25 AM , Rating: 5
No. in the nicest possible way, you know nothing so please stop talking and misinforming people. I've been designing standards compliant web pages for several years, and IE7, while a big improvement on IE 6 (transparent PNG files anyone?) is not that great as a standards based browser as for example Firefox, Safari or Opera which are all streets ahead and embrace CSS3 standards in a way in which IE7 does not. The number of browser-specific hacks you used to have to work around in IE such as the breakage of the standard box model would have been laughable if it didn't make my life so miserable for so long. The problem in IE7 is a lack of innovation. If only they accepted the latest and greatest web standards agreed by the W3C then I would welcome it with open arms. The fact that the most widely used web browser's development effectively stalled around version 5-6 means that we are still using standards which are years out of date purely because nobody feels that they are safe to use them as there isn't enough support. Its not a proprietary thing.
As for Active X controls, are you even being serious?!? Do you actually work for Microsoft? Microsoft certainly understood that it needed to do something to stem the flow of developers going over in droves to Sun's java and the coming threat from Flash. I think when you say it was powerful, you mean it was insecure because that's what most developers remember about Active X, not the ease of implementation.
If everyone developed in XHTML and CSS and embraced the new powerful CSS3 standards then the world would be a better place [sniff...]
R
T


By retrospooty on 12/3/2007 10:25:47 PM , Rating: 5
"Your comment about IE only straying from the path in the development of ActiveX and ActiveX being a "powerful and elegant solution" kind of gives away your "MS fanboy" status:"

That and the fact that he vigorously defends MS at every step, regardless of logic provided, evidence presented, or anyone else's experience. :D


"So if you want to save the planet, feel free to drive your Hummer. Just avoid the drive thru line at McDonalds." -- Michael Asher














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki