Mozilla is all hustle and bustle these days, trying to fix
the remaining bugs before it rolls out its final release of the third
iteration of its popular Firefox browser.
Perhaps catching wind of the press on these bugs, Microsoft released a security
report on November 30, titled "Internet Explorer and Firefox Vulnerability
Analysis". The report, which examined the quantity and threat level
of vulnerabilities within the two browsers, came out very strongly skewed in
Microsoft's favor. It reported that Internet Explorer experienced fewer
threats across all security levels (low, medium, and high) than Firefox.
It also reported that Mozilla had to fix 199 security vulnerabilities, while in
the same period of time Microsoft only had to fix 87.
Microsoft products are not always known as secure platforms, largely because
they are the market leader and the biggest target for malicious attacks.
Not so, the report indicates, when it comes to Internet Explorer.
The report was produced by Microsoft's Jeff Jones, a security strategy director
in Microsoft's Trustworthy Computing group, and is available here.
Mozilla's Mike Shaver had some
choice words in response to the report.
"Just because dentists fix more teeth in America doesn't mean our teeth
are worse than in Africa," he said, left-handedly comparing Internet
Explorer to a festering tooth.
He continued, "It's something you'd expect from maybe an undergrad.
It's very disappointing to see somebody in a senior security position come out
and say that because an organization is more transparent about their bugs and
fixing them, they're somehow less secure."
Shaver says the analysis is lazy and possibly "malicious."
He does raise a valid point: Microsoft often lumps several security issues
together into a single "threat" that gets fixed irregularly, with the
arrival of a service pack. Shaver points out that Mozilla has
consistently worked to roll out fixes far more quickly than Microsoft. Shaver explains:
"If Mozilla wanted to do better than Microsoft on this report, we would
have an easy path: stop fixing and disclosing bugs that we find in-house. It is
well known that Microsoft redacts release notes for service packs and bundles
fixes, sometimes meaning that you get a single vulnerability 'counted' for,
say, seven defects repaired. Or maybe you don't hear about it at all, because
it was rolled into SP2 and they didn't make any noise about it."
Shaver says in his blog that we would have to be in a "parallel
universe" for Microsoft to even "approach Mozilla's standard of
In an interview
with eWeek, he continued to vent, saying, "The vast majority [of
the Firefox user base] is updated to the most secure version of Firefox in less
than a week; those are the things we measure and talk about publicly.
Reports like [Jones'] really point the industry in a dangerous direction, which
is to say you're [given an incentive] to keep [browser security fixes] quiet.
That doesn't keep you safer, it just helps companies hide the real nature of
what they're doing."
Earlier last month Jones had published a report on how Windows
Vista was far less vulnerable than Leopard OS X or most Linux OS
Many will be sick of Microsoft and Mozilla's bickering, but when they attack
each other so publicly, it is hard to ignore. This is unfortunate,
as it simply leaves the user feeling less secure and unsure of whom to trust.
quote: In summary, jump through a lot of hoops while suggesting the user is at fault.
quote: No, the user of a general purpose monopoly OS merely surfing the web should not have to be a security guru, and indeed it is fairly clear most are not, so they are the target users, the standard against which a general purpose browser must be designed.