Comments on: Apples, Oranges, and the truth

By: Tim

Tim — Fri, 07 Dec 2007 19:46:54 +0000

I just thought I’d point out the quote says “..the other browsers we compared.”, which may mean they did not include Firefox. Just as the information was not shared that the report was generated by an MS employee, it also doesn’t disclose what the “other” browsers were.

By: Schrep

Schrep — Mon, 03 Dec 2007 18:53:17 +0000

Nilotpal – we definitely believe in “responsible disclosure” which means the vulnerability should be disclosed first to the vendor to give them a chance to fix it before it is made public. However, we open up these bug reports once the fix is out, so that users, partners, and researchers can understand and verify the fix. We also open it if the issue becomes public before it is fixed. In addition, access to these bugs is provided the security group at Mozilla which includes trusted individuals and organizations outside of Mozilla who can help analyze, verify, and audit our work.

This means if we find and fix a security issue internally we still report it and open the bug and MSFT does not. This makes counting vulnerabilities meaningless since you are missing every internally found and fixed bug in MSFT’s case but not ours.

By: Paul

Paul — Mon, 03 Dec 2007 18:48:45 +0000

OBS: this blog doesn’t handle new lines correctly. Anyway, you said: “Bug counts are meaningless, what matters is whether you are at risk or not.”

That phrase remembers me of Ranum’s 3rd Dumbest Ideas in Computer Security.
http://www.ranum.com/security/computer_security/editorials/dumb/.

It reads: “The premise of the vendors is that they are doing the right thing by pushing out patches to fix the bugs before the hackers and worm-writers can act upon them. Both parties, in this scenario, are being dumb because if the vendors were writing code that had been designed to be secure and reliable then vulnerability discovery would be a tedious and unrewarding game, indeed!…

One clear symptom that you’ve got a case of “Penetrate and Patch” is when you find that your system is always vulnerable to the ‘bug of the week’…

Your software and systems should be secure by design and should have been designed with flaw-handling in mind.”

Basically what he is saying is that risk management is for hairy pointy bosses and that programmers should focus on security engineering.

I bet you agree that wu-ftpd is NOT more secure than djb’s “publicfile” or Postfix. Now substitute wu-ftp in that phrase by Firefox and publicfile by IE. Yes, what I am meaning is that maybe IE is getting as secure has DJB’s softwares and Firefox is getting has insecure as wu-ftp.

And independent of the number of vulnerabilities that IE has, what matters and what I want you to explain me is why Firefox has too many? Is it bad programming pratices or what?

Because while a low number of vulnerabilities is not a symptom of security, a high number is a symptom of insecurity. Now, tell again, how many vulnerabilities Firefox has? That’s penetrate and patch.

Why aren’t you writing code like Wietse Venema or Dan Bernstein?

PS: And I am actually an Firefox user, but I am just not happy patching my browser once a week.

By: CableGuy

CableGuy — Mon, 03 Dec 2007 12:38:00 +0000

Wow! One more great Microsoft study.

By: ktk

ktk — Sun, 02 Dec 2007 20:40:07 +0000

In your analysis of the operation of the Microsoft bug database you of course neglect to mention how Mozilla declares vulnerabilities “private” until they can fix them, thus denying the average user the ability to figure out if they are at risk – which I assume is the angle from where you were criticizing Microsoft.

By: Nilotpal

Nilotpal — Sun, 02 Dec 2007 18:43:55 +0000

Good to see this. I myself had done an analysis of the days unfixed numbers a few months back and had found IE to be more insecure and posted it on my blog, and was going to reanalyse but I suppose this page makes that unnecessary. And I appreciate your honesty in including Opera numbers in your analysis, reinforcing my belief in the transparency and security of Firefox. I would also like to point out that the whole point of vulnerability patching is preventive, it prevents exploits. These low numbers for IE have not actually prevented zero day exploits, have they? How about starting an “actual days of risk” study where user exposure to exploits inspite of using a fully patched product is used!

By: Schrep

Schrep — Sat, 01 Dec 2007 22:52:04 +0000

There were two issues:

https://bugzilla.mozilla.org/show_bug.cgi?id=389106

In which we were not escaping quotes (there seems to be some disagreement as to how the RFC’s state whether this is dangerous).

https://bugzilla.mozilla.org/show_bug.cgi?id=389580

Is changes in the behavior to ShellExec with IE7 installed. The fix for 389106 migated the known attacks for 389580. My point in the post that 389580 was believed to be a windows problem but wasn’t fixed for some time.†

By: Eric

Eric — Sat, 01 Dec 2007 19:37:34 +0000

You are misleading your readers.

There were ~two~ URI vulnerabilities, one in Firefox (expecting quotes), and one in Windows (ShellExec failed to check failures in URI parsing). There was no relationship between the two.

By: funTomas

funTomas — Sat, 01 Dec 2007 05:50:23 +0000

It’s hard to improve one’s reputation however “don’t be evil” is a must. Will MS get it?