Hahaha….

Let me repeat : They are counting PATCHES and not VULNERABILITIES. It’s THIS simple. Please read dictionary or wikip definitions if you don’t believe me.

Please read their “reports” by putting the right words, and you will see there is no meaning at ALL.

And, oh… other words they mess with : “MS security chief” => “MS public-face-advertising-chief”
“report” => “advertising paper”.

Actually I think you’ll find plenty of serious researchers find it easier to see bugs in assembler rather than in C/C++, so raw binary or source code makes little difference.

Adopting a secure model is one thing. Creating something perfect is another. Either the author of those “dumb ideas” was exagerating or what I just read there is plain dumb. There is no such thing as “unhackable”. Developers are human beings. While it may be hard to introduce great security flaws in something like cp, creating a perfect >10.000 line software is far from possible. As he puts it, I understand that we should spend about 200 hours writing a software and distribute it as soon as it compiles (and it must compile in the first shot, as we adopted a good model, right?). Why, for God’s sake, would anyone want to test software? Oh, one more thing: don’t you dare compare a network to cp. That would be just plain stupid.

pd and Paul:
I’m waiting for a paper describing the flawed model of Firefox and the perfect model of IE (oh, and I would really love to find out how you managed to do that).

“I would argue (with no hard data to back me up of course) that the combination of hackers and security researchers reviewing Microsoft code probably beats the number and quality of eyes reviewing Firefox code, in which case more discovered bugs in IE would be the expected outcome surely?”

Of course, it’s so easy to find vulnerabilities in a binary, while, obviously, having the source code around can only make your life harder on this one. I wonder how many security experts Microsoft has reviewing IE…

“With the larger code churn of a service pack, Microsoft can fix un-exploited vulnerabilities without having to worry as much about putting the rest of their users (including past OSes sometimes) at risk.”

How exactly can you use “un-exploited” there? What makes you think that some other people won’t find the vulnerability independently? If you ask me, they are taking a huge risk if this is true…

A browser is just a gateway to the web. Until governments demand the removal of IE there is no danger of the computer illiterate masses downloading and installing Firefox.

Open source projects are always going to be more transparent regarding bugs. Commercial organisations are likely to get more criticism or be embarrassed by public disclosure of internal defects.

The whole argument about who writes better code, commercial organisations or the open source community is lost if commercial organisations reveal that their software is rushed and buggy.

And whilst I don’t believe that ‘hiding’ security fixes in a new release is a good thing, I do understand the need to roll these things up whereever possible when you have to deal with an enterprise market as well as a home user one. As a home user I will happily enable autoupdate on my machine, so the frequency of patches has little impact on me. But as an enterprise administrator, the last thing I want is a new security patch to test and deploy every couple of days with no particular schedule. This is why Microsoft’s patch Tuesday exists, and rolling patches into a service pack or new release is just an extension of this – balancing risk against convenience for me, the end customer.

I would also be careful at trying to subtly promote the many eyes argument:
‘Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is looking, and how good they are at finding security issues.’
I would argue (with no hard data to back me up of course) that the combination of hackers and security researchers reviewing Microsoft code probably beats the number and quality of eyes reviewing Firefox code, in which case more discovered bugs in IE would be the expected outcome surely?