Read past the headlines - Firefox is fixed faster
01.17.08 - 06:29pm
Secunia released a report this week that discusses a few aspects of the security landscape for 2007. Techworld ran a story based on this report with this headline: “Red Hat and Firefox more buggy than Microsoft.” While the headline is misleading, the Techworld article actually tells an interesting story.
Counting security vulnerabilities to compare the security of different software projects is flawed. It is only a useful metric if you are comparing a project to itself over time. I’ve discussed this topic here and here. It’s even more ridiculous to try to compare an open source bug count to a closed source one, because in an open source project every bug, including those found internally, is visible in the public bug tracker and source history. For a closed source product, like Internet Explorer, you can only see the security issues that were found and disclosed publicly.
So what is interesting in the Techworld article are the measures of real risk to users: how long a publicly known flaw stays unpatched, and how many of them get fixed at all.
“‘[Z]ero-day’ security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer…”
“[I]n an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches, sooner, compared to IE.”
“Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.”
At Mozilla we work as hard as we can to ship fixes as soon as possible to minimize the exposure to our users. It is great to see that the efforts we are making to minimize risk to users are paying off.
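To make the point above concrete, here is an added example (not code from the post, from Mozilla, or from Secunia) that computes the kind of time-to-patch measures the Techworld quotes report, instead of a raw bug count. The records, product names ("browser-a", "browser-b") and the 31 December 2007 cutoff are constructed for illustration and are not real advisory data; the one thing the script adds beyond the quotes is that an issue still unpatched at the cutoff is counted as exposed up to that date, so the total exposure figure is a lower bound rather than being silently dropped.

```python
"""Added example: summarise zero-day exposure per product from
(disclosure date, patch date) records, the way a time-to-fix
comparison does, rather than counting bugs.

All records below are CONSTRUCTED sample data, not Secunia's figures.
"""
from datetime import date
from statistics import median

# End of the reporting period (assumption for this example).
CUTOFF = date(2007, 12, 31)

# Constructed sample: (product, publicly disclosed, patched or None if still open).
SAMPLE = [
    ("browser-a", date(2007, 2, 5), date(2007, 2, 13)),
    ("browser-a", date(2007, 3, 20), date(2007, 3, 28)),
    ("browser-a", date(2007, 6, 1), date(2007, 6, 10)),
    ("browser-a", date(2007, 7, 15), date(2007, 9, 3)),
    ("browser-a", date(2007, 10, 2), None),
    ("browser-b", date(2007, 1, 10), date(2007, 4, 5)),
    ("browser-b", date(2007, 5, 22), None),
    ("browser-b", date(2007, 8, 30), None),
]


def exposure_days(disclosed, patched, cutoff=CUTOFF):
    """Days users were exposed to a publicly known flaw.

    An unpatched issue is still open, so its window runs to the cutoff;
    callers treat that as a lower bound, not a fix time.
    """
    end = patched if patched is not None else cutoff
    if end < disclosed:
        raise ValueError("patch date precedes disclosure date")
    return (end - disclosed).days


def summarize(records, cutoff=CUTOFF):
    """Per-product time-to-patch summary.

    Returns a dict keyed by product with: number reported, number patched,
    fastest and median fix time (None if nothing was patched), how many were
    fixed within 14 days, how many are still open, and total exposure-days
    (a lower bound whenever anything is still open at the cutoff).
    """
    buckets = {}
    for product, disclosed, patched in records:
        b = buckets.setdefault(product, {"fix": [], "open": []})
        days = exposure_days(disclosed, patched, cutoff)
        (b["fix"] if patched is not None else b["open"]).append(days)

    result = {}
    for product, b in buckets.items():
        fixed = b["fix"]
        result[product] = {
            "reported": len(fixed) + len(b["open"]),
            "patched": len(fixed),
            "fastest_fix_days": min(fixed) if fixed else None,
            "median_fix_days": median(fixed) if fixed else None,
            "fixed_within_14_days": sum(1 for d in fixed if d <= 14),
            "still_open": len(b["open"]),
            "exposure_days_lower_bound": sum(fixed) + sum(b["open"]),
        }
    return result


if __name__ == "__main__":
    for product, s in sorted(summarize(SAMPLE).items()):
        print(product, s)
```

On the constructed sample a plain bug count ranks "browser-a" worse (5 reported versus 3), while the exposure measures tell the opposite story: four of its five issues were fixed, three within 14 days, against one fix and two issues still open for "browser-b". Any real comparison would still need the severity of each issue alongside these numbers.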
Isn’t it equally flawed to compare a product with one that controls over 80% of the market and nearly 100% in business environments?
“Counting security vulnerabilities to compare the security of different software projects is flawed.”
Do you mean that to compare the number of vulnerabilities in BIND and in DJBDNS is useless? To compare Qmail vulnerabilities to Sendmail is useless? To compare WU-ftp vulnerabilities to vsftp is useless?
“It’s even more ridiculous to try and compare an open source bug count to a closed source project because you can see all the bugs in an open source project.”
So maybe Mozilla should release a report stating what vulnerabilities are found internally and externally. How many of those 64 Mozilla vulnerabilities were found internally? Subtract that from the total and compare this number to IE. Now you are comparing apples to apples.
“So what is interesting in the Techworld article is the measures of real risk to users”
There’s actually NO risk for IE users due to those 10 IE vulnerabilities in Secunia’s report. They are all “not critical” or “less critical”.
I keep hearing/reading about how Firefox is the most secure browser. While I am not disputing this assertion, I certainly have some reservations about FF. First, when I download FF, I can’t figure out where to validate the download via md5 or sha1. Are these hash values even available to help verify that I got an authentic version of FF? If they are available, why do you insist on “hiding” them. There should be a link to the secure hash values on the very same page as the link to download FF. I should not have to do a web search to find such info. The URL I went to to D/L FF is http://www.mozilla.com/en-US/firefox/
Nowhere on this page is a link to a secure hash. Clicking the D/L link takes me to the following URL:
http://www.mozilla.com/en-US/products/download.html?product=firefox-2.0.0.11&os=linux&lang=en-US
Nowhere on this page is a link to a secure hash.
I had an older version of FF and did Help->check for updates. I had a packet sniffer running while the updates were being performed. Two IP addresses from which I received a ton of data from while doing the update were 203.200.188.111 and 205.188.226.54. Running whois tells me that 203.200.188.111 belongs to “Asian Pacific Network Information Center” and 205.188.226.54 belongs to AOL. Why would I be getting FF updates from these two entities? How do I verify that I don’t have a rogue program that looks & feels like FF?
Hi Firefox. I have been on the Internet since 1995! I used Internet Explorer for the first 3/5 years, then Netscape 3, that was in 1996. Then Neoplanet, Opera and now Firefox. What a pleasure working with Firefox.
Started only in 1998 with Norton Virus scanner! Now using Trend-Micro for the past 5 years!
The upgrades of Firefox are more frequent than IP!
Thanks a lot from Newcastle, South Africa.
Ps, first 9 years using the Net in the Netherlands.