Slashdot Mirror


Firefox Security Head Says Microsoft Obscures OS Holes

theranjan writes "When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"

3 of 214 comments

  1. Aha! by Anonymous Coward · · Score: 3, Informative

    The only solution is a truly free market economy without the FED and other allied stupidity.

    Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

    I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

    But monopolies are just as bad on the business side as they are on the government side, and there has to be some way to prevent them and break them up. Rather than have a government monopoly to break up business monopolies, I would have some way for citizen lawsuits to do the trick. You have to prevent market domination via rackets like those practiced by Microsoft, or the old AT&T, Standard Oil, etc., or you no longer have a free market.

  2. Mozilla also sits on critical internal bugs by Anonymous Coward · · Score: 1, Informative

    If a critical bug is discovered internally or externally and the reporter does not leak the info, Mozilla will sometimes not push the update for up to 2-3 months. This is not much different from MS policy and gives, according to the blog, "a lot of time for an attacker to identify the same issue and exploit it to hurt users".

  3. Re:And why Microsoft wins... by asa · · Score: 2, Informative

    One thing that worries me about Firefox being open sourced is that hackers are basically "gifted" with the information about the security holes in previous versions, meaning that anyone running the previous versions is more vulnerable until they update, which may be never - especially as there's plenty of people still running Firefox 1.x, not all Linux distros have an auto-update, and earlier versions of FF didn't auto-update either. In this respect, for me, closed source is more secure.

    Actually, Firefox is pretty darn up to date. Our stats show less than 2% of Firefox users are still on 1.5. If your linux distro doesn't do updates, I suggest getting a new linux distro or getting Firefox directly from Mozilla so we can keep you up to date.

    The number of Firefox users who aren't up to date is so tiny compared to the number of IE users who aren't up to date as to be mostly ignored by hackers -- remember that hacking today is a financial enterprise. It's not script kiddies trying to impress their friends, it's organized and profitable crime and targeting a few hundred thousand hard to identify Firefox users wouldn't make any sense to those people.

    We're always working to keep our users up to date and I think our record is extremely good. Our security updates reach 90+% of our users in a matter of days and 99% of our users in a matter of weeks. Our major updates, like from 1.5 to 2, reached 98% of our users in less than a year. How many users are still on IE6 when 7 offers so much more security? Public stats from web analysts put that number between 65 and 75%. If you were building a serious criminal endeavor online, would you target hundreds of thousands of users or hundreds of millions?

    - A