Firefox Security Head Says Microsoft Obscures OS Holes
theranjan writes "When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"
Accept it from vulnerability-scanning company Qualys then.
Study: 'Huge jump' in Microsoft flaws since last year

"We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sarwate, manager of Qualys's vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007."

http://news.zdnet.com/2424-9595_22-178018.html
"I've got more toys than Teruhisa Kitahara."
The problem is that Joe Sixpack doesn't understand the problem and/or doesn't care. In theory we've paid Microsoft for an OS that *should* have security as a core competency. Microsoft claims to provide a safe, secure OS, such that Joe Sixpack shouldn't have to worry about security holes. At the very least they're guilty of leaving open security holes that they KNOW about and COULD fix in a security patch, but deliberately don't in order to make their product look better (since the number of security patches put out on Patch Tuesday is something Joe Sixpack can understand, being that more patches = less secure is the only understanding needed.)
There's no excuse for delaying a security patch, even a couple weeks. They have the ability to patch vulnerabilities in a timely fashion, and are deliberately not doing so.
This should end up being a class action. Normally I'm not crazy about lawsuits, but there are far too many people and enterprises affected by this issue, and a multi-billion dollar settlement will definitely get everyone's attention. When the stockholders end up making less money as a result of the one-time charge, they'll demand that MS do something to keep it from happening again. Money is all they care about, and they'll scream bloody murder.
Hmm, maybe the stockholders (read: the fund managers) should sue. There's certainly precedent for them to do so.
Never underestimate the power of stupid people in large groups.