Slashdot Mirror


Firefox Security Head Says Microsoft Obscures OS Holes

theranjan writes "When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"

27 of 214 comments

  1. Well Duh! by suso · · Score: 4, Insightful

    I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

    1. Re:Well Duh! by j.sanchez1 · · Score: 4, Insightful

      I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      --
      Speedy thing goes in; speedy thing comes out.
    2. Re:Well Duh! by suso · · Score: 4, Insightful

      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      No I don't. I think that's a major flaw with publicly traded companies and is one reason why I never want my own company to go public.

      This is also one great thing about OSS, it doesn't have to appease to money for the most part. The other half for open source is probably reputation, but it's the status quo to release vulnerabilities so it's not as big of a deal.

    3. Re:Well Duh! by rolfc · · Score: 3, Insightful

      Of course they are. The idea of the company is to make money, not to make happy customers.

    4. Re:Well Duh! by rudy_wayne · · Score: 3, Insightful

      "The idea of the company is to make money, not to make happy customers."

      Too many people forget that without customers, there is no money and there is no company.

    5. Re:Well Duh! by rolfc · · Score: 5, Insightful

      That is not correct for monopolists, scammers and others. Happy customers is one way to make money, but it is not the only one, and certainly not the most lucrative.

    6. Re:Well Duh! by ePhil_One · · Score: 5, Insightful

      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      And how do paying customers benefit when MS reveals unknown security holes in their products, even after they are patched? It's already believed the unsavory element reverse engineers MS patches looking for ways to exploit vulnerable unpatched systems, so how does MS flagging a patch as "fixes unreleased security vulnerability X" help anyone, including Linux users? By increasing the size of botnets?

      The problem isn't MS hiding its vulnerabilities, it's a fundamentally flawed analysis. No proprietary software company airs its dirty laundry the way open source does; there's no benefit to it. The comparison was apples and oranges.

      --
      You are in a maze of twisted little posts, all alike.
    7. Re:Well Duh! by morgan_greywolf · · Score: 5, Insightful

      This is also one great thing about OSS, it doesn't have to appease to money for the most part.

      I'm sorry. Anyone looking at my post history, personal link, etc., will notice that I'm an open source author in particular and a big advocate of Free/Libre/Open Source Software in general. But this statement just doesn't make much sense.

      When companies invest money, features get added -- features that benefit the company investing the money. For example, there's Google's Summer of Code. And the money that Google invests in the Mozilla Foundation. What's the default search engine in Firefox? Oh, right, Google. What page does Firefox go to by default? A special Google/Firefox start page. What searches are in the default bookmarks? Google's.

      And then there's the fact the open source software authors sometimes work for companies that demand certain things get added...like Andrew Tridgell of Samba who works for IBM's storage division. There's lots of stuff in Samba for IBM's NAS solutions.

      Yes, open source authors definitely listen to their users...but they also know which side of their bread gets buttered.
    8. Re:Well Duh! by Calinous · · Score: 3, Insightful

      As AT&T answered to their customers? Or take any other monopolist, and see how they one day answered to their customers.

      Monopolies answer only to the government, and in these times the US government doesn't seem to want answers from Microsoft.

    9. Re:Well Duh! by BVis · · Score: 3, Interesting

      The problem is that Joe Sixpack doesn't understand the problem and/or doesn't care. In theory we've paid Microsoft for an OS that *should* have security as a core competency. Microsoft claims to provide a safe, secure OS, such that Joe Sixpack shouldn't have to worry about security holes. At the very least they're guilty of leaving open security holes that they KNOW about and COULD fix in a security patch, but deliberately don't in order to make their product look better (since the number of security patches put out on Patch Tuesday is something Joe Sixpack can understand, being that more patches = less secure is the only understanding needed.)

      There's no excuse for delaying a security patch, even a couple weeks. They have the ability to patch vulnerabilities in a timely fashion, and are deliberately not doing so.

      This should end up being a class action. Normally I'm not crazy about lawsuits, but there are far too many people and enterprises affected by this issue, and a multi-billion dollar settlement will definitely get everyone's attention. When the stockholders end up making less money as a result of the one-time charge, they'll demand that MS do something to keep it from happening again. Money is all they care about, and they'll scream bloody murder.

      Hmm, maybe the stockholders (read: the fund managers) should sue. There's certainly precedent for them to do so.

      --
      Never underestimate the power of stupid people in large groups.
  2. touche... by advocate_one · · Score: 3, Funny

    Game, Set, Match... well, I think that's that argument well and truly settled... Microsoft will never dare to use that FUD again...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  3. It's Probably Also Interesting to Note... by explosivejared · · Score: 5, Funny

    ...that the study in question was done in collaboration with the Texas Department of Science Education. The department was called in when MS had concerns over the factual rigor that the test would be subjected to.

    --
    I got a catholic block.
  4. More vulnerabilities fixed != worse sw by redscare2k4 · · Score: 5, Insightful

    Is it just me, or does the Microsoft report (PDF available in the article) just say "Firefox fixes more problems than we do, so that must mean their software has more errors"? That's just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that the Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed that counts. And IMHO Firefox still has a nice edge over MS.

    1. Re:More vulnerabilities fixed != worse sw by jollyreaper · · Score: 4, Insightful

      Is it just me, or does the Microsoft report (PDF available in the article) just say "Firefox fixes more problems than we do, so that must mean their software has more errors"? That's just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that the Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed that counts. And IMHO Firefox still has a nice edge over MS.

      The American cattle industry has very few occurrences of Mad Cow Disease compared with British firms. American firms also test as little as possible, but that's just because our cows are so damn clean. By extrapolation, Microsoft must have clean cows.

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
  5. Not the first time... by Bert64 · · Score: 5, Insightful

    Microsoft have frequently used biased methods for "security comparisons"...

    They have compared the published vulnerabilities between Windows and various Linux distributions, when the same applies as discussed in this article: issues found internally may or may not be fixed, but are not disclosed to the public.

    Also, many Linux distributions typically include a massively larger set of packages than Windows does; a distribution such as Debian or Gentoo supports more packages than Microsoft does across their entire product line.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. Whole section of the report not covered by ta+bu+shi+da+yu · · Score: 5, Insightful

    I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

    --
    XML is like violence. If it doesn't solve the problem, use more.

    1. Re:Whole section of the report not covered by -noefordeg- · · Score: 3, Insightful

      I don't agree.

      Since you don't pay for Firefox, there is really no reason not to upgrade.
      With MS you have to pay for EVERY new version that is released. In my world that is kind of a huge difference. And if you are just talking about IE, well, you really shouldn't be using old versions anyway... :)

  7. Obviously MS is just covering their OS... by kiscica · · Score: 3, Funny

    ... what a bunch of OS-holes.

  8. Re:Pot, kettle, black by ozmanjusri · · Score: 3, Interesting

    I'd accept this from anyone but a Firefox security head.

    Accept it from vulnerability-scanning company Qualys then.

    Study: 'Huge jump' in Microsoft flaws since last year
    "We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawate, manager of Qualys's vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007." http://news.zdnet.com/2424-9595_22-178018.html

    --
    "I've got more toys than Teruhisa Kitahara."
  9. Microsoft wants what's best for you by El+Yanqui · · Score: 4, Funny

    Firefox is spyware. At least according to Microsoft. http://img405.imageshack.us/my.php?image=msasmfph6.gif

    Remove it immediately to prevent harm to your computer and protect your privacy!

    --
    Well, thanks to the Internet, I'm now bored with sex.
  10. Re:Anybody surprised? by mh1997 · · Score: 3, Insightful

    MS products never were the best on the market. They just convinced enough people to buy cheap at a crucial time.
    I don't think MS ever tried to be best in their software. I think they just wanted to be the standard in software.

    Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking. There were 10 or so major players in the word processing market, preventing organizations from sharing documents from one sector to another, not to mention different companies. They, and other companies, ripped off VisiCalc and the desktop graphical user interface, but none were compatible with other brands.

    MS came along and everyone could talk, and thanks to IBM, run the same programs on any brand of computer.

    I think MS modeled itself after McDonald's. Want a good hamburger go to a good restaurant. Want a hamburger that will satisfy your hunger, taste ok at best, but most important, be exactly the same all over the world, go to McDonald's.

  11. Firefox and Windows by tristian_was_here · · Score: 3, Funny

    So basically I have to be running Windows to get the full use of security holes? Why can't my "Free" OS be like Windows?

  12. Re:Anybody surprised? by miffo.swe · · Score: 3, Insightful

    "Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking."

    No, there wasn't prior to MS. The several flavours came about after MS started selling DOS. Most of the other flavours were much better than MS-DOS. NCR DOS 3.2 was the best DOS version of them all because of all the bug hunting NCR did on it. MS-DOS was a dead dog in comparison; the funny thing was that all MS apps ran much better on other DOS versions than on their own. Hence the need to artificially make Windows not work on any other DOS than MS-DOS, which sucked big from day one up until it was dropped.

    Sharing documents was no problem, anything external was sent in .txt mode. Formatting was for when you printed the document, not for just reading it as it has become today.

    MS came along and anyone who had MS-DOS and Microsoft Word (the same version as the one they were communicating with had) could communicate. That's not an improvement, it's just a de facto standard.

    It's a big insult to McDonald's to compare them with Microsoft. Should McDonald's be anything like MS, I wouldn't dare to eat there ever. Actually McDonald's has very strict QA and an extremely well-functioning organization.

    --
    HTTP/1.1 400
  13. Because they can make informed decisions by shis-ka-bob · · Score: 5, Insightful

    how do paying customers benefit when MS reveals unknown ...

    Central to any theory of efficient markets is the assumption that both consumers and producers can make informed decisions free of coercion. If the consumers do not have information, they cannot make an informed decision. Companies are not generally obliged to share all information about their products, but they are prohibited from intentionally deceiving customers. Cigarette makers were not sued because cigarettes cause cancers, but because they had determined internally that cigarettes caused cancers and they then made claims to the contrary. That is, they intentionally deceived both the consumer and the regulatory agencies.

    By analogy, Microsoft can say 'we build secure software' all day long. But if they claim, 'we develop more secure software than our competitors' they open themselves up for liability IF it is determined that they are making claims that they know to be false. In this case this seems to be hypothetical. But it is a testable hypothesis. And after reading the internal memos made public in Combs v. Microsoft, it is a quite plausible hypothesis.

    --
    Think global, act loco
  14. Aha! by A+nonymous+Coward · · Score: 3, Informative

    The only solution is a truly free market economy without the FED and other allied stupidity.

    Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

    I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

    But monopolies are just as bad on the business side as they are on the government side, and there has to be some way to prevent them and break them up. Rather than have a government monopoly to break up business monopolies, I would have some way for citizen lawsuits to do the trick. You have to prevent market domination via rackets like those practiced by Microsoft, or the old AT&T, Standard Oil, etc., or you no longer have a free market.

    1. Re:Aha! by gaspyy · · Score: 4, Insightful
      It's not just monopolies.
      The free market model operates on several key principles:
      • a very large number of sellers;
      • a very large number of buyers;
      • completely transparent and complete information;
      • all agents (buyers and sellers) act independently

      It's not difficult to demonstrate that in the real world, these things don't happen.
      You have monopoly or monopsony (look it up) situations; very rarely are the buyers informed; cartels and herd-like behaviours further alter the model.

      In the end, the free-market model, which is based on the supply-demand equilibrium, is all fine and dandy on paper. In reality, a completely deregulated market is a utopia, just like the communist ideal was a utopia.

      I know there are many libertarians on Slash, which is mostly an American thing; not being an American, my view may seem unpopular...
  15. Re:Ah, the wonder of Slashdot moderation by pintpusher · · Score: 3, Funny

    How are we supposed to keep this all straight? Either the mods are on crack or the mods are geniuses of sardonic delayed humor or the mods... oh wait, I've got mod points!! d'oh!

    --
    man, I feel like mold.