Slashdot Mirror


Firefox Security Head Says Microsoft Obscures OS Holes

theranjan writes "When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"

8 of 214 comments

  1. It's Probably Also Interesting to Note... by explosivejared · Score: 5, Funny

    ...that the study in question was done in collaboration with the Texas Department of Science Education. The department was called in when MS had concerns over the factual rigor that the test would be subjected to.

    --
    I got a catholic block.
  2. More vulnerabilities fixed != worse sw by redscare2k4 · Score: 5, Insightful

    Is it just me, or does the Microsoft report (PDF available in the article) just say "Firefox fixes more problems than we do, so that must mean their software has more errors"? That's just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that the Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed that counts. And IMHO Firefox still has a nice edge over MS.

  3. Not the first time... by Bert64 · Score: 5, Insightful

    Microsoft have frequently used biased methods for "security comparisons"...

    They have compared the published vulnerabilities between Windows and various Linux distributions, when the same applies as discussed in this article: issues found internally may or may not be fixed, but are not disclosed to the public.

    Also, many Linux distributions typically include a massively larger set of packages than Windows does; a distribution such as Debian or Gentoo supports more packages than Microsoft does across their entire product line.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Re:Well Duh! by rolfc · Score: 5, Insightful

    That is not correct for monopolists, scammers and others. Happy customers are one way to make money, but it is not the only one, and certainly not the most lucrative.

  5. Whole section of the report not covered by ta+bu+shi+da+yu · Score: 5, Insightful

    I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  6. Re:Well Duh! by ePhil_One · Score: 5, Insightful

    So do you agree with them in their belief that their stockholders are more important than their paying customers?

    And how do paying customers benefit when MS reveals unknown security holes in their products, even after they are patched? It's already believed the unsavory element reverse engineers MS patches looking for ways to exploit vulnerable unpatched systems; how does MS flagging a patch as "fixes unreleased security vulnerability X" help anyone, including Linux users? By increasing the size of botnets?

    The problem isn't MS hiding its vulnerabilities; it's a fundamentally flawed analysis. No proprietary software company airs its dirty laundry the way open source does; there's no benefit to it. The comparison was apples and oranges.

    --
    You are in a maze of twisted little posts, all alike.
  7. Re:Well Duh! by morgan_greywolf · Score: 5, Insightful

    This is also one great thing about OSS, it doesn't have to appease to money for the most part. I'm sorry. Anyone looking at my post history, personal link, etc., will notice that I'm an open source author in particular and a big advocate of Free/Libre/Open Source Software in general. But this statement just doesn't make much sense.

    When companies invest money, features get added -- features that benefit the company investing the money. For example, there's Google's Summer of Code. And the money that Google invests in the Mozilla Foundation. What's the default search engine in Firefox? Oh, right, Google. What page does Firefox go to by default? A special Google/Firefox start page. What searches are in the default bookmarks? Google's.

    And then there's the fact that open source software authors sometimes work for companies that demand certain things get added... like Andrew Tridgell of Samba, who works for IBM's storage division. There's lots of stuff in Samba for IBM's NAS solutions.

    Yes, open source authors definitely listen to their users...but they also know which side of their bread gets buttered.
  8. Because they can make informed decisions by shis-ka-bob · Score: 5, Insightful

    how do paying customers benefit when MS reveals unknown ...

    Central to any theory of efficient markets is the assumption that both consumers and producers can make informed decisions free of coercion. If the consumers do not have information, they cannot make an informed decision. Companies are not generally obliged to share all information about their products, but they are prohibited from intentionally deceiving customers. Cigarette makers were not sued because cigarettes cause cancers, but because they had determined internally that cigarettes caused cancers and they then made claims to the contrary. That is, they intentionally deceived both the consumer and the regulatory agencies.

    By analogy, Microsoft can say 'we build secure software' all day long. But if they claim, 'we develop more secure software than our competitors' they open themselves up for liability IF it is determined that they are making claims that they know to be false. In this case this seems to be hypothetical. But it is a testable hypothesis. And after reading the internal memos made public in Combs v. Microsoft, it is a quite plausible hypothesis.

    --
    Think global, act loco