Feeds

Mozilla rubbishes IE Firefox security study

The fix is in

Boost IT visibility and business value

Mozilla developers have hit back at a Microsoft study that suggests Internet Explorer is more secure than Firefox.

The study, Internet Explorer and Firefox Vulnerability Analysis, is based on a comparison between the number and severity of security updates issued for IE and Firefox since the release of Firefox in November 2004.

In the three years since then, Microsoft has fixed 87 vulnerabilities in various flavours of IE while Mozilla has patched 199 vulnerabilities in Firefox products.

The report, compiled by Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, also found IE scored fewer vulnerabilities than Firefox across all categories of severity.

Mozilla said Microsoft's comparison is, at best, meaningless.

"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," Mike Shaver, chief evangelist for Mozilla told eWEEK. Shaver took particular exception at Microsoft's decision to equate a large number of bug fixes with insecure software.

"It's something you'd expect from maybe an undergrad," he said. "It's very disappointing to see somebody in a senior security position come out and say that because an organisation is more transparent about their bugs and fixing them, they're somehow less secure."

Shaver added that even taken on its own merits the comparison between IE and Firefox is potentially misleading because Redmond often bundles multiple fixes in a single update, a phenomenon repeated to an even greater extent with the release of service packs.

Mozilla is putting an effort into encouraging users to update to the latest version of its software more quickly alongside greater emphasis on rapidly responding to security problems. Microsoft's efforts to suggest this is a bad thing are out of tune with the rest of the industry, Shaver argues.

"Shouldn't they be trying to fix more bugs, rather than writing reports that would 'punish' them for actively improving the security of their users rather than hoping that defects aren't found by someone who they can't keep quiet?"

"Microsoft should be embarrassed to be associated with this sort of ridiculous 'analysis'. We don't pretend that hiding the rate of fixes improves our users' security in any way, and we never will. We're transparent and aggressive in dealing with security issues, and 130 million Firefox users are safer for it every day," Shaver writes in a blog posting here.

Microsoft's Jones is no stranger to controversy. His previous study - a comparison between the number of security vulnerabilities in Windows Vista, Mac OS X, and Ubuntu Linux in the first six months of availability of the respective OSes - united Mac and Linux fans in opposition to Redmond's contention that Vista was more secure than its rivals. ®

Boost IT visibility and business value

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Captain Kirk sets phaser to SLAUGHTER after trying new Facebook app
William Shatner less-than-impressed by Zuck's celebrity-only app
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.