Feeds

Mozilla rubbishes IE Firefox security study

The fix is in

SANS - Survey on application security programs

Mozilla developers have hit back at a Microsoft study that suggests Internet Explorer is more secure than Firefox.

The study, Internet Explorer and Firefox Vulnerability Analysis, is based on a comparison between the number and severity of security updates issued for IE and Firefox since the release of Firefox in November 2004.

In the three years since then, Microsoft has fixed 87 vulnerabilities in various flavours of IE while Mozilla has patched 199 vulnerabilities in Firefox products.

The report, compiled by Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, also found IE scored fewer vulnerabilities than Firefox across all categories of severity.

Mozilla said Microsoft's comparison is, at best, meaningless.

"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," Mike Shaver, chief evangelist for Mozilla told eWEEK. Shaver took particular exception at Microsoft's decision to equate a large number of bug fixes with insecure software.

"It's something you'd expect from maybe an undergrad," he said. "It's very disappointing to see somebody in a senior security position come out and say that because an organisation is more transparent about their bugs and fixing them, they're somehow less secure."

Shaver added that even taken on its own merits the comparison between IE and Firefox is potentially misleading because Redmond often bundles multiple fixes in a single update, a phenomenon repeated to an even greater extent with the release of service packs.

Mozilla is putting an effort into encouraging users to update to the latest version of its software more quickly alongside greater emphasis on rapidly responding to security problems. Microsoft's efforts to suggest this is a bad thing are out of tune with the rest of the industry, Shaver argues.

"Shouldn't they be trying to fix more bugs, rather than writing reports that would 'punish' them for actively improving the security of their users rather than hoping that defects aren't found by someone who they can't keep quiet?"

"Microsoft should be embarrassed to be associated with this sort of ridiculous 'analysis'. We don't pretend that hiding the rate of fixes improves our users' security in any way, and we never will. We're transparent and aggressive in dealing with security issues, and 130 million Firefox users are safer for it every day," Shaver writes in a blog posting here.

Microsoft's Jones is no stranger to controversy. His previous study - a comparison between the number of security vulnerabilities in Windows Vista, Mac OS X, and Ubuntu Linux in the first six months of availability of the respective OSes - united Mac and Linux fans in opposition to Redmond's contention that Vista was more secure than its rivals. ®

3 Big data security analytics techniques

More from The Register

next story
Ubuntu 14.04 LTS: Great changes, but sssh don't mention the...
Why HELLO Amazon! You weren't here last time
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
OpenBSD founder wants to bin buggy OpenSSL library, launches fork
One Heartbleed vuln was too many for Theo de Raadt
Got Windows 8.1 Update yet? Get ready for YET ANOTHER ONE – rumor
Leaker claims big release due this fall as Microsoft herds us into the CLOUD
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Apple inaugurates free OS X beta program for world+dog
Prerelease software now open to anyone, not just developers – as long as you keep quiet
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.