November 30, 2007
By Lisa Vaas
Microsoft has issued a report on Internet Explorer in which it pats itself on the back for having fewer vulnerabilities in its browser than are in the No. 1 competitor, Mozilla's Firefox—a stance that the Mozilla Foundation finds, to put it diplomatically, puzzling.
"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," Mike Shaver, chief evangelist for Mozilla, said in an interview with eWEEK. Indeed, Shaver said, the biggest thing that Microsoft got wrong is that the study equates bugs being fixed in a browser with that browser being less secure.
"It's something you'd expect from maybe an undergrad," he said. "It's very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, they're somehow less secure."
Microsoft's Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, issued the report, titled "Internet Explorer and Firefox Vulnerability Analysis," on Nov. 30.
The report examines the volume and severity of vulnerabilities in the two browsers since Firefox was launched in November 2004. Its findings: Microsoft has fixed 87 total vulnerabilities (across all supported versions of Internet Explorer) while Mozilla has fixed 199 vulnerabilities in supported Firefox products. Also, Jones said, IE experienced a lower volume of reported vulnerabilities across all categories of severity (high, medium, low).
The analysis is lazy at best, Shaver said, and, taken in the worst light, is "malicious."
One problem Mozilla has with the study is that it doesn't take into account undocumented patches or those included in service packs. Also, Shaver questioned whether the study counted each individual fix contained in each of Microsoft's security advisories. Microsoft's individual security advisories have been known to contain up to seven fixes.
"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability 'counted' for, say, seven defects repaired. Or maybe you don't hear about it at all, because it was rolled into SP2 and they didn't make any noise about it," Shaver wrote in a Nov. 30 blog post.
Mozilla is particularly sensitive on the issue given that it's worked hard to shrink the time between patch availability and user adoption, decreasing that time by 25 percent in the past year.
"The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week," Shaver told eWEEK. "Those are the things we measure and talk about publicly. Reports like [Jones'] really point the industry in a dangerous direction, which is to say you're [given an incentive] to keep [browser security fixes] quiet. That doesn't keep you safer, it just helps companies hide the real nature of what they're doing."
This is the second study that Jones has put out in the past few months that claims that Microsoft technology is more secure than its open-source counterparts. In June, he published a study that concluded that Windows Vista had blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest number of serious security vulnerabilities in the first six months following its release.
That earlier study received an equivalent number of raspberries compared with today's browser security study.
Microsoft hadn't responded to queries by the time this article was posted.
http://www.eweek.com/print_article2/0,1217,a=220675,00.asp
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
By Lisa Vaas
Microsoft has issued a report on Internet Explorer in which it pats itself on the back for having fewer vulnerabilities in its browser than are in the No. 1 competitor, Mozilla's Firefox—a stance that the Mozilla Foundation finds, to put it diplomatically, puzzling.
"Just because dentists fix more teeth in America doesn't mean our teeth are worse than in Africa," Mike Shaver, chief evangelist for Mozilla, said in an interview with eWEEK. Indeed, Shaver said, the biggest thing that Microsoft got wrong is that the study equates bugs being fixed in a browser with that browser being less secure.
"It's something you'd expect from maybe an undergrad," he said. "It's very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, they're somehow less secure."
Microsoft's Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, issued the report, titled "Internet Explorer and Firefox Vulnerability Analysis," on Nov. 30.
The report examines the volume and severity of vulnerabilities in the two browsers since Firefox was launched in November 2004. Its findings: Microsoft has fixed 87 total vulnerabilities (across all supported versions of Internet Explorer) while Mozilla has fixed 199 vulnerabilities in supported Firefox products. Also, Jones said, IE experienced a lower volume of reported vulnerabilities across all categories of severity (high, medium, low).
The analysis is lazy at best, Shaver said, and, taken in the worst light, is "malicious."
One problem Mozilla has with the study is that it doesn't take into account undocumented patches or those included in service packs. Also, Shaver questioned whether the study counted each individual fix contained in each of Microsoft's security advisories. Microsoft's individual security advisories have been known to contain up to seven fixes.
"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability 'counted' for, say, seven defects repaired. Or maybe you don't hear about it at all, because it was rolled into SP2 and they didn't make any noise about it," Shaver wrote in a Nov. 30 blog post.
Mozilla is particularly sensitive on the issue given that it's worked hard to shrink the time between patch availability and user adoption, decreasing that time by 25 percent in the past year.
"The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week," Shaver told eWEEK. "Those are the things we measure and talk about publicly. Reports like [Jones'] really point the industry in a dangerous direction, which is to say you're [given an incentive] to keep [browser security fixes] quiet. That doesn't keep you safer, it just helps companies hide the real nature of what they're doing."
This is the second study that Jones has put out in the past few months that claims that Microsoft technology is more secure than its open-source counterparts. In June, he published a study that concluded that Windows Vista had blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest number of serious security vulnerabilities in the first six months following its release.
That earlier study received an equivalent number of raspberries compared with today's browser security study.
Microsoft hadn't responded to queries by the time this article was posted.
http://www.eweek.com/print_article2/0,1217,a=220675,00.asp
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
全站熱搜
留言列表
