Re: The Pros and Cons of Firefox

From: Fuzzy Logic (bob_at_arc.ab.caREMOVETHIS)
Date: 04/26/05


Date: Tue, 26 Apr 2005 18:26:27 GMT

Unruh <unruh-spam@physics.ubc.ca> wrote in
news:d4lii5$bra$1@nntp.itservices.ubc.ca:

> "xpyttl" <xpyttl_NOSPAM@earthling.net> writes:
>
>>"Michael Pelletier" <mjpelletier@mjpelletier.com> wrote in message
>>news:BMmbe.85293$A31.6971@fed1read03...
>
>>> Sure security problems that are here and now are the most important.
>>> However, when you look at the number, the pure number, of security
>>> vulnerabilities IE has had....it is scary. And if the trend
>>> continues...
>
>>Consider: IE currently has about 10X the market penetration of Firefox.
>>That makes it AT LEAST a 10X more appealing target. Probably a lot more
>>appealing because people love to hate Microsoft. *BUT*, it also means
>>that the defect discovery rate for IE should be about 10X that of
>>Firefox/Mozilla since it is getting that much more scrutiny. Now, go
>>fish through bugtraq for the past few months, and you will find a lot
>>more Firefox/Mozilla exploits than IE. One can only conclude that
>>Firefox is a lot less secure than IE.
>
>>Sure, with a lot longer history, and a lot more people looking, the
>>total historical bugs in IE of course are larger than Firefox. But
>>right now, today, any objective assessment would have to consider IE to
>>be more secure.
>
> In the old days, Sun would regularly publish security updates for its OS.
> HP would never do so. I found a glaring security fault in an HP
> operating system and reported it to CERT (anyone could get root shell in
> two simple moves). CERT never published it because HP refused to
> cooperate with them. Now which is the more secure system, Sun, who had
> lots of bugtraq entries, or HP who had very few?
>
> The Open source people purposely look through the code looking for
> potential problems and if they are found they are reported and fixed. Is
> that also true of MS? Can anyone but MS go through the source looking
> for flaws? Are flaws discovered reported publically, even if there have
> been no exploits? Are they immediately fixed?

The debate over open vs. closed source and security could likely go on
forever. In any case, not having access to the code hasn't prevented bugs
from being detected.

As for announcing vulnerabilities Mozilla is doing similar stunts. For
example these 3 bugs rated as Highly Critical by Secunia
<http://secunia.com/advisories/14654/> were announced on March 24 (the day
the update to 1.0.2 was released to address them). The fact is these bugs
were discovered a few weeks earlier but nobody bothered to tell users. Here
are the original bug log reports:

https://bugzilla.mozilla.org/show_bug.cgi?id=285438 (March 11)
https://bugzilla.mozilla.org/show_bug.cgi?id=284627 (March 3)
https://bugzilla.mozilla.org/show_bug.cgi?id=285595 (March 10)

So basically Mozilla knew of 3 critical vulnerabilities but didn't bother
to make this general knowledge for a few weeks until they had the patches
to address them. As an added bonus, Mozilla comes up smelling like roses
when people do stats on vulnerable days (time between the announced
vulnerability and its patch).

Now if this was Microsoft you can be sure there would be a ton of enraged
people screaming about this. Apparently because it's Mozilla it's alright?
