Mozilla's popularity stressing its security image
Robert Lemos, SecurityFocus 2005-09-21

The Mozilla Foundation's Firefox browser successfully took market share away from software giant Microsoft's Internet Explorer over the past 18 months, but has found that popularity comes with growing pains.

Heck Miss the point why don't you. (Anonymous, 2005-09-22, 1 reply)

Mozilla's popularity stressing its security image (Matthew Murphy, 2005-09-22, 3 replies)
Given Symantec's obsessive tendency to hit on the Firefox vs. IE subject, and yours in particular Mr. Lemos, we should really take a step back and examine the issue.

1) Difference in Vulnerability Reporting

Mozilla reports vulnerabilities that it fixes in its products. Period. Microsoft often issues huge multi-issue patches that fix a whole range of issues under the guise of eliminating "attack vectors" of one vulnerability. Microsoft also tends to release fixes for non-critical vulnerabilities in service packs (IE 6.0 SP1 fixed a number of such issues). Therefore, Microsoft's number of vulnerabilities is artificially deflated in comparison to Mozilla.

2) Difference in Risk Evaluation

What Mozilla reports as a "low-risk vulnerability", Microsoft might elect to fix in a service pack, or not to fix at all. Mozilla's "high-risk" vulnerabilities are what draw a security bulletin from Microsoft.

Case in point: the "Set as Wallpaper" vulnerability. It was discovered that by clicking "Set as Wallpaper" on a malformed image in Firefox, arbitrary code could be executed. Such behavior is intrinsic to Microsoft's "Active Desktop", and is not defined as a security risk to IE users. Mozilla issued a "high risk" advisory on that issue.

3) Difference in Fundamental Responsiveness

Mozilla tends to have a response time around the two week timeframe for security issues that are publicly released. Microsoft often takes as many *months* to fix the same bug. There are numerous vulnerabilities in Microsoft's products that Redmond has simply failed to patch, despite some of them being known for months, and even years, in some cases.

4) Bug Bounty

Microsoft doesn't offer researchers any amount of money for their bug reports. It simply offers a voluntary reporting regime. That said, it is completely unfair to criticize Mozilla on the basis that it is stingy with its bounty awards. Given the fact that its competitors offer no such awards, those who gripe and complain about the lack of bounty money are in this business for the wrong reason.

Tom Ferris was not "pushed around" by Mozilla. The Mozilla "bug bounty" program requires a proven remotely-exploitable vulnerability. Ferris did not provide such proof of exploitability. In light of the fact that a large portion of his advisory on the issue appears to have been plagiarized from Bugzilla records on the issue internal to Mozilla, Ferris only provided the information he did based on thievery.

Once again, Mr. Lemos... check your sources. Yet again, their credibility is not only questionable, but nil.

5) 1.0 vs. 7.0.

The fact is, Microsoft's IE 6.1 (aka IE 6.0 SV1, Internet Explorer 6.0 for Windows XP SP2, etc.) has a security record nearly identical to that of Firefox, and it is only at version 1.0. That's an accomplishment, if you ask me.

Your consistent trashing of Firefox, in the name of

Blackmail (Radnice, 2005-09-29)
Copyright 2009, SecurityFocus