Microsoft Report on IE Security Draws Mozilla Rebuttal

By Lisa Vaas  |  Posted 2007-11-30 Print this article Print

Microsoft is patting itself on the back for having had fewer vulnerabilities in IE than have been found in Firefox.

Microsoft has issued a report on Internet Explorer in which it pats itself on the back for having fewer vulnerabilities in its browser than are in the No. 1 competitor, Mozillas Firefox—a stance that the Mozilla Foundation finds, to put it diplomatically, puzzling. "Just because dentists fix more teeth in America doesnt mean our teeth are worse than in Africa," Mike Shaver, chief evangelist for Mozilla, said in an interview with eWEEK. Indeed, Shaver said, the biggest thing that Microsoft got wrong is that the study equates bugs being fixed in a browser with that browser being less secure. "Its something youd expect from maybe an undergrad," he said. "Its very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, theyre somehow less secure."
Microsofts Jeff Jones, a security strategy director in Microsofts Trustworthy Computing group, issued the report, titled "Internet Explorer and Firefox Vulnerability Analysis," on Nov. 30.
The report examines the volume and severity of vulnerabilities in the two browsers since Firefox was launched in November 2004. Its findings: Microsoft has fixed 87 total vulnerabilities (across all supported versions of Internet Explorer) while Mozilla has fixed 199 vulnerabilities in supported Firefox products. Also, Jones said, IE experienced a lower volume of reported vulnerabilities across all categories of severity (high, medium, low). The analysis is lazy at best, Shaver said, and, taken in the worst light, is "malicious." Click here to read about DNS and URI handling flaws in Windows XP and Windows Server 2003. One problem Mozilla has with the study is that it doesnt take into account undocumented patches or those included in service packs. Also, Shaver questioned whether the study counted each individual fix contained in each of Microsofts security advisories. Microsofts individual security advisories have been known to contain up to seven fixes. "If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability counted for, say, seven defects repaired. Or maybe you dont hear about it at all, because it was rolled into SP2 and they didnt make any noise about it," Shaver wrote in a Nov. 30 blog post. Mozilla is particularly sensitive on the issue given that its worked hard to shrink the time between patch availability and user adoption, decreasing that time by 25 percent in the past year. Read details here about bug fixes to a recent Firefox upgrade. "The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week," Shaver told eWEEK. "Those are the things we measure and talk about publicly. Reports like [Jones] really point the industry in a dangerous direction, which is to say youre [given an incentive] to keep [browser security fixes] quiet. That doesnt keep you safer, it just helps companies hide the real nature of what theyre doing." This is the second study that Jones has put out in the past few months that claims that Microsoft technology is more secure than its open-source counterparts. In June, he published a study that concluded that Windows Vista had blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest number of serious security vulnerabilities in the first six months following its release. That earlier study received an equivalent number of raspberries compared with todays browser security study. Microsoft hadnt responded to queries by the time this article was posted. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel