Firefox Security Head Says Microsoft Obscures OS Holes

theranjan writes "When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"

Well Duh!

[suso]

I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

Re:Well Duh!

[j.sanchez1]

I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

So do you agree with them in their belief that their stockholders are more important than their paying customers?

Re:Well Duh!

[suso]

So do you agree with them in their belief that their stockholders are more important than their paying customers?

No I don't. I think that's a major flaw with publicly traded companies and is one reason why I never want my own company to go public.

This is also one great thing about OSS, it doesn't have to appease to money for the most part. The other half for open source is probably reputation, but its the status quo to release vulnerabilities so its not as big of a deal.

Re:Well Duh!

[morgan_greywolf]

This is also one great thing about OSS, it doesn't have to appease to money for the most part.

I'm sorry. Anyone looking at my post history, personal link, etc., will notice that I'm an open source author in particular and a big advocate of Free/Libre/Open Source Software in general. But this statement just doesn't make much sense.

When companies invest money, features get added -- features that benefit the company investing the money. For example, there's Google's Summer of Code. And the money that Google invests in the Mozilla Foundation. What's the default search engine in Firefox? Oh, right, Google. What page does Firefox go to by default? A special Google/Firefox start page. What searches are in the default bookmarks? Google's.

And then there's the fact the open source software authors sometimes work for companies that demand certain things get added...like Andrew Tridgell of Samba who works for IBM's storage division. There's lots of stuff in Samba for IBM's NAS solutions.

Yes, open source authors definitely listen to their users...but they also know which side of their bread gets buttered.

Re:

[d'fim]

". . . for the most part." -vs- "But this statement just doesn't make much sense."

Your rebuttal agrees with your opponent's point.

Weasel words: they're not just for breakfast any more.

Re:

[Almahtar]

This is also one great thing about OSS, it doesn't have to appease to money for the most part.

vs.

This is also one great thing about OSS, it doesn't tend to appease to money for the most part.

Big difference. I think you responded to the latter, not the former. Yes, money impacts open source, but the difference is that open source projects can always choose not to listen to the money -- or get forked. You can't just fork Microsoft the moment their shareholders get annoying.

Re:

[rolfc]

Of course they are. The idea of the company is to make money, not to make happy customers.

Re:Well Duh!

[rudy_wayne]

"The idea of the company is to make money, not to make happy customers."

Too many people forget that without customers, there is no money and there is no company.

Re:Well Duh!

[rolfc]

That is not correct for monopolists, scammers and others. Happy customers is one way to make money, but it is not the only one, and certainly not the most lucrative.

Re:Well Duh!

[Calinous]

As AT&T answered to their customers? Or take any other monopolist, and see how they one day answered to their customers.

      Monopols answer only to the government, and in these times the US government doesn't seem to want answers from Microsoft

Aha!

[A nonymous Coward]

The only solution is a truly free market economy without the FED and other allied stupidity.

Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

But monopolies are just as bad on the business side as they are on the government side, and there has to be some way to prevent them and break them up. Rather than have a government monopoly to break up business monopolies, I would have some way for citizen lawsuits to do the trick. You have to prevent market domination via rackets like those practiced by Microsoft, or the old AT&T, Standard Oil, etc., or you no longer have a free market.

Re:

[mpe]

Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

Also once this happens it is difficult for a free market to re-assert itself.

I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I dis

Re:

[Archangel Michael]

Monopolies are only temporary. I'm not so sure that having a monopoly is a bad thing, long term. In the short term perhaps it make things difficult, but that only opens to door for new opportunities. Before you mod me flamebait, wait.

Let us look at the result of breaking Big Oil (aka Standard Oil) apart, from today's perspective. We have Iran, Iraq and general instability in the middle east. We have global warming (or so they say). We have cities built for cars, and not pedestrian or mass transit. We have a

Re:Aha!

[gaspyy]

It's not just monopolies.
The free market model operates on several key principles:

• a very large number of sellers;
• a very large number of buyers;
• completely transparent and complete information;
• all agents (buyers and sellers) act independently

It's not difficult to demonstrate that in the real world, these things don't happen.
You have monopoly or monopsony (look it up) situations; Very rarely the buyers are informed; cartels and herd-like behaviours further alter the model.

In the end, the free-market model, which is based on the supply-demand equilibrium, is all fine and dandy on paper. In reality, a completely deregulated market is an utopia, just like the communist ideal was an utopia.

I know there are many libertarians on Slash, which is mostly an American thing; not being an American, my view may seem unpopular...

Re:

[innerweb]

For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants;

I work in the food industry, as a manager (one of two lines of work I do). I do not want an unregulated food industry. Do you have any idea how many people would get sick and/or die form bad food products or unsafe environments? Do you have any idea how many have in the past? I also have worked closely with the health care side in many projects involving pathogens. Do you r

Re:

[A nonymous Coward]

I know what you mean; no monopoly lasts forever. If they really are truly bad, they will suffocate themselves. If I really believe in a free market, then trying to prevent one aspect of that (monopolies) by fiat is unnecessary. That's why I don't want the government trying to regulate them -- you get politics and special interests involved and they find all sorts of excuses to justify new regulations to expand their bureaucratic territories.

But corporations themselves are a government creation. Not allo

Re:

[Znork]

"Sometimes such regulation is actually used to protect the interests of established businesses in a market"

Such as copyright. Which is the fundamental anti-free-market regulation that supports Microsofts market control and monopoly (and would support any other non-FOSS replacement just as well).

Re:

[A nonymous Coward]

How many of those problems you cite were caught by the regulators you espouse?

Each little step of regulation has a noble purpose, but the combined weight slows down the economy so much that we would be better off without the regulation. I would rather have restaurants brag about the inspection company they hire on their own than have the government force one bureaucracy on everybody.

Do you ever eat at friends' houses? How about a neighbor you hardly know? How about a potluck at school or church or work o

Please explain

[A nonymous Coward]

Please contribute facts or reasoning to back up your assertion. Blind assertions of faith don't make for a discussion. I have given my reasoning, that I think bureaucrats working for a monopoly (the government) are more interested in keeping their empire intact and even expanding than doing a good job, and that the recent food news was not discovered by government health inspectors. Now it's your turn to say something useful.

Re:

[A nonymous Coward]

I only comment because I often hear people spout off about Adam Smith, and when I do it often sounds quite naive given the broad spectrum of market forces competing with the invisible hand.

That' why I said there has to be more more opportunity for individual people to enforce freedom of choice and availability of information. One of the problems with government monopolies is that they enforce their monopoly status by superior firepower. Lawsuits and a litigious society suck, but they suck less than rule b

Re:

[innerweb]

As the post above you, thank you for pointing out the overlooked/ignored obvious realities of capitalism.

I am an American (USA variety), and I get sick and tired of the ignorance espoused by people who think the system will just work. It is so much like listening to some gibbering idiot go on about their perpetual motion device, or unlimited free energy device (or to date, flying cars). People seem to want to totally gloss over the greed, corruption, collusion, laziness, theft, graft, bribery and other b

Re:

[A nonymous Coward]

Exactly, and my point is that when a single government monopoly run by bureaucrats is the only defense against corporate bureaucracies, the situation is ripe for corruption and favoritism and plain old politics. If monopolies are evil, why should the government be the only one able to bring charges against monopolies, or any other corporate malfeasance which restricts choice and information? That's one point of weakness. I'd rather treat citizens as intelligent enough to take care of their own lives, and

Re:

[Archangel Michael]

Unix == Linux

Unix lost the war because of pricing and lack unified desktop environment. Linux is winning the long war by taking the best of Unix, offering it free (beer and speech) and having usable desktop GUI (Gnome/KDE).

Unix lost a war it could have won, Linux is winning the war for Unix like OSes, along with Apple for the BSDs.

Re:

[Logic and Reason]

The free market model operates on several key principles:

• a very large number of sellers;
• a very large number of buyers;
• completely transparent and complete information;
• all agents (buyers and sellers) act independently

It would be more correct to say that the free market operates "better" the more buyers and sellers there are, and the better the available information is. Your bullet points are not absolute requirements for the market to function. Furthermore, things like monopolies and uninformed market

Re:

[innerweb]

Absolutely correct.

Thank you for pointing out the often overlooked/ignored fundamental reality of capitalism and any form of government regulation.

InnerWeb

Re:

[ConceptJunkie]

Even monopolists such as microsoft will one day have to answer to their customers.

And how many billions of dollars will be swindled, how many thousands of companies will be destroyed, how many millions of customers will be abused, before this happens? Does the average person still have any idea that there is an alternative to Microsoft? I doubt it.

The definition of "monopoly" is that your position in the market is that you can pretty much call all the shots, regardless of what customers or competitors, (o

Re:

[MobileTatsu-NJG]

"Does the average person still have any idea that there is an alternative to Microsoft? I doubt it."

The average user hasn't heard of a Mac? Bullshit.

"In a sense, the battle of OSS against Microsoft is a mirror of the battle of individual freedoms against the tyranny of domination for "the public good" that is going on the U.S. and elsewhere. Right now, the good guys are losing, IMO. But they are not down and far from out."

If OSS really is 'losing' a battle against Microsoft, you might want to let them know

Re:

[CastrTroy]

What's the difference between Microsoft and a scammer? They keep on spouting lies, and the majority of people keep on falling for them.

Re:

[GodfatherofSoul]

The grandparent is absolutely correct. And, too many people follow the non sequitur that companies can only make money by satisfying their customers. Collusion, monopolies, FUD, vendor lock-in; some examples of ways that companies make money while delivering an inferior product. Also, IMO why the whole Libertarian "free market" argument is hogwash.

Re:

[j.sanchez1]

Of course they are. The idea of the company is to make money, not to make happy customers.

Don't you think that more happy customers would mean more money to Microsoft's bottom line?

Re:

[suso]

Don't you think that more happy customers would mean more money to Microsoft's bottom line?

I think you'd have a hard time convincing a company that has $40 billion in cash of that principle. Discount the Zune? Heck, they could just give away the Zune to everyone in America and still have cash left.

Re:

[j.sanchez1]

Discount the Zune? Heck, they could just give away the Zune to everyone in America and still have cash left.

I don't know if I'd expect them to go that far, but maybe they should think about their (existing)paying customers when dealing with bugs, firmware, licensing, pricing, etc...

Re:

[Anonymous Coward]

Don't you think that more happy customers would mean more money to Microsoft's bottom line?

No, as long as unhappy customers keep paying, because either: 1. They believe the alternatives are too hard to learn, or 2. Their games only run on Windows, having more happy customers won't change a thing.

It's not like happy customers pay more for Vista than unhappy customers.

Re:

[mpe]

The idea of the company is to make money, not to make happy customers.

Without customers there is no way a company is going to make any money. Happy customers tends to mean more money, through repeat business and positive word of mouth; unhappy customers tends to mean less money, due to negative word of mouth. Of course this only works when there is actual competition...

Re:

[BlueStraggler]

If *I* had 50 billion dollars in cash in the bank, I'm pretty sure I could make scads of money without a single customer.

And given my experience running a business that depends on happy customers, if I could tell my customers to f*ck off, and yet still make unbelievable amounts of money off my $50bil in cash, I probably would.

Re:Well Duh!

[ePhil_One]

So do you agree with them in their belief that their stockholders are more important than their paying customers?

And how do paying customers benefit when MS reveals unknown security holes in their products, even after they are patched? Its already believed the unsavory element reverse engineers MS patches looking for ways to exploit vulnerable unpatched systems, how does MS flagging a patch as "fixes unreleased security vulnerability X" help anyone, including linux users? By increasing the size of botnets?

The problem isn't MS hiding its vulnerabilities, its a fundamentally flawed analysis. No proprietary software company airs its dirty laundry the way open source does, there's no benefit to it. The comparison was apples and oranges.

Re:

[j.sanchez1]

And how do paying customers benefit when MS reveals unknown security holes in their products, even after they are patched?

Transparency in things like security would go a long way in bettering Microsoft's reputation. Techies give their opinion to Joe Sixpack when asked, and I bet most of the opinions about Microsoft's security is lacking. One can only imagine what they haven't disclosed when it comes to security vulnerabilities. Maybe that is the way it has to be with closed-source, but it makes you wonder

Re:Well Duh!

[BVis]

The problem is that Joe Sixpack doesn't understand the problem and/or doesn't care. In theory we've paid Microsoft for an OS that *should* have security as a core competency. Microsoft claims to provide a safe, secure OS, such that Joe Sixpack shouldn't have to worry about security holes. At the very least they're guilty of leaving open security holes that they KNOW about and COULD fix in a security patch, but deliberately don't in order to make their product look better (since the number of security patches put out on Patch Tuesday is something Joe Sixpack can understand, being that more patches = less secure is the only understanding needed.)

There's no excuse for delaying a security patch, even a couple weeks. They have the ability to patch vulnerabilities in a timely fashion, and are deliberately not doing so.

This should end up being a class action. Normally I'm not crazy about lawsuits, but there are far too many people and enterprises affected by this issue, and a multi-billion dollar settlement will definitely get everyone's attention. When the stockholders end up making less money as a result of the one-time charge, they'll demand that MS do something to keep it from happening again. Money is all they care about, and they'll scream bloody murder.

Hmm, maybe the stockholders (read: the fund managers) should sue. There's certainly precedent for them to do so.

Re:

[Sancho]

There are two reasons for delaying patches that, if they aren't "good", are at least debatably good.

One is testing. You don't want to issue a patch that breaks critical functionality. Since we're talking about the OS, that means that you don't want to break anything. Who knows what people out there might be relying on?

The other is business, Microsoft's core clientele. Businesses want to test patches with their installation, then deploy them, and they want to do it on a predictable schedule. Patch Tuesd

Re:

[Sancho]

Then s/he shouldn't have said:

There's no excuse for delaying a security patch, even a couple weeks. They have the ability to patch vulnerabilities in a timely fashion, and are deliberately not doing so.

Re:

[cheater512]

The point of TFA was that these hidden security flaws are only released to the public in service packs in big but rare packages.

Because they can make informed decisions

[shis-ka-bob]

how do paying customers benefit when MS reveals unknown ...

Central to any theory of efficient markets is the assumption that both consumers and producers can make informed decisions free of coercion. If the consumers do not have information, they cannot make an informed decision. Companies are not generally obliged to share all information about their products, but they are prohibited from intentionally deceiving customers. Cigarette makers were not sued because cigarettes cause cancers, but because they had determined internally that cigarettes caused cancers and they then made claims to the contrary. That is, they intentionally deceived both the consumer and the regularly agencies.

By analogy, Microsoft can say 'we build secure software' all day long. But if they claim, 'we develop more secure software than our competitors' they open themselves up for liability IF it is determined that they are making claims that they know to be false. In this case this seems to be hypothetical. But it is a testable hypothesis. And after reading the internal memos made public in Combs v. Microsoft, it is a quite plausible hypothesis.

Re:

[Wylfing]

What are these "informed decisions" you speak of? Consumers not having information? Wha?

Capitalism works like this:

• Large monopoly or cartel decides how consumers will act.
• Government passes laws to back up these mandates and criminalize dissenters.

The monopolies and cartels already have all the information they need to decide how they want consumers to behave. I can't see what sort of "information" we as consumers need except to do what we're told.

Re:

[BlueStraggler]

Sorry can you please explain what this "capitalism" thing you speak of has to do with the free market?

Re:

[hpavc]

Works for safety flaws in other industries ... "5 star safety rating" "top in its class for safety".

Their Stockholders ARE the customers

[tbg58]

The people and companies who actually purchase software are just revenue units. Their real customers are the stockholders. That's who they're beholden to. The folks who buy software have been commoditized. We haven't been the customer for some time, and this inevitably leads to crass disregard of the purchaser of the good or service of a company in favor of the stockholder. This is a fundamental economic shift -- commoditization of purchasers and re-identification of "the customer" as the stockholder,

Re:

[drew]

I doubt Microsoft, or many other publicly traded companies, really care more about their shareholders than their paying customers, seeing as the shareholder value is almost always directly related to the number of paying customers, and how much they pay. Doing anything that decreases either of the latter is sure to decrease the former as well.

In this case, the stock doesn't go down just because they had too many security holes, the stock goes down because too many security holes make their products harder

Re:

[Sancho]

In this case, the stock doesn't go down just because they had too many security holes, the stock goes down because too many security holes make their products harder to sell.

Except that in this case, they don't, because Microsoft is a monopoly.

Re:

[yo_tuco]

"So do you agree with them in their belief that their stockholders are more important than their paying customers?"

There is no belief to it. It is a legal requirement that a corporation must put the interest of its shareholders above all else. The question that should be asked is who is #2. The company or its customers?

Re:

[Vexorian]

Their customers would probably pay them regardless of what MS does, so they have no reason to care. Sometimes monopoly is the consumer's fault.

Re:

[msuarezalvarez]

You are free to use any other browser. Btw, if patches annoy you, you may be interested in MS's IE, which, from what I hear, does not get patched that often...

touche...

[advocate_one]

Game, Set, Match... well, I think that's that argument well and truly settled... Microsoft will never dare to use that FUD again...

It's Probably Also Interesting to Note...

[explosivejared]

...that the study in question was done in collaboration with the Texas Department of Science Education. [slashdot.org] The department was called in when MS had concerns over the factual rigor that the test would be subjected to.

Ah, the wonder of Slashdot moderation

[Sockatume]

So, you've been modded +3 Informative for what is obviously a joke on the first reading, and is even more obviously a joke on closer examination. How's that feel?

Re:

[explosivejared]

It scares the life out of me. I hope to god that no one actually took that seriously. I sincerely hope that that informative mod was a sardonic joke in and of its self.

Re:Ah, the wonder of Slashdot moderation

[pintpusher]

How are we supposed to keep this all straight? Either the mods are on crack or the mods are geniuses of sardonic delayed humor or the mods... oh wait, I've got mod points!! d'oh!

deserved reputation ...

[tiananmen tank man]

True or not, this is the reputation the Texas Department of Science Education has given itself.

Window S.

[xtracto]

Funny for WindowS (working at Mozilla) to tell us that Microsoft software is buggier than Open Source :)

More vulnerabilities fixed != worse sw

[redscare2k4]

It's just me, or microsoft report (pdf available in the article) just says "Firefox fixes more problems than we do, so that must mean their software has more errors". That just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed what counts. And IMHO firefox still has a nice edge over MS.

Re:More vulnerabilities fixed != worse sw

[jollyreaper]

It's just me, or microsoft report (pdf available in the article) just says "Firefox fixes more problems than we do, so that must mean their software has more errors". That just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed what counts. And IMHO firefox still has a nice edge over MS.

The American cattle industry has very few occurrences of Mad Cow Disease compared with British firms. American firms also test as little as possible but that's just because our cows are so damn clean. By extrapolation, Microsoft must have clean cows.

Re:

[secPM_MS]

The analysis is lacking a component. If MS fixes an issue in a bulletin, it knows that it has started the attack on that issue because the vast majority of attackers use bindif-type tools to reverse engineer the issue. Frequently, they will have exploits available within hours of the patch release. Thus, if MS is aware of an issue but monitoring tools do not report circulating exploits, it is better for the customer, to wait until either exploits start against the issue or a larger release is available to c

Re:

[msuarezalvarez]

While that may be reasonable, it is not that they do not include it as a factor in their "we have less bugs than they do" analyses...

Re:

[99BottlesOfBeerInMyF]

Microsoft's responsibility is to the vast majority of its customers...

And they serve those customers by deceiving them and claiming to have fewer holes because they keep a lot of their holes secret even after they are fixed? You're also ignoring the number of holes MS finds that they don't fix. I know some people who used to work at MS and even after they started their security drive, the majority of bugs with security implications were not prioritized high enough to be fixed... ever. Sorry, but MS tried to deceive people by pretending holes they did not publicly acknowledg

Not the first time...

[Bert64]

Microsoft have frequently used biased methods for "security comparisons"...

They have compared the published vulnerabilities between windows and various linux distributions, when the same applies as discussed in this article - issues found internally may or may not be fixed, but are not disclosed to the public.

Also many linux distributions typically include a massively larger set of packages than windows does, a distribution such as debian or gentoo supports more packages than microsoft do across their entire product line.

Re:

[BlueStrat]

How many IE vulnerabilities are actually in IE and how many are the OS? It is two distinct bits of source code and all the low level bugs probably belong to the OS rather than the browser. I am just saying there are lies, damn lies and statistics.

But, remember..according to MS, IE *IS* a part of the OS.

Cheers!

Strat

Whole section of the report not covered

[ta bu shi da yu]

I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

Re:

[MelloDawg]

He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that.

s/He/She/

Re:Whole section of the report not covered

[-noefordeg-]

I don't agree.

Since you don't pay for FireFox, there is really no reason not to upgrade.
With MS you have to pay for EVERY new version which is released. In my world that is kind of a huge difference. And if you are just talking about IE, well, you really shouldn't be using old versions anyway... :)

Re:

[Tim C]

With MS you have to pay for EVERY new version which is released. In my world that is kind of a huge difference. And if you are just talking about IE, well, you really shouldn't be using old versions anyway... :)

Of course he's just talking about IE - unless the Mozilla Foundation released an OS recently that I hadn't heard about...

Besides, it's not as easy as "you shouldn't be using old versions". Some third parties develop software targeted specifically at a given version of IE. If they won't fix their so

It depends...

[Lonewolf666]

Good point about software that needs a particular version of IE, but there are more reasons:

-Standardization in large user groups. If you are an IT department that supports a few thousand users, you probably want the same (tested in advance) set of applications on all PCs so you can cut down on the complexity of your support issues.

-Regulatory requirements in safety critical applications:
If you do stuff like medical devices, the above becomes mandatory because you have to show a validation of the software c

Re:

[mpe]

Besides, it's not as easy as "you shouldn't be using old versions". Some third parties develop software targeted specifically at a given version of IE. If they won't fix their software when a new version comes out (I'm looking at you Tridion, amongst many, many others) then you have the choice to either replace that software or stay with the old version of IE.

It isn't that easy to have multiple versions of MSIE on one Windows machine either. As well as the utter stupidity of software which insists that th

Re:

[mpe]

Since you don't pay for FireFox, there is really no reason not to upgrade.

An upgrade may break an extension/addon. Though the Open Source nature of the software means that such things tend to get fixed PDQ.

With MS you have to pay for EVERY new version which is released.

Typically you don't. IIRC Windows XP originally shipped with IE5. At least in terms of money. The problem is more along the lines that upgrading MSIE tends to come bundled with all sorts of updates to Windows. Whereas Firefox tends to k

Re:

[RebelWebmaster]

Wrong. Windows XP has always included IE6 from the initial gold release to the forthcoming SP3.

Re:

[kryten_nl]

... because you're still waiting for those security patches for Phoenix 0.1?

Re:

[ArtDent]

The simple answer would have been that even Firefox's major versions are non-disruptive. Microsoft seemingly can't deliver a new version of IE without changing the way they think the Internet should work.

I work at a large corporation with two standard supported browsers: IE and Firefox. When IE 7 was released, we received an e-mail warning us not to upgrade, as doing so would break critical applications. Similar thing with XP SP2. New releases of Firefox just get pushed out without problem.

Re:

[ArsonSmith]

I think it is more incremental due to the quick release cycle of Firefox.

To construct my own strawman: If you do a small change every day for a year it wont be very disruptive, but if you release 365 changes on Dec. 31st that will be rather disruptive.

Re:

[asa]

First, Window Snyder is a she, not a he.

Second, it takes us about 4 or 5 days to automatically update 90+% of our users and with a couple of week's time, we get about 99% of them moved forward. Because there's no cost to updating, and because it's automatic, we don't need to support older versions for years and years.

Ask Microsoft what their updated percentages are across their various releases. My guess is they won't tell you. And even if they did, I'm sure they'd be just as misleading about this as about

Re:

[99BottlesOfBeerInMyF]

I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

The earliest version of IE you can get support for is 5.0, released in 1998. InfoSpan, the leading company providing Firefox support, will do phone support for version 0.9, released in 1999. So IE has about a year on them. However, MS will not actually do bug fixes to IE 5, which in my mind is a critical part of support. With Firefox, you can not only get bug fixes to any version, you can take bids on the fix from multiple vendors or use internal resources. Not only that, but the cost is often not even ve

Obviously MS is just covering their OS...

[kiscica]

... what a bunch of OS-holes.

Microsoft wants what's best for you

[El Yanqui]

Firefox is spyware. At least according to Microsoft. http://img405.imageshack.us/my.php?image=msasmfph6.gif [imageshack.us]

Remove it immediately to prevent harm to your computer and protect your privacy!

Re:

[BlueStrat]

Firefox is spyware. At least according to Microsoft. http://img405.imageshack.us/my.php?image=msasmfph6.gif [imageshack.us] [imageshack.us]

Remove it immediately to prevent harm to your computer and protect your privacy!

A convicted monopolists' anti-spyware program marking the competitions' web browser as spyware/a security risk? Wow. They just have no fear, do they?. If they have the Justice Department and the politicians that well-bought that they feel they can get away with things like this, one has to wonder how long it

Re:

[recoiledsnake]

Relax. It's a doctored screenshot.

Re:

[BlueStrat]

Relax. It's a doctored screenshot.

D'OHH!!!

Firefox and Windows

[tristian_was_here]

So basically I have to be running Windows to get the full use of security holes? Why can't my "Free" OS be like Windows?

OSholes??

[xtracto]

So what? does Firefox illuminates their Oossholes?

*rimshot*

Thank you thank you

The problem with buggy security patches...

[Effugas]

...is that people stop installing the patches at all.

You really only get to screw up a few times, before the risk of broken patches exceeds the risk of getting hit by a non-public vulnerability. Then, people won't install patches, even when the exploit is public!

One real problem is that this entire engineering model is very, very new. The rules of physics do not change, day to day, but what's happening on the Internet transforms remarkably, moment to moment. It really is a war out there, and the bad guys

Prove It

[ThinkFr33ly]

He offers no evidence to back up his claims.

Attacks on other software packages, including Office and Firefox, have risen dramatically. If Windows and IE were still so easy to exploit, why would that be the case?

What this suggests is that hackers are having a harder and harder time exploiting these more traditional attack vectors. If there was such a huge library of holes that Microsoft patches silently, one would think that those would continue to be a great attack vector, and hackers wouldn't bother researching other vectors.

One could surmise that the bad guys just don't happen to know about these stealth-patched holes, and that's why they're turning to other attack vectors.

But guess what: if the bad guys don't know about them, they do no damage. Security through obscurity works great if the holes stay hidden. And, as I mentioned before, it appears that they are staying hidden, if they exist it all.

This guy has great motivation to make shit up, as does Microsoft. I know virtually everybody here will assume he is telling the truth, but that's an assumption. There is no evidence to back it up.

Re:

[dave420]

"Well, you get what you pay for" - did you mean to write that?

Re:

[gweihir]

Yes. Refers to the ''cheap'' in the sentence before.

Re:Anybody surprised?

[mh1997]

MS products never were the best on the market. They just convinced enough people to buy cheap at a cruical time.

I don't think MS ever tried to be best in their software. I think they just wanted to be the standard in software.

Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking. There were 10 or so major players in the word processing market, preventing organizations from sharing documents from one sector to another, not to mention different companies. They, and other companies, ripped of visi-calc and the desk-top graphical user interface, but none were compatible with other brands.

MS came along and everyone could talk, and thanks to IBM, run the same programs on any brand of computer.

I think MS modeled itself after McDonald's. Want a good hamburger go to a good restaurant. Want a hamburger that will satisfy your hunger, taste ok at best, but most important, be exactly the same all over the world, go to McDonald's.

Re:

[miffo.swe]

"Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking."

No, there wasnt prior to MS. The several flavours came about after MS started selling DOS. Most of the other flavours was much better than MS Dos. NCR Dos 3.2 was the best DOS version of them all because of all the bughunt NCR did on it. MS-DOS was a dead dog in comparison, funny thing was all MS apps ran much better on other DOS versions than their own. Hence the need for artificially make win not work on

Re:

[jollyreaper]

I think MS modeled itself after McDonald's. Want a good hamburger go to a good restaurant. Want a hamburger that will satisfy your hunger, taste ok at best, but most important, be exactly the same all over the world, go to McDonald's.

Gates looks like Hamburgler, dunno who Ronald would be. Balmer is Grimace, of course. And I guess Mayor McCheese will be whichever politician has sucked the most Microsoft cock that year.

Re:

[howlingmadhowie]

no, no, no. microsoft came along and there was one more voice speaking its own language for anything other than ascii. people began to be able to talk when the internet took off.

Re:Pot, kettle, black

[ozmanjusri]

I'd accept this from anyone but a Firefox security head.

Accept it from vulnerability-scanning company Qualys then.

Study: 'Huge jump' in Microsoft flaws since last year
"We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawate, manager of Qualys's vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007

http://news.zdnet.com/2424-9595_22-178018.html [zdnet.com]

Re:

[Actually, I do RTFA]

Study: 'Huge jump' in Microsoft flaws since last year "We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawate, manager of Qualys's vulnerability-management lab. "These charts show growth of nearly 300 percent from 2006 to 2007

It seems unfair to claim that there is a 300 percent vulnerability increase between two versions (fairly dramatic differences) without mentioning that as the cause. Further, Office != IE, anymore than OpenOffice's problems can be laid at FireF

Re:

[secPM_MS]

It is not so much that there has been an increase in the vulnerabilities of Office products, but that as the OS has been progressively hardened, the low hanging fruit is now the applications. Office 2003 was designed for feature richness, not withstanding spearfishing attacks. Office 2007 is the first Office release where the SDL was applied and has far fewer vulnerabilities. In my opinion, despite the change in UI, the upgrade from Office 2003 to 2007 is justified on security grounds alone. There is reason

Re:

[UnknowingFool]

There's a difference. Firefox acknowledges flaws but may not fix them right away. When Firefox does fix the flaw, it discloses that fact. MS does not disclose some flaws and MAY fix later. When they do fix them, they may not disclose that they did. One process is in the open. The other is kept hidden.

Re:

[msuarezalvarez]

Never add a link to this comment to your CV if you intend to work on security...

Re:

[asa]

One thing that worries me about Firefox being open sourced is that hackers are basically "gifted" with the information about the security holes in previous versions meaning that anyone running the previous versions is more vulnerable until they update which may be never - especially as there's plenty of people still running Firefox 1.x. , not all Linux distros have an auto-update and earlier versions of FF didn't auto-update either. In this respect, for me, closed source is more secure.

Actually, Firefox is

Re:

[account_deleted]

Comment removed based on user account deletion