Firefox narrows patch deployment window

Summary: Mozilla security chief Window Snyder has dismissed the counting of vulnerabilities as a "misleading metric," suggesting that the time it takes to release -- and deploy -- software patches should carry more weight.


Snyder, a former Microsoft security strategist, argues that the number of vulnerabilities found is driven more by external factors -- which researchers are looking at the product and how good they are at finding flaws -- than by the number of bugs actually present in the software.

In a blog entry that introduces the "time to deploy" metric, Snyder released statistics showing that Mozilla's Firefox browser does an excellent job of automatically delivering patches to its millions of users.

"Time to Deploy is how long it takes for users to get a patch installed once the fix is available from the vendor," Snyder explained, noting that the auto-updating mechanism built into Firefox cuts down the time it takes to push a security update out to end users.

Last year, according to Snyder, it took about 8 days for Firefox 1.5.0.5 users to upgrade to Firefox 1.5.0.6. "When I saw this last year I thought it was pretty fantastic. Firefox has millions and millions of users. Getting almost everyone updated in just eight days seemed pretty incredible to me," she said.

But, when Snyder looked again last month at the time-to-deploy statistics for users moving from Firefox 2.0.0.3 to 2.0.0.4, she was even more surprised.

"This time it only took six days to update 90 percent of users. That’s a 25 percent decrease in Time to Deploy and a significant improvement in reducing the window of opportunity for attackers to take advantage of security vulnerabilities," Snyder said.

Snyder's data appears to be in line with patch deployment statistics from Secunia, a third-party security research outfit that keeps track of vulnerable products on desktop machines.

Of the three major browsers (Firefox, Internet Explorer and Opera), Secunia's stats showed that Firefox 2 had the smallest share of installations missing security updates, at 5.19%. By comparison, about 12% of Opera 9.x installations were missing security updates, and the figures for IE6 and IE7 were 9.61% and 5.4% respectively.
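The two numbers above are easy to reproduce on your own fleet if you collect version check-ins. The following is an added example, not code from Mozilla, Secunia or this article: it computes Snyder's Time to Deploy (days from release until a threshold share of users run the fixed build) from a series of daily version snapshots, and Secunia's share of installs missing the latest secure version from a single inventory. The snapshot data, version numbers and the 90% threshold are constructed for illustration; the one practical caveat it encodes is that version strings must be compared numerically, since "2.0.0.10" sorts before "2.0.0.9" as text.

```python
"""Time-to-deploy and missing-update metrics from version telemetry.

Added example, not from the article. Input shapes are hypothetical:
  snapshots: list of (day_index, {version: active_user_count}), day 0 being
             the day the fixed build was released
  inventory: {version: install_count} for a fleet at one point in time
"""
from typing import Dict, List, Optional, Tuple

Counts = Dict[str, int]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so 2.0.0.10 > 2.0.0.9."""
    return tuple(int(p) for p in v.split("."))


def patched_fraction(counts: Counts, fixed: str) -> float:
    """Share of users running `fixed` or any newer version."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    fix = parse_version(fixed)
    patched = sum(n for v, n in counts.items() if parse_version(v) >= fix)
    return patched / total


def time_to_deploy(snapshots: List[Tuple[int, Counts]], fixed: str,
                   threshold: float = 0.9) -> Optional[int]:
    """First day on which at least `threshold` of users run the fix.

    Returns None if the rollout never reaches the threshold in the data,
    which is the case worth alarming on rather than silently reporting.
    """
    for day, counts in sorted(snapshots, key=lambda s: s[0]):
        if patched_fraction(counts, fixed) >= threshold:
            return day
    return None


def share_missing_updates(inventory: Counts, latest_secure: str) -> float:
    """Secunia-style figure: fraction of installs below the secure version."""
    total = sum(inventory.values())
    if total == 0:
        return 0.0
    secure = parse_version(latest_secure)
    stale = sum(n for v, n in inventory.items() if parse_version(v) < secure)
    return stale / total


# Constructed rollout of a hypothetical 2.0.0.4 fix across 1,000 users.
ROLLOUT: List[Tuple[int, Counts]] = [
    (0, {"2.0.0.3": 1000, "2.0.0.4": 0}),
    (1, {"2.0.0.3": 600, "2.0.0.4": 400}),
    (2, {"2.0.0.3": 400, "2.0.0.4": 600}),
    (3, {"2.0.0.3": 300, "2.0.0.4": 700}),
    (4, {"2.0.0.3": 200, "2.0.0.4": 800}),
    (5, {"2.0.0.3": 130, "2.0.0.4": 870}),
    (6, {"2.0.0.3": 80, "2.0.0.4": 920}),
    (7, {"2.0.0.3": 50, "2.0.0.4": 950}),
]

# Constructed point-in-time inventory, including a straggler two fixes back.
INVENTORY: Counts = {"2.0.0.4": 948, "2.0.0.3": 40, "2.0.0.2": 12}


if __name__ == "__main__":
    days = time_to_deploy(ROLLOUT, "2.0.0.4")
    print(f"90% of users on 2.0.0.4 after {days} days")
    print(f"{share_missing_updates(INVENTORY, '2.0.0.4'):.2%} of installs "
          "missing the latest security update")
```

The threshold matters: "everyone updated" is never reached in practice, so pick a target share and report when it is crossed, and treat a None result as a stalled rollout rather than a missing data point.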

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
