Mozilla security chief Window Snyder has dismissed the counting of vulnerabilities as a "misleading metric," suggesting that the time it takes to release -- and deploy -- software patches should carry more weight.
Snyder, a former Microsoft security strategist, makes the argument that the number of vulnerabilities found is more influenced by external factors -- which researchers are looking and how good they are at finding flaws -- than by the number of bugs in the software package.
In a blog entry that introduces the "time to deploy" metric, Snyder released statistics to show that Mozilla's Firefox browser does an excellent job of automatically releasing patches to its millions of users.
"Time to Deploy is how long it takes for users to get a patch installed once the fix is available from the vendor," Snyder explained, noting that the auto-updating mechanism built into Firefox helps to cut down on the time it takes to push a security upgrade down to end users.
Last year, according to Snyder, it took about 8 days for Firefox 188.8.131.52 users to upgrade to Firefox 184.108.40.206. "When I saw this last year I thought it was pretty fantastic. Firefox has millions and millions of users. Getting almost everyone updated in just eight days seemed pretty incredible to me," she said.
But, when Snyder looked again last month at the time-to-deploy statistics for users moving from Firefox 220.127.116.11 to 18.104.22.168, she was even more surprised.
"This time it only took six days to update 90 percent of users. That’s a 25 percent decrease in Time to Deploy and a significant improvement in reducing the window of opportunity for attackers to take advantage of security vulnerabilities," Snyder said.
Snyder's data appears to be in line with patch deployment statistics from Secunia, a third-party security research outfit that keeps track of vulnerable products on desktop machines.
Of the three major browsers (Firefox, Internet Explorer and Opera), Secunia's stats showed that Firefox 2 was the least vulnerable, with only 5.19% of all Firefox 2 installations missing security updates. By comparison, about 12% of all Opera 9.x installations are missing security updates, and the numbers for IE6 and IE7 are 9.61% and 5.4% respectively.
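To make the two metrics concrete, the following is an added example (not Mozilla's or Secunia's code, and not their data): it computes Snyder's Time to Deploy from constructed daily per-version user counts, the relative improvement between two releases, and the Secunia-style "installations still missing the fix" share from the same series. The version labels, user counts and the 90% threshold are assumptions for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample telemetry, not real Mozilla data: for each day after a fix
# is published (index 0 = release day), the number of active users seen on each
# version. "patched" is the build that contains the fix, "old" the one it replaces.
RELEASE_LAST_YEAR: List[Dict[str, int]] = [
    {"old": 1000, "patched": 0},
    {"old": 800, "patched": 200},
    {"old": 550, "patched": 450},
    {"old": 400, "patched": 600},
    {"old": 300, "patched": 700},
    {"old": 220, "patched": 780},
    {"old": 160, "patched": 840},
    {"old": 120, "patched": 880},
    {"old": 90, "patched": 910},   # 91% updated on day 8
]
RELEASE_THIS_YEAR: List[Dict[str, int]] = [
    {"old": 1000, "patched": 0},
    {"old": 700, "patched": 300},
    {"old": 450, "patched": 550},
    {"old": 280, "patched": 720},
    {"old": 180, "patched": 820},
    {"old": 120, "patched": 880},
    {"old": 80, "patched": 920},   # 92% updated on day 6
]


def patched_share(day: Dict[str, int], patched: str = "patched") -> float:
    """Fraction of that day's active users already running the fixed build."""
    total = sum(day.values())
    return day.get(patched, 0) / total if total else 0.0


def time_to_deploy(days: List[Dict[str, int]], threshold: float = 0.90) -> Optional[int]:
    """Days from release until at least `threshold` of users run the fix.

    Returns None if the series never reaches the threshold, so an incomplete
    rollout is reported as such rather than as a small number."""
    for offset, day in enumerate(days):
        if patched_share(day) >= threshold:
            return offset
    return None


def relative_improvement(before: int, after: int) -> float:
    """Relative reduction in Time to Deploy, e.g. 8 days -> 6 days is 0.25."""
    return (before - after) / before


def missing_update_share(day: Dict[str, int]) -> float:
    """Secunia-style view of the same data: installations still lacking the fix."""
    return 1.0 - patched_share(day)
```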