Firefox narrows patch deployment window

Summary: Mozilla security chief Window Snyder has dismissed the counting of vulnerabilities as a "misleading metric," suggesting that the time it takes to release -- and deploy -- software patches should carry more weight.

TOPICS: Browser, Security

Snyder, a former Microsoft security strategist, argues that the number of vulnerabilities found is more influenced by external factors -- which researchers are looking and how good they are at finding flaws -- than by the number of bugs actually present in the software package.

In a blog entry that introduces the "time to deploy" metric, Snyder released statistics to show that Mozilla's Firefox browser does an excellent job of getting patches installed, automatically, on the machines of its millions of users.

"Time to Deploy is how long it takes for users to get a patch installed once the fix is available from the vendor," Snyder explained, noting that the auto-update mechanism built into Firefox helps to cut down on the time it takes to push a security update out to end users.

Last year, according to Snyder, it took about eight days for Firefox users to upgrade to a new Firefox release. "When I saw this last year I thought it was pretty fantastic. Firefox has millions and millions of users. Getting almost everyone updated in just eight days seemed pretty incredible to me," she said.

But when Snyder looked again last month at the time-to-deploy statistics for users moving from one Firefox release to the next, she was even more surprised.

"This time it only took six days to update 90 percent of users. That’s a 25 percent decrease in Time to Deploy and a significant improvement in reducing the window of opportunity for attackers to take advantage of security vulnerabilities," Snyder said.
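To make the metric concrete, here is an added example (not Mozilla's code or data) that computes Time to Deploy the way Snyder defines it: the first day after a fix is published on which at least 90 percent of the clients checking in are running the patched version. The update-check log, the client IDs, the version strings "1.0" and "1.1", and the two adoption curves are all constructed for this example; the page does not give Mozilla's real version numbers or telemetry. The curves are shaped so that one release reaches 90 percent on day 8 and the next on day 6, which reproduces the 25 percent decrease quoted above.

```python
"""Computing "Time to Deploy" from an update-check log (added example, constructed data)."""
from collections import defaultdict

# Constructed update-check log, one line per check: "<day-offset> <client-id> <version>".
# The day offset counts from the day the fix was published. "1.0" is the vulnerable
# version and "1.1" the patched one; both are placeholders, not real Firefox versions.
SAMPLE_LOG = """\
1 c01 1.1
1 c02 1.0
1 c03 1.0
1 c02 1.0
2 c01 1.1
2 c02 1.1
2 c03 1.0
3 c01 1.1
3 c02 1.1
3 c03 1.1
"""

# Constructed daily (patched, unpatched) client counts for two hypothetical releases,
# shaped to resemble an adoption curve. Not Mozilla's data.
RELEASE_A = dict(enumerate([
    (120, 880), (410, 590), (620, 380), (740, 260), (810, 190),
    (860, 140), (885, 115), (905, 95), (925, 75), (940, 60),
], start=1))
RELEASE_B = dict(enumerate([
    (180, 820), (500, 500), (700, 300), (800, 200), (860, 140),
    (910, 90), (935, 65), (950, 50), (960, 40), (970, 30),
], start=1))


def parse_version(text):
    """'2.0.0.12' -> (2, 0, 0, 12) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def daily_adoption(log_text, patched_version):
    """Return {day: (patched_clients, unpatched_clients)}.

    Each client is counted once per day (its last report of the day wins), and a
    client counts as patched if it reports the fixed version or anything newer.
    """
    fixed = parse_version(patched_version)
    reports = defaultdict(dict)  # day -> {client_id: version}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, client, version = line.split()
        reports[int(day)][client] = parse_version(version)
    counts = {}
    for day in sorted(reports):
        patched = sum(1 for v in reports[day].values() if v >= fixed)
        counts[day] = (patched, len(reports[day]) - patched)
    return counts


def time_to_deploy(daily_counts, target=0.90):
    """First day on which at least `target` of reporting clients run the patched
    version, or None if the target is never reached within the data."""
    for day in sorted(daily_counts):
        patched, unpatched = daily_counts[day]
        total = patched + unpatched
        if total and patched / total >= target:
            return day
    return None


def relative_improvement(before_days, after_days):
    """Percentage decrease in Time to Deploy; 8 -> 6 days gives 25.0."""
    return (before_days - after_days) / before_days * 100.0


if __name__ == "__main__":
    print("sample log:", daily_adoption(SAMPLE_LOG, "1.1"))
    a, b = time_to_deploy(RELEASE_A), time_to_deploy(RELEASE_B)
    print(f"release A: {a} days, release B: {b} days, "
          f"improvement {relative_improvement(a, b):.0f}%")
```

Two details matter in practice: the denominator is clients that check in, so machines that never contact the update server (offline, blocked by a proxy, or long since abandoned) are invisible to this metric, and the threshold must be chosen up front, since a 90 percent target and a 99 percent target can differ by weeks on the same curve.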

Snyder's data appears to be in line with patch deployment statistics from Secunia, a third-party security research outfit that keeps track of vulnerable products on desktop machines.

Of the three major browsers (Firefox, Internet Explorer and Opera), Secunia's stats showed that Firefox 2 had the smallest share of unpatched installations, with only 5.19% of all Firefox 2 installations missing security updates. By comparison, about 12% of all Opera 9.x installations were missing security updates, and the figures for IE6 and IE7 were 9.61% and 5.4% respectively. Note that these figures measure how many installations lag behind on available updates, not how many flaws each browser has or how severe they are.

  • Although the time to patch speaks about ...

    ... how efficient the patch process is, it does not speak to how secure the browser is. It is the unknown flaws, or at least the flaws unknown to the security experts, that are the real threat. The bad guys are unlikely to let on to a problem they are actively using for exploits. They remain unpatched until the security experts catch on. Don't get me wrong, the stat is very favorable for Firefox, I just don't think it says what they are trying to construe it as.
    • I tend to agree

      I'm a Firefox fan and therefore biased, but I don't see that the time to patch ONCE available is that important. It's important, but it's up to the user once it's available.

      I believe the time to RELEASE patches when a flaw is known is relevant and the time to FIND flaws is also relevant.

      The number of "critical" flaws is relevant, and the time taken to find and patch those flaws. Not the time it takes users to patch once a flaw is found, although the patching mechanism is important to those users.
    • Those creating exploits probably do care.

      I had much the same reservation as you mentioned in your post, but one thing came to mind that I didn't see already mentioned. If I were an exploit writer deciding on which browser to focus on, this would be a critical metric. Actually, the right metric would be the number of days from exploit identified to patch (I would love to see this for both browsers). Why invest in creating an exploit that will cease to work in just a few days, if another browser remains unpatched for a longer period of time.
      • I disagree

        From the point of view of an exploit writer it doesn't matter if company A takes twice as long as company B to patch an exploit if company B takes twice as long to find it in the first place.

        I would suggest that the total time to patch is largely irrelevant to all exploit writers as it is unquantifiable. I would suggest they are driven by:

        1 - Exploits that are easy to exploit.
        2 - Exploits that affect a large userbase.
        3 - Exploits that provide the largest opportunity to undertake acts for financial gain.

        Not necessarily in that order.

        Of course this won't hold true for all exploit writers, but I believe that the bulk of them that are producing exploits for commercial reasons will primarily use these metrics.
        • makes sense, I agree

          Yeah, even if some exploits are usable only for a few days, it'd make sense to invest effort into the ones which offer the biggest returns (usually commercial). The time factor might count, but it'd be more worthwhile for the person writing the exploit to concentrate on something which would enable him/her to target more users, and if it's the sort of thing which lets you steal private info of commercial value like credit card details, so much the better.
  • Here's a question

    When you download Firefox, are all the security updates to that date in the version you download? It seems to be this way, as I just downloaded Firefox and there were no updates, but my other box has had several in the past couple of months.

    If this is true that's a boon, in my opinion, to security. After all you know how well people patch things.
    • Yes, you get all the patches

      When a Firefox update is released, the download servers get the updated version at the same time - so whenever you download Firefox, you get a fully-patched version.
  • What about before the patch is available?

    Time to deploy is one thing, but that doesn't address how long it took to make a patch available. Once a patch is available it should be automatically pushed out, but if the patch isn't available for months, who cares if it takes 2 days less to deploy?
    • Agreed, and I think it should be less than a week, not a month (nt)

      nt = no text
  • time to deploy, time to patch, not the problem

    All of the published numbers are based on one thing that makes all of the numbers worthless anyway: they come from the vendor. Microsoft spins their numbers so they look good; Firefox, while I like them, do the same. And the numbers mean nothing anyway because most of the time the issue is that the user did something they shouldn't have anyway.
    Users fall for stupid tricks, they click on things they shouldn't and they tell people things they should never tell (like passwords).
    The number one security issues with computers: Problem exists between keyboard and chair.

    I'm starting to think the question should not be, how can we protect these users but instead be, "What would Darwin do?"
  • Wow, didn't expect 12% for Opera

    IE doing worse than Firefox for patch deployment is expected - but Opera? Why are they so slow to upgrade to the latest patch? 12%?

    Wow, that was unexpected.

    I agree, though: The sooner this stuff is patched, the better. I want less than a week for patches, not a whole month like Microsoft does.
  • This has more to do with user types than patch methods or models

    Firefox, not being a default piece of software on a PC, is chosen by users, for a variety of reasons, one of those being the perception (true or not) that it's more secure than IE. A very large percentage of Firefox users, while not necessarily technically inclined, are what I would call "technically interested". This is evidenced by the fact that they were not happy with the default browser(s) offered to them and actively sought out an alternative.

    IE users, on the other hand, may or may not be "technically interested". While many may "choose" IE, a much larger percentage than Firefox users use it simply because "it's there". It's a de facto. To them, IE is the Internet, and they may not even be aware that alternatives exist, and many do not care or even consider security. It is not a factor to them. Their PC is simply a tool that they give little thought to the upkeep on.

    I would argue therefore that the average Firefox user is much more likely to actively monitor and manage security updates for the browser, making getting Firefox installations patched a much easier task for the "vendor" than getting IE installations patched, and this, combined with the difference in market share, make it unremarkable and not at all surprising that on a percentage basis Firefox installations get patched more quickly than IE.

    I'm not commenting on the value of the methods of either company. I'm merely saying that there is another explanation for why Firefox machines get patched faster than IE machines, other than the patch roll-out method. I'd be willing to bet that the OSes and other software unrelated to browsers also gets patched faster, on average, on PCs running Firefox than on machines just running IE. Millions of IE users patch diligently and in a timely fashion. Millions more don't even think about it.

    Two different user types.
    • I think the auto update distribution mechanism helps

      I think there is a qualitative difference in both the users (see above) and in the frequency of patch/update releases. I have seen "updates are available" messages right after I start up my browser, well before I have checked my email and read about the latest exploit and patch.

      I chose to use Firefox because I am concerned about my computer's security, but having said that, I think Firefox updates are produced very quickly after an exploit has been found. I think Microsoft is not able to respond and get IE patches distributed to their end users as quickly as the Firefox team does.