Mozilla: Critical vulnerability in Microsoft flaw-counting


Summary: Mozilla security chief Window Snyder has dismissed Jeff Jones's IE vs Firefox flaw-counting exercise as a useless public relations exercise that ignores tons of bugs that aren't fixed until Microsoft ships service packs and major browser updates.



Snyder, a former Microsoft security strategist, said Jones's use of publicly available data in his side-by-side comparison of the two browsers is not an accurate measurement of a browser's security profile.

"Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues. If he were able to count them all, Microsoft could get credit for all the bugs they fixed. He counts only the public issues, because that is all Microsoft will tell us about. Microsoft is worried that if it ever says it has fixed X security issues, the world will focus on that it had X vulnerabilities in the first place, not that they are now fixed and no longer a risk for users," Snyder said in a hard-hitting response to Jones's study.

Snyder, a pen-testing specialist who was responsible for security sign-off for Microsoft's Windows XP SP2 and Windows Server 2003, argues that the data used by Jones is a "small subset of all the vulnerabilities" affecting Internet Explorer.


"[The] vulnerabilities that are found through the QA process and the vulnerabilities that are found by the security folks they engage as contractors to perform penetration testing are fixed in service packs and major updates. For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update," she explained.

However, Snyder adds, this means IE users sometimes have to wait a year or more to get the benefit of that QA work.

"That’s a lot of time for an attacker to identify the same issue and exploit it to hurt users. Sometimes it just takes time to put in a complicated fix. Anyone that has shipped a major piece of software can relate to that. But this is not the case for every internally found security issue. Extending this process to include fixes that are ready and just sitting on the tree waiting for the preferred vehicle to ship increases risk for users. But it sure keeps those bug count numbers down," she added.


"If we as an industry would just acknowledge that counting bugs is useless then vendors could feel safe talking about what they are doing to protect users. At Mozilla we fix our bugs openly. When you count Mozilla security bugs you are seeing not just those that are reported externally, but also the ones that would be considered internal if we acted like most other software vendors," Snyder said.

Mozilla vice president of engineering Mike Schroepfer also used his blog to offer a sharp response to Jones and call attention to the absence of real data on actual bugs affecting Microsoft products:

[T]here is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer. In an earlier post the author of the study touts the benefits of the Software Development Lifecycle (SDL) at Microsoft as a reason Vista is more secure. Surely one of the goals of this process is to identify and fix security bugs right? How many bugs were identified and fixed using the SDL during development? Your guess is as good as mine.

"Bug counts are meaningless, what matters is whether you are at risk or not," Schroepfer declared.

Instead of counting bugs, Mozilla has long suggested that the time it takes to release, and to deploy, software patches should carry more weight. Snyder has proposed a "time to deploy" metric as a better way to measure a software vendor's approach to securing customers.

"Time to deploy" is the length of time it takes for users to get a patch installed once the fix is available from the vendor. This in effect gives Firefox a major advantage over IE, because the browser's default auto-updating mechanism significantly cuts down the time it takes to push a security upgrade out to end users.
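To make the metric concrete, here is an added Python example (not from the article, Mozilla or Microsoft) that computes time-to-deploy over a constructed fleet: the per-host delay between a fix becoming available and it being installed, plus the median, the 90th percentile, the share of hosts patched within an assumed 24-hour target, and how long still-unpatched hosts have been exposed as of the report time. The host names, timestamps and the 24-hour threshold are all constructed.

```python
from datetime import datetime
from math import ceil
from statistics import median

# Constructed sample data (not from the article): when the vendor made a fix
# available, and when each host in a small fleet actually installed it.
FIX_AVAILABLE = datetime(2007, 11, 1, 12, 0)
INSTALL_TIMES = {
    "fx-01": datetime(2007, 11, 1, 13, 0),     # auto-update picked it up in an hour
    "fx-02": datetime(2007, 11, 1, 18, 0),     # six hours later
    "fx-03": datetime(2007, 11, 3, 12, 0),     # two days later
    "mgmt-01": datetime(2007, 11, 11, 12, 0),  # ten days: waited for a maintenance window
    "legacy-01": None,                         # still unpatched
}
AS_OF = datetime(2007, 11, 15, 12, 0)          # when the report is generated


def time_to_deploy(fix_available, install_times):
    """Per-host delay in hours between fix availability and install.

    Hosts with no recorded install map to None.  An install time earlier than
    the fix's availability is treated as a data error and rejected.
    """
    delays = {}
    for host, installed in install_times.items():
        if installed is None:
            delays[host] = None
            continue
        if installed < fix_available:
            raise ValueError(f"{host}: install recorded before the fix existed")
        delays[host] = (installed - fix_available).total_seconds() / 3600
    return delays


def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile of a sorted, non-empty list of numbers."""
    rank = max(1, ceil(pct / 100 * len(values)))
    return values[rank - 1]


def summarize(fix_available, install_times, as_of, sla_hours=24):
    """Fleet-level time-to-deploy figures a defender would actually track."""
    delays = time_to_deploy(fix_available, install_times)
    patched = sorted(d for d in delays.values() if d is not None)
    unpatched = [h for h, d in delays.items() if d is None]
    total = len(delays)
    return {
        "patched": len(patched),
        "unpatched": len(unpatched),
        "median_hours": median(patched) if patched else None,
        "p90_hours": nearest_rank_percentile(patched, 90) if patched else None,
        # share of the whole fleet (unpatched hosts count against the target)
        "within_sla_fraction": sum(1 for d in patched if d <= sla_hours) / total,
        # exposure so far for hosts still waiting, measured to the report time
        "unpatched_exposure_hours": (as_of - fix_available).total_seconds() / 3600
        if unpatched else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(FIX_AVAILABLE, INSTALL_TIMES, AS_OF).items():
        print(f"{key}: {value}")
```

The median and 90th percentile show the difference between a fleet that patches automatically and one that waits for maintenance windows; the unpatched-exposure figure is the number that keeps growing until the last host is updated, which is the window the article's argument is about.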

  • I agree that vulnerability counts are mostly meaningless

    If browser A had 50 vulnerabilities and browser B had 100 vulnerabilities, can you definitively say that browser B is more dangerous? Of course not since you have to take into account the severity of the vulnerabilities, the ubiquity of the product (OS X has far more vulnerabilities than any other OS but is hardly used so it isn't a target), the amount of time to patch, etc.

    What I didn't see Snyder mention though is any discussion of security in depth. Obviously, a product with 0 vulnerabilities is ideal but if we take it as a given that any software will have vulnerabilities, what [b]else[/b] does the product do to keep the user safe? Firefox + AppArmor (on Linux) and IE7 on Vista are the only combinations that offer you any security once you accept the fact that browsers have vulnerabilities and malware authors will try to exploit them. An exploited vulnerability in Safari grants the attacker write access to [b]all[/b] of the user's files. Comforting! An exploited vulnerability in IE7 on Vista or Firefox on Linux simply won't have the ability to do anything meaningful. Yes the exploit is there, yes the vulnerability is there, [b]but the user suffers no harm[/b]. And really, isn't that the most important measure?

    Right now, OS X is the [b]least[/b] safe platform for browsing the Internet since:
    1) there is no defense in depth
    2) Quicktime is installed by default and has too many holes to even count.
    3) marketshare has already grown to the point where malware authors are starting to pay attention and have already written active, in the wild malware targeting OS X

    Be safe, don't use OS X.
    • Actually

      The only defense in depth is you, the user! Everything else is secondary, to make up for the mistakes you make!
      I have never used OSx, am a Linux and XP user (more Linux, less XP), but what you say is simply not true. If Apparmor works properly, Program access, write access will be lost, so is the case with IE7 in protected mode. That does not mean that information cannot be retrieved. And information stealing is becoming the main aim of the crackers. With Apparmor it is more difficult, but I do not think that having read access will be a problem if IE7 on Vista with protected mode is cracked.
      Maybe you have to ask Ryan this, but I really do think so!
      Furthermore, you can add a sandboxed environment comparable to Vista even on XP, use Sandboxie. I suppose sandboxes must be there for the Mac too.. or they can build one!
      I really do not understand where this criticism of Mac comes in on a post about security ethics and practices.
      BTW great post Ryan!
    • One thing

      There is one thing I do not entirely agree with. QuickTime + OS X.

      I am a Vista, XP and Ubuntu user, so I'm not just trying to be mac apologetic :)

      Quicktime has a much larger installed base on Windows, through iTunes, which is very widely used due to the iPod market penetration. All of the holes in Quicktime provide malware developers with easy access to a very large base of Windows systems. And I'm willing to bet that on most of those systems iTunes + Quicktime are not blocked by a firewall due to useful features such as CDDB, iTunes store, etc. I, however, don't use iTunes for anything other than syncing to my iPod, so it is suitably restricted (I use FOSS software to rip CDs, and WMP to play my music in Vista, Amarok in Linux)
    • As we say in Hawaii . . . "mo beh tah"

      What NonZealot [the Zealot] has been smoking is better than Santa Claus. I want some!
      brian ansorge
    • Defense in depth requires defense.

      "What I didn't see Snyder mention though is any discussion of security in depth."

      I can't see Microsoft opening that bag, not honestly.

      First of all, it's nothing more than the flipside of the old "Everyone uses Windows as Administrator" argument and while traditional UNIX local security is more solid, everything that you actually care about on your computer is inside the 'user account' sandbox. So while UNIX (and OS X) has had this kind of defense-in-depth from the start, it's not as big a deal as many people make out... and that's equally true of the Vista sandbox, or AppArmor, whether they're leaky or not.

      And there have been demonstrations that the Vista sandbox is leaky.

      What Vista does for IE is take an inherently insecure program, one with a deliberately leaky sandbox, and put it inside another leaky sandbox. A leaky sandbox is false security: if there is a documented path out of the sandbox then it's not significantly more secure than having no sandbox at all.

      But even assuming it's not "leaky": assuming that there's no paths to the user's files, if you have an exploit for any of the inherently unfixable holes in IE (which Microsoft has refused to even consider for ten years now) an exploited vulnerability in IE in Vista still allows the attacker to:

      * Log everything the user does in IE.
      * Access any resources on the Internet that the user has access to.
      * Perform local network attacks on the user's other computers.
      * Provide botnet services to the attacker, including hosting kiddy porn and copyrighted music for the user to get blamed for.

      And all of these have been part of the payload of exploits in the past. Botnets are a huge criminal business.

      Security is like sex... once you're penetrated you're ****ed. Until Microsoft fixes the fundamental design of IE... removing the bridges between IE, ActiveX, Windows Explorer, and other applications through the MS HTML control... even "35 vulnerabilities this year" Quicktime is less of a worry.

      Responding to your specific points:
      1) UNIX inherently has "defense in depth" already, in user accounts and in network services... another place where Microsoft's "defense in depth" is really a single layer disguised as two.
      2) You can turn off Quicktime. You can't turn off ActiveX and retain a working system.
      3) There's about maybe three active exploits in the wild, all of which require a social engineering attack. You're talking about three orders of decimal magnitude difference in the number of exploits. 90% vs 6% market share doesn't explain that.

      Be safe, don't use Internet Explorer. Or anything else that uses Microsoft's HTML control. You *can* use Windows safely without crippling it... I've gone well over ten years now without antivirus and without infection... but you gotta be careful what software you run.
  • What Else Is New?

    Microsoft will skew the numbers any way they can to make it sound like they are a huge success...just like with Vista's numbers...since new computers don't come with Vista and people can't choose to have XP on them until after they purchase the machine with Vista on it and do a complete reinstall Microsoft sees this as a huge increase in Vista's popularity. They refuse to take into account the number of people who downgrade back to XP and report those numbers.

    • You are so clueless...

      I can't believe you claim to work in IT.
      • And You're The ZDNet Jackass

        I can't believe you think you run a company and have your own plane.
    • New York, New Haven, New Jersey, New Mexico, New Hampshire, New ....

      anybody?...(kidding itanalyst)
      D T Schmitz
    • And I think the OSS will not accept any metric that...

      ...favors Microsoft. They'll always find some way to dismiss it. The OSS community is
      so conceited they'll never admit to being worse than Microsoft.
      • Isn't that what Microsoft did ?

        Take your METRICS & shove it ZEALOT . Nice try though , I see when the lights go off ,
        da ROACHES are scurrying .
      • NOBODY would ever admit being worse than Microsoft

        EVERYBODY knows that would be impossible.
        Well, except you and a few of your comrades,
        that is.
        Ole Man
      • Not accept???

        Let's see now! If I am counting all flaws disclosed publicly in two systems, one mine and one the other guy's, it should be considered fair and open when I refuse to disclose 70 percent of my flaws while the other guy has all of his flaws released.

        "ye" is flawed
        Update victim
  • Grains of salt

    As in, take all of the rhetoric from ALL sides with a grain of salt.

    If/when a user's PC becomes infected one side saying my app is 3% safer (use any number that makes you feel good) than the other guy's doesn't matter a bit. And yes folks, LOTS of users have been infected with both browsers.

    Next is the fact that everyone has their methodology for calculating *possible* bugs, and you can be 100% ABSOLUTELY certain that the results will say their product is best. Honestly, the average user sees articles like this and says they are all full of **** and they all make the numbers come out in their favor. In other words, no one believes them at this point.

    Both organizations would do well to shut up about the other guy, work to make a better product, and let users decide which works best for them. Naw, that makes too much sense...
    • Grains of salt are like vulnerabilities

      When rubbed into a wound they sting.

      When their vulnerabilities are rubbed into
      Microsoft's wounds, it stings, and all their
      lackeys must holler Owch!
      Ole Man
    • Yes! 87% of statistics are made up on the spot. (NT)

      I am Gorby
    • RE: Grains of salt

      Makes perfect sense to me.
  • RE: Mozilla: Critical vulnerability in Microsoft flaw-counting

    I honestly believe it's time to snub the nose and say it
    like it is . Last accounting management is a mess :only
    like microsoft can do it:,Damn that URI!!! Apple don't
    have it , so what gives?
    Zealot you and the rest have me up to here with this
    bull.Big question: Until when ?

    (^: :^)
  • Only until the URI handler is handled

    This is personal ,,,,,
  • And todays winner...

    Of the coveted "Red Herring" award goes to "Nonzealot" for his first message to the article pointing to a competitor. Hijacking the talkbacks and attempting to divert the attention away from Microsoft.

    Amazing how this always seems to happen...