Updated 5/15/2006 2:00 AM: I got an email today pointing out that there was a new "Firefox Security and Stability Update" from Mozilla and I decided to check it out. After following two links to "Several security fixes", I noticed there were quite a few vulnerabilities listed that were mostly rated by Mozilla as "critical". I then went to some of the popular security disclosure sites to see what they said about it and I found "Mozilla Products Memory Corruption and Information Disclosure Vulnerability" on FRSIRT, which listed 22 vulnerabilities in Mozilla products. Then as I was surfing the web for news, I noticed something that seemed a bit strange. I expected to see news stories saying something to the effect of "large number of Mozilla Firefox flaws patched". Instead I saw the following headlines:
- Firefox update kills security bugs, adds Mac support - CNET News
- Mozilla Plugs Firefox Code Execution Hole - eWeek
As I saw these headlines, I thought the titles were a bit odd so I clicked on them. Strangely, neither article mentioned the actual number of flaws. CNET's story did mention "several security issues" but didn't elaborate much or say how many, and eWeek's story went as far as saying that there was only one critical hole to worry about. [Update: As more information was released after his original story, Joris Evers did update his CNET News story the following morning on 5/14/2006 to include more detailed information on the vulnerabilities.] Both stories quoted Mozilla with comments like "Mozilla has released a new version of the Firefox Web browser with what is described as 'significant security and stability improvements.'" and both stories then diverged into Intel-based Mac support for Mozilla Firefox. Now there doesn't really seem to be anything wrong with these two approaches if they are viewed in isolation, but last week the exact same two reporters took Microsoft to task with the following.
- 'Critical' megapatch sews up 10 holes in IE - CNET News
- MS Patch Day: 10 Flaws Fixed in Monster IE Update - eWeek
Right off the bat, both stories not only mention the number of flaws in the title but even use words like "Monster" or "megapatch" to describe the flaws, and we haven't even clicked on the articles yet. The actual stories themselves take Microsoft to task, which was fine with me since I myself slammed Microsoft for not releasing an out-of-cycle patch for the latest zero-day flaw, and in the past as well. However, taken in the context of their latest reports on Mozilla flaws, there would seem to be some inconsistencies and maybe a double standard for Microsoft and Mozilla, though it may be an opinion call. But what do you think? Before you answer the question, let's try a little experiment first. What if I reversed the headlines? If there were no double standard, it shouldn't matter, right? Well, let's see:
- Microsoft update kills security bugs, adds Eolas compliance
- Microsoft Plugs IE Code Execution Hole
- 'Critical' megapatch sews up 22 holes in Mozilla
- Mozilla Patch Day: 22 Flaws Fixed in Monster Mozilla Update
OK, I admit that was a really fun exercise, but it certainly does seem to speak volumes.