|
http://blogs.zdnet.com/Ou/?p=108Detailed Firefox and IE vulnerability report -Posted by George Ou @ 3:17 am
When I wrote "Is the Firefox honeymoon over" two weeks ago, it stirred up a huge debate that continued for days. Yesterday, Dan Farber interviewed the 20-year-old co-creator of Firefox Blake Ross in a podcast where he addressed the criticism of Firefox in the media and my blog in particular. Ross criticized the analysis in my blog on two main points.
* No comparisons in the severity of the flaws * No comparisons in the response time to fix the flaws.
On the first point, Ross is absolutely right that the severity of a vulnerability is critical. Because I didn't set out to do a formal security analysis of Firefox and Internet Explorer, I created an overly simplified comparison. Since this has sparked a huge debate, my original analysis is not sufficient to be conclusive. Ross believes that Internet Explorer's vulnerabilities are much worse than Firefox vulnerabilities so we'll have to see if he's right.
On the second point, Ross believes Firefox is more responsive to security vulnerabilities and delivers more timely patches. Ross even quoted that Internet Explorer had about "10 to 15" unpatched vulnerabilities, so we'll have to see if he's right. (...)
On the issue of vulnerability severity, it appears that either camp can claim victory depending on when you look at the numbers. If you look at vulnerability activity before March of 2005, Microsoft Internet Explorer had a consistent drip of monthly vulnerabilities and a huge rash of problems in October 2004. During that same period of time, Firefox was fairly quiet. After March of 2005, the trend reversed and Firefox had a continuous drip of monthly vulnerabilities while Internet Explorer was relatively quiet. Internet Explorer appears to have had an ugly history but seems to be maturing and stabilizing while Firefox appears to be going through some growing pains in the last seven months. From these results, it is clear is that there is no clear victor and neither camp has anything to be proud of with all these security vulnerabilities.
On the issue of patch responsiveness, Ross appears to have a point in that Firefox holds an edge in this department. While it isn't the "10 to 15" unpatched Internet Explorer vulnerabilities that Ross talked about if you exclude the low risk flaws that were omitted for both browsers in this comparison, Microsoft has five "moderately critical" issues that have not been addressed yet. There is even a "highly critical" vulnerability from October 2003 that Microsoft has not addressed yet, but I'm not sure if this old vulnerability still applies to Windows XP SP2 (...) More at link.
|