Security Fixes Come Faster With Mozilla (aka Firefox)

I’ve been telling you for years to stop using IE and start using Firefox. Firefox is a much better browser and, according to the article below, Mozilla patches its flaws far faster than Microsoft does. You owe it to yourself to at least download it and try it for yourself. The two features I like the best are tabbed browsing and a built-in pop-up blocker. The Mozilla Foundation grew out of Netscape, the company that originally built Netscape Navigator.

Security Fixes Come Faster With Mozilla

By Brian Krebs
Special to The Washington Post

Last month, I looked at how long it took Microsoft to issue security updates for known software flaws in the Windows software that powers most of today’s computers. Last week, I conducted the same analysis on free software produced by the Mozilla Foundation, perhaps best known for its Firefox Web browser.

Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.

The thing to remember is that Microsoft’s market reach has always made it the primary target for virus writers and online criminal groups. Windows runs about 90 percent of the world’s computers and Microsoft’s Internet Explorer still commands about 85 percent of the browser market. It’s difficult to say whether Firefox is inherently any more secure than Internet Explorer but you can’t discount the fact that most of the online bad guys tend to focus on Internet Explorer users.

For at least 38 days in 2005, Internet Explorer was vulnerable to unpatched critical security flaws that were being exploited actively by viruses, worms and spyware. For at least 256 days last year, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used.

By contrast, Firefox users were exposed to potential threats that might take advantage of publicly released exploit code for only 17 days. I could not find any public reports of viruses, spyware or worms using those exploits during the time that the Firefox vulnerabilities were unpatched.

The key word behind these revelations: public.

Mozilla had relatively few cases where security researchers disclosed critical flaws to the public instead of privately to Mozilla; this happened only a couple of times in 2005. Mozilla took an average of 16 days to release critical software updates after flaws were publicly reported.
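The figures above (days of exposure to publicly disclosed or actively exploited flaws, and the average number of days to a fix) can be reproduced from a list of disclosure and patch dates. The Python script below is an added illustration of that tally, not the Post’s methodology or its data; the vulnerability records in it are constructed and describe no real Firefox or Internet Explorer advisories. The point it makes beyond the article is that overlapping unpatched windows must be merged rather than summed, or the same calendar day is counted twice.

```python
"""Days-of-exposure and time-to-patch metrics of the kind the article tallies.

Added example; not the Post's methodology or data.  The records below are
constructed for illustration only.
"""
from datetime import date, timedelta
from statistics import mean

# Constructed sample records: (public disclosure date, patch date or None if
# still unpatched, exploited in the wild while unpatched).
SAMPLE_VULNS = [
    (date(2005, 1, 10), date(2005, 1, 20), False),   # public 10 days, never exploited
    (date(2005, 1, 15), date(2005, 2, 4), True),     # overlaps the first; exploited
    (date(2005, 6, 1), date(2005, 6, 4), False),     # short window, fixed in 3 days
    (date(2005, 12, 20), None, True),                # still unpatched at year end
]


def exposure_days(vulns, year, exploited_only=False):
    """Count calendar days in `year` on which at least one qualifying flaw was
    public but unpatched.  Overlapping windows are merged by collecting the
    days into a set, so a day with two open flaws is counted once."""
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    exposed = set()
    for disclosed, patched, exploited in vulns:
        if exploited_only and not exploited:
            continue
        start = max(disclosed, year_start)
        # The patch day itself no longer counts; an unpatched flaw runs to year end.
        end = min((patched - timedelta(days=1)) if patched else year_end, year_end)
        day = start
        while day <= end:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def summed_window_days(vulns, year):
    """Naive per-flaw sum of unpatched days.  Shown only to expose the
    double-counting that exposure_days() avoids when windows overlap."""
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    total = 0
    for disclosed, patched, _ in vulns:
        start = max(disclosed, year_start)
        end = min((patched - timedelta(days=1)) if patched else year_end, year_end)
        total += max((end - start).days + 1, 0)
    return total


def mean_days_to_patch(vulns):
    """Average disclosure-to-patch latency over the flaws that were patched.
    Unpatched flaws are excluded rather than guessed at."""
    latencies = [(patched - disclosed).days for disclosed, patched, _ in vulns if patched]
    return mean(latencies) if latencies else None


if __name__ == "__main__":
    print("days with any public unpatched flaw:", exposure_days(SAMPLE_VULNS, 2005))
    print("days with an exploited unpatched flaw:", exposure_days(SAMPLE_VULNS, 2005, True))
    print("naive summed windows:", summed_window_days(SAMPLE_VULNS, 2005))
    print("mean days to patch:", mean_days_to_patch(SAMPLE_VULNS))
```

On the constructed data the merged count is 40 days while the naive sum is 45, because the first two flaws were open at the same time for five days; a vendor comparison that sums per-advisory windows will overstate exposure for whichever product has more overlapping advisories.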

Dan Veditz, a security researcher at Mozilla, said problems discovered by open-source community members—and addressed quickly—create less of a risk. He also noted that “unconscionable delays in fixing bugs will get criticized in public, which is both embarrassing and may discourage future reporters from going the ‘responsible disclosure’ route with us. . . . If they’re not seeing progress that indicates we’re upholding our end of the bargain, they could well go public, and then we’ve got a full-blown emergency.”

Veditz and other Mozilla researchers found themselves in emergency mode in September when a researcher published his findings just four days after notifying Mozilla about a critical flaw in Firefox. The exploit code for it was laughably simple, but the public disclosure nonetheless forced Mozilla to rapidly accelerate its fix process.

I wondered if there was something in the data we collected to support the contention that open-source vendors such as Mozilla react more nimbly than those that do not open their blueprints to researchers, but I was surprised to find little relevant empirical data or analysis other than our own.

Last month, several researchers from Carnegie Mellon University in Pittsburgh reported they had examined some 438 vulnerabilities in programs made by 325 software vendors and found the patching speed of open-source vendors was roughly 60 percent faster than that of the closed-source vendors they studied.

Posted by SPN on 02/13 at 11:29 AM in Personal
