Mozilla rages against Microsoft security report

 

Gallery

By Stuart Turton

Posted on 4 Dec 2007 at 12:14

A Mozilla executive has blasted claims made by a Microsoft security researcher that Internet Explorer is more secure than Firefox.

Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group, claims that Mozilla has been forced to fix more flaws in its browser over the last three years than Microsoft, indicating that the open-source browser is more vulnerable than Internet Explorer.

"Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products - 75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer - 54 high severity, 28 medium severity; and five low severity," says Jones.

"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," claims Jones.

However, responding on his blog, Mike Shaver, Mozilla's Director of Ecosystem Development, decries the findings, saying "Microsoft should be embarrassed to be associated with this sort of ridiculous analysis."

Shaver alleges that the discrepancy comes about due to Microsoft's policy of bundling its fixes together, and reporting the subsequent patch as being for a single vulnerability. In contrast, he says, Mozilla reports every fix distinctly.

"Even if the scales were the same, and we were living in a parallel universe in which Microsoft even approached Mozilla's standards of transparency and disclosure, the logic is just baffling: Jeff is saying that Mozilla's products are less secure than Microsoft's because Mozilla fixed more bugs. By that measure, IE4 is even more secure, because there were no security bugs fixed in that time frame; bravo to Microsoft for that!"