Double Standards

A lot of the same people who rant and rave every time Internet Explorer has another security snafu are being strangely silent about Firefox’s recent flaws. I wonder how many of the web technorati are willing to give Firefox a pass every now and then because of its superior standards support? The Firefox team is also to be commended for their rapid response to the issue on the only site that’s vulnerable by default.

20 replies on “Double Standards”

That’s rather the point, isn’t it? With Firefox we can be sure we don’t have to wait months for a fix to critical security problems. It’s Microsoft’s tardiness in plugging holes that garners the most complaints in my experience.

There is already a fix out there and it’s really not a problem unless you are visiting untrusted sites (hey, stop surfing born sites and clicking on casino ads!). Seriously tho, David is right, it’s kind of like the difference between apples and oranges. Mozilla takes a day to recognize and fix the problem, Microsoft takes a few months. Either way, I have long since stopped posting about any bugs of this nature in any browser… it’s a waste of blog space for a non-security related blog.

Ya… And Mozilla makes how many programs? Something in the range of 5?

On the flip side Microsoft makes how many programs? I don’t really know, but I assure you it’s a lot more than 5…

And what’s that huge thing they do… Oh Windows…

So… Keep all their programs very up to date, or just 5…

Without pretending like I know for sure (because I can’t), I would say under the same conditions as that of Mozilla, Microsoft would have many more security fixes.

All software has flaws – we (who code them) are flawed. The difference, perhaps, is how flaws are dealt with. Microsoft is only now seriously starting to pick up speed as far as vulnerability plugging is concerned.

There have been only a few instances of ‘sluggish’ response times from Firefox developers – considering the differences in budget, it pretty much speaks volumes.

Microsoft often go for weeks or months even before plugging known vulnerabilities. They have a massive budget compared to the Firefox team – yet the FF team seem to be on top of issues shortly after they become apparent.

Perhaps it’s that ‘fix first, ask questions later’ philosophy, versus the ‘fix it, but only if a large number of people notice’ method that causes folk to cut the FF team some slack – we know they’re aware and plugging the problem, with MS, you just never can tell. 🙂

There is a huge difference.

Mozilla in general is very quick about patching security holes, especially ones that have exploits in the wild. Microsoft has taken as much as 6 months (if not longer) to patch known security holes that have exploits in the wild.

Let’s face it, just about any piece of software has security holes (WordPress even). The key is how fast they are fixed and the design of the software to prevent security holes (or at least lessen the danger posed by them).

Compare yourself with Spamford Wallace. When people found out you were doing spammy things, you were treated very lightly because it was an unusual, out-of-character situation. Wallace, on the other hand, continually spammed people over and over while making millions.

The difference is in the two types of behaviour. One (yours and Mozilla’s) is ethical, although mistakes are made. The other (Wallace’s and Microsoft’s) is unethical because they don’t have their priorities right and don’t correct their behaviour to act better in the future.

An IE user made mention of it to me, and my response was basically that if we waited a few hours/days, we’d see a fix from Mozilla Org, and in contrast to that, if we waited for an IE security fix, we’d be waiting months/years for Microsoft to do something about it…

> Ya… And Mozilla makes how many programs? Something in the range of 5?
>
> On the flip side Microsoft makes how many programs? I don’t really know, but I assure you it’s a lot more than 5…
>
> And what’s that huge thing they do… Oh Windows…
>
> So… Keep all their programs very up to date, or just 5…
>
> Without pretending like I know for sure (because I can’t) I would say under the same conditions as that of Mozilla Microsoft would have many more security fixes.

I normally hate responding to trolls, but I’m not certain that this is meant to be a troll, so…

See, Microsoft has these things called “billions of dollars” and “thousands of employees”. The Mozilla Foundation has, I think, somewhere under ten full-time employees. I would assume that Microsoft has at least that many people dedicated to maintaining IE.

Mozilla have only covered over half the problem with changes to their website. The cross-site hole combined with the privilege escalation will lead to a critical threat from _any_ website.

So much for Firefox being secure by design – Secunia.com reports 12 FF vulnerabilities found so far in 2005, vs. six for IE. And this is despite the fact that there are an order of magnitude more people using IE (hence bigger target and more people to report bugs). These damning statistics also confound Mozilla’s secretive bug-reporting policy and make me wonder how many other critical bugs are lurking in Firefox.

Glad to see Matt recognises the hypocrisy surrounding Firefox advocacy, although “double standards” doesn’t even begin to describe it.

Their superior standards support would help, even if their bug fixing was on par with Microsoft. eBay phishing I can handle… lack of CSS2 support is unforgivable.

“These damning statistics”

Chris, a new product is certain to have more bugs found than an established, million-times-patched app like IE.

However, as has already been stated, the difference is that Mozilla will react quickly to any public or non-public security hole found in their products, whereas MS usually doesn’t do anything for months or until there is a public outcry.

However, the MS attitude does seem to be changing – they have recognised that they need to be pro-active with security and seem to be fixing problems before they become big issues.

But in the end, I think it comes down to motives – the MS motive is to make profits, the Mozilla motive is to build a reputation for producing good software.

It’s another one of those unwinnable holy wars – and although I’m a big Firefox fan, I won’t be getting involved in any crusades.

Comparing IE and FF based on the number of bugs found this year is useless since IE has been around 3> years. Speed of patching says more imho, and also the fact that FF is not woven into the OS.

On the other hand I find it harder to get information about strange FF behaviour (program starts but doesn’t show, or buggy profiles/screwed up themes) than it is to find a solution for similar IE behaviour. But that is probably a matter of the number of users.

But I will never switch back. The only real issue with FF is that a clean fresh install is hard to do. It picks up where you left off before uninstalling and reinstalling. But hey, trying to uninstall IE is impossible without risking your computer’s stability 🙂

> So much for Firefox being secure by design – Secunia.com reports 12 FF vulnerabilities found so far in 2005, vs. six for IE.

Chris, compare like and like. The last major release of Internet Explorer was in 2001. The last (only) major release of Firefox was in 2004.

Microsoft have had four years to find and fix all the security holes in Internet Explorer 6.0. The fact that they are STILL finding them on a regular basis is damning. The fact that there are some in a relatively new piece of software like Firefox is expected and nothing out of the ordinary.

I’m not too pleased with Firefox’s security record myself. But it’s worlds apart from Internet Explorer’s.
