Is Firefox the Most Secure Web Browser?--Part 3
Microsoft's Jeff Jones discusses Mozilla's Mike Shaver's point that "You Can Only Count What The Vendor Wants You to See."
The answer to the main question seems clear in any case. Mozilla seems to fix multiple similar issues and variants while bundling them under one identifier.
Check #3—Does Mozilla Silently Fix Issues in New Versions?
There was one final concern which Mozilla raised in Counting Still Easy: "Or maybe you don't hear about it at all, because it was rolled into SP2 and they didn't make any noise about it."
Is it a bad thing to roll lower severity fixes into the less frequent service packs? I have my own thoughts, but I don't want to digress. From the comment, it seems to me that Mozilla frowns on this behavior in others.
I organized the vulnerability list from above into groups for each of the Firefox versions from Mozilla that have reached end-of-life (EOL). None of these are mentioned in any MFSA that I could find, and each of them was publicly disclosed before the product reached EOL. So, what happened with these vulnerabilities? I don't expect any patches for these versions since they are no longer supported; however, the code base does carry forward to the new version.
| Firefox 1.0 | Firefox 1.5 | Firefox 2.0 |
|---|---|---|
| CVE-2005-2114 | CVE-2005-4685 | CVE-2006-6585 |
| CVE-2005-2395 | CVE-2006-2613 | CVE-2006-6970 |
| CVE-2005-4685 | CVE-2006-2788 | CVE-2006-6971 |
| CVE-2005-4720 | CVE-2006-4310 | CVE-2007-0802 |
| CVE-2005-4809 | CVE-2006-4561 | CVE-2007-1004 |
| CVE-2006-0496 | CVE-2007-0801 | CVE-2007-1084 |
| CVE-2006-2788 | CVE-2007-1084 | CVE-2007-1116 |
| CVE-2007-1084 | CVE-2007-1256 | |
| CVE-2007-1736 | | |
| CVE-2007-1762 | | |
| CVE-2007-2162 | | |
| CVE-2007-2671 | | |
| CVE-2007-3072 | | |
| CVE-2007-3073 | | |
| CVE-2007-3074 | | |
| CVE-2007-4038 | | |
| CVE-2007-4041 | | |
| CVE-2007-4357 | | |
| CVE-2007-5335 | | |
| CVE-2007-5415 | | |
| CVE-2007-5691 | | |
| CVE-2007-5896 | | |
| CVE-2008-0367 | | |
| CVE-2008-2419 | | |
| CVE-2008-2786 | | |
Logically, three possibilities occur to me:
- The code was not carried forward to the next version, possibly replaced. This would basically be a fix (intentional or unintentional) via reimplementation.
- The vulnerability is patched, silently. CVE-2007-3072 looks like a possible case of this, for example. There is no MFSA, but the NVD entry links to a bugzilla bug.
- The vulnerability is still unfixed. CVE-2006-4561 and CVE-2007-1736 appear to be examples of this.
You may want to look into these yourself; maybe these were fixed and I just can't find an advisory. Silently fixed? Unfixed? Either way, it seems to be the very type of decision that Mozilla used to redirect attention away from the vulnerability counts for the first year of Firefox.
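The check above (group NVD entries by EOL Firefox version, then ask whether each one is covered by an MFSA, only by a bugzilla bug, or by nothing from the vendor) can be scripted. The following is an added example, not code from the original post; the records are constructed for illustration, the advisory and bug ids are placeholders, and the `CVE-EXAMPLE-*` ids are hypothetical.

```python
# Added example: triage NVD-style records against vendor references, following
# the three possibilities discussed above. Sample data is constructed; the
# advisory/bug ids in the URLs are placeholders, not real identifiers.
from dataclasses import dataclass, field
from urllib.parse import urlparse

COVERED = "covered by MFSA"
SILENT = "no MFSA, bugzilla ref: possibly silently fixed"
UNFIXED = "no MFSA, no vendor ref: possibly unfixed"


@dataclass
class CveRecord:
    cve_id: str
    affected: list                      # Firefox versions NVD lists as affected
    references: list = field(default_factory=list)   # reference URLs from NVD


def classify(rec, eol_versions):
    """Return (eol_version, category) for a record on an EOL version, else None."""
    hits = [v for v in rec.affected if v in eol_versions]
    if not hits:
        return None                     # still-supported version: out of scope
    parsed = [urlparse(u) for u in rec.references]
    # MFSA advisories live under mozilla.org/security/announce/...
    if any(p.netloc.endswith("mozilla.org") and "/security/announce/" in p.path
           for p in parsed):
        return (hits[0], COVERED)
    # A bug link without an advisory is the "silently fixed?" signal
    if any(p.netloc == "bugzilla.mozilla.org" for p in parsed):
        return (hits[0], SILENT)
    return (hits[0], UNFIXED)


def triage(records, eol_versions):
    """Group (cve_id, category) pairs by the EOL version they affect."""
    out = {}
    for rec in records:
        result = classify(rec, eol_versions)
        if result:
            out.setdefault(result[0], []).append((rec.cve_id, result[1]))
    return out


# Constructed sample input (reference URLs use placeholder ids)
SAMPLE = [
    CveRecord("CVE-2007-3072", ["1.0"],
              ["https://bugzilla.mozilla.org/show_bug.cgi?id=PLACEHOLDER"]),
    CveRecord("CVE-2007-1736", ["1.0"],
              ["http://www.securityfocus.com/bid/PLACEHOLDER"]),
    CveRecord("CVE-EXAMPLE-0001", ["1.5"],  # hypothetical id
              ["http://www.mozilla.org/security/announce/2007/mfsaPLACEHOLDER.html"]),
    CveRecord("CVE-EXAMPLE-0002", ["3.0"], []),  # hypothetical, supported version
]
```

Running `triage(SAMPLE, {"1.0", "1.5", "2.0"})` puts CVE-2007-3072 in the "possibly silently fixed" bucket and CVE-2007-1736 in the "possibly unfixed" bucket, which is the split the text describes; a real run would feed it the NVD export rather than the constructed sample.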
Let me reiterate that I'm not making any claims, I am simply testing the claims made by Mozilla, who asserts that their product is "The Safest Web Browser."
For the issues I looked into here, I think the results are telling. While it is true that you can only see what the vendor wants you to see, the statement also applies equally to Mozilla, who, in spite of their strong words, appear to bundle fixes and silently fix issues where convenient to their development process.
Are any of these decisions unreasonable? Probably not. What it emphasizes to me is something that I've heard said in the hallways many times over the past several years—delivering on a commitment to improve security is a hard problem, not just for Microsoft, but for the entire industry.