Mozilla Patches Fastest. NOT!

If you ignore most Firefox vulnerabilities, Mozilla may patch flaws faster than Microsoft, however, there are more important criteria not being considered.

By Jeff Jones
Thu, March 05, 2009

CIO — [DISCLOSURE: Jeff Jones is a director at Microsoft. You can learn more about him at his technet blog.]

If you take away one thing from reading this, I hope that you take away skepticism. The Mozilla team focuses on security and that is a relatively rare thing in the software industry—and I heartily applaud them for their intent and efforts. I wish more would follow their example. However, I think the vulnerability picture for Firefox may not be quite as rosy as some would wish.

A couple of days ago, Secunia published their Secunia 2008 Report, and one of their tables garnered quite a bit of attention:

In one way, I am quite excited that Mr. Krebs thinks "fixing quickly" is the metric that matters most. I am in the process of updating my H1 2008 report to cover all of 2008, and you may recall, in the previous report Microsoft fixed operating system issues at least twice as fast as other vendors.

On the other hand, I just happen to be in the middle of analyzing Mozilla Firefox vulnerabilities for 2007 and 2008 and results being touted just didn't ring quite true for what I've observed so far in my analysis. So, first, let's take a look at those three vulnerabilities listed by the Secunia report.

Examine the Three Firefox Report Vulnerabilities

SA32192 Disclosed(2008-10-14) Fixed(2008-11-13) Days Before Patch(30) (This affected Firefox 2)

I was able to identify this one as CVE-2008-4582, addressed in MFSA2008-47. However, though the Secunia Advisory did post on 10/14/2008, my findings are that LIUDIEYU disclosed this issue publicly in his blog entry on 9/27/08. That would be an additional 17 days.

SA32040 Disclosed(2008-10-01) Fixed(2008-12-26) Days Before Patch(86) (This affected Firefox 3)

I was able to identify this one as CVE-2008-4324. Though the Secunia advisory lists "vendor patch" under solution, a status change made on 12-26-2008, Mozilla has not released a security advisory that mentions either the Secunia advisory or the vulnerability identifier. SA32040 advises that upgrading to Firefox 3.0.4 or later will fix the issue. I am going to assume that 3.0.4 did silently fix the issue, however that version was released on 11/12/08. That means days before patch should be 42, rather than 86.

Continue Reading

Our Commenting Policies