Mozilla Patches Fastest. NOT!
If you ignore most Firefox vulnerabilities, Mozilla may patch flaws faster than Microsoft, however, there are more important criteria not being considered.
Thu, March 05, 2009
If you take away one thing from reading this, I hope that you take away skepticism. The Mozilla team focuses on security and that is a relatively rare thing in the software industry—and I heartily applaud them for their intent and efforts. I wish more would follow their example. However, I think the vulnerability picture for Firefox may not be quite as rosy as some would wish.
- Brian Krebs, Washington Post, Fanning the Flames of the Browser Security Wars
- Brian Prince, eWeek, Security Report Ignites Firefox vs. Internet Explorer Feud
- Ryan Naraine, CNET, Report: Firefox buggier, but issued fixes quicker
In one way, I am quite excited that Mr. Krebs thinks "fixing quickly" is the metric that matters most. I am in the process of updating my H1 2008 report to cover all of 2008, and you may recall, in the previous report Microsoft fixed operating system issues at least twice as fast as other vendors.
On the other hand, I just happen to be in the middle of analyzing Mozilla Firefox vulnerabilities for 2007 and 2008 and results being touted just didn't ring quite true for what I've observed so far in my analysis. So, first, let's take a look at those three vulnerabilities listed by the Secunia report.
Examine the Three Firefox Report Vulnerabilities
SA32192 Disclosed(2008-10-14) Fixed(2008-11-13) Days Before Patch(30) (This affected Firefox 2)
I was able to identify this one as CVE-2008-4582, addressed in MFSA2008-47. However, though the Secunia Advisory did post on 10/14/2008, my findings are that LIUDIEYU disclosed this issue publicly in his blog entry on 9/27/08. That would be an additional 17 days.
SA32040 Disclosed(2008-10-01) Fixed(2008-12-26) Days Before Patch(86) (This affected Firefox 3)
I was able to identify this one as CVE-2008-4324. Though the Secunia advisory lists "vendor patch" under solution, a status change made on 12-26-2008, Mozilla has not released a security advisory that mentions either the Secunia advisory or the vulnerability identifier. SA32040 advises that upgrading to Firefox 3.0.4 or later will fix the issue. I am going to assume that 3.0.4 did silently fix the issue, however that version was released on 11/12/08. That means days before patch should be 42, rather than 86.