Microsoft: Firefox users in danger due to more frequent updates
The author of a controversial white paper comparing Firefox's security record with IE's has released an update, which makes an even more contentious claim than the original.
Because Microsoft releases Web browsers less frequently and supports older editions for longer periods, claims Microsoft Security Strategy Director Jeff Jones in his latest report, Internet Explorer 7 users are less susceptible to security vulnerabilities than users of Firefox, whose updates come more frequently and whose older versions are disavowed sooner.
"One key factor of lifecycle is simply the fact that 'unsupported' versions of products don't get patches developed for them," writes Jones. "This is equally true for all vendors, but shorter lifecycles mean more people may still be running an unsupported version and be exposed."
Microsoft's policy, Jones points out, is to provide support for a previous service pack for a product for at least one year following the release of a new service pack. Mozilla, by contrast, continues support for an older version for only six months.
"So, according to its original schedule, Firefox 3.0 was scheduled to ship in November 2007, which meant Firefox 2.0 support would end in May 2008," he writes. "To put this in perspective, if Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001."
Jones cited evidence that Mozilla discontinued support for Firefox 1.5 on schedule, just two months after that version had been selected for inclusion in Red Hat Enterprise Linux Desktop 5. As a result, he said, Red Hat found itself distributing, on behalf of another vendor, a product that vendor had already stopped supporting.
Such discontinuation of support, he contends, leaves users who hang on to their installed software for as long as possible (one of only two types of computer users, by his reckoning) running vulnerable software that the vendor is unwilling to patch.
But as one of Jones' own charts makes clear, Firefox went through three lifecycles in the time IE6 took to get most of the way through one. Jones also quotes a message posted to Mozilla's own Web site advising customers that the way to regain support is to upgrade: "All users are urged to upgrade to the newest version of Firefox," it read.
Such short messages and such terse terminations of support, Jones contends, pose a problem for home-based browser users who have a natural expectation of longer product lifecycles than merely six months.
In an update to his claim earlier this year that Firefox was a riskier Web browser than IE because Firefox's maker found and fixed more vulnerabilities than IE's did, Jones cites new data showing that in the first 12 months of their respective lifecycles, Mozilla found and fixed 56 vulnerabilities in Firefox 2.0 (13 of them rated "high"), while Microsoft found and fixed 17 vulnerabilities in IE7 for Windows XP (14 of them "high") and 14 vulnerabilities in IE7 for Windows Vista (11 of them "high").
Among so-called "unfixed vulnerabilities," which he defines as problems that have been described in advisories but had yet to be fully addressed as of last Tuesday, Jones counts 24 in Firefox 2.0 (8 of them "high"), versus 21 in IE7 (10 of them "high").
While considerable effort has indeed been expended in making IE7 a more secure browser than its predecessors (many contend it could only have gotten better), even those who agree with that general conclusion raise doubts as to whether the number of problems, as opposed to the nature of those problems, is a proper metric for judging software integrity.
At the last TechEd Orlando conference, one IE user asked Jones, doesn't the fact that a company addresses more problems make you feel better about that company than when it refuses to acknowledge them?
"While the results in this study showing fewer vulnerabilities in Internet Explorer might be surprising to some," Jones concluded in his study from Tuesday, "to others the results will simply be a confirmation that improving security is a hard job even with the best of intentions. Further, it shows that with commitment and focused effort, vendors can make progress in improving computer security for software products."