Apples and Oranges, Firefox and Internet-Explorer
Posted by coldtobi | 6 Dec, 2007, 00:01

There is a saying: never trust a statistic you didn't manipulate yourself. Basically, if you read a report comparing two things, you had better check who funded it.
Especially if the results clearly favour a specific product, and you find out that the manufacturer of that product sponsored the report, a red flag should go up. Well, this is common sense, and there is another thing people say in such a situation: whose bread I eat, whose song I sing.
This behaviour is seen in every industrial sector. But there is definitely a master out there, especially in the IT sector, and very especially when it comes to Open Source. Others say they have probably patented the scheme. If you search for MS vs Linux or MS vs FLOSS in general, you will find many reports telling you that the commercial product is much better, cheaper, safer, more reliable, and probably also makes better coffee.
But this time, IMHO, they went further, if not too far: this time they did not even try to outsource the opinion making. The report in question was actually written by Jeff Jones, Security Strategy Director in Microsoft's Trustworthy Computing Group.
Okay, it is actually not "this time", as Jeff already showed his unbiased view this summer when he compared Vista with Linux and Mac OS. Those articles are interesting, as they give a glimpse of the sophisticated science of adding and omitting information to bias the outcome. But please read one example reaction to this yourself, as I want to focus on the Firefox vs. IE rant.
So this time, IE had to be safer than its competitors. Well, according to Jeff, it is. Just a quote from Jeff's article:
The report in detail examines vulnerabilities over the past 3 years, breaks them down by severity, looks at version-over-version trends for each browser and finally examines how each browser is doing in terms of unfixed vulnerabilities.
Well, exactly that is what I am going to do too. However, I cannot spend the time on a full analysis, so I will use data that is publicly available. Actually, Jeff used Secunia data too, so I am really wondering how he arrives at his figures. The report itself is too blurry and gives no details about which bugs were considered and which were not. However, according to Heise (note: German) there is one confirmed case in which a bug that was in the Windows OS and not in the browser did not count against IE, but was indeed counted against Firefox. (Background: Firefox released a patch for the issue, and since Jeff counts patches rather than vulnerabilities, Firefox got a mark for it. For IE it was not counted, as the bug was in the OS and IE is not considered part of the OS.)
Heise's question of how the fix MS05-038 was counted also remains unanswered: as one vulnerability, or as the 17 resp. 32 CVEs it lists? As the total number of vulnerabilities in the report is 50, Heise concludes that the latter is unlikely.
The "problem" that Mozilla publishes all bugs found in Firefox does not exist at Microsoft. They used to have a "login-to-view" database, but they closed it with the release of IE7. So I can only focus on the data that is on the web, and even that data, IMHO, might not include vulnerabilities which are known only to Microsoft and fixed silently. (Quote from Jeff's report: "Note that in this report, “disclosure” is used to mean broad and public disclosure and not any sort of private disclosure or disclosure to a limited number of people.")
To get some numbers, let's use a source Jeff also uses: Secunia. Let's start with the pictures. Please note that these are live images, so they might change over time; therefore I add the numbers as they are today as text below the images. Please note also that the period differs from Jeff's, and that you have to add up the reports yourself, as there is one picture per version.
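To make the counting issue concrete, here is an added example (my own, not code from the original post or from Jeff's report) that tallies the same set of advisories three ways: per patch, per distinct vulnerability, and with OS-level bugs dropped for one product only, as in the Heise case. The product names, advisory ids and "V-nn" identifiers are placeholders and the records are constructed sample data, not Secunia or Microsoft figures.

```python
"""Three counting choices that change a browser vulnerability tally.

Added example, not code from the original post or from the Jones report.
The records below are CONSTRUCTED sample data with placeholder product
and vulnerability identifiers; they are not Secunia or Microsoft figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str       # placeholder product name
    advisory_id: str   # one vendor bulletin / release note (what "counting patches" counts)
    vulns: tuple       # distinct vulnerabilities fixed by this advisory (what "counting CVEs" counts)
    component: str     # "browser" if the bug is in the browser, "os" if it lives in the platform
    fixed: bool        # whether a complete fix has shipped


# Constructed data: BrowserA ships few, large bulletins; BrowserB ships roughly one fix per bug.
SAMPLE = (
    Advisory("BrowserA", "A-001", ("V-01", "V-02", "V-03", "V-04", "V-05", "V-06"), "browser", True),
    Advisory("BrowserA", "A-002", ("V-07", "V-08"), "os", True),
    Advisory("BrowserA", "A-003", ("V-09",), "browser", False),
    Advisory("BrowserB", "B-001", ("V-10",), "browser", True),
    Advisory("BrowserB", "B-002", ("V-11",), "browser", True),
    Advisory("BrowserB", "B-003", ("V-12", "V-13"), "browser", True),
    Advisory("BrowserB", "B-004", ("V-14", "V-15", "V-16"), "os", True),
    Advisory("BrowserB", "B-005", ("V-17",), "browser", False),
)


def select(records, product, include_os=True):
    """Advisories for one product, optionally dropping bugs that live in the OS."""
    return [r for r in records
            if r.product == product and (include_os or r.component == "browser")]


def tally(records, product, unit="advisory", include_os=True):
    """Count for one product, either by advisory (patch) or by distinct vulnerability."""
    rows = select(records, product, include_os)
    if unit == "advisory":
        return len(rows)
    if unit == "vuln":
        return len({v for r in rows for v in r.vulns})
    raise ValueError(f"unknown unit {unit!r}")


def unfixed_ratio(records, product, include_os=True):
    """Share of advisories with no complete fix, rounded to two decimals."""
    rows = select(records, product, include_os)
    return round(sum(1 for r in rows if not r.fixed) / len(rows), 2) if rows else 0.0


def leader(records, products, unit="advisory", os_policy=None):
    """Product with the fewest counted issues.

    os_policy maps product -> include_os, so the scope rule can differ per
    product; that is the asymmetry in the Heise case (OS bug counted for one
    browser, excluded for the other).
    """
    os_policy = os_policy or {}
    counts = {p: tally(records, p, unit, os_policy.get(p, True)) for p in products}
    return min(counts, key=counts.get)


if __name__ == "__main__":
    products = ("BrowserA", "BrowserB")
    for unit in ("advisory", "vuln"):
        for p in products:
            print(f"{p:8s} by {unit:8s}: {tally(SAMPLE, p, unit):2d}  "
                  f"unfixed {unfixed_ratio(SAMPLE, p):.0%}")
        print(f"  -> '{unit}' counting favours {leader(SAMPLE, products, unit)}")
    # Asymmetric scope: drop OS bugs for BrowserA only, keep them for BrowserB.
    skewed = {"BrowserA": False, "BrowserB": True}
    print(f"  -> 'vuln' counting with OS bugs dropped for A only favours "
          f"{leader(SAMPLE, products, 'vuln', skewed)}")
```

With this constructed data the verdict flips with the method: per patch BrowserA wins (3 vs 5), per distinct vulnerability BrowserB wins (9 vs 8), and dropping OS-level bugs for BrowserA only hands the lead back to BrowserA (7 vs 8). Any comparison that does not state which unit and which scope it used cannot be checked, which is the complaint against the report above.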
IE 5.01: 65 advisories, 5% unpatched, 8% partial patched. Most serious unpatched flaw is rated: Moderately critical
Firefox 0.x: 39 advisories, 9% unpatched, 6% partial patched. Most serious unpatched flaw is rated: Less critical
IE 5.5: 54 advisories, 11% unpatched, 7% partial patched. Most serious unpatched flaw is rated: Moderately critical
Firefox 1.x: 45 advisories, 9% unpatched, 4% partial patched. Most serious unpatched flaw is rated: Less critical
IE 6.x: 106 advisories, 20% unpatched, 8% partial patched. Most serious unpatched flaw is rated: Moderately critical
Firefox 1.x: 19 advisories, 26% unpatched, 0% partial patched. Most serious unpatched flaw is rated: Less critical
IE 7.x: 20 advisories, 35% unpatched, 0% partial patched. Most serious unpatched flaw is rated: Moderately critical.
Another nice analysis can be found at http://www.webdevout.net/browser-security, which also has a nice graph showing how many *working exploited holes* are known for the individual browsers:
(Graph (c) by David Hammond.)
Closing the article: I think everyone should use the browser they want. On the other hand, it can be dangerous if you believe you are safe but in reality you aren't. Getting 0wn3d by a browser exploit can indeed happen with every browser out there, as they are all just complex software. Software, by definition, will never be free of bugs. But on the other hand, does Microsoft really need to publish such reports? Reports whose outcome is already defined by who paid for them? I don't think so, but I also don't think they will change their mind. Money rules their world, not security.
Or, in Google's words: Browse the web more securely. With Firefox and Google Toolbar.
Brett Dugan:
18/02/2009, at 08:20
Great factual article. Although I agree that software in general will never be completely free of bugs and hacks, it's hard to disregard such overwhelming statistics.
web development company: RE:
20/10/2009, at 16:42
Cool,
But I don't trust statistics; tables can be impressive and numbers can be high, but that doesn't mean they are true.
Thanks for writing about it