The feud between Microsoft Corp. and Mozilla Corp. over whose Web browser is more secure heated up again as officials for both companies trotted out statistics to show their application is safer.
Jeff Jones, the strategy director in Microsoft's security technology unit, started the latest bug count battle last Friday, when he posted a report that claimed Microsoft's Internet Explorer had been affected by fewer than half as many vulnerabilities in the last three years as Mozilla's Firefox had.
"Over the past three years, supported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox," said Jones in the report, "a result that stands in contrast to early assertions by Mozilla that Firefox 'won't harbor nearly as many security flaws as those [in] Microsoft's Internet Explorer.'"
Jones counted 199 Firefox bugs that Mozilla has quashed since November 2004: 75 ranked "High" in severity, 100 rated "Medium" and 24 were "Low." In the same period, Microsoft fixed 87 total vulnerabilities: 54 High, 28 Medium and five Low.
He also tallied flaws that have been fixed for the newest versions of each browser -- IE 7 and Firefox 2.0 -- and again concluded that Microsoft's browser is better, although Jones acknowledged that Mozilla, like Microsoft, had improved the security of its application.
Mozilla wasted little time firing back. "When you compare how long it takes Microsoft to fix Internet Explorer vulnerabilities versus how long it takes Mozilla to fix vulnerabilities in Firefox, it becomes clear why he chose to count vulnerabilities in this report instead," Window Snyder, who heads Mozilla's security efforts, charged last week in a blog posting of her own.
Others at the open-source developer chimed in. Mike Shaver, Mozilla's chief evangelist, called Jones' logic baffling. "Jeff is saying that Mozilla's products are less secure than Microsoft's because Mozilla fixed more bugs," said Shaver. "By that measure, IE4 is even more secure, because there were no security bugs fixed in that time frame. Microsoft should be embarrassed to be associated with this sort of ridiculous 'analysis.'"
Mike Schroepfer, Mozilla's vice president of engineering, also took Microsoft to the woodshed, first criticizing the vendor for not providing a public bug database so that Jones' numbers could be verified, then discounting the figures entirely. "Bug counts are meaningless; what matters is whether you are at risk or not," Schroepfer said.
In a telephone interview, Snyder ran with that line of reasoning. "Microsoft only counts the vulnerabilities that have been reported externally," she said, and it doesn't include in its total those found by its own engineers or by penetration testers it hires to hammer on its software. Those bugs, said Snyder -- who once worked at Microsoft as a security strategist and was responsible for signing off on the security aspects of Windows XP SP2 -- are patched in the less-frequently-released service packs or major updates.
"[The public] always sees just a subset of Microsoft's vulnerabilities," Snyder claimed. "Firefox will always have more vulnerabilities, because we count everything. When you count Mozilla security bugs, you are seeing not just those that are reported externally, but also the ones that would be considered internal if we acted like most other software vendors."
For that reason it's useless to compare the two browsers by counting bugs. "That's only useful to compare one project with itself over time," she argued.
Rather than add up flaws that have been fixed, Snyder stuck with Mozilla's long-used argument that the time it takes a vendor to issue a patch and get it deployed on users' machines is a better metric. "There's a lot of value in how long it takes a vendor to fix a vulnerability once it's been identified. Jeff knows that. He was one of the first to talk about days-of-risk."
Snyder cited at-risk calculations done by Brian Krebs of the Washington Post nearly a year ago. In 2006, said Krebs, Firefox users were exposed to unpatched exploit code for only nine days, compared to 284 days for IE users. Meanwhile, Schroepfer backed Mozilla's claim by pointing to a risk ranking based on data from Danish bug tracker Secunia ApS.
Mozilla has not done its own days-of-risk analysis, Snyder admitted, but she said it plans to release figures for 2007 soon after the first of the year.
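To make the difference between the two metrics concrete, here is an added example (not from the article, Microsoft or Mozilla) that computes a plain fixed-bug count and a days-of-risk figure over the same constructed set of flaw records. The browser names, the dates and the rule that a day counts as exposed from public disclosure until the day before a fix ships are assumptions chosen for illustration, not a reconstruction of the Krebs or Jones methodology.

```python
from datetime import date, timedelta

# Constructed sample records (not real advisory data): one tuple per flaw,
# (day exploit details became public, day a fix shipped).
# A fix date of None means the flaw was still unpatched at the period's end.
SAMPLE = {
    "browser-A": [
        (date(2006, 1, 10), date(2006, 1, 12)),
        (date(2006, 1, 11), date(2006, 1, 15)),   # overlaps the first window
        (date(2006, 6, 1),  date(2006, 6, 4)),
    ],
    "browser-B": [
        (date(2006, 2, 1),  date(2006, 5, 1)),
        (date(2006, 11, 1), None),                # unpatched at year end
    ],
}

# Assumed reporting period: calendar year 2006, inclusive on both ends.
PERIOD_START = date(2006, 1, 1)
PERIOD_END = date(2006, 12, 31)


def bug_count(records):
    """The count-of-fixes metric: number of flaws patched in the period."""
    return sum(1 for _, fixed in records if fixed is not None)


def days_of_risk(records, period_start, period_end):
    """Calendar days in [period_start, period_end] on which at least one
    flaw was public but unpatched. Overlapping exposure windows are
    counted once, so this is a union of days, not a sum of durations."""
    exposed = set()
    for disclosed, fixed in records:
        start = max(disclosed, period_start)
        last = fixed - timedelta(days=1) if fixed else period_end
        day = start
        while day <= min(last, period_end):
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def yearly_report(sample=SAMPLE):
    """Map each browser to (fixed-bug count, days of risk) for the period."""
    return {name: (bug_count(recs), days_of_risk(recs, PERIOD_START, PERIOD_END))
            for name, recs in sample.items()}
```

On this constructed data browser-A fixed more flaws but left its users exposed for far fewer days, which is exactly why the two metrics can point in opposite directions.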
Snyder essentially called Jones' analysis a public relations move. "Microsoft is worried that if it ever says it has fixed x security issues, the world will focus on the fact that it had x vulnerabilities in the first place, not that they are now fixed and no longer a risk for users," she said.
"We had thought that people recognized that this wasn't a valuable metric, that it couldn't tell the whole story," Snyder said in explaining why Mozilla felt it had to contest Jones' numbers. "In the past, we haven't made a big deal of it, but when you see this kind of imbalanced analysis, you have to set it straight.
"We're not building fixes for our PR team, we're building them for our users. Go ahead and count."
Microsoft declined to make Jones available for an interview today.