CIO.COM: Mozilla and “Counting Still Easy…”

[DISCLOSURE for those who don’t read about boxes:  I work for Microsoft.]

cio3 I admit that I enjoy discussing issues and digging into claims to see if I can find fractures or flaws in logic.  When I ran product management teams for companies in previous roles, I would always review our draft product glossies and papers and generate a lot of red ink, providing feedback like “we can’t make this claim, we have no evidence to support it.”  There are some countries where that is a particular concern (though I note that the German Mozilla page seems to include all of the same stuff as the US page 

I suppose if I was in political reporting, I’d want to have one of those TV shows that does fact checking after the political debates.

But I really didn’t anticipate some of the vitriolic responses I’ve gotten to this article series.  Seriously, folks can apparently say anything about Microsoft or about me personally, call me a troll, question motives, call me an out and out liar, question my parentage, whatever – but if I dare to challenge unsupported marketing claims of others I guess I’ve really crossed the line.  I even saw one blog posting that declared that I must be in the camp that will “… do anything to win.”  Daring to challenge unsupported marketing claims is apparently doing “anything to win.”  I say again, wow.

Strangely enough, few of these “critics” actually ever have anything substantial to add to the conversation.  No alternate analysis that is anything but flimsy and contrived.  Few arguments beyond (my paraphrasing) “you must be wrong because your results don’t match my expectations” or “you work for Microsoft, therefore you lie!” 

I believe their fondest hope is that they can distract people from actually digging into the details and discovering that it isn’t quite as simple as declaring yourself “the safest XYZ software available.”

What can I say?  Bring it.  Sticks and stones and all that jazz.  I’m happy to stand up and openly debate you at any conference you want name and stand by my analysis and words.

Thanks for your indulgence 😉  Back to the original topic.

Yesterday, I submitted Part 3 of my article series to (you can view all parts on Jeff Jones author page).  I had originally intended to have Part 3 cover 2007 and 2008 vulnerability data and exposure charts, but the more I thought about it, the more I realized that my detractors would probably try to distract from the data with similar arguments to what was used in the Mozilla rebuttal (Counting Still Easy, Critical Thinking Still Surprisingly Hard) to my 2007 paper on IE and Firefox vulnerabilities.  So, instead, I have digressed a bit to dig into the key concerns and assertions raised in that rebuttal. 

The section header (from “Count Still Easy…”) that I will dig into is “You can only count what the vendor wants you to see,” and there are two specific quotations which I think are interesting:

  • “We count every defect distinctly. We count the ones that Mozilla developers find in-house. We count the things we do to mitigate defects in other pieces of software, including Windows itself and other third-party plugins. We count memory behavior that we think might be exploitable, even if no exploit has ever been demonstrated and the issue in question was found in-house.”
  • “It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability “counted” for, say, seven defects repaired.

To dig into these two, I will ask and answer three questions:

  1. Does Mozilla Count All Vulnerabilities?
  2. Are There Cases of Multiple Mozilla Vulnerabilities Assigned a Single Identifier?
  3. Does Mozilla Silently Fix Issues in New Versions?

Given the very strong and public assertions that I quoted above, I think most people would assume that the answers to these questions are YES, NO, and NO, respectively.  I mean, if I had to assume and wasn’t going to take the time to look beyond the confident assertions, I would probably assume yes, no and no. 

Therein lies my problem, it is only an assumption.  Read Part 3 to find out what I discovered when I checked.

Best regards ~ Jeff

Share this post :

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »