- Brian Krebs, Washington Post, Fanning the Flames of the Browser Security Wars
- Brian Prince, eWeek, Security Report Ignites Firefox vs. Internet Explorer Feud
- Ryan Naraine, CNET, Report: Firefox buggier, but issued fixes quicker
I wrote a more in-depth review of the calculated Mozilla patching speed in Mozilla Patches Fastest. NOT!, which you should read. For those of you who want the concise version, here is a quick bit of data.
The Secunia report specifically limited its scope to vulnerabilities disclosed during 2008 (which is fine, unless you want to draw conclusions about overall vendor patching speed). That scope excludes any issue disclosed before 2008 and fixed in 2008, and any issue disclosed before 2008 that was never fixed at all.
So here is my question for those who are really interested in answering how quickly Mozilla fixes vulnerabilities: what is the average if you include the issues below? (Feel free to validate them yourself to confirm that they apply.) Note that I am only listing issues rated High severity in the NVD or Critical in a Mozilla advisory; there were several more rated Medium severity that I ignored. I also limited my search to Firefox 2 vulnerabilities.
- CVE-2007-1736, disclosed 3/28/2007, no MFSA after 631 days (352 in 2008) at product end-of-life
- CVE-2007-2162, disclosed 4/18/2007, no MFSA after 610 days (352 in 2008) at product end-of-life
- CVE-2007-2671, disclosed 5/1/2007, no MFSA after 597 days (352 in 2008) at product end-of-life
- CVE-2007-3072, disclosed 6/4/2007, no MFSA after 563 days (352 in 2008) at product end-of-life
- CVE-2007-3073, disclosed 6/4/2007, no MFSA after 563 days (352 in 2008) at product end-of-life
  - appears to be silently fixed in FF3.0 on 9/30/2008; maybe in FF2 as well, can't tell
  - link: http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/
- CVE-2007-5896, disclosed 11/2/2007, no MFSA after 412 days (352 in 2008) at product end-of-life
I'm not going to do the math, but if you include these six Firefox 2 issues along with the three from the Secunia report, I'm pretty sure the number will be closer to 352 than it will be to zero.
Of course, it may be that some of these issues above were silently fixed by Mozilla. I wouldn’t mind at all if they came out and confirmed my earlier analysis that they may be doing this. It would bring the average down a little.
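To make the scoping argument concrete, here is an added example (not the post's own code) that computes the days-of-exposure metric both ways over the six issues listed above: Secunia's rule, which counts only issues first disclosed inside the 2008 window, and the wider rule that also counts older issues still open during that window, crediting only the days that fall inside it. It assumes a Firefox 2 end-of-life date of 2008-12-18 (the date that reproduces the "352 in 2008" figure above) and uses the disclosure dates from the list; the silent-fix scenario for CVE-2007-3073 is hypothetical, using the 9/30/2008 Firefox 3 date as a what-if.

```python
from datetime import date
from statistics import mean

# Added example; not code from the original post. Disclosure dates are the
# ones listed above. The Firefox 2 end-of-life date is an assumption
# (2008-12-18 reproduces the post's "352 in 2008" figure).
FIREFOX2_EOL = date(2008, 12, 18)
REPORT_WINDOW = (date(2008, 1, 1), date(2008, 12, 31))

# (cve, disclosed, date of the fixing advisory, or None if never patched)
FIREFOX2_ISSUES = [
    ("CVE-2007-1736", date(2007, 3, 28), None),
    ("CVE-2007-2162", date(2007, 4, 18), None),
    ("CVE-2007-2671", date(2007, 5, 1), None),
    ("CVE-2007-3072", date(2007, 6, 4), None),
    ("CVE-2007-3073", date(2007, 6, 4), None),
    ("CVE-2007-5896", date(2007, 11, 2), None),
]


def closed_on(fixed, cutoff=FIREFOX2_EOL):
    """An unpatched issue stays open until the product itself reaches end-of-life."""
    return fixed if fixed is not None else cutoff


def exposure_days(disclosed, fixed, cutoff=FIREFOX2_EOL):
    """Total days from public disclosure to the fix (or to end-of-life)."""
    return (closed_on(fixed, cutoff) - disclosed).days


def exposure_in_window(disclosed, fixed, window=REPORT_WINDOW, cutoff=FIREFOX2_EOL):
    """Days the issue was open inside the reporting window, clipped at both ends."""
    start, end = window
    lo = max(disclosed, start)
    hi = min(closed_on(fixed, cutoff), end)
    return max((hi - lo).days, 0)


def average_exposure(issues, scope, window=REPORT_WINDOW, cutoff=FIREFOX2_EOL):
    """
    scope="disclosed_in_window": Secunia's rule. Only issues first disclosed
        inside the window count; older, still-open issues vanish from the data.
    scope="open_in_window": every issue open at any point in the window counts,
        credited only with the days that fall inside the window.
    Returns None (not a misleading 0) when no issue qualifies.
    """
    start, end = window
    if scope == "disclosed_in_window":
        selected = [(d, f) for _, d, f in issues if start <= d <= end]
        if not selected:
            return None
        return mean(exposure_days(d, f, cutoff) for d, f in selected)
    if scope == "open_in_window":
        selected = [(d, f) for _, d, f in issues
                    if d <= end and closed_on(f, cutoff) >= start]
        if not selected:
            return None
        return mean(exposure_in_window(d, f, window, cutoff) for d, f in selected)
    raise ValueError(f"unknown scope: {scope}")


def lifetime_average(issues, cutoff=FIREFOX2_EOL):
    """Average disclosure-to-fix (or end-of-life) time with no window at all."""
    return mean(exposure_days(d, f, cutoff) for _, d, f in issues)


def with_silent_fix(issues, cve, fixed):
    """Hypothetical what-if: pretend `cve` was quietly fixed on `fixed`."""
    return [(c, d, fixed if c == cve else f) for c, d, f in issues]


if __name__ == "__main__":
    for scope in ("disclosed_in_window", "open_in_window"):
        print(scope, average_exposure(FIREFOX2_ISSUES, scope))
    print("lifetime average", round(lifetime_average(FIREFOX2_ISSUES), 1))
    what_if = with_silent_fix(FIREFOX2_ISSUES, "CVE-2007-3073", date(2008, 9, 30))
    print("if CVE-2007-3073 were quietly fixed on 2008-09-30:",
          round(average_exposure(what_if, "open_in_window"), 1))
```

Under Secunia's rule none of the six issues qualifies, so the function returns None rather than contributing anything; under the wider rule each contributes the full 352 days of 2008, and the hypothetical silent fix only pulls the average down to the high 330s.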
Mozilla has posted their own thoughts on the Secunia report at: Beware the Security Metric.
Please do read their viewpoint as well, so you have all of the input to draw your own conclusions. Given the above six examples (and my findings in this article), I personally find it ironic that they say this:
Mozilla discloses and releases bulletins for all security issues fixed in Firefox, regardless of how they were discovered. Unlike other vendors that only disclose issues reported by external independent parties, but not by internal developers, QA or security contractors.