A very common misconception about open source projects is that there are more eyes on the code and therefore a potential improvement in security.

The average open source project does not go through more or less security review than a Microsoft product, at least not in an organic fashion from "the community." There is not a team of people simply looking at Firefox code all day for security vulnerabilities simply because they want to help out. They are either employed by Mozilla or they are researchers that have something to gain from finding vulnerabilities. But there is definitely not a large group of Birkenstock-wearing college kids pounding on open source projects for vulnerabilities all day. The closest thing to that would be something like OpenBSD, maybe. Microsoft and Mozilla both get their security auditing done by shelling out money to employees and contractors who are performing security testing and code audits against their product[s]. Microsoft spends more money on security, but that all makes sense considering they have a much bigger problem than Mozilla. Mozilla, to their credit, also hires contractors and employees to do security audits, and they even do something above and beyond Microsoft by offering researchers $500 for every security bug they report. That is more of a cute gesture though, really, considering a remote Firefox vulnerability is worth a lot more than $500.

The more interesting aspect of this Firefox 3.0 vulnerability, beyond the usual flaming between people who are not thinking with logic but rather loyalty, is that Firefox has finally gained enough market share that it has caught the attention of the mainstream hacking community. Market share, with a few small exceptions, is the one thing that makes a difference in software being audited for vulnerabilities. If you are a small company with small market share, security is the last thing on your mind, and researchers don't care because finding a bug in your software is of no value. However, the bigger the market share, the bigger the target, and the more those companies CAN spend on securing their software.

What you are seeing with companies like Mozilla and Apple is a side effect of them actually starting to become successful, in the sense of the size of their market share. If tomorrow you woke up and Mozilla or Apple were at 50% market share with Microsoft, then you would see security problems in those companies' products as frequently as you do with Microsoft, although in some cases that is already true. So if I were Rod Trent, the lover of all things Microsoft, I would be more upset not about who is more secure or not, but about how Google, Apple, and Mozilla are hot on Microsoft's ass. HEH :-) Friday humor, man!

Microsoft's iron grip on the computing industry will simply be dead within the next 10-15 years. The operating system is no longer Windows, it is the web. Microsoft has no control over the standards, presentation layers, and APIs of the web-based operating system of now and the future, and that control is the only thing that kept them where they are at today, because they could control the platform. Not that they will give up the "OS" without a fight. They understand that the web is the new platform and things like Flash/Flex/"AJAX" are some of the biggest components of this new platform, which is why they are trying their damndest with Silverlight, although getting nowhere fast. That is not to say there will not be PCs and operating systems in the future, but they will be not much more than what is needed to receive and render high-speed internet data. Which has to make one wonder what the future is for hardware manufacturers that are always pushing for more storage, more memory, more speed. You simply won't need all of that as things eventually top out and only gradually increase as bandwidth and visualization needs do.

Or not.

Marc Maiffret
Founder/CEO
Invenio Security
Security Services & Training
http://www.inveniosecurity.com
