Interviewed by CNN on 17/05/2011 11:01, [email protected] told the world:

> Is this a true statement or just more MS-propaganda -- once one
> parses his statement?
>
> "Many readers might still think that Microsoft (my full-time employer)
> has the most vulnerable on the market in Internet Explorer. Surprise,
> surprise -- every major vendor that has tried to make a significantly
> less vulnerable browser has failed. Chrome, Firefox, and Safari have
> vulnerabilities numbering in the hundreds -- far more than Internet
> Explorer in the same time periods. It turns out making a truly secure
> browser is harder than it looks."

I have seen similar claims in the past. Mostly, they compare publicly available records of known security problems, both the fixed and unfixed sort -- sometimes together, sometimes separately.

Here's the thing: Mozilla's development is mostly made in the open. Security issues ALWAYS go public, usually very quickly. The response is usually quick too. There's also the matter of bug duplication -- bugs are frequently reported two, three or ten times, and not all the duplicates are identified as such. So this makes for a large bug count.

That's also (partially) true for Webkit browsers, since much of their development is also open -- although Apple and Google do a lot of things behind closed doors.

IE's development, in contrast, is done secretly. Few people have access to their source code to audit it. No outsider knows how many security issues they REALLY know about. Nobody knows how many they DO know about but haven't bothered to fix. When they post a fix, many times we don't know for how long that has been a known issue that wasn't fixed. Some issues may be quietly fixed without MS ever acknowledging that there was a security bug in the first place. So this means that the public bug count is smaller than the real bug count.

So it's an unfair comparison, plain as that. Microsoft compares a partial count with a full (sometimes more-than-full) count in their competition.

Note that he doesn't mention Opera -- because Opera, being closed-source, has the same ability to do "spin control" on their bug list. Therefore, the known issues list for Opera is also far smaller than Mozilla or Webkit.

Now, there is another metric that's worth watching -- how long a publicly-known bug takes to be fixed. Microsoft does not have a very good record with that.

--
MCBastos

This message has been protected with the 2ROT13 algorithm. Unauthorized use will be prosecuted under the DMCA.

-=-=-
... Sent from my telegraph office.
*Added by TagZilla 0.066.2 running on Seamonkey 2.0.14
* Get it at http://xsidebar.mozdev.org/modifiedmailnews.html#tagzilla

_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey

