The diary and photos of Chris Beach. I'm into windsurfing, coding, badminton, drawing and composing music using computers and synths.



comment on journal entry: the latest firefox bug - flagged 'extremely critical'


  • Cool!
    I think there will be 1.0.4 soon. So I'm not worried.

    Like an "extremely critical" bug? 14% of IE bugs are "extremely critical", compared to 6% in Firefox. Some are fixed of course, but it still shows you how insecure IE is by design.

    Also, 19 out of 80 Secunia advisories for IE are unpatched. As 6 were reported in 2005, you can see how many bugs from 2004 (or earlier) are still not fixed. ;-) [minghong] [reply]
    • wrong, wrong and wrong
      Firefox 1.0.4... let's see, shall we? Both in terms of a bug fix and correct behaviour of the auto-update feature. Bear in mind that auto-update has failed to kick in both on my Mac and PC with the latest versions of Firefox.

      You say 14% of reported IE bugs are 'extremely critical,' which is true. However, you fail to mention that all such bugs were patched long ago by Microsoft. The last 'extremely critical' vulnerability in IE was discovered six months ago and patched shortly afterwards. Do you realise that all Firefox needs is another one, or maybe two, of these 'extremely critical' bugs before they form a higher proportion of its vulns than is the case with IE?

      As for there being 19 vulnerabilities unpatched in IE, this is simply incorrect, since the latest version, IE6 SP2, is only vulnerable to a handful of them. Unlike the case with Firefox, Secunia reports IE vulnerabilities from all releases of IE6 in one report. Many of the IE vulnerabilities marked 'unpatched' have actually been fixed for the version that most people are using, but linger in early versions of IE6. Firefox, on the other hand, has had its vulnerabilities split between two groups on Secunia: Firefox 0.x (4 out of 29 vulnerabilities unpatched) and Firefox 1.x.

      Let's not forget that there are some very obvious reasons why Firefox has fewer reported bugs than IE.

      - Firefox has a much smaller user-base to discover and report bugs
      - IE has been around for six+ years, vs Firefox's one
      - Mozilla employs a strict policy of secrecy around releases of bugs to security organisations. It uses the $500 bounty as a bribe to ensure the details of its holes are not leaked. In the bug I refer to in the article, the details were leaked to Secunia against the wishes of both Mozilla and the guy who found them. IE, on the other hand, has hundreds of stakeholders in minority browsers publicising its bugs because it's good propaganda for Firefox, Opera, Konqueror et al.
      [Chris Beach] [reply]
      • wrong, wrong, wrong...
        1.0.4 is already out, just a few days after being public.

        > - Firefox has a much smaller user-base to discover and report bugs

        However, much of the user-base of IE is just non-technical people who won't "discover and report" bugs.

        > - IE has been around for six+ years, vs Firefox's one

        Wrong. The core layout engine has been public since 2002 (or earlier?). While some of the currently known (and fixed) bugs affect Firefox only, many affect all Gecko-based browsers. [minghong] [reply]
        • a couple of points
          "However, much of the user-base of IE is just non-technical people who won't 'discover and report' bugs."

          Whilst true, don't forget all the tech support teams (like Alistair's) that see the bugs that non-techy users find.

          "The core layout engine has been public since 2002 (or earlier?). While some of the currently known (and fixed) bugs affect Firefox only, many affect all Gecko-based browsers."

          If we're going to take into account Mozilla, Phoenix, Firebird et al then the Secunia bug situation looks decidedly grim for Firefox! [Chris Beach] [reply]