The diary and photos of Chris Beach. I'm into windsurfing, coding, badminton, drawing and composing music using computers and synths.
comment on journal entry: the latest firefox bug - flagged 'extremely critical'
  • What was it that Twain said about statistics?
    Pick your numbers. If you look at bugs found in the last 5 months, then sure, the new kid on the block has more. If you look at the number of still-unpatched bugs, the figures tilt the other way.

    Note: all these numbers are from Secunia, the same source you used.

    Firefox 1.x: 5 bugs unpatched
    Internet Explorer 6.x: 19 bugs unpatched
    I could have stopped here, like you did, with one pair of convenient numbers, but I'd prefer to be honest about it and admit that, since IE has been around longer and people have found more bugs in it, the percentages work out the same. Of course, some of those 19 unpatched IE bugs have been around for a year or more....

    But let's look at some other information and see how these trends hold up.

    How about criticality?
    Firefox: 6% extremely critical, 13% highly critical, 31% moderately critical - altogether 50%
    Internet Explorer: 14% extremely critical, 28% highly critical, 22% moderately critical - altogether 64%

    Type of vulnerabilities?
    The largest category of Firefox vulnerabilities (30%) is spoofing -- allowing one website to impersonate another. The largest category of IE vulnerabilities (again, 30%) is system access.

    So sure, you can find one pair of numbers that make Firefox look less secure than IE. But across the board, it's the other way around. [Kelson] [reply]
    • if we're gonna get technical
      Right then, let's take a closer look at this.

      Regarding the severity of bugs, let's assume we have a bell-curve distribution - statistically, on average, the number of bugs at the extreme ends of the curve (e.g. 'extremely critical' or 'not critical') will be far less significant than the modal number of bugs (which will be those of average severity). What I learnt in statistics at school was that as the amount of data increases, the rate of extreme data also increases. This means the first few vulnerabilities are more likely to be of average severity rather than extremes. However, as the total number of reports increases, so does the width of the bell curve, and the number of extremes will therefore increase disproportionately highly.

      What I mean by all of this is that statistically, a product like IE is more likely to have disproportionately more extreme reports than a product such as Firefox, simply because IE has had more reports. Only once Firefox has accumulated the same total number of bugs as IE can the distribution of 'extremely critical' bugs be compared.

      As I responded to a previous commenter:

      You say 14% of reported IE bugs are 'extremely critical,' which is true. However, you fail to mention that all such bugs have been patched long ago by Microsoft. The last 'extremely critical' vulnerability in IE was discovered six months ago and patched shortly afterwards. Do you realise that all Firefox needs is another one, or maybe two of these 'extremely critical' bugs before they form a higher proportion of its vulns than in the case with IE.

      As for there being 19 vulnerabilities unpatched in IE, this is simply incorrect, since the latest version IE6 SP2 is only vulnerable to a handful of them. Unlike the case with Firefox, Secunia reports IE vulnerabilities from all releases of IE6 in one report. Many of the IE vulnerabilities marked 'unpatched' have actually been fixed for the version that most people are using, but linger in early versions of IE6. Firefox, on the other hand, has had its vulnerabilities split between two groups on Secunia, Firefox 0.x (4 out of 29 vulnerabilities unpatched), and Firefox 1.x.

      Let's not forget that there are some very obvious reasons why Firefox has fewer reported bugs than IE.

      - Firefox has a much smaller user-base to discover and report bugs
      - IE has been around for six+ years, vs Firefox's one
      - Mozilla employs a strict policy of secrecy around releases of bugs to security organisations. It uses the $500 bounty as a bribe to ensure the details of its holes are not leaked. In the bug I refer to in the article, the details were leaked to Secunia against the wishes of both Mozilla and the guy who found them. IE, on the other hand, has hundreds of stakeholders in minority browsers publicising its bugs because it's good propaganda for Firefox, Opera, Konqueror et al.
      [Chris Beach] [reply]
      • IE bugs weren't brought onto this plane of existence by Firefox, Konqueror etc.
        You do realise that IE would still have bugs, and people would still discover bugs, even if there were no other browsers on Earth right? [Alistair McMillan] [reply]
        • err..
          To be honest, I'm not sure what you're referring to when you say that. Of course I understand that IE bugs exist independently of Firefox, Opera et al.

          Having said that, the existence of competitors with advocacy programs and evangelical campaigns will undoubtedly encourage the many stakeholders to find and publicise bugs in IE. It helps their cause. [Chris Beach] [reply]
          • That is exactly what I was referring to.
            Some people do take great pleasure in pointing out IE bugs.

            However, as far as I remember, the Firefox advocacy campaigns (who are most vocal in the list of competitors) seem to concentrate more on features rather than bugs. I can't remember one Firefox advoc site that talks about buffer overruns or anything like that except as bullet points in big long lists. [Alistair McMillan] [reply]
            • 'cause' mentality
              What the advocacy sites do well is to encourage people to join a 'cause.' People love subscribing to a cause! In Mozilla's case, they are championing web standards with their flagship browser, Firefox, liberating people from a single choice of software. It's emotive language designed to inspire, rather than to inform. [Chris Beach] [reply]
              • And...
                That is a bad thing how? [Alistair McMillan] [reply]
                • What's the problem with 'cause' mentality?
                  For the 'cause' there is certainly no problem. It's the best thing to happen to a software house PR campaign. Like religious evangelism, the 'cause' mentality helps rid the followers of logic and reason (those irritating anti-cause factors), and concentrate on supporting and embellishing the cause, regardless of its intellectual merit and tangibility.

                  For Mozilla it's great.

                  For intelligent, objective consideration of competing technologies, 'cause' mentality is the worst possible detracting force. [Chris Beach] [reply]
                  • "the 'cause' mentality helps rid the followers of logic and reason"
                    Kind of like Microsoft evangelists.

                    Not pointing any elbows of course. :) [Alistair McMillan] [reply]
                    • hehe
                      If MS evangelists existed, they'd be able to counteract the Mozilla evangelists and the Wikipedia wouldn't be in such a sorry state. [Chris Beach] [reply]
            • blah blah blah tabbed browsing
              blah blah blah pop-up blocker
              blah blah blah standards support
              blah blah blah cross-platform
              blah blah blah [Alistair McMillan] [reply]