Symantec’s browser report misleading
In recent days I’ve been in a bit of a dustup with my friend Gio over at The Agency Blog concerning browser security. On that same issue, I found this cNet article very interesting…
Security Watch: In defense of Mozilla Firefox
Here are some excerpts:
Let’s look at those numbers in greater detail. Symantec says that from January through June 2005, there were 25 vendor-confirmed vulnerabilities reported in Mozilla Firefox, 18 of which Symantec classified as high threats, while there were 13 vendor-confirmed vulnerabilities reported in Microsoft Internet Explorer, 8 of which were classified as high threats. But Symantec’s talking about only those vulnerabilities that the vendor confirms, not all of the publicly known vulnerabilities that are out there. Microsoft is well known to be tone-deaf to independent security researchers.
…I ask only that the vendor be responsible and fix the security vulnerabilities, especially the critical ones, in a timely fashion. Microsoft isn’t one of those vendors. According to Secunia, Internet Explorer 6.x has several unpatched, critical security vulnerabilities dating back to 2003 (the first year Secunia offered its own security alerts). And this month, Microsoft arrogantly decided not to issue any security patches — none.

It might be an interesting exercise to look into how many of those holes were fixed with the release of SP2 for Windows XP…