Reporting on Security…
Here is yet-another-pathetic-zdnet-article attempting to convince its readers that Firefox is many times more “insecure” than IE. Not that I would expect anything more from any Ziff-Davis publishing subsidiary. The article itself sounds an awful lot like some recent Microsoft propaganda trying to discredit Linux as being vastly more vulnerable than Windows.
Here are some key points one should take into account when reporting on, or reading, articles about security.
[Vulnerabilities v. Exploits]
There is a difference between simply finding a vulnerability and there being a working exploit for it. A reported vulnerability is a bug somebody could in principle abuse; an exploit is code that actually abuses it. How many actual “real world” exploits are out in the wild, and how many of the reported vulnerabilities do they cover?
[Severity of the Problem]
Not all exploits or vulnerabilities are equal. Vulnerabilities should be weighted by severity, especially if you are trying to do some “actual” comparison between products, rather than simply counted. A vulnerability that lets someone take control of your machine and use it as a spam relay is not nearly the same as a vulnerability that allows someone to read several files in your home directory.
[Days of Vulnerability]
How long was the vulnerability public before it was corrected? How many unpatched vulnerabilities still exist? A product whose issues are fixed within days exposes its users far less than one whose issues sit unpatched for months, even if the first product has more issues reported.
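To make the three points above concrete, here is a small scoring script. It is an added example of my own, not code from the ZDNet article or from Secunia, and everything in it is made up: the two product names, the advisory identifiers, the dates, and the severity weights are constructed purely for illustration. It shows how the same two vulnerability lists rank one way by raw count and the opposite way once severity, exploitation and days of exposure are taken into account.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed severity weights. The scale and its weights are a choice you
# have to make, and state, before comparing products; these are illustrative.
SEVERITY_WEIGHT = {"less_critical": 1, "moderate": 3, "high": 10, "extreme": 30}


@dataclass
class Vuln:
    vid: str                    # hypothetical identifier, not a real advisory
    severity: str               # key into SEVERITY_WEIGHT
    disclosed: date             # date the issue became public
    patched: Optional[date]     # None means still unpatched
    exploited_in_wild: bool = False


def days_of_exposure(v: Vuln, today: date) -> int:
    """Days between public disclosure and the fix; unpatched issues keep counting."""
    end = v.patched if v.patched is not None else today
    return (end - v.disclosed).days


def summarize(vulns: list[Vuln], today: date) -> dict:
    """Raw count beside the metrics that actually describe the risk."""
    return {
        "count": len(vulns),
        "unpatched": sum(1 for v in vulns if v.patched is None),
        "exploited": sum(1 for v in vulns if v.exploited_in_wild),
        "weighted": sum(SEVERITY_WEIGHT[v.severity] for v in vulns),
        # severity-weighted days of exposure: one long-lived extreme issue
        # dominates a handful of quickly fixed minor ones
        "weighted_exposure_days": sum(
            SEVERITY_WEIGHT[v.severity] * days_of_exposure(v, today) for v in vulns
        ),
    }


def rank(products: dict[str, list[Vuln]], metric: str, today: date) -> list[str]:
    """Product names ordered worst-first by the chosen metric."""
    scores = {name: summarize(vs, today)[metric] for name, vs in products.items()}
    return sorted(scores, key=lambda n: scores[n], reverse=True)


# Constructed sample data: two fictional products, scored as of a fictional date.
TODAY = date(2005, 9, 19)
PRODUCTS = {
    "ProductA": [  # many reports, mostly minor, fixed within days
        Vuln("A-1", "moderate", date(2005, 6, 1), date(2005, 6, 8)),
        Vuln("A-2", "less_critical", date(2005, 7, 1), date(2005, 7, 3)),
        Vuln("A-3", "high", date(2005, 7, 15), date(2005, 7, 25)),
        Vuln("A-4", "moderate", date(2005, 8, 1), date(2005, 8, 5)),
        Vuln("A-5", "less_critical", date(2005, 9, 1), None),
    ],
    "ProductB": [  # fewer reports, but one extreme issue exploited and still open
        Vuln("B-1", "extreme", date(2005, 5, 1), None, exploited_in_wild=True),
        Vuln("B-2", "high", date(2005, 6, 15), date(2005, 8, 15)),
        Vuln("B-3", "moderate", date(2005, 8, 20), date(2005, 9, 10)),
    ],
}

if __name__ == "__main__":
    for name, vs in PRODUCTS.items():
        print(name, summarize(vs, TODAY))
    print("worst by raw count:", rank(PRODUCTS, "count", TODAY)[0])
    print("worst by weighted exposure:", rank(PRODUCTS, "weighted_exposure_days", TODAY)[0])
```

Run it and ProductA “loses” on raw count (five reports against three) while ProductB loses on every metric that matters: it has the only exploited issue, and its severity-weighted days of exposure are more than thirty times ProductA’s, almost entirely because of one extreme, still-unpatched bug. Whatever weights you pick, state them; the point is that the headline number without them tells you nothing.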
I, for one, would EXPECT there to be more vulnerabilities reported for an open source program such as Firefox. Why? Because of the fact that it IS open source. Isn’t that the whole point of the “more eyes” thing? The whole development process is transparent, open to anyone. In a closed development process, if a vulnerability is found it is more than likely corrected discreetly; no one would know. In addition to that, being a closed source product…how many vulnerabilities in the code exist that we simply won’t know about until it’s too late?
The fact of the matter is, if you actually read the Secunia reports that the ZDNet article points to, you will see that IE has far more unpatched vulnerabilities (IE 28% Unpatched, 13% Partial Fix; Firefox 14% Unpatched, 5% Partial Fix) and far more critical vulnerabilities (IE 14% Extreme, 19% High; Firefox 0% Extreme, 23% High).
September 19th, 2005 at 11:25 am
I can’t stand that myself. There have been countless debates where some idiot will say project X has xx vulnerabilities. The number of vulnerabilities has absolutely nothing to do with the security level of an application.