Monday, September 26, 2005

The browser wars are back: on security turf

In this article, "OSS means slower patches", David Sykes from Symantec makes some absurd claims about open source being slower to patch than closed source.

"It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window."

So... "commercial imperative" is a requirement to be quick with patches? Where has this guy been for the past 10+ years, when commercial vendors have done everything to thwart publication of vulnerabilities and have been the slowest to patch (and still are, such as Oracle and Cisco)?

Also, "I'm sure [relying on the goodwill and best efforts of many people] is part of what is causing the blow-out in the patch window" is entirely an opinion statement. There are actual people with actual data working on the Mozilla project whom the reporter or even Mr Sykes could have asked. But no, they go with the unsubstantiated opinion of a purported expert on the matter instead.

Of course, Mr Sykes has a vested interest in maintaining a level of fear in users, to keep them buying Symantec products to protect themselves.

Fortunately, the Mozilla organization has hit back with the facts: "Mozilla hits back at browser security claim"

He also argued that, according to security company Secunia's statistics, the Microsoft vulnerabilities were more critical, and had been so over a longer timescale. In the period 2003 to 2005 Secunia have issued 22 security advisories regarding Firefox 1.x, and rate it as "less critical". In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as "highly critical".

"Basically their vulnerabilities are more critical. With Firefox — yeah, you have holes, but they're much less serious." Nitot likened the differences between Firefox and IE vulnerabilities as being like injuries: "Which would you prefer, to have a broken finger, or your head ripped off?"
