Tuesday, December 04, 2007

Firefox Security Head Says Microsoft Obscures OS Holes

A Slashdot article from yesterday notes that when Jeff Jones, Security Director at Microsoft, published a study comparing Internet Explorer's security vulnerabilities with those of Mozilla Firefox and concluded that Internet Explorer was more secure, he seems to have forgotten that Mozilla's Head Security Strategist, Window Snyder, is a former Microsoft employee. Moreover, she had been the security lead for the service packs of Windows XP and Windows Server.

Snyder rebuts Jones' study by pointing out that only a small subset of the vulnerabilities Microsoft fixes internally are ever publicly acknowledged, so a count of public advisories says little about how many holes were actually closed. Snyder writes: "...vulnerabilities that are found through the QA process and the vulnerabilities that are found by the security folks they engage as contractors to perform penetration testing are fixed in service packs and major updates. For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update."

The problem for Microsoft users with this policy is that they sometimes have to wait a year or more before they get the benefit of those fixes. Mozilla fixes its bugs openly and ships fixes regularly. Says Snyder: "We're not building fixes for our PR team, we're building them for our users."

For a detailed description of the problem with Microsoft's metric, see Snyder's entry on Mozilla's Security Blog.