Thursday, December 18, 2008

Mozilla Responds To Claims That Firefox Is The "Most Vulnerable App"

As we reported earlier this week, Firefox topped Bit9 Inc.'s list of 2008's Most Popular Applications with Critical Security Vulnerabilities. Shortly after the article was published, Mozilla fired back, refuting Bit9's vulnerability claims.

On the Mozilla Security Blog Johnathan Nightingale writes, "There has been some interest in the last few days about a recent report from a company called Bit9 about application vulnerabilities. While we’re always happy to see stories that focus on educating our users about security, there are some problems with Bit9’s methodology that hinder its ability to draw any meaningful conclusions."

Mr. Nightingale says comparing companies that publicly report vulnerabilities against those that don't is an unfair and unreasonable assessment. Simply put, a company that doesn't disclose vulnerabilities isn't necessarily less vulnerable than one that does; you just don't get to hear about those issues.

"Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities.

Mozilla's security process involves regularly identifying, fixing, testing, and releasing security updates to keep our users safe, and we do that in a public way so that others can scrutinize our processes and help make them better. To suggest that this openness is a weakness because it means that we have "reported vulnerabilities" is to miss the reality: that software has bugs. A product's responsiveness to those bugs and its ability to contain them quickly and effectively is a much more meaningful metric than counting them."

Nightingale concludes by stating, "Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of it being announced." This was a fact Bit9 was clear in conceding: in their full report they added that almost all of the vulnerabilities, from almost all of the companies, had been fixed.

The clear problem is not with Firefox, nor is it with Firefox's security. While it is very secure, and probably not the most vulnerable app on the list, Firefox is still a vulnerability when it is unpatched, just like any other application. In his response Nightingale appears to have overlooked one of the main criteria, which is that the application "Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists."

In the enterprise world, a lot of the time your patching is done through manual rollouts and not by the actual user. Third-party apps can, and often do, go unpatched for days, weeks, even months. I'm sure we all know how reliable people are at keeping all their software up to date. So while Firefox might be secure and those bugs are fixed, those fixes may or may not be applied.
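The gap described above, between a fix existing and a fix being installed, is something a defender can measure from a software inventory. The script below is an added example, not code from this post, from Mozilla or from Bit9. It assumes a simple comma-separated inventory export (hostname, application, version), uses a constructed sample inventory, and treats the minimum fixed version as a placeholder you would replace with the release that actually carries the fix you care about; it then lists every host still running an older build and reports the patch coverage for that application.

```python
"""Patch-coverage check for an application that relies on end-user updates.

A fixed vulnerability is only closed on the hosts where the fix has actually
been installed. This script reads a software-inventory export (one host per
line), compares each host's installed version of one application against an
assumed minimum fixed version, and reports which hosts are still exposed.

All hostnames, versions and the minimum fixed version are CONSTRUCTED sample
values, not data from the post or from Bit9's report.
"""
import re
from typing import Iterable, List, Tuple

# Constructed sample inventory: "hostname,application,version" per line.
SAMPLE_INVENTORY = """\
# host,application,version
ws-finance-01,Firefox,3.0.5
ws-finance-02,Firefox,3.0.3
ws-hr-07,Firefox,2.0.0.20
ws-dev-11,Firefox,3.1b2
ws-dev-12,Chrome,1.0.154.36
ws-ops-03,Firefox,3.0.5
"""

# Placeholder: the first release that contains the fix (assumed, not from the post).
MIN_FIXED_VERSION = "3.0.5"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers.

    Only the leading digits of each dotted component are used, so '3.1b2'
    becomes (3, 1) and the beta marker is ignored. Trailing zero components
    are dropped so that '3.0.5.0' compares equal to '3.0.5'.
    """
    parts: List[int] = []
    for component in text.strip().split("."):
        match = re.match(r"\d+", component)
        if match is None:
            break  # non-numeric component: stop parsing here
        parts.append(int(match.group()))
        if match.end() != len(component):
            break  # e.g. '1b2': keep the 1, ignore the suffix and the rest
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_inventory(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse 'host,application,version' lines; blank lines and '#' comments are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, app, version = (field.strip() for field in line.split(",", 2))
        records.append((host, app, version))
    return records


def unpatched_hosts(inventory_text: str, application: str,
                    min_fixed: str) -> List[Tuple[str, str]]:
    """Return (host, version) pairs running `application` below `min_fixed`."""
    floor = parse_version(min_fixed)
    stale = []
    for host, app, version in parse_inventory(inventory_text.splitlines()):
        if app.lower() != application.lower():
            continue  # other applications are out of scope for this check
        if parse_version(version) < floor:
            stale.append((host, version))
    return stale


def patch_coverage(inventory_text: str, application: str, min_fixed: str) -> float:
    """Fraction of hosts running `application` that are at or above `min_fixed`."""
    total = sum(1 for _, app, _ in parse_inventory(inventory_text.splitlines())
                if app.lower() == application.lower())
    if total == 0:
        return 1.0  # nothing installed means nothing exposed
    stale = len(unpatched_hosts(inventory_text, application, min_fixed))
    return (total - stale) / total


if __name__ == "__main__":
    for host, version in unpatched_hosts(SAMPLE_INVENTORY, "Firefox", MIN_FIXED_VERSION):
        print(f"UNPATCHED {host}: Firefox {version} < {MIN_FIXED_VERSION}")
    pct = 100 * patch_coverage(SAMPLE_INVENTORY, "Firefox", MIN_FIXED_VERSION)
    print(f"Firefox patch coverage: {pct:.0f}%")
```

The version parser deliberately ignores pre-release suffixes rather than failing on them; a beta build such as 3.1b2 sorts as 3.1 and so counts as newer than 3.0.5, which is what you want when the question is "does this host still run the old branch", but it also means a beta that lacks a backported fix would not be flagged, so treat pre-release entries as a separate review item.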

I'm a big Firefox supporter, have been for years and will continue to be. I personally believe the software to be amongst the most secure out there. But to fully understand the context of the article you need to look at this from the enterprise standpoint and not the end-user side. If you take into account the reliability of the users using the software, you can see Bit9 may have a point.


  1. Anonymous5:06 AM

    Firefox has an auto-update feature that automatically checks to see if you are up-to-date with all the latest fixes. This greatly increases the likelihood that an end user will find and install security updates. Your article ignores this feature.

  2. While it increases the likelihood, it still relies on the end user applying those updates. Should the user ignore the update or choose not to install it, then you are stuck with unpatched apps on your network.

