Mozilla slams study labelling Firefox as ‘most vulnerable app’
By John Lister
A security firm has ranked Firefox as the most dangerous application system administrators should watch out for on their network. But manufacturer Mozilla has joined a chorus of discontent from people claiming the study is deeply flawed.
The list comes from Bit9, a firm which sells white-listing software to corporations. The products work by blocking all applications which aren’t specifically authorized. That viewpoint partially explains the unusual results.
Bit9 ranked Firefox at the top of its list dubbed ‘the dirty dozen’. The list also included Adobe Acrobat, Windows Live Messenger (MSN), Apple’s iTunes and Skype.
Although Firefox has certainly had its share of security issues, the absence of Internet Explorer is pretty glaring given the recent security loophole, which affected an estimated two million users.
On closer examination, it turns out the study has a condition which, although arguably valid, is likely the sole reason for these results. With the study aimed at IT managers, one of the key points to the rankings is whether patches can be applied across a network from a central point. That is possible under most Microsoft products, but not for products such as Firefox or iTunes. (Of course, it’s a lot easier to provide such a function when your own company designed the operating system.)
To qualify, products must have had at least one ‘critical’ vulnerability this year. They also had to be “well-known in the consumer space and frequently downloaded by individuals” and “not classified as malicious”, thus ruling out most rogue applications.
Jonathan Nightingale of Mozilla says the report is unfair as it effectively rewards firms which are able to keep serious problems secret, and takes no account of how quickly problems are fixed. He also criticized the requirement for a Microsoft-style network-wide patch system, arguing that “our built-in update mechanism requires no user intervention, and we consistently see 90 percent adoption within six days of a new update being released.”
In some ways the study makes a valid point: if people are running ‘non-standard’ applications on a network without the system administrator’s knowledge, the potential for security problems increases. It’s just a shame Bit9 chose a methodology which was (however unintentionally) about as pro-Microsoft as you could design.
December 18th, 2008
There should be some truth in reporting and tainting a company’s reputation. It will be interesting to see if they take back their words against Firefox.
December 18th, 2008
I love Firefox. I use it at home. I have colleagues who work there. I also work at Bit9. The list was aimed at IT administrators and enterprises that need a way to centralize patching and updates. Only popular apps that cannot be centrally updated by IT made it on the list. The writer here, John Lister, got it right here in the description. The only point I’d add is that Microsoft made it onto the list, too. It’s the third year in a row for the list and this year it’s gotten lots more attention for some reason.
December 19th, 2008
The answer is simple: Use Linux. This way ALL programs (including Firefox, OpenOffice, graphics program, music player, etc.) get patched/updated centrally. Windows will never be able to do this.
December 19th, 2008
Linux programs installed outside the repositories of your Distro don’t. The article has to do with network centralized updating. There are many avenues open to a MS shop to do this with additional software.
WTF is it with Linux users that make them so annoying? Totally off subject and wrong. Linux is my OS of choice but I might have to start running BSD to avoid getting painted with the cult brush.
You aren’t helping with Linux acceptance. Stop.