Firefox buffer overflow and full disclosure [LWN.net]

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 15:47 UTC (Sat) by RobSeace (subscriber, #4435)
In reply to: Firefox buffer overflow and full disclosure by cventers
Parent article: Firefox buffer overflow and full disclosure

Oh, please... I do hope you're joking, and aren't actually buying into
that ZDNet FUD... Comparing raw numbers of adviseries is never a good
tactic, to start with... Product X may have a higher number of discovered
bugs than product Y, but that says absolutely nothing about the relative
security of the two... If all of product X's bugs are trivial and cause
no serious problems, while all of product Y's are extremely serious and
lead to easy exploitation and take-over of the system, then which would
you rather be running?? If all of product X's bugs were fixed within a
couple days, while all of product Y's remain unfixed to this day, which
would you rather be running??

(Log in to post comments)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 20:11 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

How about number of machines/users infected/exploited because of each? Or, how about the idea proposed in the link from the first comment on this story: number of safe/unsafe days? Or, if you want to go with simple counts, how about separating the actual critical/important bugs from the minor/trivial ones, and compare apples to apples and oranges to oranges, at least? Or, how about you actually follow the links in that ZDNet story to Secunia, and read what THEY actually have to say on the matter, rather than some ZDNet mouthpiece with an axe to grind? ("Mozilla Firefox 1.x ... 22 total advisories ... 0% extremely critical, 23% highly critical, 36% moderately critical, 32% less critical, 9% not critical ... leads to system access: 18% ... remains unpatched: 14%" versus "Microsoft Internet Explorer 6.x ... 85 total advisories ... 14% extremely critical, 29% highly critical, 20% moderately critical, 14% less critical, 22% not critical ... leads to system access: 31% ... remains unpatched: 28%"... Does Firefox look great? No, certainly not... But, it's not even on the same universe of insecurity as IE is...)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 20:18 UTC (Sat) by cventers (subscriber, #31465) [Link]

I see no point in continuing to push this debate along - neither one of
us is going to have an impact in either the number of Firefox/IE users or
the number of Firefox/IE vulnerabilities.

You're probably right on all regards about establishing the security
difference (who knows, I don't feel like arguing about it).

The bottom line? I guess your definition of universe differs from mine.
Firefox looks incredibly insecure to me. So does Internet Explorer. If
you could define some magic security number and rank all of the Internet
Browsers, Internet Explorer would probably be the worst, followed by
Firefox, followed by the rest of the browsers.

I made this basic claim a number of posts back, and you felt determined
to point out this universe of difference between the two. Frankly, the
gap doesn't seem *that* wide to me. At the end of the day, though, what
have we won? I've wasted a cumulative half an hour arguing over it, and
so have you.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 21:29 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

Arguing online never accomplishes much... But, it's sometimes fun... ;-)

As for other browsers besides IE and FF, I don't know... But, so few people
actually use any of the others that it's nearly irrelevent to the topic at
hand, since at the end of the day 99% of the people are going to be using
either IE or FF... It's like saying compared to OpenBSD, both Linux and
Windoze are horribly insecure... While perhaps true, it's not entirely
relevent if you want to talk about OS's which most people actually USE...
(Oh, no, I just know I've offended some BSD person with that, and am going
to get flamed... ;-) I honestly don't mean anything bad by it... I have
nothing but respect for the OpenBSD team; but, I'm not likely to ever run
their OS, I'm afraid... Nor are the vast majority of others... That's not
their fault, nor does it lessen their accomplishments, but it IS just the
way things are, like it or not...)

Now, maybe you could argue that other browsers are more deserving of the
wide-spread popularity that FF is enjoying... Yeah, maybe so; I don't
know... But, if they were, don't you think more people might start poking
at them, and possibly turn up many more security problems with them, as
well? The FF holes didn't start popping up until it started becoming
popular and wide-spread enough for people to start caring... I know, the
old lame chestnut about "Product X is only attacked because it's the most
popular, and if product Y were that popular, it would appear just as
buggy!" is often used to justify MS's insecurities, but there IS a grain
of truth to the statement... It certainly isn't the whole truth by any
means, but it's not entirely BS, either... If a product is so obscure as
to be off everyone's radar, then it makes sense that fewer people will be
even looking for problems in it... *shrug*

But, anyway... Like you say, I think we've pretty much said as much as we
can on the subject, at this point...