Is this a joke?

Posted Apr 28, 2009 19:37 UTC (Tue) by khim (subscriber, #9252)
In reply to: Firefox 3.0.10 released by sbergman27
Parent article: Firefox 3.0.10 released

> Odd that WebKit doesn't seem to have this chronic problem.

WebKit is somewhat better, but only marginally. You don't hear about it because most WebKit-based browsers will just silently upgrade without even offering you an opt-out choice! And the ones without such "service" are considered unsupported, so you'll never know if you have any security issues until a rootkit is installed on your system...


Is this a joke?

Posted Apr 28, 2009 20:03 UTC (Tue) by sbergman27 (guest, #10767)

Uhhh.... right. If a project pushes out updates automatically then all the security sites ignore any security advisories regarding that software, and news sites like LWN.net decline to report on them. Is that *really* the case that you want to argue?

Of course, I'm assuming, just for the sake of argument, that what you claim about WebKit-based browsers pushing out security updates against the users' will was true.

The lengths to which some die-hard Firefox fans will go... the logical contortions they are willing to accept... to "prove" that the endless stream of security vulnerabilities in Firefox is really a good thing is beyond just worrisome. It's out and out scary.

I doubt that there is a transgression that Mozilla Corp could commit, short of maybe dissing the GPL, that would cause some of the more ardent fans to even think critically about the situation.

Is this a joke?

Posted Apr 28, 2009 22:39 UTC (Tue) by njs (guest, #40338)

I don't think Firefox's security vulnerabilities are a good thing -- I'm not sure who exactly you're arguing with that does -- but it is a fact that Firefox reports internally discovered vulnerabilities as vulnerabilities when they are fixed, while most other browser vendors do not. Therefore, using reported vulnerabilities as an estimate of relative exposure is systematically biased against Firefox. It's possible that even after correcting for that bias then Firefox is the worst. I don't know. But I'm not yet convinced by the evidence available.

If that's "logically contorted", then so be it...

Actually that's not 100% true.

Posted Apr 29, 2009 6:29 UTC (Wed) by khim (subscriber, #9252)

> Therefore, using reported vulnerabilities as an estimate of relative exposure is systematically biased against Firefox.

I'm not convinced of that - only Microsoft practices this hiding approach. Apple and Google are publishing internally-discovered vulnerabilities. And there are fewer of them than in Firefox (8 vs 38 in 2009 so far), but is this difference enough to claim that Firefox is a disaster while WebKit is ideal? The statistic for the full 2008 is 45 Safari vs 102 Firefox. Safari still wins, but the difference is moderate if you recall that Firefox has more subsystems - Safari does does support Firefox-like extensions and all this flexibility does not come free.

Yup.

Posted Apr 29, 2009 6:16 UTC (Wed) by khim (subscriber, #9252)

> If a project pushes out updates automatically then all the security sites ignore any security advisories regarding that software, and news sites like LWN.net decline to report on them. Is that *really* the case that you want to argue?

No. Security sites don't ignore them, only news sites do. If you visit a security database you'll find out that WebKit is vulnerable, Safari is too and Chrome is far from ideal - but they don't issue numbered releases to be downloaded from a site, so LWN does not issue articles on the subject either. Yes, 1/3 of the bugs (159 for Safari vs 455 for Firefox) is a good achievement, but is it enough to say "WebKit doesn't seem to have this chronic problem"?

You cannot do an apples-to-apples comparison between Gecko and WebKit: for Gecko there are just 5 CVEs and for WebKit 27, but I find it hard to believe that out of 455 Firefox vulnerabilities only 5 affect Gecko and some 450 are in different subsystems...

> The lengths to which some die-hard Firefox fans will go... the logical contortions they are willing to accept... to "prove" that the endless stream of security vulnerabilities in Firefox is really a good thing is beyond just worrisome. It's out and out scary.

Yes, it's really scary. Only Firefox-haters are worse...

Is this a joke?

Posted Apr 29, 2009 7:46 UTC (Wed) by epa (subscriber, #39769)

Please distinguish between 'security vulnerabilities' and 'fully disclosed security updates'. It is not possible to say that because program X has more patches released than program Y, that program X has (or had) more vulnerabilities.

A large number of security fixes being published is neither a 'good thing' nor a 'bad thing' in itself.

That's hairsplitting...

Posted Apr 29, 2009 8:28 UTC (Wed) by khim (subscriber, #9252)

Worthy of a Firefox fanboy. It's a known fact that Firefox has more vulnerabilities than WebKit-based browsers. Maybe they are less severe, maybe not. That is not the point. The point is: the numbers of vulnerabilities in Firefox and WebKit-based browsers are of the same order. It's not like the OpenBSD vs Linux comparison: one side has hundreds of potential vulnerabilities, the other one - just a handful ("ten over last ten years" or something like that). Here both sides have a sizable number and these vulnerabilities were exploited in the wild and will surely be exploited in the future. No reason for WebKit developers to feel smug and no reason for Firefox developers to fret over the statistic.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds