When more bugs can mean tighter security

,----[ Quote ]
| The Mozilla Foundation is perhaps best known for its Firefox web browser, an
| open-source offering that was first developed to go head-to-head with
| Microsoft's Internet Explorer.
| Tristan Nitot, the president of Mozilla Europe, has much to say on the
| differences between Microsoft's and Mozilla's approaches to browser
| development. ZDNet.co.uk caught up with Nitot at the Online Information
| conference in London this week to talk about the security of Firefox and
| Internet Explorer (IE), online privacy and the future of open source.



Firefox has ‘at least’ 126m users

,----[ Quote ]
| John Lilly, Mozilla’s Chief Operating Officer, has estimated that Firefox,
| the company’s popular open source web browser, is used by at least 126
| million people aound the world. *


Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update.



Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions.


Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?


Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
| [...]
| The point: Don't count on security flaw counting. The real flaw is
| the counting.