Firefox Users Most Secure on Internet, Study Reveals

,----[ Quote ]
| Mozilla Firefox fans might rest a little easier these days after a study
| released Tuesday revealed that its users are most secure on the Internet.
`----

http://www.crn.com/security/208802248

Even Microsoft betas contain serious known flaws:

Microsoft Internet Explorer Vulnerability Warning Issued

,----[ Quote ]
| Microsoft's Internet Explorer 6, 7, and 8 beta 1 appear to contain a security
| flaw that could subject users who visit a malicious Web site or open a
| malicious e-mail message to arbitrary code.
`----

http://www.informationweek.com/news/...leID=208801757

Microsoft typically hides its flaws and patches them secretly (it's possible
with blobs).


Recent:

Web security report says known vulnerabilities fall because criminals pay to
hide them

,----[ Quote ]
| Some researchers fear software vendors are now buying information on the
| vulnerabilities so they can fix them without anyone noticing.
|
| In other words, Rouland fears, "it is profitable not to (publicly) report a
| vulnerability."
`----

http://news.smh.com.au/web-security-...0212-1rrs.html


Related:

Vista SP1 will contain undocumented fixes

,----[ Quote ]
| Interesting email in today mailbag: *“Will SP1 contain undisclosed or
| undocumented security fixes?”
|
| For some people, counting the number of security flaws that one OS has
| compared to another is important because it offers a metric upon which to *
| determine which OS is the most secure (personally, I feel that it’s a bogus
| metric, but I’ll let it slide for now). *However, many claim that Microsoft
| stacks the deck in its favor by not disclosing a full list of vulnerabilities
| that have been patched by omitting to include those discovered and patched
| in-house. * * *
`----

http://blogs.zdnet.com/hardware/?p=1225


Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update. * * *
`----

http://blog.mozilla.com/security/200...osoft-metrics/


http://antitrust.slated.org/www.iowa...00/PX03096.pdf


Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions. *
`----

http://blogs.zdnet.com/security/?p=316


Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?
`----

http://blogs.zdnet.com/microsoft/?p=527


Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
|
| [...]
|
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----

http://www.microsoft-watch.com/conte...129TX1K0000535