Firefox Users Most Secure on Internet, Study Reveals

,----[ Quote ]
| Mozilla Firefox fans might rest a little easier these days after a study
| released Tuesday revealed that its users are most secure on the Internet.
`----

Even Microsoft's betas ship with serious, publicly known flaws:

Microsoft Internet Explorer Vulnerability Warning Issued

,----[ Quote ]
| Microsoft's Internet Explorer 6, 7, and 8 beta 1 appear to contain a security
| flaw that could subject users who visit a malicious Web site or open a
| malicious e-mail message to arbitrary code.
`----

Microsoft typically patches flaws silently rather than disclosing them;
shipping closed-source binary blobs is what makes that possible, since nobody
outside Redmond can see what a given update actually changed.


Web security report says known vulnerabilities fall because criminals pay to
hide them

,----[ Quote ]
| Some researchers fear software vendors are now buying information on the
| vulnerabilities so they can fix them without anyone noticing.
| In other words, Rouland fears, "it is profitable not to (publicly) report a
| vulnerability."
`----


Vista SP1 will contain undocumented fixes

,----[ Quote ]
| Interesting email in today's mailbag: “Will SP1 contain undisclosed or
| undocumented security fixes?”
| For some people, counting the number of security flaws that one OS has
| compared to another is important because it offers a metric upon which to
| determine which OS is the most secure (personally, I feel that it’s a bogus
| metric, but I’ll let it slide for now). However, many claim that Microsoft
| stacks the deck in its favor by not disclosing a full list of vulnerabilities
| that have been patched by omitting to include those discovered and patched
| in-house.
`----

Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update.
`----

Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions.
`----

Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?
`----

Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
| [...]
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----