Update: Window Snyder (in charge of security at Mozilla) has posted a great analysis of the report. Please read Better metrics for security, understanding the Symantec Security Threat report.

I've been reading the 10th edition of Symantec's Internet Security Threat Report (PDF download), and I thought I could share with my twelve readers my own initial thoughts...

After a quick read, two items come to mind:

  1. Firefox is still leading the pack by fixing security bugs quickly (see page 14), which demonstrates how committed Mozilla is to addressing security issues in a timely fashion.
  2. The report has improved over the last edition by taking into account the "window of exposure", which is a better way to assess security than just counting reported security bugs. It's not yet perfect (who is?), but it's better.

On this last topic, see an extract of Symantec's report (emphasis mine):

For the first time, in this volume of the Internet Security Threat Report, Symantec is assessing the window of exposure for Web browsers. In the first half of 2006, Internet Explorer had a window of exposure of nine days, down considerably from 25 days in the second half of 2005 (figure 4). Apple Safari had a window of exposure of five days, up from zero days in the second half of 2005. In the first half of 2006, Opera had a window of exposure of two days, down considerably from 18 days during the second half of 2005. In the first half of this year, Mozilla had a window of exposure of one day. In the second half of 2005, Mozilla had a window of exposure of negative two days, meaning that exploit code in that period was generally released after patches were available.
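To make the metric concrete, here is a small added example (my own illustration, not code from Symantec or Mozilla) that computes a window of exposure from constructed sample data: for each vulnerability, the number of days between the public release of exploit code and the availability of a patch, which goes negative when the patch came first, exactly as in the Mozilla figure above. The vendor names, dates and the choice to average per vendor are all assumptions; the report does not say how it aggregates individual windows.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not taken from the Symantec report): one record per
# fixed vulnerability, with the date exploit code became public (None when no
# public exploit ever appeared) and the date the vendor shipped a patch.
SAMPLE_VULNS = [
    {"vendor": "BrowserA", "exploit": date(2006, 2, 1), "patch": date(2006, 2, 10)},
    {"vendor": "BrowserA", "exploit": date(2006, 4, 5), "patch": date(2006, 4, 12)},
    {"vendor": "BrowserB", "exploit": date(2006, 3, 3), "patch": date(2006, 3, 1)},
    {"vendor": "BrowserB", "exploit": date(2006, 5, 20), "patch": date(2006, 5, 16)},
    {"vendor": "BrowserB", "exploit": None, "patch": date(2006, 6, 2)},
]


def exposure_days(exploit, patch):
    """Days users were exposed: patch date minus exploit date.

    A negative value means the patch shipped before exploit code appeared,
    which is what the report calls a "negative" window of exposure.
    """
    return (patch - exploit).days


def window_of_exposure(vulns):
    """Per-vendor window of exposure, rounded to whole days.

    Averaging the individual windows is an assumption made for this example.
    Vulnerabilities with no public exploit have no window and are skipped.
    """
    per_vendor = {}
    for v in vulns:
        if v["exploit"] is None:
            continue
        per_vendor.setdefault(v["vendor"], []).append(
            exposure_days(v["exploit"], v["patch"])
        )
    return {vendor: round(mean(days)) for vendor, days in per_vendor.items()}


def fixed_bug_count(vulns):
    """The naive metric: how many fixed security bugs each vendor reported."""
    counts = {}
    for v in vulns:
        counts[v["vendor"]] = counts.get(v["vendor"], 0) + 1
    return counts


if __name__ == "__main__":
    # BrowserB reports more fixed bugs, yet its users were never exposed:
    # its patches preceded every exploit, and one bug had no exploit at all.
    print("window of exposure:", window_of_exposure(SAMPLE_VULNS))
    print("fixed bug count:   ", fixed_bug_count(SAMPLE_VULNS))
```

Run side by side, the two metrics disagree on purpose: the vendor with the higher bug count is the one whose users were never exposed, which is the point the rest of this post makes about bug counting.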

The inherent limits of bug counting

The central issue is: how can we assess browser security? Just counting reported bugs is definitely not enough, and let's try to explain why. The Mozilla project is very transparent in its processes. Therefore, every security-related bug is posted publicly. On the contrary, it is possible for a closed-source vendor to silently fix security bugs. If these bugs are discovered internally, then reports such as Secunia's or Symantec's won't count them. They did exist, but were not counted. Therefore, counting reported bugs is a method that essentially benefits proprietary vendors on paper.

For example, Mozilla has lately been investigating its security weaknesses harder than ever, using various means, including Coverity's static analysis software. This has led to fixing more bugs than in the past. While it looks like more bugs have been discovered, the actual good news is that they have been discovered and patched before they were exploited. In this case, a higher number of fixed bugs is actually good news. If proprietary vendors have made or are making similar efforts, no one will notice, as the fixed bugs will not be reported by Symantec. In this case, transparency, as Mozilla demonstrates, is benefiting the end user, but hurting on the PR front. I'm glad to say that the end user is the priority for Mozilla, even if the price to pay is explaining over and over why our visible bug count is higher than others', and that it's actually good news (yes, I'm happy to see these bugs fixed!).

One thing I'd like to see mentioned in future editions of the Symantec report is the criticality of security issues. Maybe I just missed it, but I did not see any mention of it in Symantec's latest report. I do think that security issues are not created equal, as some of them are more severe than others. This is a mitigating factor in terms of security. We should note that non-critical issues need to be addressed too, as they may become critical down the road when combined with similar faults. I've heard Window Snyder (Chief Security Something at Mozilla) explaining that Mozilla is committed to fixing all issues, even if they are not critical. And she is right!

To conclude, I'd like to quote Symantec once again, as I understand that fixing browser bugs is worth nothing if people don't use the latest version:

In order to protect against Web browser attacks, Symantec advises users and administrators to upgrade all browsers to the latest, patched versions.

Well said!