Mozilla Counters "Dirty Dozen" Criticism of Firefox Security
Bit9, self-professed leader in enterprise application whitelisting, recently included Mozilla's Firefox browser among "the Dirty Dozen" applications with critical security vulnerabilities. Mozilla's security expert Jonathan Nightingale disputes that critique.
The Waltham, MA company has been issuing annual reports on Windows applications with the highest critical security problems. The most recent press release identifies "the Dirty Dozen," among which Firefox versions 2.x and 3.x rank at the top of the list, followed by Adobe Acrobat 8.1.2 and 8.1.1, Microsoft Windows Live (MSN) Messenger 4.7 and 5.1, Apple iTunes 3.2 and 3.1.2, and Skype 3.5.0.248.
According to Bit9, these applications have a few things in common. They run on Windows, are popular among users, and IT organizations don't consider them potentially malicious. The critical factors that put them on the Dirty Dozen list are that (a) at least one security hole was found, (b) they usually rely on users rather than IT admins to apply upgrades or patches, and (c) they can't be centrally updated with free enterprise tools. For the latter, Bit9 gives Microsoft's Systems Management Server (SMS) and Windows Server Update Services (WSUS) as examples.
Jonathan Nightingale from Mozilla's Human Shield group vehemently counters Bit9's assessment in a blog. He asserts that the "critical vulnerability reported in 2008" label penalizes software companies, such as Mozilla, with an open reporting policy about security problems. "To suggest that this openness is a weakness because it means that we have 'reported vulnerabilities' is to miss the reality: that software has bugs," he writes. For Nightingale, a more meaningful assessment would be to base "a product’s responsiveness to those bugs and its ability to contain them quickly and effectively."
Nightingale asserts that the vulnerabilities Bit9 found have long since been fixed, with most fixes within days of the announcement. He also considers Bit9's criticism of the lack of WSUS updating as ignoring real world experience in that Firefox's built-in update service spares users the trouble. "We consistently see 90% adoption within six days of a new update being released," he writes.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
bit9 miss the platform and point
"free" enterprise tools..
"free" tools my a.. as far as I know at least you need some heavy investments in various windows products. Please advise me where I can get all this for "free"...
Central updates
Have you seen the bit9 website?
You guys at Firefox/Mozilla ought not to worry about this one. Who can take bit9 seriously?
Missing the Point
Bit9 is an idiot