Mozilla Counters "Dirty Dozen" Criticism of Firefox Security
Bit9, self-professed leader in enterprise application whitelisting, recently included Mozilla's Firefox browser among "the Dirty Dozen" applications with critical security vulnerabilities. Mozilla's security expert Jonathan Nightingale disputes that critique.
The Waltham, MA company has been issuing annual reports on Windows applications with the highest critical security problems. The most recent press release identifies "the Dirty Dozen," among which Firefox versions 2.x and 3.x rank at the top of the list, followed by Adobe Acrobat 8.1.2 and 8.1.1, Microsoft Windows Live (MSN) Messenger 4.7 and 5.1, Apple iTunes 3.2 and 3.1.2, and Skype 3.5.0.248.
According to Bit9, these applications have a few things in common. They run on Windows, are popular among users, and IT organizations don't consider them potentially malicious. The critical factors that put them on the Dirty Dozen list are that (a) at least one security hole was found, (b) they usually rely on users rather than IT admins to apply upgrades or patches, and (c) they can't be centrally updated with free enterprise tools. For the latter, Bit9 gives Microsoft's Systems Management Server (SMS) and Windows Server Update Services (WSUS) as examples.
Jonathan Nightingale from Mozilla's Human Shield group vehemently counters Bit9's assessment in a blog. He asserts that the "critical vulnerability reported in 2008" label penalizes software companies, such as Mozilla, with an open reporting policy about security problems. "To suggest that this openness is a weakness because it means that we have 'reported vulnerabilities' is to miss the reality: that software has bugs," he writes. For Nightingale, a more meaningful assessment would be to base "a product’s responsiveness to those bugs and its ability to contain them quickly and effectively."
Nightingale asserts that the vulnerabilities Bit9 found have long since been fixed, with most fixes within days of the announcement. He also considers Bit9's criticism of the lack of WSUS updating as ignoring real world experience in that Firefox's built-in update service spares users the trouble. "We consistently see 90% adoption within six days of a new update being released," he writes.
Comments
comments powered by DisqusIssue 245/2021
Buy this issue as a PDF
News
-
Mageia 8 is Now Available with Linux 5.10 LTS
The latest release of Mageia includes improved graphics support for both AMD and NVIDIA GPUs.
-
GNOME 40 Beta has been Released
Anyone looking to test the beta for the upcoming GNOME 40 release can now do so.
-
OpenMandriva Lx 4.2 has Arrived
The latest stable version of OpenMandriva has been released and offers the newest KDE desktop and ARM support.
-
Thunderbird 78 is being ported to Ubuntu 20.04
The Ubuntu developers have made the decision to port the latest release of Thunderbird to the LTS version of the platform.
-
Elementary OS is Bringing Multi-Touch Gestures to the OS
User-friendly Linux distribution, elementary OS, is working to make using the fan-favorite platform even better for laptops.
-
Decade-Old Sudo Flaw Discovered
A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.
-
Another New Linux Laptop has Arrived
Slimbook has released a monster of a Linux gaming laptop.
-
Mozilla VPN Now Available for Linux
The promised subscription-based VPN service from Mozilla is now available for the Linux platform.
-
Wayland and New App Menu Coming to KDE
The 2021 roadmap for the KDE desktop environment includes some exciting features and improvements.
-
Deepin 20.1 has Arrived
Debian-based Deepin 20.1 has been released with some interesting new features.
bit9 miss the platform and point
"free" enterprise tools..
"free" tools my a.. as far as I know at least you need some heavy investments in various windows products. Please advise me where I can get all this for "free"...
Central updates
Have you seen the bit9 website?
You guys at Firefox/Mozilla ought not to worry about this one. Who can take bit9 seriously?
Missing the Point
Bit9 is an idiot