A Closer Look

Security Fixes Come Faster With Mozilla

By Brian Krebs
Special to The Washington Post
Sunday, February 12, 2006

Last month, I looked at how long it took Microsoft to issue security updates for known software flaws in the Windows software that powers most of today's computers. Last week, I conducted the same analysis on free software produced by the Mozilla Foundation, perhaps best known for its Firefox Web browser.

Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.

The thing to remember is that Microsoft's market reach has always made it the primary target for virus writers and online criminal groups. Windows runs about 90 percent of the world's computers and Microsoft's Internet Explorer still commands about 85 percent of the browser market. It's difficult to say whether Firefox is inherently any more secure than Internet Explorer but you can't discount the fact that most of the online bad guys tend to focus on Internet Explorer users.

For at least 38 days in 2005, Internet Explorer was vulnerable to unpatched critical security flaws that were being exploited actively by viruses, worms and spyware. For at least 256 days last year, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used.

By contrast, Firefox users were exposed to potential threats that might take advantage of publicly released exploit code for only 17 days. I could not find any public reports of viruses, spyware or worms using those exploits during the time that the Firefox vulnerabilities were unpatched.

The key word behind these revelations: public.

Mozilla had relatively few cases where security researchers disclosed critical flaws to the public instead of privately to Mozilla; this happened only a couple of times in 2005. Mozilla took an average of 16 days to release critical software updates after flaws were publicly reported.

Dan Veditz, a security researcher at Mozilla, said problems discovered by open-source community members -- and addressed quickly -- create less of a risk. He also noted that "unconscionable delays in fixing bugs will get criticized in public, which is both embarrassing and may discourage future reporters from going the 'responsible disclosure' route with us. . . . If they're not seeing progress that indicates we're upholding our end of the bargain, they could well go public, and then we've got a full-blown emergency."

Veditz and other Mozilla researchers found themselves in emergency mode in September when a researcher published his findings just four days after notifying Mozilla about a critical flaw in Firefox. The exploit code for it was laughably simple, but the public disclosure nonetheless forced Mozilla to rapidly accelerate its fix process.

I wondered if there was something in the data we collected to support the contention that open-source vendors such as Mozilla react more nimbly than those that do not open their blueprints to researchers, but I was surprised to find little relevant empirical data or analysis other than our own.

Last month, several researchers from Carnegie Mellon University in Pittsburgh reported they had examined some 438 vulnerabilities in programs made by 325 software vendors and found the patching speed of open-source vendors was roughly 60 percent faster than that of the closed-source vendors they studied.

Brian Krebs is a washingtonpost.com reporter. A closer look at his finding of the Microsoft and Mozilla analyses can be found athttp://www.washingtonpost.com/securityfix

© 2006 The Washington Post Company