Last Friday night, immediately after reading Jeff Jones' Browser Vulnerability Analysis paper and Window Snyder's response (as well as schrep's post), I wrote this:
Microsoft Internet Explorer and Mozilla Firefox have completely
different security goals. Firefox security is designed to sell
beanies and duffel bags and appeals to people who actually want to use
it. Internet Explorer security is for the serious company executive
who is forced to use it by overbearing corporate IT department
types. The only people with IE swag got it free from Microsoft.
Don't believe me? Compare Microsoft's Online Store with Mozilla's.
Incidentally, those were just the first Google hits for "shop microsoft store" and "shop mozilla store".
Now I guess the question might arise: "what does marketing merchandise have to do with security?" I think the answer is that it makes about as much sense as trying to come up with a security metric based on the number of fixed vulnerabilities.
Counting past vulnerabilities is just pointless navel gazing. You know the phrase: "past performance is no guarantee of future results". Does the fact that Firefox has more fixed vulnerabilities mean that it has more bugs? Does it mean that more of the bugs have been fixed? Are the really nasty bugs still lurking in IE7? Should vulnerabilities be prorated based on NVD CVSS score? Or, maybe, should the vulnerability counts be adjusted for browser market share?
Let's face it, both Firefox and IE have unpatched vulnerabilities that can be used to
harm users, so it may be more instructive to focus on why the vulnerabilities
continue appearing. Besides the general fact that web browsers are incredibly
complex, Firefox and IE both have legacy security problems.
Firefox continues to struggle against the perception that it is a
browser for developers. The "what about developers?" voices seem to
generate the most WONTFIX arguments. Too many times it appears that
security vulnerabilities remain unresolved because a developer or
extension writer is depending on the feature. But the recent jar: URI
issue seems to indicate Firefox is closer to turning the corner in
this regard. There wasn't any waffling after Domino Web Access was broken. I think that is a hopeful sign that Firefox 3 may overcome some of those legacy arguments.
Internet Explorer suffers a different type of legacy problem. After
years and years of invasive operating system integration, IE has a lot of
pre-"Security Push" baggage. The critical vulnerabilities that are
being found in IE aren't necessarily in the browser but rather in
operating system components (e.g., XML, WMF, ANI and GDI exploits).
IE just serves as the vector that allows for exploitation. It's not
even clear if these categories of vulnerabilities were included in Jones' analysis.
Legacy issues obviously aren't the entire story. What if an entirely new and novel vulnerability class is discovered tomorrow? What about new exploitation techniques?
What then? Daniel J. Bernstein suggests a big part of the answer is ruthlessly eliminating bugs. That is why Microsoft's claims of SDL success ring hollow in the real world. Which browser are most in-the-wild attacks targeting? With the years of legacy cruft, there are probably plenty of IE client-side vulnerabilities left.
Getting owned isn't any fun. And since it can happen to anyone, vulnerability counting probably won't matter when it's your turn.