In a previous post I admitted a small heresy for a Microsoft person. I quite liked firefox; past tense because IE7 gives me all that I liked about Firefox, and more besides.
Last week I learnt of a survey by bit9 which details their top 15 most vulnerable applications. And top of the list is Firefox, version 1.07. Firefox have updates, patches, indeed a whole new version, but if anyone still believes the “lots of eyeballs implies few vulnerabilities” myth of Open Source, they should be able to see it is a fairy story. There is an equal and opposite myth which is that software is only secure if you keep the source secret. The fact that Microsoft have a “Shared source” programme – open source with a small O, gives the lie to this too. Only in Digital Rights Management do you need to keep the code secret.
Talking of digital right management number 2 in the list was Apples iTunes. 6.02 and quick time 7.03 (which, like firefox is patchable, or can be replaced with a new version). At 3 comes Skype 1.4 (patchable) , #4 is Adobe Acrobat Reader 7.02, and 6.03 (superseded and patchable), and #5 is Sun’s Java Runtime Environment (also patchable), #6 is Macromedia Flash Player 7 (patchable again), at #7 is Winzip 8.1 (upgradeable) , keeping Skype company, at #8 is AOL instant messenger 5.5, #9 is MSN messenger 5.0, and #10 is Yahoo instant messenger 6.0, and #15 is the ICQ chat client 2003a. AOL and MSN can be patched or upgraded, Yahoo and ICQ – according to Bit 9 – cannot. You can get the full list of vulnerable apps from bit9.
Inside Microsoft, we’ve talked about what this report means. First, it means Vulnerabilities aren’t confined to Microsoft. Any developer that points a finger at someone else for having a vulnerability is setting themselves up for a fall. We might allow ourselves a small laugh at the expense of those Firefox fans who claim it is totally watertight. But only a small laugh – because they set themselves up for the fall. Too much laughter and we’ll be setting ourselves up for one.
Secondly, 9 of the top 10 have patches and or upgrades. No-one should see any impact from these vulnerabilities. It’s easy to make sure Microsoft software is patched, but how good are people’s practices for the others ?Tagged as Microsoft Firefox Vulnerabilities
This post originally appeared on my technet blog.