Comments on: Firefox and Security http://robert.accettura.com/blog/2005/09/16/firefox-and-security/ Robert Accettura's Personal Blog on Web Development and Tech Thu, 18 Mar 2010 15:46:47 -0400 http://wordpress.org/?v=2.9.2 hourly 1 By: Ferdinand http://robert.accettura.com/blog/2005/09/16/firefox-and-security/comment-page-1/#comment-5566 Ferdinand Sat, 17 Sep 2005 05:28:33 +0000 http://robert.accettura.com/archives/2005/09/16/firefox-and-security/#comment-5566 "Microsoft has more testers and more automated tests" Are you sure MS has more testers? (Think bout Firefox 1.5 which has been tested every day since Firefox 1.0) "Microsoft: fuzz tests EVERYTHING, compiles with /GS, and uses Prefast etc, Every Microsoft code checkin is threat-modelled" And still Mozilla alpha's are more stable than MS beta's. I agree Mozilla should use more elaborate automated testing methods “Microsoft has more testers and more automated tests”
Are you sure MS has more testers? (Think bout Firefox 1.5 which has been tested every day since Firefox 1.0)
“Microsoft: fuzz tests EVERYTHING, compiles with /GS, and uses Prefast etc, Every Microsoft code checkin is threat-modelled”
And still Mozilla alpha’s are more stable than MS beta’s.

I agree Mozilla should use more elaborate automated testing methods

]]> By: a http://robert.accettura.com/blog/2005/09/16/firefox-and-security/comment-page-1/#comment-5556 a Sat, 17 Sep 2005 00:49:18 +0000 http://robert.accettura.com/archives/2005/09/16/firefox-and-security/#comment-5556 How about QA? Wasn't a security regression shipped in 1.0.4? Microsoft has more testers and more automated tests. How about fuzz testing? Microsoft fuzz tests EVERYTHING, AFAIK Mozilla do very limited fuzz testing (not for JavaScript, for example). How about compile-time code-checks? Microsoft compiles with /GS, and uses Prefast etc, which catches LOTS of buffer overflows, integer overflows and even race conditions. How about threat modelling? I haven't seen a single threat modelling document from Mozilla. Every Microsoft code checkin is threat-modelled. Mozilla is safer in some ways. It has less users, it has better community relations, rewards for security make 0-day exploits less likely, and it patches critical security updates faster on average. It also has far better security at the UI level - yellow address bar, etc. Overall though I trust the Trident code far more than Gecko. How about QA? Wasn’t a security regression shipped in 1.0.4?
Microsoft has more testers and more automated tests.

How about fuzz testing?
Microsoft fuzz tests EVERYTHING, AFAIK Mozilla do very limited fuzz testing (not for JavaScript, for example).

How about compile-time code-checks?
Microsoft compiles with /GS, and uses Prefast etc, which catches LOTS of buffer overflows, integer overflows and even race conditions.

How about threat modelling?
I haven’t seen a single threat modelling document from Mozilla. Every Microsoft code checkin is threat-modelled.

Mozilla is safer in some ways. It has less users, it has better community relations, rewards for security make 0-day exploits less likely, and it patches critical security updates faster on average. It also has far better security at the UI level – yellow address bar, etc.

Overall though I trust the Trident code far more than Gecko.

]]> By: Robert http://robert.accettura.com/blog/2005/09/16/firefox-and-security/comment-page-1/#comment-5552 Robert Sat, 17 Sep 2005 00:03:22 +0000 http://robert.accettura.com/archives/2005/09/16/firefox-and-security/#comment-5552 Jesse: 1. Good point 2. Another good point 3. I wouldn't recommend nightlies. But keeping latest release builds. There are still a fair number of Firefox users not running the latest version. Jesse:
1. Good point
2. Another good point
3. I wouldn’t recommend nightlies. But keeping latest release builds. There are still a fair number of Firefox users not running the latest version.

]]> By: Jesse Ruderman http://robert.accettura.com/blog/2005/09/16/firefox-and-security/comment-page-1/#comment-5551 Jesse Ruderman Fri, 16 Sep 2005 23:48:12 +0000 http://robert.accettura.com/archives/2005/09/16/firefox-and-security/#comment-5551 But a few are found by accident, and a few by malice. And a few by people trying to make the software more secure. Vulnerability vs. Exploit You could split this up further: Vulnerability known vs. Exploit code available vs. Active exploits I’d say there is a lesson. Keep your software up to date. Would you go as far as to recommend that users upgrade to betas or nightlies? Given that fixes often go into public CVS long before releases come out, doing so might make sense if security is important to you. I’m personally surprised that in 2005 Apple and Microsoft still don’t have a method for software developers to register their products to be used with the default updating mechanism in the OS. I agree. But a few are found by accident, and a few by malice.

And a few by people trying to make the software more secure.

Vulnerability vs. Exploit

You could split this up further: Vulnerability known vs. Exploit code available vs. Active exploits

I’d say there is a lesson. Keep your software up to date.

Would you go as far as to recommend that users upgrade to betas or nightlies? Given that fixes often go into public CVS long before releases come out, doing so might make sense if security is important to you.

I’m personally surprised that in 2005 Apple and Microsoft still don’t have a method for software developers to register their products to be used with the default updating mechanism in the OS.

I agree.

]]>