Mozilla Patches Fastest. NOT!

[DISCLOSURE: Jeff Jones is a director at Microsoft. You can learn more about him at his technet blog.]

If you take away one thing from reading this, I hope that you take away skepticism. The Mozilla team focuses on security and that is a relatively rare thing in the software industry--and I heartily applaud them for their intent and efforts. I wish more would follow their example. However, I think the vulnerability picture for Firefox may not be quite as rosy as some would wish.

A couple of days ago, Secunia published their Secunia 2008 Report, and one of their tables garnered quite a bit of attention:

* Brian Krebs, Washington Post, Fanning the Flames of the Browser Security Wars

* Brian Prince, eWeek, Security Report Ignites Firefox vs. Internet Explorer Feud

* Ryan Naraine, CNET, Report: Firefox buggier, but issued fixes quicker

In one way, I am quite excited that Mr. Krebs thinks "fixing quickly" is the metric that matters most. I am in the process of updating my H1 2008 report to cover all of 2008, and you may recall, in the previous report Microsoft fixed operating system issues at least twice as fast as other vendors.

On the other hand, I just happen to be in the middle of analyzing Mozilla Firefox vulnerabilities for 2007 and 2008 and results being touted just didn't ring quite true for what I've observed so far in my analysis. So, first, let's take a look at those three vulnerabilities listed by the Secunia report.

Examine the Three Firefox Report Vulnerabilities

SA32192 Disclosed (2008-10-14) Fixed (2008-11-13) Days Before Patch (30) (This affected Firefox 2)

I was able to identify this one as CVE-2008-4582, addressed in MFSA2008-47. However, though the Secunia Advisory did post on 10/14/2008, my findings are that LIUDIEYU disclosed this issue publicly in his blog entry on 9/27/08. That would be an additional 17 days.

SA32040 Disclosed (2008-10-01) Fixed (2008-12-26) Days Before Patch (86) (This affected Firefox 3)

I was able to identify this one as CVE-2008-4324. Though the Secunia advisory lists "vendor patch" under solution, a status change made on 12-26-2008, Mozilla has not released a security advisory that mentions either the Secunia advisory or the vulnerability identifier. SA32040 advises that upgrading to Firefox 3.0.4 or later will fix the issue. I am going to assume that 3.0.4 did silently fix the issue, however that version was released on 11/12/08. That means days before patch should be 42, rather than 86.

SA28622 Disclosed (2008-1-24) Fixed (2008-2-12) Days Before Patch(15) (This affected Firefox 2)

I was able to identify this one as CVE-2008-0418, addressed in MFSA2008-05. SA28622 posted on 1/24/08, but I place the first public disclosure on 1/19/08 at hiredhacker. On the other hand, MFSA2008-05 appears to have published on 2/7/08. Taking into account both the earlier disclosure date and the earlier fix date, I believe the days before patch were 19.

After examining these three, I can say that I am very glad that there weren't more! It seems like Secunia is using Secunia advisory publication dates as the date for "public disclosure", though as we see in two of the cases, the vulnerability information was public even earlier. Let me point out that there may be similar differences in the numbers concerning Microsoft.