Mozilla Counters "Dirty Dozen" Criticism of Firefox Security
Bit9, self-professed leader in enterprise application whitelisting, recently included Mozilla's Firefox browser among "the Dirty Dozen" applications with critical security vulnerabilities. Mozilla's security expert Jonathan Nightingale disputes that critique.
The Waltham, MA company has been issuing annual reports on Windows applications with the highest critical security problems. The most recent press release identifies "the Dirty Dozen," among which Firefox versions 2.x and 3.x rank at the top of the list, followed by Adobe Acrobat 8.1.2 and 8.1.1, Microsoft Windows Live (MSN) Messenger 4.7 and 5.1, Apple iTunes 3.2 and 3.1.2, and Skype 3.5.0.248.
According to Bit9, these applications have a few things in common. They run on Windows, are popular among users, and IT organizations don't consider them potentially malicious. The critical factors that put them on the Dirty Dozen list are that (a) at least one security hole was found, (b) they usually rely on users rather than IT admins to apply upgrades or patches, and (c) they can't be centrally updated with free enterprise tools. For the latter, Bit9 gives Microsoft's Systems Management Server (SMS) and Windows Server Update Services (WSUS) as examples.
Jonathan Nightingale from Mozilla's Human Shield group vehemently counters Bit9's assessment in a blog. He asserts that the "critical vulnerability reported in 2008" label penalizes software companies, such as Mozilla, with an open reporting policy about security problems. "To suggest that this openness is a weakness because it means that we have 'reported vulnerabilities' is to miss the reality: that software has bugs," he writes. For Nightingale, a more meaningful assessment would be to base "a product’s responsiveness to those bugs and its ability to contain them quickly and effectively."
Nightingale asserts that the vulnerabilities Bit9 found have long since been fixed, with most fixes within days of the announcement. He also considers Bit9's criticism of the lack of WSUS updating as ignoring real world experience in that Firefox's built-in update service spares users the trouble. "We consistently see 90% adoption within six days of a new update being released," he writes.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
bit9 miss the platform and point
"free" enterprise tools..
"free" tools my a.. as far as I know at least you need some heavy investments in various windows products. Please advise me where I can get all this for "free"...
Central updates
Have you seen the bit9 website?
You guys at Firefox/Mozilla ought not to worry about this one. Who can take bit9 seriously?
Missing the Point
Bit9 is an idiot