Mozilla Counters "Dirty Dozen" Criticism of Firefox Security

Dec 19, 2008

Bit9, self-professed leader in enterprise application whitelisting, recently included Mozilla's Firefox browser among "the Dirty Dozen" applications with critical security vulnerabilities. Mozilla's security expert Jonathan Nightingale disputes that critique.

The Waltham, MA company has been issuing annual reports on Windows applications with the highest critical security problems. The most recent press release identifies "the Dirty Dozen," among which Firefox versions 2.x and 3.x rank at the top of the list, followed by Adobe Acrobat 8.1.2 and 8.1.1, Microsoft Windows Live (MSN) Messenger 4.7 and 5.1, Apple iTunes 3.2 and 3.1.2, and Skype 3.5.0.248.

According to Bit9, these applications have a few things in common: they run on Windows, they are popular with users, and IT organizations don't regard them as potentially malicious. The criteria that put an application on the Dirty Dozen list are that (a) at least one critical vulnerability was reported for it in 2008, (b) it typically relies on end users rather than IT administrators to apply upgrades or patches, and (c) it can't be centrally updated with free enterprise tools. For the last point, Bit9 names Microsoft's Systems Management Server (SMS) and Windows Server Update Services (WSUS) as examples.

Jonathan Nightingale, Mozilla's "Human Shield," vehemently counters Bit9's assessment in a blog post. He argues that the "critical vulnerability reported in 2008" label penalizes software vendors, such as Mozilla, that have an open policy of publicly reporting security problems. "To suggest that this openness is a weakness because it means that we have 'reported vulnerabilities' is to miss the reality: that software has bugs," he writes. For Nightingale, a more meaningful assessment would be based on "a product's responsiveness to those bugs and its ability to contain them quickly and effectively."

Nightingale asserts that the vulnerabilities Bit9 cites have long since been fixed, most of them within days of disclosure. He also considers Bit9's criticism that Firefox cannot be updated through WSUS to ignore real-world experience: Firefox's built-in update service spares users the trouble of updating by hand. "We consistently see 90% adoption within six days of a new update being released," he writes.

Comments

  • bit9 miss the platform and point

    Dump Windows and get a Mac fleet; then simply running AppFresh and automatic updates will keep the Macs up to date and running well. As for Bit9 whitelisting applications, this is totally the wrong approach. The most effective way of running a happy desktop fleet is to roll out suitable software to every desktop (not that difficult to template) and encourage users to utilise open source; that way you stay legal, the fleet stays happy and you have high productivity. Any sysadmin tool that locks down the desktop just treats users like children and makes them more likely to dislike your organisation and ultimately consider working for your competitor. Authoritarian IT is not the basis for a creative, happy workforce. Your issue is lack of imagination and Windows; Bit9 is not your solution.
  • "free" enterprise tools..

    "(c) they can't be centrally updated with free enterprise tools. For the latter, Bit9 gives Microsoft's Systems Management Server (SMS) and Windows Server Update Services (WSUS) as examples. "

    "Free" tools my a.. As far as I know, you at least need some heavy investment in various Windows products. Please advise me where I can get all this for "free"...
  • Central updates

    I've worked for several companies that don't allow the user to run Windows Update. This is fine for desktop computers that can be accessed on a regular basis, but it puts my laptop (and thus the entire network) in danger whenever I'm away from the office for weeks at a time. I'm out in the "wild" and can't even update my anti-virus definitions. And NO, they don't allow anyone to log in remotely to the network (from home or away from the office). THAT is something they should whitelist.
  • Have you seen the bit9 website?

    Their website proffers that their product will, not maybe but will, get rid of all your problems. Not even the opportunists who sell poor anti-virus products (Symantec etc.) that ought not to even be given away free would suggest absolute security is available by buying their product. Who knows what form the next "genius" virus will take?

    You guys at Firefox/Mozilla ought not to worry about this one. Who can take bit9 seriously?
  • Missing the Point

    Folks usually miss the point with these 'news broadcasts' from vendors. The fact is, Bit9 would like to sell more of their product. If they do not create "Fear, Uncertainty, and Doubt" (FUD) around things such as this, people won't be concerned and won't deploy their product as a result. Since the products listed are very WIDELY deployed, it must mean that you'll 'definitely' need their product, right? If they don't bring it to people's attention, no one will know.
  • Bit9 is an idiot

    I think all the other software listed by Bit9 is closed source. Bit9 cannot apply the same assessment to open source products like Firefox. It's just ridiculous, based on the fact that more people are free to report bugs, and I agree that all bugs get fixed fast, which is more than I can say for the rest of the lot. The article states that at least one bug needs to be found to be on that list. If that is true, then every piece of software in the world should be on that list, as I know of not a single piece of software that has no bugs (open source included). I think XP and Vista should take the top spot. Why limit the list to applications? Include OSes too.