Softpedia
 


July 8th, 2008, 12:49 GMT · By George Craciun

Mozilla Pushes for New Security Metrics

The way in which we measure browser security must change
The Mozilla team is not pleased with the manner in which browser security is assessed by the industry and wants to make a few changes. The new security metrics system should look past the simple bug, update and patch count and more accurately reflect the level of protection offered by the browser. Several factors must be taken into consideration, such as how much time passes until a patch or fix is issued, what techniques and tools are used in the development of the browser, and so on.

It comes as no surprise to anyone that new vulnerabilities and flaws are constantly being discovered within various software products, and the Firefox browser has its own share of security issues. The Mozilla team does not draw attention to the flaw itself, because that is quickly remedied; instead, it points to the span between the moment a vulnerability is discovered and the instant a fix is issued. During that time an attacker could easily exploit that vulnerability, which is why Mozilla is working together with Rich Mogull, security researcher and analyst, to come up with a "baseline model" that can be improved as time goes by.

In the Internet Explorer camp, the relative security the browser provides is measured by the number of patches the software producer issues. So the more patches you put out, the less secure the browser is; no patches, on the other hand, means that the browser offers a maximum level of protection. This approach is not very popular amongst users and has been criticized on numerous occasions. Window Snyder, for example, who used to be part of the Microsoft team and who is currently working with Mozilla as a security specialist, is just one of those critics.

The Mozilla team more than welcomes user input on this open project. They are in fact encouraging users to share their opinion either on the Mozilla Blog or by sending an e-mail to Rich Mogull at the following address: rmogull@securosis.com.
