“Last month, I looked at how long it took Microsoft to issue security updates for known software flaws in the Windows software that powers most of today’s computers. Last week, I conducted the same analysis on free software produced by the Mozilla Foundation, perhaps best known for its Firefox Web browser. Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems.”
… found the patching speed of open-source vendors was roughly 60 percent faster than that of the closed-source vendors they studied.
That’s what I like to hear!
But actually, patching speed is only half the equation. The patch does no good if the user doesn’t apply it. Personally, I don’t use any automated updating, and I only check for updates occasionally. And I would guess I do better than average.
Well, my suggestion is not to let the spammer of Firefox Myth fame, Mastertech (aka Nemo, etc.) see this article, but it’s probably already too late… so assume the position because you’re going to get misquoted, words will be put in your mouth, etc.
Another factor not taken into consideration is that Firefox is a stand-alone application whereas IE is integrated into the environment. Microsoft would have to do a lot more testing due to more configurations of the OS and hardware. Also, how many of these vulnerabilities were OS issues or IE issues? I’m not arguing that Mozilla puts out fixes quicker, that’s a fact, Jack, but there are some other factors to consider when comparing the two as to the delay by Microsoft.
Another factor not taken into consideration is that Firefox is a stand-alone application whereas IE is integrated into the environment. Microsoft would have to do a lot more testing due to more configurations of the OS and hardware. Also, how many of these vulnerabilities were OS issues or IE issues? —TaterSalad
Fine. Take IE and Outlook Express off my system. I never use it anyway, preferring to evaluate my patches and download them with Firefox in WindizUpdate at [ http://windowsupdate.62nds.com/ ] and am quite happy not using either application for anything on my system. I never asked for these programs and quite frankly as I never use them it irritates me to no end when I discover yet another way my system could go down thanks to the unnecessary and foolish integration of a browser to the operating system.
I feel no need to give Microsoft any slack or to try considering other factors when it comes to their dismal performance at security. They were warned about this when they started down this road. Now here we are some eight years later and if anything the security situation keeps getting worse, not better! This little experiment of theirs has gone waaaaay beyond working out the kinks and needs to be terminated! Did anyone really think eight years ago we’d still be dealing with stuff like drive-by downloads and $#@& pictures that can execute code just by viewing a webpage today? IIRC we were all told that these types of things would eventually be fixed… HAH!
–bornagainpenguin, nLite user; Fred Vorck disciple, early 98Lite adopter
> Another factor not taken into consideration is that Firefox is a stand alone application where as IE is integrated into the environment.
And whose fault is that, exactly?
Intertwining IE with Windows was a bad technical decision. It was a decision made based upon MS’s legal and marketing needs, and now the users get to pay the consequences.
It really shouldn’t matter. MSIE is essentially a rendering engine with bits of UI code on top, and that type of application isn’t all that complex if it is designed and implemented in a modular manner.
Given Microsoft’s actions and comments w.r.t. “SMB/CIFS and the EU” and other matters, however, it does seem like they have a cultural tendency to develop code organically without much regard for modular design (or formally-defined interfaces), and that type of approach would make bug isolation, fixing, and testing more difficult even *if* MSIE were a standalone application.
Microsoft made its own bed in this instance, I think. Let them lie in it. It would make far more sense to create a separate (and far more limited) browser decoding engine for use with system help files and the like — instead, MS chose to take a route which was politically expedient but which resulted in far more complexity. In their case, this seems to be fairly par for the course, but it also explains why so many of us tend to view their product designs with disdain.
Consider it this way. Firefox is just a browser. Whereas the fixes provided by MS are not just fixes for the browser but the underlying OS as well. And their userbase is quite insanely huge in comparison to Firefox. I may sound like an MS fanboy but I really am not. It just seems unfair to me to say MS has a slow enough response time to exploits but fail to consider the potential ramifications of MS releasing patches that are not tested properly with the millions of possible configurations of the OSes being used all over the world. SP2 is an example that comes to mind. People were, for example, trying to install it on their setups which already were infected with spyware. SP2 didn’t like that and thus would result in system lockups and crashes. And yet the blame would be placed on MS despite having launched something that genuinely increased the reliability of the OS overall.
It *is* fair… MS has an exponentially larger userbase than mozilla. This means they have an exponentially larger cashflow and with that an exponentially larger (in theory) development team.
Based upon these assumptions, they should release patches faster than firefox. I guess this fact proves open source is a superior programming methodology.
Edited 2006-02-13 20:05
No, because they have to test a much wider number of scenarios, and even throwing more cash at it won’t do that much to speed the process up.
Think about it. All these different scenarios.. they test them… a bunch find problems.. they have to fix the problem, put in a regression test, recompile (can take a while), retry. It’s a slow process.
With firefox, they do testing, but they are held to a lower standard. If a fix breaks something else.. well.. hey it’s free, you can’t really complain.
But yeah, they have been very lax and still seem to be kind of lax about the speed in which they release IE fixes, unless it’s very critical.
I have only 3 words for their developers that make your point (mostly) null:
automated unit testing
That’s good for some stuff. There is still a fair amount that needs to go through QA. I would in fact say most of it still needs to go through QA.
When I worked in an applications development shop 13+ years ago, most of the testing and “QA” that we did was fully automated. We had literally dozens of regression scripts that we ran against the product, some of them containing 100 or more test cases, and we used a DIFF equivalent against the output log files (suppressing time stamps and other miscellanea) to ensure that nothing unexpected had changed in the output.
Custom scripts to address a given problem could be recorded and played back in a few hours, and it was possible to give the entire applications suite a fairly strenuous workout in a couple of days. We’re talking about a multi-language mainframe application used at the time by *dozens* of airlines.
That was done in a “primitive” mainframe applications development environment over a decade ago. Surely Microsoft is able to do something similar in their more “advanced” environment…?
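The golden-log regression technique described in the comment above (run the suite, diff the output against a stored reference after suppressing timestamps and other volatile fields) is easy to reproduce. The following is an added example, not the commenter's scripts or anything from Microsoft or Mozilla; the log format, the two sample runs and the test-case names are all constructed for illustration.

```python
"""Golden-log regression check: diff a run's output against a stored
reference after blanking out fields that legitimately change between
runs (timestamps, process ids), so only real behaviour changes show up."""
import difflib
import re

# Volatile fields to blank out before comparing. These patterns match the
# constructed sample logs below; a real product would need its own list.
VOLATILE_PATTERNS = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "<TS>"),
    (re.compile(r"\[pid \d+\]"), "[pid <N>]"),
]

# Constructed reference log from a known-good run.
GOLDEN_LOG = """\
2006-02-13 20:05:01 [pid 4121] start test suite
2006-02-13 20:05:01 [pid 4121] case login_ok: PASS
2006-02-13 20:05:02 [pid 4121] case login_bad_password: PASS
2006-02-13 20:05:02 [pid 4121] case render_help_page: PASS
2006-02-13 20:05:03 [pid 4121] end test suite
"""

# Constructed output of a later run: same results, different timestamps/pid.
NEW_LOG_SAME = """\
2006-02-14 09:12:44 [pid 7730] start test suite
2006-02-14 09:12:44 [pid 7730] case login_ok: PASS
2006-02-14 09:12:45 [pid 7730] case login_bad_password: PASS
2006-02-14 09:12:45 [pid 7730] case render_help_page: PASS
2006-02-14 09:12:46 [pid 7730] end test suite
"""

# Constructed output of a run where a patch broke the help-page renderer.
NEW_LOG_REGRESSED = """\
2006-02-14 09:30:10 [pid 8002] start test suite
2006-02-14 09:30:10 [pid 8002] case login_ok: PASS
2006-02-14 09:30:11 [pid 8002] case login_bad_password: PASS
2006-02-14 09:30:11 [pid 8002] case render_help_page: FAIL
2006-02-14 09:30:12 [pid 8002] end test suite
"""


def normalize_line(line):
    """Replace volatile fields with fixed tokens and drop trailing whitespace."""
    for pattern, replacement in VOLATILE_PATTERNS:
        line = pattern.sub(replacement, line)
    return line.rstrip()


def normalize_log(text):
    """Normalize every line of a log so two runs can be compared directly."""
    return [normalize_line(line) for line in text.splitlines()]


def regression_diff(golden, actual):
    """Return unified-diff lines between the normalized logs.

    An empty list means nothing unexpected changed; otherwise the '+'/'-'
    lines point straight at the behaviour that differs from the reference.
    """
    return list(difflib.unified_diff(
        normalize_log(golden), normalize_log(actual),
        fromfile="golden", tofile="actual", lineterm=""))


def run_passes(golden, actual):
    """True when the run matches the golden log after normalization."""
    return not regression_diff(golden, actual)


if __name__ == "__main__":
    print("same-results run passes:", run_passes(GOLDEN_LOG, NEW_LOG_SAME))
    print("regressed run passes:", run_passes(GOLDEN_LOG, NEW_LOG_REGRESSED))
    print("\n".join(regression_diff(GOLDEN_LOG, NEW_LOG_REGRESSED)))
```

The check is only as good as the normalization list: anything volatile that is not suppressed produces noise on every run, and anything suppressed too aggressively (say, the whole line) hides real regressions, so the patterns deserve the same review as the tests themselves.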
Um.. you kind of answered your own question. You did it in a PRIMITIVE environment. Not an OS.
Windows is an Operating System which can’t be QAed with just a bunch of scripts. Sorry, but that’s just how it is.
We are talking about a web browser (an application) and a help file rendering engine, not an OS.
But IE uses many other components that are a “part” of Windows that third party apps use as well. A lot of Windows stuff has to be QAed too.
I think it’s fairly clear that many of Microsoft’s patching problems regarding IE originated in the decision to integrate it tightly into the OS, thus creating a lot of dependencies.
And while MS has an enormous amount of money, throwing more resources at a complex software project does not always lead to the expected result. The marginal utility of an extra developer to the project will probably be closer to zero than to one.
And Windows must be a bloody mess with its integrated and non-modular design.
So you cannot just say that with more resources MS should be able to provide patches faster. I think it will require some kind of redesign/rewrite.
Vista anyone 🙂
Yes, but there are still exploits, etc. that MS still has not fixed…and some of them are a few months to a few years old.
>Unfair. Consider it this way. Firefox is just a browser. Whereas the fixes provided by MS are not just fixes for
>the browser but the underlying OS as well.
Ok, so you don’t think it’s fair for Microsoft to get penalized for making such a hugely bad design decision to put the browser “into the OS”.
Puuuuuhlease. BTW, a huge percentage of the crap that firefox has to release fixes for is because of Windows OS FLAWS as well.
“They bought their ticket, I say let them crash.”
> BTW, a huge percentage of the crap that firefox has to release fixes for is because of Windows OS FLAWS as well.
Really? Can you show me some evidence of that? I’m curious.
Unfortunately, this is the only way for responsible companies to release. Fixes have to go through a lot of testing and QA. In terms of releases, the only ones that we hear about are security patches. However, there is a huge process behind the scenes comprised of bug fixes, enhancement requests, customizations, and probably just plain R&D. So go ahead and whine. Imagine if the fix was made but broke something else in the process… then you’d be so much more mad.
Imagine if the fix was made but broke something else in the process… then you’d be so much more mad. — frank
And imagine if they test the ‘fix’ and test and test it—and meanwhile the problem gets more and more serious by the day and exploits are appearing left and right—so they release it on schedule anyway because ‘you can’t rush these things’ and it still breaks something? You’d be REALLY mad then, wouldn’t you? Oh wait—that’s the reality now!
Sorry to be so sarcastic here, but IMHO this was the best way to say it and make sure the message got home. Bottom line is that Microsoft has made their bed and while doing so burned a tremendous amount of bridges along the way and alienated a large number of their user base. Not many of us have any sympathy left for them anymore. The few people who still do are the ones who haven’t followed the history or lived through it and that takes care of itself over time.
–bornagainpenguin
> Unfortunately, this is the only way for responsible companies to release. Fixes have to go through a lot of testing and QA. In terms of releases, the only ones that we hear about are security patches. However, there is a huge process behind the scenes comprised of bug fixes, enhancement requests, customizations, and probably just plain R&D. So go ahead and whine. Imagine if the fix was made but broke something else in the process… then you’d be so much more mad.
Mozilla has an advantage here as well. IE may have a larger user-base, but Mozilla’s user-base that is willing to test releases and go through long drawn out bug fixing processes and participate in development with Mozilla dwarfs that of IE.
Mozilla could release a beta of 1.5.0.2 for Firefox tomorrow, and by the end of the week it would have been tested on thousands upon thousands of configurations for Mozilla, across multiple operating systems and architectures, for Mozilla, for free.
“Mozilla could release a beta of 1.5.0.2 for Firefox tomorrow, and by the end of the week it would have been tested on thousands upon thousands of configurations for Mozilla, across multiple operating systems and architectures, for Mozilla, for free.”
Indeed. But this beta testing will be a little limited.
But less limited than IE7 beta 2 test time.