« October 2007 | Main | December 2007 »
November 30, 2007
Apples, Oranges, and the truth
The IE Blog today linked to a report that "showed that IE7 had both fewer fixed and unfixed vulnerabilities in the first year than the other browsers we compared." Paul has already pointed out that this report was generated by a Microsoft employee, but not explicitly disclosed as such.
Wanting to verify the data I wandered over to the public IE bug database that Microsoft launched to great fanfare and I encountered this:
A vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer. In an earlier post the author of the study touts the benefits of the Software Developement Lifecycle (SDL) at Microsoft as a reason Vista is more secure. Surely one of the goals of this process is to identity and fix security bugs right? How many bugs were identified and fixed using the SDL during development? Your guess is as good as mine.
Bug counts are meaningless, what matters is whether you are at risk or not. Symantec looked at this problem before as has Brian Krebs of the Washington Post. I recently found this up-to-date analysis of data on Secunia which paints the same picture. Firefox is safer than IE:
On a related note - remember the URI vulnerability from July? When we first encountered it we, along with others, were pretty sure it was a flaw in Windows or IE. Many folks attacked us for this stance. Embarrassingly, we were vulnerable to the same issue, and we fixed it one week later.
Microsoft maintained that it was not their issue, even after I sent them this spreadsheet developed by our QA team over a weekend in July which clearly showed a change in behavior for all applications after IE7 was installed.
Three months later, when Microsoft's own Outlook and Outlook Express joined the ranks of affected applications Microsoft finally admitted it was their problem. It took another month before they fixed it. It took them three months to admit the problem and another month to fix it.
Does this look to you like the behavior of vendor trying to be open, transparent, and honest about security issues?
I expect more out of software vendors, and so should you.
Posted by schrep at 5:42 PM | Comments (10)
November 2, 2007
Mozilla Mobile
There have been a couple of recent reviews of the Mozilla based browser for the Nokia N800 tablet and a review of the upcoming Nokia N810 tablet. Some highlights:
"The web browser in the Nokia N810 is incredibly fast, loading complete web pages in seconds."
"With the new Mozilla based browser, dubbed "MicroB" and which you can find and install over here, GMail performance is improved, using Google Maps is finally possible, and you can switch between using the Opera and the Mozilla Gecko -the same one used by Firefox and SeaMonkey- engines using the appropriately named "Set Engine" option. GMail performance is improved as is loading Word documents with Google Docs."
Congrats again to the Nokia team, Dougt, Chris H, and everyone involved in getting this going. Glad to see all the perf improvements in Gecko 1.9 (coming soon in Firefox 3) showing well on a device with just a 3-400 MHz processor. I can't wait to see where we get as the new mobile team really starts cranking...
Posted by schrep at 2:45 PM | Comments (6)
November 1, 2007
The story behind Firefox 3: Places
This is the first in what will hopefully be many posts talking about what we are up to in Firefox 3 and why we are doing what we are doing.
Why Places?
The drive behind places came from a number of different directions at once:
- People losing their kmarks has been one of the top support issues in Firefox for years.
We've already been using and contributing to sqlite for some time, so we decided to move bookmark and history storage to a well-used, open-source, database that implements full ACID compliant transaction model rather than a hodgepodge of custom ways to manage on-disk storage (I'm looking at you mork and RDF!). This means that it should be near impossible for you to lose bookmarks in FF3 from power outages, crashes or the like. But even if everything goes wrong there is a very handy automatic backup and restore feature built into the bookmarks organizer.
Lost bookmarks no more!
- Organizing your little piece of the web. Turns out there are a lot more sites on the web than in 1994 (news flash!) so organizing them with the standard files/folders bookmark metaphor just doesn't cut it. Places makes it easier to deal with huge numbers of bookmarks by adding one-click bookmarking, tagging, annotations, and intelligent searching through your history right in the url bar:
- Customization: Extension authors have done heroic things with the arcane bookmark API's in FF2 and below. Places brings a whole new set of capabilities from annotations to easily building sync services.
- Performance: Instead of just reading the entire contents of your history into memory on startup we have a full database engine with indexes, paging, and all sorts of knobs to turn. This means performance on many operations related to history (startup, viewing the history sidebar, coloring links you've visiting, etc) will be significantly better in Firefox 3 even after storing a much larger (and thus more useful) history range.
Check out the developer docs or ui plan for more info.
The team has spent nearly a year hammering out the infrastructure (this means it is solid) so like many things in Firefox 3 what you see in the UI will be just the tip of the iceberg in terms of what we can do.
Posted by schrep at 7:20 PM | Comments (4)