Anyone see a game changer here?

Sat Jan 23 04:08:55 UTC 2010

On Jan 22, 2010, at 10:37 PM, William Pitcock wrote:

> On Fri, 2010-01-22 at 22:16 -0500, Steven Bellovin wrote:
>> On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
>> 
>>> The problem with IE is the same problem as Windows, the basic design
>>> is fundementally insecure and "timely updates" can't fix that.
>> 
>> You do realize, of course, that IE is recording less than half the
>> security flaw rate of Firefox?  (See
>> http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vulnerability-report---firefox-leads-the-pack-at-44.php)
> 
> Consider for a moment that both Firefox and Safari are built on
> open-source code where the code can be audited.  As a result, it is
> clear why Firefox and Safari are more "insecure" than IE, it is simply
> because the code is there to be audited.
> 
> Frankly, they are all about the same security-wise.
> 
I think that that's wishful thinking.  IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the power to say "no, you can't ship this".  They've also put a lot of effort into building and using security tools.  (For earlier comments by me on this subject, see http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-29.html)

I'm not a fan of Windows.  I think it's ugly and bloated, and I don't like it as a user environment.  I'm typing this on a Mac (which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and a developer -- of NetBSD.  If the world suddenly switched its OS of choice away from Windows, I wouldn't weep.  But I also would and do hope that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb