News Stay informed about the latest enterprise technology news and product updates.

Who patches better: Microsoft or Mozilla?

Window Snyder was a senior security strategist at Microsoft before leaving in 2005 to become a founder and CTO of Matasano Security LLC. Last September she became Mozilla Corp.'s security chief and is now responsible for locking down the popular Firefox browser and other programs. In this Q&A, Snyder credits Microsoft for working hard at a faster and more accurate patching process and admits that, sometimes, even Mozilla has to pull back on security updates at the 11th hour. But she says Mozilla will always be a step ahead because a huge open source community is helping the company find and fix problems around the clock.

You worked for Microsoft before moving over to Mozilla. Talk about why you left the software giant.
Actually, I went from Microsoft to a start-up that a few friends were doing [New York-based security consultancy Matasano Security LLC] and from there went to Mozilla. I went to Mozilla because it seemed like there was a real opportunity to impact how users really experience the Internet and to try and make that as secure as possible. Obviously, your allegiance is to Mozilla now. But do you think Microsoft has gotten better at producing patches that are quick and accurate?
I was never skeptical of what Microsoft was doing. I was always very proud of the changes they made over the time when I was there. They do have a difficult task in that they are testing their changes against a huge suite of applications that rely on Internet Explorer, for example, and they have to test against a lot of controls used in internal applications that the home user doesn't see as much. On our side, we have this tremendous community that's able to test all these different configurations in a very short period of time. In that regard, it's almost surprising to think that maybe Mozilla has more resources on the testing side than Microsoft with all its financial resources. That's one of the reasons we're able to ship patches so quickly, because we're able to get really broad testing done in a short amount of time. While Microsoft has its internal team of researchers to work on these problems, Mozilla has the entire open source community on the case.
Exactly. Mozilla has the benefit of an enormous community that helps us test our nightly builds. There's something like 10,000 people downloading and testing it every night. That's a huge number of people working on security patches and new versions of the browser, testing them in different combinations on different platforms. That's the real difference between our process and Microsoft's.
It's almost surprising to think that maybe Mozilla has more resources on the testing side than Microsoft with all its financial resources.
Window Snyder,
chief security officerMozilla Corp.
Let's look at Mozilla's own security challenges. The company released Firefox 2.0 last fall and by late December a large security update was released to fix a healthy pile of vulnerabilities. We've seen other cases in the past -- after the release of Firefox 1.5 and the release of Firefox 1.0, for example -- where big security updates became necessary fairly quickly. That being the case, explain how programs like Firefox are a safer bet than Internet Explorer.
Mozilla tries to ship a security patch every six to eight weeks. That includes patches for vulnerabilities found externally and internally. So to say a patch came out right after we shipped 2.0 -- I could have told you that months before we shipped it. Of course we're going to ship a security patch because we're going to continue to look for vulnerabilities and we'll make a security update available to the user as soon as we can. Microsoft has a slightly different process where they do look for vulnerabilities in their products and update them in service packs that come out -- in Windows' case -- once a year or so. And when vulnerabilities are found externally, they're addressed in the monthly security updates. The difference is we're continuously looking for vulnerabilities and continuously fixing them. Users don't have to wait for the next version of the product to get a lot of the benefits of the security work we're doing. They get it on a regular basis. Talk about the ease of deploying these patches. There are some who say the process has gotten easier for Microsoft customers because of programs like Windows Server Update Services (WSUS). Then there are the Mozilla fans who say that with Firefox, you just get an update box and there it is.
The model we work with is designed to meet the needs of the consumer whereas Microsoft has a lot of infrastructure built in for enterprises. On our side we think we have an easier model for the user where they see the update box, click and then they're good to go. We spend a lot of time creating features to protect consumers and end users. That's where the bulk of our time has been because that's out target market.
Microsoft and Mozilla:
Out-of-cycle Microsoft patch likely, experts say

Microsoft issues critical fixes for Excel, Outlook and Windows

Microsoft nixes four patch bulletins

Mozilla fixes multiple Firefox flaws

Firefox still feels the love, despite flaws

Security Blog Log: Dissecting Firefox 2.0
Microsoft originally planned eight security updates for January but ultimately decided to hold back on half of them. Knowing what you know from working there, talk about why it sometimes becomes necessary to hold back, and whether that's something Mozilla has had to do in the past.
It has been an issue for us, actually. We've been ready to ship a fix for something and then decided there was a more robust way to fix the problem that would prevent other problems in the future. Or maybe a particular fix didn't get enough testing, and so on. This was an issue when I was at Microsoft and really on every team I've worked with. Occasionally you go to fix something and find it's not the only problem, that there are many, and you want to fix the whole category of problems instead of the one issue. Sometimes you find that late in the process. There are lots of reasons this can happen. These are all smart people working on really hard problems and we're all trying to do right by the user. I'm sure [Microsoft] is not holding back on a whim. I'm sure they've just concluded that the user will be better protected later on [by spending more time working on a patch]. Microsoft has taken a lot of researchers to task in the past for disclosing flaws without giving them a chance to provide a patch or workaround. What do you consider to be responsible disclosure vs. irresponsible disclosure, and has Mozilla ever fallen victim to the latter?
Microsoft and Mozilla both agree that the user is most protected when the security researcher reports the vulnerability to the vendor and the vendor has the chance to patch it before the information is made public. So we both agree on that point. But Mozilla appreciates any report of security vulnerabilities even if it happens to go public because that means we have an opportunity to fix it and that makes the product more secure over time. I personally prefer that users have the opportunity to get the patch before the rest of the world gets the vulnerability details, but even getting that information out there is still valuable because overall the product becomes more secure and the users are protected Talk about the value of source code and binary analysis and Mozilla's approach to it compared to Microsoft.
Microsoft has done a lot of work internally to train their developers on security best practices and engages vendors to come in and work on their code. At Mozilla, we really try to reach out the research community and encourage them to contribute to the Mozilla Project by turning their research in this direction as well. A lot of browser issues impact every browser. It's easier to understand [common browser issues] if you have the source code and it makes for an interesting project for some of these people. We really value their contributions and really encourage them to help us find security vulnerabilities and think of better ways to secure the browser.

Dig Deeper on Microsoft Patch Tuesday and patch management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.