On Jan 22, 2010, at 10:37 PM, William Pitcock wrote:

> On Fri, 2010-01-22 at 22:16 -0500, Steven Bellovin wrote:
>> On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
>>
>>> The problem with IE is the same problem as Windows, the basic design
>>> is fundamentally insecure and "timely updates" can't fix that.
>>
>> You do realize, of course, that IE is recording less than half the
>> security flaw rate of Firefox? (See
>> http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vulnerability-report---firefox-leads-the-pack-at-44.php)
>
> Consider for a moment that both Firefox and Safari are built on
> open-source code where the code can be audited. As a result, it is
> clear why Firefox and Safari are more "insecure" than IE, it is simply
> because the code is there to be audited.
>
> Frankly, they are all about the same security-wise.
>

I think that that's wishful thinking. IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the power to say "no, you can't ship this". They've also put a lot of effort into building and using security tools. (For earlier comments by me on this subject, see http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-29.html)

I'm not a fan of Windows. I think it's ugly and bloated, and I don't like it as a user environment. I'm typing this on a Mac (which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and a developer -- of NetBSD. If the world suddenly switched its OS of choice away from Windows, I wouldn't weep. But I also would and do hope that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.

--Steve Bellovin, http://www.cs.columbia.edu/~smb