Firefox is the Most Vulnerable Application? Debunking the myth...

This is my response to a poorly-written and poorly-prepared article by a so-called professional blogger at ZDNet.com. The article is entitled Firefox tops list of 12 most vulnerable apps. Outrageous reporting, and I'm calling them out on it.

While I truly enjoy many articles and blog posts from ZDNet regarding tech news, etc., I am disgusted whenever I see sensationalist or poor journalism. Apparently, I'm not the only one who feels that way. The feedback rating on the blog post is a negative 27 points...that's pretty bad.

Apparently Bit9, some security company that I've never heard of until today, released a report claiming that Firefox was the most vulnerable application for Windows. Hundreds of people called Foul Ball, and defenders of the study used the following argument:

"The study is really about desktop management, not vulnerabilities. So to be on the list the application must rely on end users to update patches. From an IT shop standpoint this is a critical issue, since if it is up to the end user to apply patches you can't control patch rollout and can't rely on patches being applied. So IE may have a ton of vulnerabilities, but since it can be patched organization-wide via an update service it is not included in the list. This kind of list has a lot of merit to an IT organization. It is noted that most of these apps have some sort of update procedure; the point is that this procedure cannot be centrally managed."

Weaksauce Reporting

This article is really weak when you consider the limited scope of the research initiative. *sarcasm* I can copy and paste summary findings from a report, too! *sarcasm* Where's the actual commentary, or at least some challenge to these findings? This is what I like to call weaksauce reporting.

And they wonder why journalism is having such a rough time ;) Quality reporting is hard to find these days. Just look at the sensationalist title that doesn't really even correlate to the topic of the actual research study.

Rebuttal

While I agree that central management is an important issue to address in many corporate IT environments, this article doesn't even attempt to show us that there are options out there. The easiest example is Firefox. What the article doesn't say is that Firefox ADM provides central management functionality.

Also, interestingly enough, when it comes down to actual practices, IE is statistically the least patched browser. This article at GCN goes into more detail on that.

Despite the fact that this is anecdotal evidence, in my work with Asian companies (Japan and China mostly) that use central management techniques, the vast majority of the companies refuse to fully patch their browsers for either internal tool compatibility reasons or other nonsensical excuses. I've seen companies there force the users to use Internet Explorer 5. With the Metasploit framework, I was able to hack in and take control of a computer running IE5 in less than 10 minutes.

The fact of the matter is, the updating process that Firefox administers by default is one of the best in the browser business. So the bottom line is that Firefox is exploited less than IE ever is. That's what true security procedures should ultimately be concerned about.

What I would like to see is an article examining the weaknesses of Corporate IT governance policies, not a cheap shot at a very well-made browser.
