I think it was Groucho Marx who quipped “Statistics are like a bikini. What they reveal is interesting, but what they conceal…that is vital!”

Techweb has posted a news story that Symantec is changing the way they calculate vulnerabilities per year per browser. They have adopted the rather obvious position that they will now count all the publically known vulnerabilities for a browser, not just the ones published after a delay by a vendor (who might also bunch separate vulnerabilities together into a single confirmation, etc.):

But the new counting methodology, which Friedrichs said was the “more accurate” of the two, combines all vulnerabilities, including those made public but not necessarily confirmed by the vendor.

In that count, IE comes out second-best: In the same six months, Firefox suffered from 17 total vulnerabilities, while IE had 24.

“The vendor- and non-vendor-confirmed numbers are the ones I’d recommend using,” said Friedrichs. “For one thing, it removes the delay that can effect numbers because of long patch times by commercial vendors.”

Symantec, said Friedrichs, won’t make claims that one of the two leading browsers is more secure than the other. “We just stick to the facts,” he said. “But the number of vulnerabilities are legitimate, so we can say that Firefox has fewer vulnerabilities.”

BlackHat had a fairly technical presentation on weaknesses of the Microsoft fingerprint reader, but it boils down to the old problem that someone can potentially capture the fingerprint data and replay it instead of needing a finger.

Techweb has a nice write-up of the different perspectives on the BlackHat presentation.

I have been testing one of the readers myself for some time now and just stopped using it because of a number of inconveniences (ironically it’s billed a “convenience only” device). This news puts the nail in the coffin, at least until a new revision comes out.