PC World: Technology Advice You Can Trust
Today at PC World
News, opinion, and links from the PC World staff.
Monday, December 03, 2007 2:04 PM PT Posted by Tom Spring

Microsoft and Mozilla Squabble Over Which Browser Is Most Secure

Which browser is more secure, Internet Explorer or Firefox? We all have our opinions, but rarely do we get a chance to hear Microsoft and Mozilla, the makers of the Firefox browser, debate the issue. On Friday, Microsoft Security Strategy Director Jeff Jones released a study, "Download: Internet Explorer and Firefox Vulnerability Analysis," that proclaims Internet Explorer 7 is safer than Firefox (did we expect a Microsoftie to tell us anything else?). The report can be accessed through Jones' blog.

In the study, Jones argues that because Microsoft releases new versions of its Web browsers less frequently and continues to patch older IE releases for longer periods of time, IE users are safer from security vulnerabilities than Firefox users.

"Over the past 3 years, supported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox," according to Jones' report.

He points out that Microsoft released IE 6 in August 2004 and IE 7 in October 2006, and that both versions of IE are currently supported by Microsoft. Jones slams Mozilla for halting support on older versions of Firefox, instead directing users in many cases to simply upgrade to a newer version. He gives the example of Firefox 1.5, which Mozilla stopped supporting in May 2007, according to Jones. Mozilla dropped the ball, he argues, because that was only 2 months after Red Hat Enterprise Linux 5 (RHEL) shipped with Firefox 1.5 bundled with the OS.

Soon after the RHEL5 release, Mozilla reportedly urged users to upgrade their Firefox browser to avoid "severe vulnerabilities."

Jones suggests that because Mozilla chose not to patch the older version of the browser (prompting people to download a new version instead) many who declined the upgrade were left vulnerable.

Mozilla Counters Jones' Claim

As you might guess, Mozilla had a few thoughts on the subject as well. In a post at the official Mozilla Security Blog, a contributor named Window Snyder responds to Jones' report:

"One of the goals of the bug counting report (Jones' study) is to demonstrate that Microsoft fixed fewer bugs for IE than Mozilla did for Firefox. Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues. If he were able to count them all, Microsoft could get credit for all the bugs they fixed."

Snyder argues that many of Microsoft's browser bugs are spotted by "contractors" who are "engaged" by Microsoft to stress-test IE for vulnerabilities. Because of this relationship, many IE bugs never become publicly known.

"Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users."

Snyder points to a Washington Post blog by Brian Krebs, who wrote in January 2007:

"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet.

In contrast, Internet Explorer's closest competitor in terms of market share - Mozilla's Firefox browser - experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."

Snyder continues:
"It speaks to the strength of our community based security efforts to actively identify and quickly fix security issues. We don't let fixes languish on the tree waiting for a major release while users are vulnerable. We ship fixes regularly because securing our users is more important than protecting our PR team?"

Comments

Let us recall the IE browser Microsoft created for the Macintosh, completely unsupported now, was horrible from the beginning to the end. It's a shame that Microsoft actually says that Mac users should migrate to a good browser like Apple's Safari:
http://www.microsoft.com/mac/products/internetexplorer/internetexplorer.aspx?pid=internetexplorer

The thing about Firefox is that Mozilla provides it free-of-cost. Something that Microsoft doesn't have any clue about. Yes, they make money through advertisers but they are a registered Non-profit organization and provide what they can. Support is done through the community of its users. There are plenty of forums with people generously giving Firefox tips/tricks/fixes.

The only point Microsoft is actually making is that they update their software less...which is actually not true at all (Microsoft Update?) it only looks like it because they don't show VERSION NUMBERS (IE: Firefox 2.0.0.11). People have to update to not be vulnerable!!!

michaeltherrien
December 04, 2007
6:02 AM PT

While Microsoft and Mozilla continue to bicker over who's the real 800 pound gorilla, I'm going to keep using a real browser (Opera). Besides, I've had garbage get through both IE and Firefox, and I hardly ever use those two browsers (despite keeping both locked up tighter than Fort Knox and updated regularly). Nothing has gotten through Opera, and I've been using it since version 5 came out back during "the Dark Ages".

But I will give the Mozilla team credit where it is due for forcing upgrades. Regardless of what software you use, whether it is Web based or downloaded, it is always recommended that you update your software regularly. It's just common sense, after all.

danschulz
December 04, 2007
11:55 AM PT

I don't see the problem forcing users to update. It is free software. Personally, I'd want to have the most up to date version. It'd be different if Microsoft forces the user to upgrade for its paid software like Windows. Wait, they do by stopping support of older versions. Wake up Microsoft, you're losing ground every day, in the OS market, in the browser market, in everything really.

kirbyj2
December 04, 2007
8:41 PM PT

I don't see Mozilla as being an 800 lb Gorilla. More an 80 lb Chimpanzee. The updates are free and quick and most important to me, less intrusive and resources hog. I have both on my systems, default being Mozilla. Two reasons I keep IE6: Windows updates and the rare www site that opens with an IE-centric view.

Newstome
December 06, 2007
10:09 AM PT

Firefox, shmirefox; Opera, shmopra. IE 6 is my browser of choice and I'm sticking with it! I like it. It's uncomplicated. It does what I want my browser to do, so why switch to anything else? It wouldn't make sense to switch.

LindaA
December 06, 2007
10:25 AM PT