IE vs Firefox: Microsoft crunches security numbers


Comparing security profiles
Jeff Jones, security strategy director in Microsoft’s Trustworthy Computing group, is at it again, comparing three years of vulnerability data for the two main Web browsers -- Internet Explorer and Firefox -- to reach a conclusion that IE is arguably much safer than the open-source rival.

Jones, known for his security comparisons of operating systems -- which paint Microsoft Windows in a favorable light -- came to a simple conclusion after his IE/Firefox security match-up:

While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox.


The report (.pdf) examines vulnerabilities over the past three years, breaks them down by severity, looks at version-over-version trends for each browser and examines how each browser is doing in terms of unfixed vulnerabilities. In Jones's estimation, IE has a superior security profile.

[S]upported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox, a result that stands in contrast to early assertions by Mozilla that Firefox "won't harbor nearly as many security flaws as those that have Microsoft's Internet Explorer."

Since the release of Firefox 1.0 in November 2004, Jones counted 199 vulnerabilities in supported Firefox products – 75 HIGH severity, 100 MEDIUM severity and 24 LOW severity.


During the same period, he said Microsoft fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer – 54 HIGH severity, 28 MEDIUM severity, and 5 LOW severity.

The study did not take into account silent (undocumented) patches.

Jones also compared life-cycle support policies of the two browsers and contends that Microsoft does a better job of shipping patches for older browser versions.


The report, which is sure to raise hackles among open-source advocates, is clearly an attempt by Microsoft to extol the virtues of its SDL (security development lifecycle) and commitment to security. However, there's one key thing missing from Jones's analysis -- the auto-patching mechanism built into Firefox that gives Mozilla a clear advantage over Microsoft.

In effect, Firefox patches itself whenever Mozilla ships updates, while immediate Internet Explorer updates depend entirely on the end-user using the Windows AU mechanism. Don't even get me started on the forgotten world of dial-up Windows users who never, ever apply patches.

That's one of the main reasons malware authors take aim at IE more than any other desktop application.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
