Internet Explorer 7 vs. Firefox 2.0: It's all about security (actually, lack thereof)

Barely a week has passed since Internet Explorer 7 and Firefox 2.0 were released to the public and already, the merits of one vs. the other is devolving into a discussion of which is less insecure (I chose those words very carefully). As it turns out, there are already vulnerabilities in both. In the case of Internet Explorer 7, the most recent of these vulnerabilities (ranked as moderately critical by security researcher Secunia) is, according to eWeek, and "old windows injection flaw" that "has haunted earlier versions of Internet Explorer since Dec 2004." Suggesting that the flaw may be too obscure to merit attention (I'll leave that to security whizzes like George Ou to discuss), eWeek noted that "The flaw remains unpatched in IE 6.0, suggesting that Microsoft may not consider it serious enough to warrant a patch."

Meanwhile, ZDNet readers are claiming that that we're playing favorites by not giving Firefox's vulnerabilities equal airtime (headlines).  According to a reader that goes by the handle of "PeterWeter," there may be other vulnerabilities in Firefox, all-be-them equally obscure. According to SecurityFocus's discussion of one:

Mozilla Firefox is prone to a remote memory-corruption vulnerability. This issue is due to a race condition that may result in double-free or other memory-corruption issues...attackers may likely exploit this issue to execute arbitrary machine code in the context of the vulnerable application, but this has not been confirmed. Failed exploit attempts will likely crash the application.

Another Firefox vulnerability is cited by the Department of Homeland Security's National Vulnerability Database as being of medium criticality.  Says the post:

Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by redirecting the browser to another page, which leads to a concurrency failure that causes structures to be freed incorrectly...

My point isn't that either browser has vulnerabilities or that one is less insecure than the other. My point is how the conversation regarding these and other insecurities that you just know certain people are racing to find will very likely overshadow the conversation about why these browsers represent advancements over their predecessors. Instead of upgrading to them for their features, the first question will be, but are they secure? Answer: No software except for "Hello World" is 100 percent secure. Ever. Now, the conversation appears not to be about why I should upgrade to one of these. It's about why I shouldn't.

This will of course re-open the debate of what's more secure: commercially developed software or open source?  So, there's no time like the present to get a head start.

[poll id=8]