Firefox vs. Internet Explorer: No real security winner

Summary: The rhetoric coming from Microsoft and Mozilla has heated up in recent days on who is doing a better job on web browser security.  I'd prefer to frame the debate in terms of who is doing worse than the other because both companies have had lots of security issues with their respective browsers.

The rhetoric coming from Microsoft and Mozilla has heated up in recent days on who is doing a better job on web browser security.  I'd prefer to frame the debate in terms of who is doing worse than the other because both companies have had lots of security issues with their respective browsers.  Both companies have vastly improved since the days of Firefox 1.5 versus Internet Explorer 6.0, but each browser leaves much to be desired when you look at the vulnerabilities that have continued to come out.

Microsoft came out and gave a report that showed IE has fewer software flaws than Mozilla Firefox, and they want us to believe this is the most important metric.  Mozilla hit back saying that time-to-patch is a more important metric.  Both of these metrics are important and should be debated publicly so that the user can make informed decisions.  However, "time-to-patch" (the time from when a vulnerability is publicly known until it is patched) should not be confused with time-vulnerable, which runs from the time a product becomes publicly available to the time it is patched.

It is true that once a vulnerability is publicly known, that is a more dangerous time since more people know about it, but we should not assume that the software was "safe" before the vulnerability was known.  This is why the number of vulnerabilities plays an equally important role in determining the security level of software: it indicates the quality of the auditing done before the software is released to the public.  Patching known critical vulnerabilities in a timely manner is important, but that should never excuse shoddy code auditing, and the converse of that statement is also true.  Microsoft patches slower but has better code auditing, while Mozilla patches critical vulnerabilities faster but permits more vulnerabilities to get past its auditing process.  Clearly each company can learn from the other, and each company is failing in overall security.

One other issue that has come up in this spat is Mozilla's Mike Shaver, who says flaw count is misleading since Microsoft hides patches in service packs.  That's a really silly argument since there hasn't been a Microsoft Windows desktop OS service pack since 2004 with the release of Windows XP SP2, and all the comparisons that have been made are post-SP2.  All the other talk of silent fixes is light on actual details; it's awfully hard to make changes to a browser without the public knowing about it, and Microsoft would get skinned alive if they made a change to a product without informing their customers about it.  No one to my knowledge has given a specific example of Microsoft Internet Explorer 7 having any silent or bundled fixes yet, so we can't really factor this in until someone shows an example.  Furthermore, the difference in flaw count isn't some small margin that can easily be explained away by bundled or silent fixes: the gap is almost a 2 to 1 ratio between Firefox 2.0 and IE7.

Internet Explorer 7 versus Firefox 2.0 vulnerability comparison

Here is a list of every single vulnerability for both web browsers by CVE (Common Vulnerabilities and Exposures) or original advisory (when a CVE isn't available).  This data is harvested from Secunia's website.  I'm going to leave out the advisories that have been rated "Not critical".  Everything else is going to be listed as L (Less critical), M (Moderately critical), H (Highly critical), or X (Extremely critical).  Anything rated with an H or X means that the exploit can be remotely triggered (typically from the network) and can lead to full system compromise.  Less critical flaws typically lead to data leakage or theft, and they sometimes require user interaction (social engineering) for the flaw to be exploited.
Month/year | Microsoft Internet Explorer 7 | Mozilla Firefox 2.0
DEC 2007 | CVE-2007-5355 L |
NOV 2007 | CVE-2007-3893 H | CVE-2007-5959 H, CVE-2007-5960 H, CVE-2007-5947 L
OCT 2007 | CVE-2007-3893 H, CVE-2007-3892 L | CVE-2007-1095 H, CVE-2007-2292 H, CVE-2007-4841 H, CVE-2007-5334 H, CVE-2007-5337 H, CVE-2007-5338 H, CVE-2007-5339 H, CVE-2007-5340 H, CVE-2006-2894 L
SEPT 2007 | | Firefox "-chrome" issue L
AUG 2007 | CVE-2007-1749 H, CVE-2007-0943 H, CVE-2007-2216 H, CVE-2007-3041 H | CVE-2007-3844 M, CVE-2007-3656 L, CVE-2007-3670 H
JULY 2007 | CVE-2007-3826 H | CVE-2007-3844 H, CVE-2007-3734 H, CVE-2007-3735 H, CVE-2007-3736 H, CVE-2007-3737 H, CVE-2007-3738 H, CVE-2007-3089 H, CVE-2007-3656 L, CVE-2007-3670 H
JUNE 2007 | CVE-2007-1750 H, CVE-2007-1751 H, CVE-2007-0218 H, CVE-2007-2222 H, CVE-2007-3027 H |
MAY 2007 | CVE-2007-0942 H, CVE-2007-0944 H, CVE-2007-0945 H, CVE-2007-0946 H, CVE-2007-0947 H, CVE-2007-2221 H | CVE-2004-0867 L, CVE-2007-2867 H, CVE-2007-2868 H, CVE-2007-2870 H, CVE-2007-2871 H
APR 2007 | |
MAR 2007 | CVE-2007-1499 H |
FEB 2007 | CVE-2007-0995 L, CVE-2007-1114 L, CVE-2007-1091 L, CVE-2006-4697 H, CVE-2007-0217 H, CVE-2007-0219 H | CVE-2006-6077 H, CVE-2007-0008 H, CVE-2007-0775 H, CVE-2007-0776 H, CVE-2007-0777 H, CVE-2007-0778 H, CVE-2007-0779 H, CVE-2007-0780 H, CVE-2007-0800 H, CVE-2007-0981 H, CVE-2007-0994 H, CVE-2007-0995 H, CVE-2007-1095 H, CVE-2007-0981 L
JAN 2007 | CVE-2007-0024 X |
DEC 2006 | | CVE-2006-6497 H, CVE-2006-6498 H, CVE-2006-6499 H, CVE-2006-6500 H, CVE-2006-6501 H, CVE-2006-6502 H, CVE-2006-6503 H, CVE-2006-6504 H, CVE-2006-6506 H, CVE-2006-6507 H
NOV 2006 | | CVE-2006-6077 L
OCT 2006 | CVE-2004-1155 M, CVE-2006-5544 L, CVE-2006-2111 L |
It's clear from the list above that neither company has something to be proud of when it comes to software vulnerabilities.  If Microsoft and Mozilla were people and each one of these vulnerabilities were a zit on their faces, would they be bragging publicly that they have fewer zits or who pops them quicker?
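To see how the "almost 2 to 1" flaw count falls out of the table above, here is an added Python script (mine, not part of the original post) that parses the rows, tallies entries per browser and rating the way the author counted them, and also counts unique identifiers, since several CVEs appear in more than one month. The rows are transcribed from the table; where the page runs both browser cells together, the split is my assumption based on which product the Secunia advisory covered.

```python
from collections import Counter
# Constructed input: the author's table as (month, IE7 cell, Firefox 2.0 cell), entries kept as "identifier
# rating" exactly as listed. Where the page runs both cells together, the split is my assumption.
ROWS = [
    ("DEC 2007", "CVE-2007-5355 L", ""),
    ("NOV 2007", "CVE-2007-3893 H", "CVE-2007-5959 H CVE-2007-5960 H CVE-2007-5947 L"),
    ("OCT 2007", "CVE-2007-3893 H CVE-2007-3892 L", "CVE-2007-1095 H CVE-2007-2292 H CVE-2007-4841 H CVE-2007-5334 H "
     "CVE-2007-5337 H CVE-2007-5338 H CVE-2007-5339 H CVE-2007-5340 H CVE-2006-2894 L"),
    ("SEPT 2007", "", 'Firefox "-chrome" issue L'),
    ("AUG 2007", "CVE-2007-1749 H CVE-2007-0943 H CVE-2007-2216 H CVE-2007-3041 H", "CVE-2007-3844 M CVE-2007-3656 L CVE-2007-3670 H"),
    ("JULY 2007", "CVE-2007-3826 H", "CVE-2007-3844 H CVE-2007-3734 H CVE-2007-3735 H CVE-2007-3736 H CVE-2007-3737 H "
     "CVE-2007-3738 H CVE-2007-3089 H CVE-2007-3656 L CVE-2007-3670 H"),
    ("JUNE 2007", "CVE-2007-1750 H CVE-2007-1751 H CVE-2007-0218 H CVE-2007-2222 H CVE-2007-3027 H", ""),
    ("MAY 2007", "CVE-2007-0942 H CVE-2007-0944 H CVE-2007-0945 H CVE-2007-0946 H CVE-2007-0947 H CVE-2007-2221 H",
     "CVE-2004-0867 L CVE-2007-2867 H CVE-2007-2868 H CVE-2007-2870 H CVE-2007-2871 H"),
    ("MAR 2007", "CVE-2007-1499 H", ""),
    ("FEB 2007", "CVE-2007-0995 L CVE-2007-1114 L CVE-2007-1091 L CVE-2006-4697 H CVE-2007-0217 H CVE-2007-0219 H",
     "CVE-2006-6077 H CVE-2007-0008 H CVE-2007-0775 H CVE-2007-0776 H CVE-2007-0777 H CVE-2007-0778 H CVE-2007-0779 H "
     "CVE-2007-0780 H CVE-2007-0800 H CVE-2007-0981 H CVE-2007-0994 H CVE-2007-0995 H CVE-2007-1095 H CVE-2007-0981 L"),
    ("JAN 2007", "CVE-2007-0024 X", ""),
    ("DEC 2006", "", "CVE-2006-6497 H CVE-2006-6498 H CVE-2006-6499 H CVE-2006-6500 H CVE-2006-6501 H CVE-2006-6502 H "
     "CVE-2006-6503 H CVE-2006-6504 H CVE-2006-6506 H CVE-2006-6507 H"),
    ("NOV 2006", "", "CVE-2006-6077 L"),
    ("OCT 2006", "CVE-2004-1155 M CVE-2006-5544 L CVE-2006-2111 L", ""),
]

def parse_cell(cell):
    """Yield (identifier, rating) pairs from one table cell; a lone rating letter closes each entry."""
    name = []
    for tok in cell.split():
        if tok in ("L", "M", "H", "X"):
            yield " ".join(name), tok
            name = []
        else:
            name.append(tok)
    if name:  # malformed cell: an identifier with no rating after it
        raise ValueError(f"entry without a rating: {' '.join(name)}")

def tally(rows):
    """Per browser: entries as listed (the author's count), unique identifiers, and counts per rating."""
    stats = {}
    for browser, col in (("IE7", 1), ("Firefox 2.0", 2)):
        by_rating, seen = Counter(), set()
        for row in rows:
            for ident, rating in parse_cell(row[col]):
                by_rating[rating] += 1
                seen.add(ident)  # repeats across months collapse here
        stats[browser] = {"listed": sum(by_rating.values()), "unique": len(seen), "by_rating": dict(by_rating)}
    return stats
```

Counting entries as listed gives 55 for Firefox against 31 for IE7; counting each identifier once narrows that to 49 against 30, which is the kind of difference that makes a bare flaw count a weak metric on its own.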

Microsoft, on the other hand, often waits a month or three to patch some critical vulnerabilities that are actively being exploited.  I've raked them over the coals for this many times in the past, and it's something I wish Microsoft would change.  Microsoft's position is that life is different when you have a hundred million customers using the software, and they're in a tough position to release patches quickly without adequate testing.  Still, this is no excuse for the times that Microsoft leaves vulnerabilities unpatched while they are being actively exploited.  I've argued that even if Microsoft would beta or RC (Release Candidate) their patches when a critical exploit and proof-of-concept is publicly known, that would be a vast improvement over the current situation because users can at least protect themselves if they choose to do so.  When a critical vulnerability is publicly known, I'm more than happy to do my own validation testing on RC-level code.

One other big factor in my experience is that corporate customers don't even like the fact that patches are released monthly.  They'd actually prefer a quarterly patch schedule (like Oracle) or even an annual patch schedule.  They don't want vendors to release patches so often because that would mean the company was failing due diligence if it doesn't apply a patch that is publicly available, and it is liable for that.  But that angers me because it prevents me from getting critical patches, and it's not my problem that some other corporation is embarrassed that it doesn't want to patch frequently.  Companies like Microsoft are caught in this set of conflicting interests, and they're in a delicate position.

Basically, Firefox has nearly twice the number of flaws in its production code, and Microsoft takes substantially longer to patch its issues.  But one wild card in this comparison is that Mozilla fails to implement Protected Mode in Firefox for Windows Vista, which is a big disadvantage for Windows Vista users.  So what's the conclusion?  It all depends on your priorities.  I spoke with Larry Dignan (our Executive Editor), and he felt that faster patching was more important to him, so he chooses Firefox.  For me, since I'm running Windows Vista, I give the security edge to Internet Explorer 7 running in Protected Mode.  But if I'm running Windows XP, I give it a tie on security in the sense that they're both equally pathetic, and the decision needs to be based on other factors and personal preferences.  Whatever your decision, it's just a web browser, so pick the browser of your choice and deal with the issues that come up from time to time.

Topics: Browser, Microsoft, Security, Software

Talkback

88 comments
  • I think it's sick that all we do

    is compare web browsers based on security and not on features. I know we do it because our hand is being forced, but still it makes me lament the days when functionality and price were the deciding factors in making software decisions.
    Michael Kelly
    • You can still go back to those days if you rip out your Ethernet connection

      "but still it makes me lament the days when functionality and price were the deciding factors in making software decisions"

      Back in the "good ol days", you didn't even have user account separation in Windows. Any user can read any other user's files. There was no security in the "good ol days".
      georgeou
      • I remember user account separation

        And still not having to worry so much about security. But of course this was in the days of the LAN connection, before the WAN connection. I'm not saying security was 100% perfect, but at least you had control over the people who connected to the LAN.
        Michael Kelly
  • Could you clarify

    [i]Microsoft patches slower but has better code auditing while Mozilla patches critical vulnerabilities faster but permits more vulnerabilities to get past their auditing process.[/i]

    The above statement is difficult to track, because in most cases we won't be aware of bugs found internally at MS which are then fixed (these won't show up on the normal lists).

    I think it would be better to link to Window Snyder's blog, as it concerns a previous Windows security expert now working for Mozilla who definitely should have some insight into how Microsoft fixes its bugs etc.

    http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
    tombalablomba
    • Window works for Mozilla now

      Window works for Mozilla now so what do you expect her to say? Microsoft is going to present it in the best light for Microsoft, Mozilla will present it in the best light for Mozilla. What else is new? All I did was point out the facts. Either show me the specific bundled or secret patch or I can't count it.
      georgeou
      • just one part

        of my remark, the other was how you could derive that their process was better.

        I'm aware that Window works for Mozilla now, but previously for Microsoft. A remark from her puts it in another light than when some other person at Mozilla makes remarks about Microsoft's processes. As the prime person responsible for security, I just feel that it would be better to link to her than to one of Mozilla's evangelists.
        tombalablomba
      • ummm

        >>>>Either show me the specific bundled or secret patch or I can't count it.

        Umm, if it's secret, how can anyone show you?

        _r
        Ryan Naraine
        • Exactly

          Microsoft should either come out and emphatically state that they no longer engage in secret patching, or they should at least release the counts of all the patches when a service pack is released.
          t_mohajir
        • ummm, give me the specifics

          "Umm, if it's secret, how can anyone show you?"

          ummm, give me the specifics. You can't ever prove a negative. It's like me asking you to prove to me you've never clubbed any baby kittens to death. Until you give me a specific example of IE7 being secretly patched and not mere speculation, it doesn't mean a thing.
          georgeou
          • George, you and many others here live in denial...

            Heck, even the folks at Microsoft live in denial.
            Intellihence
          • And you...

            ...live in a double wide trailer, don't you?

            :)
            Hallowed are the Ori
          • Specifics of what?

            Talk about going around in circles. Microsoft openly admits to silent fixes as a policy. You get suckered in the meaningless counting game with this nonsense about showing hidden/silent fixes.

            Now I'm being suckered into your circular run-around.

            _ryan
            (bowing out)
            Ryan Naraine
          • Give me a specific example of IE7 being patched silently

            Give me a specific example of IE7 being patched silently. Just address the issue at hand.
            georgeou
          • Oh George, come on

            See if you can locate a MS->IE7->Bugzilla accessible to the General Public.

            I mean a true 'open' Bug tracking system with internal/external issue# tracking and source code svn, cvs capability.

            It doesn't exist.

            Hence, Ryan's point stands that you simply don't know if IE7 was patched silently unless you happen to be employed by MS as an IE7 Programmer/Analyst.

            But, thank you for playing.
            You've been called.
            Later! ;)
            D T Schmitz
          • I don't think Ray was attacking you, just the logic

            In other words, if the patch was not publicly known, why should we know about it. We can only assume that this happens.

            Actually, the company most known for "secret" patches is Opera. Way to do Norway proud.
            nucrash
          • Faith.

            Only Microsoft knows the truth, so we either believe in Microsoft words or not believe. You've chosen to believe. And no one can discuss a question of faith.
            pablo Dante
          • ummm, give me the specifics

            I'm puzzled how someone can give specifics about secret info held by a corporation, unless they work for that corporation and don't value their job.
            boguscomputer
          • georgeou clubs baby kittens, that's terrible!!

            nt
            hbashman@...
      • Why do you even want to count it?

        [i]Either show me the specific bundled or secret patch or I can't count it.[/i]

        Who cares if you count it or not? The point you made in your conclusion (and I agree with it) is that [b]both[/b] browsers have exploitable vulnerabilities.

        [i]But if I'm running Windows XP, I give it a tie on security in the sense that they're both equally pathetic and the decision needs to be based on other factors and personal preferences[/i]

        If it turned out that Microsoft secretly fixed more vulnerabilities, it wouldn't reduce the vulnerability count for Firefox at all. What your critics are implying (and you are getting sucked into debating) is something that, even if true, in no way contradicts your conclusion: under XP, vulnerability counts should not be used as a deciding factor between IE7 and Firefox. Use whichever one you prefer since neither gives you very good security.
        NonZealot
      • This is an ad hominem response George.

        It's not valid when the ABMers use it to discredit reports released by Microsoft and it's not valid when it's applied to OSS.

        I understand your point but without any proof that Window is stretching the truth (to be nice) you're making an unsubstantiated claim. Do you have any proof she's being less than honest?
        ye