Firefox vs. Internet Explorer: No real security winner

The rhetoric coming from Microsoft and Mozilla has heated up in recent days on who is doing a better job on web browser security.  I'd prefer to frame the debate in terms of who is doing worse than the other because both companies have had lots of security issues with their respective browsers.  Both companies have vastly improved since the days of Firefox 1.5 versus Internet Explorer 6.0, If each one of these vulnerabilities were a zit on their faces, would they be bragging publicly that they have fewer zits or who pops them quicker? but each browser leaves much to be desired when you look at the vulnerabilities that have continued to come out.

Microsoft came out and gave a report that showed IE has fewer software flaws than Mozilla Firefox and they want us to believe this is the most important metric.  Mozilla hit back saying that time-to-patch is a more important metric.  Both of these metrics are important and should be debated publicly so that the user can make informed decisions.  However, "time-to-patch" (the time a vulnerability is publicly known until it's patched) should not be confused with time-vulnerable since that is determined by the length of time a product has been publicly available to the time it becomes patched.

It is true that once a vulnerability is publicly known that this is a more dangerous time since more people know about the vulnerability but we should not assume that the software was "safe" before the vulnerability was known.  This is why number of vulnerabilities plays an equally important role in determining the security level of software because it indicates the quality of the auditing done before the software is released to the public.  Patching known critical vulnerabilities in a timely manner is important but that should never excuse shoddy code auditing and the converse of that statement is also true.  Microsoft patches slower but has better code auditing while Mozilla patches critical vulnerabilities faster but permits more vulnerabilities to get past their auditing process.  Clearly each company can learn from the other and each company is failing in overall security.

One other issue that has come up in this spat is Mozilla's Mike Shaver who says flaw count is misleading since Microsoft hides patches in service packs.  That's a really silly argument since there hasn't been a Microsoft Windows desktop OS service pack since 2004 with the release of Windows XP SP2 and all the comparisons that have been made are post SP2.  All the other talk of silent fixes are light on actual details and it's awfully hard to make changes to a browser without the public knowing about it and Microsoft would get skinned alive if they made a change to a product without informing their customers about it.  No one to my knowledge has given a specific example of how Microsoft Internet Explorer 7 has had any silent or bundled fixes yet so we can't really factor this in until someone shows an example.  Furthermore, the difference in flaw count isn't some small margin that can easily be explained away by bundled or silent fixes, the gap is almost a 2 to 1 ratio between Firefox 2.0 and IE7.

<Next page - Internet Explorer 7 versus Firefox 2.0 vulnerability comparison>

Internet Explorer 7 versus Firefox 2.0 vulnerability comparison

Here is a list of every single vulnerability for both web browsers by CVE (Common Vulnerabilities and Exposures) or original advisory (when CVE isn't available).  This data is harvested from Secunia's website.  I'm going to leave out the advisories that have been rated "Not critical".  Everything else is going to be listed as L (Less critical), M (Moderately critical), H (Highly critical), and X (Extremely critical).  Anything rated with an H or X means that the exploit can be remotely triggered (typically from the network) and can lead to full system compromise.  Less vulnerable flaws typically lead to data leakage or theft and they sometimes require user interaction (social engineering) for the flaw to be exploited.

Month/year	Microsoft Internet Explorer 7	Mozilla Firefox 2.0
DEC 2007	CVE-2007-5355 L
NOV 2007	CVE-2007-3893 H	CVE-2007-5959 H CVE-2007-5960 H CVE-2007-5947 L
OCT 2007	CVE-2007-3893 H CVE-2007-3892 L	CVE-2007-1095 H CVE-2007-2292 H CVE-2007-4841 H CVE-2007-5334 H CVE-2007-5337 H CVE-2007-5338 H CVE-2007-5339 H CVE-2007-5340 H CVE-2006-2894 L
SEPT 2007		Firefox "-chrome" issue L
AUG 2007	CVE-2007-1749 H CVE-2007-0943 H CVE-2007-2216 H CVE-2007-3041 H	CVE-2007-3844 M CVE-2007-3656 L CVE-2007-3670 H
JULY 2007	CVE-2007-3826 H	CVE-2007-3844 H CVE-2007-3734 H CVE-2007-3735 H CVE-2007-3736 H CVE-2007-3737 H CVE-2007-3738 H CVE-2007-3089 H CVE-2007-3656 L CVE-2007-3670 H
JUNE 2007	CVE-2007-1750 H CVE-2007-1751 H CVE-2007-0218 H CVE-2007-2222 H CVE-2007-3027 H
MAY 2007	CVE-2007-0942 H CVE-2007-0944 H CVE-2007-0945 H CVE-2007-0946 H CVE-2007-0947 H CVE-2007-2221 H	CVE-2004-0867 L CVE-2007-2867 H CVE-2007-2868 H CVE-2007-2870 H CVE-2007-2871 H
APR 2007
MAR 2007	CVE-2007-1499 H
FEB 2007	CVE-2007-0995 L CVE-2007-1114 L CVE-2007-1091 L CVE-2006-4697 H CVE-2007-0217 H CVE-2007-0219 H	CVE-2006-6077 H CVE-2007-0008 H CVE-2007-0775 H CVE-2007-0776 H CVE-2007-0777 H CVE-2007-0778 H CVE-2007-0779 H CVE-2007-0780 H CVE-2007-0800 H CVE-2007-0981 H CVE-2007-0994 H CVE-2007-0995 H CVE-2007-1095 H CVE-2007-0981 L
JAN 2007	CVE-2007-0024 X
DEC 2006		CVE-2006-6497 H CVE-2006-6498 H CVE-2006-6499 H CVE-2006-6500 H CVE-2006-6501 H CVE-2006-6502 H CVE-2006-6503 H CVE-2006-6504 H CVE-2006-6506 H CVE-2006-6507 H
NOV 2006		CVE-2006-6077 L
OCT 2006	CVE-2004-1155 M CVE-2006-5544 L CVE-2006-2111 L

It's clear from the list above that neither company has something to be proud of when it comes to software vulnerabilities.  If Microsoft and Mozilla were people and each one of these vulnerabilities were a zit on their faces, would they be bragging publicly that they have fewer zits or who pops them quicker?

Microsoft on the other hand often waits a month or three to patch some critical vulnerabilities that are actively being exploited.  I've raked them over the coal for this many times in the past and it's something I wish Microsoft would change.  Microsoft's position is that life is different when you have a hundred million customers using the software and they're in a tough position to release patches quickly without adequate testing.  Still, this is no excuse for the times that Microsoft will leave vulnerabilities un-patched when they are being actively exploited.  I've argued that even if Microsoft would beta or RC (Release Candidate) their patches when a critical exploit and proof-of-concept is publicly known, that would be a vast improvement over the current situation because users can at least protect themselves if they choose to do so.  When a critical vulnerability publicly known, I'm more than happy to do my own validation testing on RC level code.

One other big factor in my experience is that corporate customers don't even like the fact that patches are released monthly.  They'd actually prefer a quarterly patch schedule (like Oracle) or even annual patch schedule.  They don't want companies to release the patches so often because that would mean the company was failing due diligence if they don't apply a patch that is publicly available and they are liable for that.  But that angers me because it prevents me from getting critical patches and it's not my problem that some other corporation is embarrassed that they don't want to patch frequently.  Companies like Microsoft are caught in this set of conflicting interests and they're in a delicate position.

Basically, Firefox basically has nearly twice the number of flaws in their production code and Microsoft takes substantially longer to patch their issues.  But one wild card in this comparison is that Mozilla fails to implement Protected Mode in Firefox for Windows Vista which is a big disadvantage for Windows Vista users.  So what's the conclusion?  It all depends on your priorities.  I spoke with Larry Dignan (our Executive Editor) and he felt that faster patching was more important to him so he chooses Firefox.  For me since I'm running Windows Vista, I give the security edge to Internet Explorer 7 running in protected mode.  But if I'm running Windows XP, I give it a tie on security in the sense that they're both equally pathetic and the decision needs to be based on other factors and personal preferences.  Whatever your decision, it's just a web browser so pick the browser of your choice and deal with the issues that come up from time to time.