IE vs Firefox: Microsoft crunches security numbers

Summary: Jeff Jones, security strategy director in Microsoft’s Trustworthy Computing group, is at it again, comparing three years of vulnerability data for the two main Web browsers -- Internet Explorer and Firefox -- to reach a conclusion that IE is arguably much safer than the open-source rival.


Jones, known for his security comparisons of operating systems -- which paint Microsoft Windows in a favorable light -- came to a simple conclusion after his IE/Firefox security match-up:

While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox.

The report (.pdf) examines vulnerabilities over the past three years, breaks them down by severity, looks at version-over-version trends for each browser, and examines how each browser is doing in terms of unfixed vulnerabilities. In Jones's estimation, IE has the superior security profile.

[S]upported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox, a result that stands in contrast to early assertions by Mozilla that Firefox "won't harbor nearly as many security flaws as those that have Microsoft's Internet Explorer."

Since the release of Firefox 1.0 in November 2004, Jones counted 199 vulnerabilities in supported Firefox products – 75 HIGH severity, 100 MEDIUM severity and 24 LOW severity.

During the same period, he said Microsoft fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer – 54 HIGH severity, 28 MEDIUM severity, and 5 LOW severity.

The study did not take into account silent (undocumented) patches.

Jones also compared life-cycle support policies of the two browsers and contends that Microsoft does a better job of shipping patches for older browser versions.

The report, which is sure to raise hackles among open-source advocates, is clearly an attempt by Microsoft to extol the virtues of its SDL (security development lifecycle) and its commitment to security. However, there's one key thing missing from Jones's analysis -- the auto-patching mechanism built into Firefox, which gives Mozilla a clear advantage over Microsoft.

In effect, Firefox patches itself whenever Mozilla ships updates, while prompt Internet Explorer updates depend entirely on the end-user running the Windows AU (Automatic Updates) mechanism. Don't even get me started on the forgotten world of dial-up Windows users who never, ever apply patches.

That's one of the main reasons malware authors take aim at IE more than any other desktop application.
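The article's point is that delivery (a browser that updates itself versus one whose fixes wait for the user to run Windows AU) matters as much as the raw vulnerability count Jones reports. The following days-at-risk model makes that concrete; it is an added example, not code from the article or from Jones's report, and every browser, date and identifier in it is constructed.

```python
"""Two ways to score a browser's patch history: a raw vulnerability count
(what Jones's report does) versus days-at-risk, which also charges for the
time between a fix being available and it actually being installed.
All browser names, dates and ids below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                    # constructed placeholder, not a real advisory id
    severity: str                   # "HIGH", "MEDIUM" or "LOW", as in the report
    disclosed: date                 # date the flaw became public
    patch_released: Optional[date]  # None means still unfixed


def days_at_risk(v: Vuln, install_lag_days: int, as_of: date) -> int:
    """Days a user was exposed: from disclosure until the fix was installed.
    install_lag_days models delivery: ~0 for a self-updating browser, larger
    when the user must run an update mechanism. Unfixed flaws count to as_of."""
    if v.patch_released is None:
        fixed_on_machine = as_of
    else:
        fixed_on_machine = min(as_of, v.patch_released + timedelta(days=install_lag_days))
    return max(0, (fixed_on_machine - v.disclosed).days)


def score(vulns, install_lag_days: int, as_of: date) -> dict:
    """Return the raw count (Jones's metric) next to total days-at-risk."""
    by_sev = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    total_days = 0
    unfixed = 0
    for v in vulns:
        by_sev[v.severity] += 1
        total_days += days_at_risk(v, install_lag_days, as_of)
        if v.patch_released is None:
            unfixed += 1
    return {"count": len(vulns), "by_severity": by_sev,
            "days_at_risk": total_days, "unfixed": unfixed}


AS_OF = date(2007, 12, 1)   # constructed cut-off date for the sample

# Constructed: self-updating browser, more flaws, each fixed within days
SELF_UPDATING = [
    Vuln("A-1", "HIGH",   date(2007, 1, 10), date(2007, 1, 14)),
    Vuln("A-2", "MEDIUM", date(2007, 3, 2),  date(2007, 3, 6)),
    Vuln("A-3", "HIGH",   date(2007, 6, 20), date(2007, 6, 25)),
    Vuln("A-4", "LOW",    date(2007, 9, 1),  date(2007, 9, 3)),
]
# Constructed: manually updated browser, fewer flaws, one fixed late, one open
MANUAL_UPDATE = [
    Vuln("B-1", "HIGH",   date(2007, 2, 5),  date(2007, 4, 10)),
    Vuln("B-2", "HIGH",   date(2007, 7, 15), None),
]

if __name__ == "__main__":
    # 1-day lag for auto-update, 30-day lag for users who must run updates
    print(score(SELF_UPDATING, 1, AS_OF))    # 4 flaws, 19 days at risk
    print(score(MANUAL_UPDATE, 30, AS_OF))   # 2 flaws, 233 days at risk
```

Counting alone ranks the second browser as safer; days-at-risk, which is what an attacker's window actually depends on, ranks it far worse.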

Talkback

  • One line says it all.

    The most telling, and understated line in the whole post.

    [i]The study did not take into account silent (undocumented) patches.[/i]

    Mozilla doesn't get silent patches. When something's wrong in Firefox, the world knows about it. MS gets to continue to hold the cards close to their vest, in their pockets and up their sleeves. It's not a poker game if things aren't equal, and things aren't equal.
    Dr. John
    • and they should also take into account

      the MSIE versions from 1.0 onwards. You can't really compare a young product with an old product such as IE unless you compare each from their birth.

      Then let's count the patches, bug fixes and timescales of response.

      Not that I use FF that much, I prefer Opera.
      deaf_e_kate
      • Re: and they should also take into account

        > the MSIE versions from 1.0 onwards. You can't really compare
        > a young product with an old product such as IE unless you
        > compare each from their birth.

        That must be the most hilarious argument in this discussion. I almost took it seriously. Hm, actually anyone who hasn't seen a web browser before 2004 could take it really seriously...

        IE 1.0 was released in 1995.
        Firefox 1.0 was released in 2004.

        If anything, Firefox versioning should start with Netscape Navigator (1997), which was INITIALLY released as version 4.0...

        [source: wikipedia]
        the_fiddler_on_the_roof
        • wrong

          ahem... Netscape Navigator was INITIALLY released as version 1.0 in 1994 (not to mention pre-1.0 versions)
          [source: wikipedia]
          shoktai@...
          • This is what I remember..

            from actually using it on Windows 3.1 about that date; seemed even earlier though. 1991
            [source: flakey brain memory]
            JCitizen
        • What does 1.0 mean to you?

          In commercial development, 1.0 is the first version you usually let customers see; it rarely has all the features you want, it almost always has (in retrospect) howling defects and "sharp edges to cut yourself on"... think Windows pre-2000, the original 128K Mac, the original Zune, etc.

          In open development, 1.0 generally means "feature complete and no serious defects that the team is aware of, and we've already gone through significant end-user feedback loops."

          To put it into perspective: you're comparing sports cars between a Lamborghini Countach and a Corvair. Not a very fair comparison at all, is it?
          jeffdickey
    • Amazing, isn't it?

      [i]The study did not take into account silent (undocumented) patches.[/i]

      You know, I'm an advertising professional of 30+ years' experience and even [i]I[/i] can't warp reality as effortlessly and completely as Microsoft can.

      I tell ya, it's simply breathtaking. Stalin's aktivnye meropriiatiia machine looked like amateurs compared to these folks.
      UserLand
      • 30 plus years?

        Somehow you got stuck in the past. Nobody thinks Microsoft is trying to "warp" reality. They used to use their marketshare in opportunistic ways and that's it. Apple is in the RDF methods.
        Microsoft doesn't even advertise IE and it's now free of WGA.
        It's good you are in sales because you don't begin to understand the real game that's been played for ages now. That is the ABM song and dance that builds strawman arguments against Microsoft in the face of equally bad software, behavior and an attempt to take over all of the computing world via "standards". You don't see a Linux person talking about sharing a market, you hear them talking about the death of proprietary software. Unfortunately they are putting millions of jobs at risk and hurting families and businesses in a worse way than Microsoft ever could while dumping product into a market.
        Let's put it this way, you talk about Stalin, well the man that invented Linux has openly dismissed and shown pure disgust for how the "open source" movement has turned into a religious war with radicals taking control of it. I'd say we've had enough radicalism for a lifetime.
        Then there is OS X, the only OS so perfect, so grand, so enchanting as to drive people into making death threats, many many death threats against people who have claimed they could exploit it, or even spoke out too negatively about it.
        Microsoft may have used its marketing muscle but they are NOT radicals.
        xuniL_z
        • From what I have seen

          Microsoft can claim its share of radicals from its fan base too. Some of the claims I have seen here about Microsoft products (both for and against) show either blatant ignorance or deliberate deception. Marketing and sales are known for exaggerating a product's capabilities and minimizing its weaknesses while doing the opposite for its competitors.

          Your use of exaggeration against OSS also shows your radicalism. A lot of OSS is written for the Windows platform. Firefox, Eclipse, Open Office all are available on MS Windows. Many of the companies that back OSS also have their own proprietary software, like IBM, Novell, and Sun Microsystems. Also, not everyone that uses Linux is anti-proprietary or anti-Microsoft for that matter.

          As for standards, they are meant to facilitate interoperability between platforms. SQL, C, C++ have had standards committees long before OSS existed. Microsoft has also used more than just its marketing muscle. Both the US Justice Department and the EU have filed and won cases involving unfair competition and anti-trust law violations against Microsoft. Like many of the big corporations out there, Microsoft is not some innocent lamb or benevolent protector. Like most corporations if not all, it is interested primarily in its bottom line and if it is not monitored it will abuse its power.
          alaniane@...
          • Speaking of standards...

            MS is notorious for bending standards in such a way as to ensure that no other vendor's products will work properly with MS's stuff.

            As I've said before, I like MS, to a degree, and I like some of their products. But, I still gotta call ugly, ugly.
            Dr. John
    • You contradict yourself with this silly argument.

      You say silent patches is key here but all we hear from the Linux camp is how the code goes out in better shape because of so many people looking at the code? Which way do you want it?
      This silly line of argument from the entire camp is outrageous. We are talking about the vulnerabilities of released products, not those still in development. MS products attract massive numbers of security experts prying and trying to hack, break, anything a criminal hacker could possibly do, to find cracks in the code. In fact there is no data, only anecdotal rhetoric, that says this method of looking for cracks is less likely to find them than flat out code reviewers. Not every FF user is a software engineer. And most IE code is floating around anyway.

      Please let's put an end to urban legends and this kind of rhetoric. If anyone is holding extra cards, it's open source by virtue, once again, of what you say are so many eyes looking at it before it's even released. Microsoft has only their in-house IE team before release and then they are at the disadvantage again because there are most people, both good and especially BAD, trying to crack the code.

      Why can't we talk about why the two products should be used together or something constructive.
      FF is mostly a commercial product with loads of Google engineering involved in the coding on top of all those "eyes". It should be released totally free of bugs in that respect.
      The advantages are at least a wash, at most they go to open source. So IE is the superior product. Hands down.

      thanks.
      xuniL_z
      • Full of Crap

        "You say silent patches is key here but all we hear from the linux camp is how the code goes out in better shape because of so many people looking at the code? Which way do you want it?"

        Why mix up 2 different things in order to justify yourself? No. 1 silent patches are good. Period. Do you understand something as simple as vulnerability exposure window? Clearly you don't, otherwise you would stop your silly argument about that one. And please don't try to argue. Anyone without vested interests will tell you straight up that a system/application that is patched is more secure than an unpatched one. So, in this case, FF forces silent patches automatically, thus drastically reducing the exposure window. No. 2 Blackbox testing or hacking is much harder at exposing vulnerabilities than code review. Again, you either have a vested interest or are too deep beyond your understanding of the issue. Any serious security practitioner given the choice between code review and blackbox testing would choose code review. Why, because it can quickly identify potential issues which can then be explored. Let me give you some tools
        http://sourcenav.sourceforge.net/
        http://java-source.net/open-source/code-analyzers
        And by the way, there is no any other way to assure software at the highest level of assurance without code review. In evaluation organizations like common criteria, Evaluation Assurance Level 7 or EAL 7 can only be attained through code review. Understand this.

        "We are talking aobut the vulnerabilities of released products, not those still in development."

        This may come as news to you but FF is a released product that is in wide use.

        "MS products attrack massive numbers of security experts prying and trying to hack, break, anything a criminal hacker could possibly do, to find cracks in the code"

        And FF isn't hacked or tested for hacking? I suppose this is a figment of my futile imagination
        http://www.milw0rm.org/platforms/windows

        "In fact there is no data, only anecdotal rhetoric, that says this method of looking for cracks is less likely to find them than flat out code reviewers."

        Some things are deemed to be self evident if you have enough knowledge of the subject matter. Code review is the ultimate security check.

        "And most IE code is floating around anyway. "
        Why shoot yourself in the foot, mate. You have said code review isn't as effective as claimed. Why now point out that there is IE code floating around? Could it be due to the importance of code review? Let me stipulate further, are you alluding to reverse engineering to obtain source code, since I haven't seen source code released by MS? Why would these professionals resort to reverse engineering? I wonder

        "Why can't we talk about why the two products should be used together or something constructive. "

        Who is the source of this latest conflict? Of course it must be FF since MS did a study that proved they are better. What parameters did we overlook? Sheesssh those FF people just can't accept reality. They are beaten well and truly. How dare they raise pertinent and appropriate questions.

        "FF is mostly a commercial product with loads of Google engineering involved in the coding on top of all those "eyes". It should be released totally free of bugs in that respect."

        And your ignorance shines bright. What system is perfect my friend. Forget even about software. What system is perfect?
        goxk@...
      • show me

        Look at the Coverity scans of open source software. They represent a very high quality set of 'eyes'. Seeing a bug doesn't fix it, but it is a great first step. Go look at the rate of bug fixes once Coverity uncovers a bug. This is a code review and it does find bugs before they become issues. So eyeballs looking at source code does find bugs.
        shis-ka-bob
      • Maybe if I showed you the math....

        [i]You say silent patches is key here but all we hear from the linux camp is how the code goes out in better shape because of so many people looking at the code? Which way do you want it?[/i]

        Maybe if I showed you the math, you'd understand why this isn't a contradiction.

        Let's use the numbers from the article. Firefox has 199 security holes and 87 for IE. Let's also use U for the number of documented security patches over the lifetime of Firefox, V for the number of "silent" patches for Firefox, W for the number of security bugs known by the Mozilla team but not made public, and X, Y, & Z for the respective details for IE.

        If (199+W)-(U+V) > (87+Z)-(X+Y), then the article is right, and Firefox has a less secure profile. There are 6 unknowns, but we can resolve some of them. Given that Firefox is an open-source project and the Mozilla team cannot release "silent" patches for Firefox, or hide security bugs from the public, we know that V=W=0.

        Now this has to be true for the article: 199-U > (87+Z)-(X+Y). We know logically that the # of silent patches released by Microsoft must be less than or equal to the number of unmentioned bugs, i.e. Y<=Z. If Y<Z then odds are that the article is likely wrong, especially if Y << Z (Y is significantly less than Z). But let's be nice and assume they're equal.

        That leaves us with this for the article: 199-U > 87-X or more simply: 112 > U-X. If the Mozilla team has released at least 112 more security patches than Microsoft over the sampled releases, then regardless of the hidden Y & Z data, Firefox is no less secure than IE. I'm sure a quick browse through the patches released by both development teams could quickly resolve that question. Also, given the potential impact of the hidden data, it is more than reasonable to assume that Firefox is still more secure than IE.

        The complaint that Open Source advocates have is nearly identical to the one you're making. We'd all like to see a fair comparison of apples with apples. Instead we only have shady apples to apples comparisons with few people realizing that Microsoft's apple is actually a pomme de terre (apple of the earth, i.e. potato). Maybe one day we'll all see fair numbers, but I wouldn't hold my breath.
        kingmph@...
      • No, I don't.

        Bypassing all your foaming at the mouth, let's review. I said FF doesn't get to hide their flaws, because they are made public, and fixed/patched virtually immediately. And, the fix/patch is dished out virtually immediately.

        MS flaws are typically reported to MS, then MS sits on them until they get around to doing something about them. It could be that they'll do something about them in the next Patch Tuesday, or it could be that they'll sit on them for months, if not years. And, since MS has closed code, they can roll out a single patch that is claimed to fix a known bug/vulnerability, that also silently patches/fixes half a dozen others known only to MS.

        If you doubt any of that last paragraph's validity, feel free to do a little research. There have been several medium to high profile instances of MS knowing about defects for months, about customer machines being vulnerable to the attacks for months, yet they did absolutely nothing until someone, typically the researcher that found the problem in the wild, tells the world. And, when they tell the world, they tend to mention how long ago they told MS about the problem, then waited for the fix.
        Dr. John
    • Fear of the unknown = Paranoia

      So if they are silent and undocumented how do you know if there were even any of these? How many were there? How severe were they?

      Sorry, this sounds a little paranoid to me.

      And even if there were issues of this type they found and fixed, at least they are now fixed.
      Compudad9
  • RE: IE vs Firefox: Microsoft crunches security numbers

    The real reason to use Firefox is AdBlock Plus. Nothing else blocks as much with fewer false positives, not AdBlock Pro, and not the Adblocker in IE7 Pro.
    txscott
    • I agree

      FF + AdBlock Plus + NoScript = The safest browsing experience out there yet. Period. Nothing IE7 offers even comes close.
      balaknair
  • Where was that conclusion pulled out of?

    [i]"Firefox patches itself whenever Mozilla ships updates while immediately Internet Explorer updates depends on the end-user using the operating system's automatic updates mechanism. That's one of the main reasons malware authors take aim at IE more than any other desktop application."[/i]

    Uhh. Care to qualify that statement?

    I would think it has a little to do with the fact that 85% of internet users still use IE.
    toadlife
    • it's also an easier target

      For whatever reason, IE is an easier target than Firefox.

      I tend to agree that the reason malware authors target IE isn't because of the patch cycle. It may be part of it but it's not the reason.

      IE is simply an easier target, because Windows users get IE whether they like it or not. It's an insecure browser, and Windows users are easy targets.

      Firefox users are more likely to be more secure than the average Windows user, so why target Firefox?

      That said, Firefox is more secure than IE.
      mdsmedia