IE trumps Firefox in Microsoft safety study

IE trumps Firefox in Microsoft safety study

Summary: A senior Microsoft executive has said IE is the safer bet after comparing how many vulnerabilities were found in the two browsers, but critics claim the study was flawed

TOPICS: Security

Internet Explorer is more secure than Firefox, according to a senior Microsoft executive, who compared how many vulnerabilities were found in the two browsers — but critics say his study is flawed.

Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group, released a study last week comparing the flaws in Microsoft's Internet Explorer to Mozilla's Firefox browser — unsurprisingly, he concluded that Microsoft is doing a better job than Mozilla.

Challenging early predictions that Mozilla's Firefox browser would experience fewer vulnerabilities than IE, Jones concedes that both vendors' browsers have experienced significant flaws.

Jones claims Mozilla has fixed more flaws in its browser than Microsoft during equivalent periods, which he said renders Firefox more vulnerable than IE.

"Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products — 75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer — 54 high severity, 28 medium severity; and five low severity," said Jones.

Comparing Microsoft's 2004 release, IE6 (Service Pack 2), to Firefox 1.0, Jones said Microsoft fixed 79 flaws while Mozilla fixed 88.

He also compared IE7 to Firefox 2.0 over a 12 month period, during which he said Mozilla fixed 56 flaws while Microsoft fixed only 17 in IE7.

"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," said Jones.

However, Jonathan Oxer, technical director and founder of web application development company, Internet Vision Technology, and president of Linux Australia, claims the study is flawed because Microsoft tends to bundle its fixes, which lead to a lower count over the period being compared.

"For example, when fixing a vulnerability there might be several issues being resolved in one go. So it decreases the bug count."

Oxer explained that the way in which levels of security are reported is frequently different. "In the case of Firefox there may be issues that [Mozilla] has reported for which there is no known exploit — a theoretical exploit — so it's not necessarily accurate to directly compare fixed exploits without an understating of how the numbering or definition of an exploit is determined," he said.

Oxer believes that a more valid way to score software in terms of security is to give each exploit a value depending on the number of days from discovery of a bug to the release of a fix, multiplied by a severity factor.

"Two products that have a similar number of exploits fixed over a certain period may actually be very different in terms of the number of days of exposure to which users are subjected," said Oxer.

Distributor support
The Microsoft data also raises the issue of support for legacy versions of the software. While Mozilla ends support for each version six months after a new release of Firefox, Microsoft maintains support for up to a decade after the version ends, in line with its cycle for operating systems.

"If Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001. In contrast, Microsoft generally releases a browser in conjunction with a new operating system release and commits to supporting that version for the lifecycle of the product — now 10 years for business products," said Jones.

Support issues also affect third-party distributors, Jones said. Despite Mozilla ending support for Firefox 1.5 in May 2007, Ubuntu 6.06 LTS — which integrates that version of Firefox — has committed to providing security support until 2009. Likewise, Novell Suse Linux offers support for Firefox 1.5 until 2013. While Ubuntu and Red Hat released patches for Firefox version 1.5, Jones said: "The vulnerabilities patched by each vendor only overlap partially."

Read this


Photos: Driving the web revolution: The 'Internet Van'

California's Computer History Museum is celebrating the 30th birthday of the first true internet connection by displaying the van in which it occurred

Read more

"Lifecycle considerations are likely [to be] more important to corporate enterprises, as they sometimes have custom web applications and are hesitant to upgrade between major releases very often, and even then may have a relatively long transition plan," said Jones.

However, Linux Australia's Oxer reckons this manner of delivering support is a benefit of the open-source model, because it allows customers greater flexibility throughout a contract.

"One of the major differences between the proprietary and open-source models is when multiple vendors are providing support for a single code base… even though Mozilla may end its support, there are software vendors — such as [Linux] distribution providers — that are committed to providing support to enterprise customers," said Oxer.

"What it means is that end users get to choose the level of support they want. If you choose a company with long-term support for maintaining a stable operating environment for desktops, that's one option they can take. Or they may want a distributor with more frequent updates," he said.

The disadvantage of using a proprietary software company such as Microsoft, said Oxer, is that enterprise customers are shackled to the schedule of a single vendor, which may not fit the organisation's timetable.

Topic: Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I've just fainted in surprise

    Sorry - did I read your headline right? Microsoft's product beats a rival in Microsoft's own safety study and this is trumpeted by a Microsoft executive? Apprently in a study in Stalin's Russia, Stalin's five year plans were perfect. Stalin said so himself. Thank the Lord for objectivity in research...
  • crazy logic

    Basically, "we fixed more bugs in our software, therefore it is safer"

    Christian Brown
  • It's not the number, it's the size.

    The security bugs in Firefox tend to be (not always) theoretical ones that get fixed. The exploits in Internet Explorer tend to be real ones already out there and in use by websites.

    Without close examination of the actual exploit, the numbers are meaningless. One would have hoped that a Microsoft executive had some intelligence to work this out, obviously not.

    I remember when the browser was separate from the operating system, it was just another application and far more secure as a result.
  • Internet Explorer is more secure than Firefox.

    Oh yeah, you can believe this. After all Microsoft has made numerous studies showing their software is more secure than their rivals. If you want facts just ask any Microsoft executive, because they have never lied before.
  • Surely, you must win your own competition!

    It's crazy that they would publish a report of this nature, IE might be better that Firefox, but who are Microsoft fooling, do they expect people to believe an internal comparison to be totally impartial? I would expect to win in my own competition!

    IE7 is a very reliable browser but Microsoft, leave comparisons to a disintersted third party, or carryout a joint study with the guys from Mozilla.