Microsoft exec kicks off new browser security war

Microsoft exec kicks off new browser security war

Summary: Internet Explorer is more secure than Firefox, according to a senior Microsoft executive, who compared how many vulnerabilities were found in the two browsers -- but critics say his study is flawed.


Internet Explorer is more secure than Firefox, according to a senior Microsoft executive, who compared how many vulnerabilities were found in the two browsers -- but critics say his study is flawed.

Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group released a study last week comparing the flaws in Microsoft's Internet Explorer to Mozilla's Firefox browser -- unsurprisingly, he concluded that Microsoft is doing a better job than Mozilla.

Challenging early predictions that Mozilla's Firefox browser would experience fewer vulnerabilities than IE, Jones concedes that both vendors' browsers have experienced significant flaws.

Jones claims that Mozilla has fixed more flaws in its browser than Microsoft during equivalent periods, which he said renders Firefox more vulnerable than Internet Explorer.

"Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products -- 75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer -- 54 high severity, 28 medium severity; and five low severity," said Jones.

Comparing Microsoft's 2004 release, IE 6 (Service Pack 2) to Firefox 1.0, Jones said Microsoft fixed 79 flaws while Mozilla fixed 88.

He also compared IE 7 to Firefox 2.0 over a 12 month period, during which he said Mozilla fixed 56 flaws while Microsoft only fixed 17 in IE 7.

"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," said Jones.

However, Jonathan Oxer, technical director and founder of Web application development company, Internet Vision Technology, and president of Linux Australia, claims the study is flawed because Microsoft tends to bundle its fixes, which lead to a lower count over the period being compared.

"For example, when fixing a vulnerability there might be several issues being resolved in one go. So it decreases the bug count.

"Also, the way levels of security are reported is often different. In the case of Firefox there may be issues that [Mozilla] has reported for which there is no known exploit -- a theoretical exploit -- so it's not necessarily accurate to directly compare fixed exploits without an understating of how the numbering or definition of an exploit is determined," said Oxer.

Oxer believes that a more valid way to score software in terms of security is to give each exploit a value depending on the number of days from discovery of a bug to the release of a fix, multiplied by a severity factor.

"Two products that have a similar number of exploits fixed over a certain period may actually be very different in terms of the number of days of exposure to which users are subjected," said Oxer.

Is distributor support a strength or weakness?
The Microsoft data also raises the issue of support for legacy versions of the software. While Mozilla ends support for each version six months after a new release of Firefox, Microsoft maintains support for up to a decade after the version ends, in line with its cycle for operating systems.

"If Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001. In contrast, Microsoft generally releases a browser in conjunction with a new operating system release and commits to supporting that version for the lifecycle of the product -- now 10 years for business products," said Jones.

Want to know more?

    For all the latest news, analysis and opinion on security, click here

Support issues also affect third party distributors, Jones said. Despite Mozilla ending support for Firefox 1.5 in May 2007, Ubuntu 6.06 LTS -- which integrates that version of Firefox -- has committed to providing security support until 2009. Likewise, Novell SUSE Linux offers support for Firefox 1.5 until 2013. While Ubuntu and Red Hat released patches for Firefox version 1.5, Jones said: "the vulnerabilities patched by each vendor only overlap partially."

"Lifecycle considerations are likely more important to corporate enterprises, as they sometimes have custom Web applications and are hesitant to upgrade between major releases very often, and even then may have a relatively long transition plan," said Jones.

However Linux Australia's Oxer reckons this manner of delivering support is actually a benefit of the open source model, because it allows customers greater flexibility throughout a contract.

"One of the major differences between the proprietary and open source models is when multiple vendors are providing support for a single code base ... even though Mozilla may end its support, there are software vendors -- such as [Linux] distribution providers -- that are committed to providing support to enterprise customers," said Oxer.

"What it means is that end users get to choose the level of support they want. If you choose a company with long term support for maintaining a stable operating environment for desktops, that's one option they can take. Or they may want a distributor with more frequent updates," he said.

The disadvantage of using a proprietary software company like Microsoft, said Oxer, is that a enterprise customers are shackled to the schedule of a single vendor, which may not fit the organisation's timetable.

Topics: Security, Browser, Enterprise Software, Linux, Open Source

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Funny

    'Microsoft' and 'Trustworthy Computing' in the same sentence. this is the biggest laugh I have had all week
  • Yet another "anti-Microsoft" slanted piece by ZDNet.

    Firstly, there is no point replying to a person that can only make a spuriously silly and childish comment.

    Secondly, Jones is an EXTREMELY well respected person in ICANN and MANY other Internet committee's - definitely far more respected in the WORLD than a generic Australian linux fan.

    Third; if you actually READ the article IN FULL, you will understand and AGREE with Jeff's FACTS and figures. IE7 *IS* actually a good product that has LESS bugs than Firefox. It is as simple as that.

    Considering the anti-Microsoft slant that Australian ZDNET article writers have, it is understandable that the article leans, yet again, towards the "we don't believe Microsoft" even when the information comes from a well respected, world reknown, internet supporter... he just happens to be a consultant to Microsoft. Move beyond the petty little thinking and grow some sensabilities about the real world of computing.

    For the record, I AM a Linux user that installs and maintains Linux/Red Hat & Novell networks for businesses as my daily job. I am a realist and not a blind "fanboi".
  • I thought it was fair and unbiased

    I thought the article was fair and unbiased, the article gave both sides of the story and didn't advise consumers that they should change from one to the other. I will personally continue to use Mozilla Firefox, but I will also continue using IE as well due to the fact some sites don't run on Firefox.

    For the record I am a Windows user that provides desktop support and maintains Windows servers for a company as my daily job.
  • price check

    Relax bois. He has a point, Microsoft does not exactly have a reputation as being fair. Their poor security record and endless antitrust rulings say something about trust and using a dominant market position to exploit the weak.
    And to make another point, Microsoft seem to have a very good reputation for dismissing non-Microsoft innovation and self inflating themselves. If Zdnet's reporting is correct this is still the case.
    By the way, IE7 is still not compatible with many common standards and rates lower that Firefox as far as usability goes. Firefox, don't forget is also free.
  • Rubbish.

    The article was well written and gave space to both sides. Of course that doesn't change the fact that my belief is that Microsoft are being deliberately deceptive as Internet Explorer has an abysmal security track record to date.
    And while we're having a willy-size competition, I manage 100+ staff and a $140 Million AUD IT budget and you're not even a blip on my radar.
    I wish you luck in your career, you'll most probably need it.
  • open vs hidden

    mozilla make open all the bug reports and notify all the fixes, microsoft don't.
    How many bugs has microsoft not told us fixes for?
    How many bugs has microsoft not fixed and not told us about?
    Read the /. discussion on this where the open source representative tells what microsoft really do - since he used to BE the microsoft representative!