Browser security is an open and shut case

Comparing the vulnerability reports for IE and Firefox is not an easy matter. Working out the best approach in the long term is far simpler

Think that open source was more secure than proprietary software? Think again, says Symantec. In the first six months of this year, Mozilla scored 25 confirmed vulnerabilities while Internet Explorer got only 13.

Not a good advert for the inherent security of collaborative open development, at least at first sight. Who wants to use the most buggy software?

But that's not what the figures show. As those who use both browsers regularly will know, they are of roughly equal quality – something that should give Microsoft pause for thought, given that Firefox was created entirely free of Microsoft's obsessive, expensive and cumbersome management procedures. Assuming that coding and design errors are evenly distributed in the products, then the number of security flaws may be roughly equal too. At least, to begin with.

Where open source software does have an advantage is that a popular package will without question attract more expert perusal of the code than the equivalent proprietary closed product. It is reasonable to expect this to unearth more problems more quickly: provided that the code is then fixed more quickly, the quality of the open product should improve more quickly. Symantec's figures are consistent with that analysis, as are Mozilla's claims about the speed of fixing. Open code is also more accessible to hackers, but Secunia's statistics show that a fully patched Firefox is much more secure than a fully patched IE.

If Firefox is still coming up with double-digit exploits four years after launch, then we'll know it's as bad as IE: until then, simple headline figures are in no way sufficient to help you decide which browser is safer. However, one security benefit you can rely on is that by using the browser with the best adherence to open standards and the least reliance on single-vendor options, you will encourage service providers to stick to those standards too. If your favoured browser then proves to be a serious security liability, your options for replacing it are – literally – open.

The combination of open standards and open software remains the strongest guarantee of continued security. Problems out in the open are problems that get fixed.