IE vs Firefox: Microsoft crunches security numbers

Jeff Jones, security strategy director in Microsoft’s Trustworthy Computing group, is at it again, comparing three years of vulnerability data for the two main Web browsers -- Internet Explorer and Firefox -- to reach a conclusion that IE is arguably much safer than the open-source rival.
Written by Ryan Naraine, Contributor
Jones, known for his security comparisons of operating systems -- which paint Microsoft Windows in a favorable light -- came to a simple conclusion after his IE/Firefox security match-up:

"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox."

The report (.pdf) examines vulnerabilities over the past three years, breaks them down by severity, looks at version-over-version trends for each browser and examines how each browser is doing in terms of unfixed vulnerabilities. In Jones's estimation, IE has a superior security profile.

"[S]upported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox, a result that stands in contrast to early assertions by Mozilla that Firefox 'won't harbor nearly as many security flaws as those that have Microsoft's Internet Explorer.'"

Since the release of Firefox 1.0 in November 2004, Jones counted 199 vulnerabilities in supported Firefox products – 75 HIGH severity, 100 MEDIUM severity and 24 LOW severity.

During the same period, he said Microsoft fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer – 54 HIGH severity, 28 MEDIUM severity, and 5 LOW severity.

The study did not take into account silent (undocumented) patches.

Jones also compared life-cycle support policies of the two browsers and contends that Microsoft does a better job of shipping patches for older browser versions.

The report, which is sure to raise hackles among open-source advocates, is clearly an attempt by Microsoft to extol the virtues of its SDL (security development lifecycle) and commitment to security. However, there's one key thing missing from Jones's analysis -- the auto-patching mechanism built into Firefox that gives Mozilla a clear advantage over Microsoft.

In effect, Firefox patches itself whenever Mozilla ships updates, while immediate Internet Explorer updates depend entirely on the end user using the Windows Automatic Updates (AU) mechanism. Don't even get me started on the forgotten world of dial-up Windows users who never, ever apply patches.

That's one of the main reasons malware authors take aim at IE more than any other desktop application.