Mozilla hits back at browser security claim

Mozilla has reacted to a Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. The study was conducted over the first six months of 2005.

Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's "ability to react, find a solution and put it into the user's hands is better than Microsoft."

Nitot said that Mozilla's reaction time was faster than Microsoft's. "If you look at our ability to respond, we are in much better shape. On 6 September an IDN buffer issue was reported to Mozilla. On 8 September it was publicly disclosed. We ask our developers not to mention any problems until we have a fix for them, but for some reason he went public. On 9 September we had a configuration change that disabled the IDN problem, that users could implement manually, or they could use a patch. Within ten days we had a newer version that was fixed completely."

"If you look at Microsoft — this month they decided to skip a security patch," so any vulnerabilities won't be addressed, according to Nitot. "That's not the kind of thing that happens with us," he said.

He also argued that, according to security company Secunia's statistics, the Microsoft vulnerabilities were more critical, and had been so over a longer timescale. In the period 2003 to 2005 Secunia have issued 22 security advisories regarding Firefox 1.x, and rate it as "less critical". In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as "highly critical".

"Basically their vulnerabilities are more critical. With Firefox — yeah, you have holes, but they're much less serious." Nitot likened the differences between Firefox and IE vulnerabilities as being like injuries: "Which would you prefer, to have a broken finger, or your head ripped off?"

Ollie Whitehouse, a researcher at Symantec, thought that the results were surprising but were due to a number of factors, primarily the short uptake time for Firefox and the fact that it was open source.

"Firstly, there has been a wide adoption of Firefox in a short space of time. More security researchers and people with more nefarious motives have been able to look at the code base. Secondly, as Firefox is open source more people have access to the code base, so they are free to look for bugs. IE is closed source, and so it's more difficult to access the code."

"Rogue Web sites find Firefox is quite difficult to exploit because it runs on a large number of platforms."

When asked to comment on Nitot's point about the short timeframe of the study, Whitehouse responded, "Up until now Firefox has had a lot less holes [than IE] — but it has had a wider adoption in the last six months. It will be interesting to see whether this is a blip, or whether the trend will continue."

"As Firefox becomes more popular, it becomes a more attractive target. People who have swapped [from IE to Firefox], even if this is a blip, should ask whether the assumption that Firefox is more secure than IE is valid anymore. They shouldn't just rely on changing their browser, but may think about having to look at a different configuration."