Is Firefox More Secure than Internet Explorer?

Well, sure it is. According to the Firefox web site, which must of course be untainted by marketing claims since it is Mozilla, "Firefox continues to lead the way in online security".

OK, marketing hyperbole aside, I'm a data guy. I care about what the data says. Fortunately, Jeff Jones collected the data and did the analysis. Rather than color your conclusions by mine, I will let you draw your own conclusions from his analysis because (a) Jeff is a friend of mine and I won't let that influence a judgement, and (b) there may be a slight conflict of interest in the analysis due to Jeff's current employment situation. Nevertheless, it is an interesting read, and you can check the numbers for yourself.

Don't forget too that IE 7, under Vista, runs in Protected Mode, that is, as a low-integrity process under Vista's mandatory integrity control. A compromised browser at low integrity cannot write to the user's files, registry keys, or higher-integrity processes, which renders a lot of attacks far less severe. Jeff forgot to mention that in his analysis. Firefox does not work in low integrity; at least not yet.

Published Fri, Nov 30 2007 12:28 PM by jesper

Comments

# Nilotpal said on 30 November, 2007 06:57 PM

What Jeff Jones did not do was see the number of days each vulnerability was left unfixed, the so-called "days of risk". I had done such an analysis for a shorter term of about a year a few months back and had found that IE was more insecure, at least under XP. I will redo the analysis and publish the findings in the next few days, but I doubt the findings will be different.

Jeff has also not mentioned zero-day exploits, which are just more common in IE, so for practical purposes IE will be more insecure for the user.

However, vulnerabilities are just a part of the story. IE is just more secure under Vista due to privilege separation.

I may be wrong, but leaving out "days of risk" seems like Jeff may be indulging in FUD. At least I think so, simply because he had done a "days of risk" analysis where it was not appropriate (comparison of Linux and Windows) but has not done one here, where, other than one program being proprietary and the other open source, the vulnerability disclosure and fix model is very similar.

# Asa Dotzler said on 30 November, 2007 07:03 PM

"Well, sure it is. According to the Firefox web site, which must of course be untainted by marketing claims since it is Mozilla"

And a "study" conducted by a Microsoft employee and then cited by Microsoft without acknowledging that the study was conducted by one of their own employees couldn't possibly be tainted.

# Ross said on 02 December, 2007 05:28 AM

Hi Jesper, I read carefully the report you suggested, written by Jeff Jones, a Microsoft employee in the Trustworthy Computing group. It is just numbers and messy comparisons and it doesn't really help in finding the truth, or sort of...

Mozilla Firefox saw its first 1.0 version in late 2004 and the product came in response to a real need for Internet security. Almost everyone was using IE 6 or 5.x and almost every home PC (and business) was infested with spyware and crapware. IE6 was terrible and Firefox was (and still is) a valid response to this complete lack of security. Moreover, it brought a new browsing experience, inherited from the Mozilla Suite in 2002-2003, and tons of customizations. It gained its popularity without the marketing power Microsoft has today. We just passed the word and so far hundreds of millions of people have downloaded a copy of Firefox.

Firefox was definitely better and almost everyone I know could confirm it. Of course there were bugs and security flaws, this is quite normal in software development, but no real bug was exploited and generated a widespread infection. On the contrary, IE6 has been targeted by several infections and attacks which all led to serious damage (you even commented about one of these at msinfluentials.com/.../More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx). What Jones's report doesn't say is the time it took to prepare and deliver a patch to fix a security flaw. As far as Mozilla is concerned, it often takes less than a week. For IE6 it took weeks or even months! In the previous example, you suggested a workaround as a mitigation because there was no patch available!

Then, Firefox is not always the same browser. Version 1.5 came just one year later, then came 2.0 and 3.0 is on its way. Jones's comparison is not always consistent.

Wrapping things up, IE7 was published last year to fill the gap and fight the users' mistrust. But it's still years behind Mozilla Firefox (and Opera). Usability and customizations are still embarrassing and this helped Firefox in gaining even more popularity.

People want a real browser, not a carrier of crapware and nasty things. Yes, IE7 is less prone to malware than IE6, but people just don't trust it anymore and they just have fun with Firefox. Cheers!

# Harry Johnston said on 03 December, 2007 02:11 PM

Mozilla have published a rebuttal, which can be found here:

blog.mozilla.com/.../critical-vulnerability-in-microsoft-metrics

# LonerVamp said on 05 December, 2007 01:45 PM

Wow, I didn't expect to read this double punch from you! First you mention that Mozilla touting its own browser is biased, but then point to a Microsoft employee on a Microsoft blog touting Microsoft's browser?

Second, I think it is very shallow and misleading (and when not misleading, a dangerous practice!) to call one piece of software better than the other simply due to disclosed vulnerabilities. A script I wrote the other day has no disclosed vulnerabilities, so I can claim it to be pretty darn secure?

I'm not taking a stance either way on which browser is better or more secure or which I prefer (which really is what most people are talking about in their 'scientific' reports). I just find it a bit low and juvenile to base conclusions on this report, and pimp it while poking fun at Mozilla's own biased comments.

# Alun Jones said on 05 December, 2007 10:02 PM

I haven't yet seen a metric in this debate that I would say is a good measure of security.

"Days of risk" is perhaps the most useful.

On the one hand, it seems you've got "numbers of bugs fixed", which doesn't address "numbers of bugs unfixed", and on the other hand, you've got "speed to release a patch", which doesn't address "speed to release the second and third patch for the same problem, plus the patch to fix the problem caused by lack of diligent coding to release the first patch".

I want to see a workaround, or a blocking measure, quickly, using already-available components and tools. Then, I want to see a fix produced with prudent speed that I'm not going to have to re-deploy in a month or two because you introduced another bug, or didn't fully explore the cause of the present one.

As for Mozilla's whining about bugs 'secretly' fixed by Microsoft, get over it.

I fix code as I find it is wrong - and I may not necessarily know what bug it causes, just that the code is wrong. As a result, come the next release, I cannot list all of the bugs that I have fixed, because I don't know all of the bugs that I have fixed. There's no need for a grand conspiracy to secretly fix bugs.
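The metrics argued over in this thread (Nilotpal's "days of risk" versus a plain count of disclosed vulnerabilities, and Alun Jones's objection that "numbers of bugs fixed" says nothing about bugs still unfixed) are easy to put side by side in code. The example below is added here and is not code from the original post, from Jeff Jones's report, or from Mozilla; the vulnerability records, product names and dates are constructed for illustration and are not real advisories. It computes three figures for two made-up products over the same window: the count of disclosed flaws, the naive days of risk over patched flaws only, and days of risk in which an unpatched flaw keeps accruing days up to a census date.

```python
"""Days of risk versus vulnerability count.

Added example, not from the original post, Jeff Jones's report or Mozilla.
All vulnerability records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    vid: str                 # constructed identifier, not a real CVE
    disclosed: date          # date the flaw became public
    fixed: Optional[date]    # date a patch shipped; None if still unpatched


def count_disclosed(vulns: List[Vuln]) -> int:
    """Count-style metric: how many flaws were disclosed, ignoring fix time."""
    return len(vulns)


def days_of_risk_fixed_only(vulns: List[Vuln]) -> int:
    """Naive days of risk: disclosure-to-patch days for patched flaws only.

    An unpatched flaw contributes nothing, so a vendor that never ships
    a fix scores as well as one that fixes the same day."""
    return sum((v.fixed - v.disclosed).days for v in vulns if v.fixed is not None)


def days_of_risk(vulns: List[Vuln], census: date) -> int:
    """Days each flaw was public and unpatched, summed up to `census`.

    Flaws still open at the census date (or patched after it) accrue
    risk up to the census instead of dropping out of the metric."""
    total = 0
    for v in vulns:
        if v.disclosed > census:
            continue                     # not public within this window
        end = census if v.fixed is None or v.fixed > census else v.fixed
        total += (end - v.disclosed).days
    return total


def unpatched_on(vulns: List[Vuln], day: date) -> List[str]:
    """Identifiers of flaws that were public and without a patch on `day`."""
    return [v.vid for v in vulns
            if v.disclosed <= day and (v.fixed is None or v.fixed > day)]


def compare(a: List[Vuln], b: List[Vuln], census: date) -> Dict[str, Tuple[int, int]]:
    """All three metrics for two products, as (product A, product B) pairs."""
    return {
        "disclosed": (count_disclosed(a), count_disclosed(b)),
        "days_of_risk_fixed_only": (days_of_risk_fixed_only(a),
                                    days_of_risk_fixed_only(b)),
        "days_of_risk": (days_of_risk(a, census), days_of_risk(b, census)),
    }


# Constructed data: product A has more flaws but patches within days;
# product B has fewer flaws, one slow patch and one still open at the census.
PRODUCT_A = [
    Vuln("A-1", date(2007, 1, 10), date(2007, 1, 15)),
    Vuln("A-2", date(2007, 3, 1), date(2007, 3, 6)),
    Vuln("A-3", date(2007, 6, 20), date(2007, 6, 30)),
    Vuln("A-4", date(2007, 9, 5), date(2007, 9, 12)),
]
PRODUCT_B = [
    Vuln("B-1", date(2007, 2, 1), date(2007, 4, 12)),
    Vuln("B-2", date(2007, 8, 15), None),
]
CENSUS = date(2007, 11, 30)

if __name__ == "__main__":
    for metric, (a, b) in compare(PRODUCT_A, PRODUCT_B, CENSUS).items():
        print(f"{metric:25s} A={a:4d}  B={b:4d}")
    print("still unpatched on census date:", unpatched_on(PRODUCT_B, CENSUS))
```

On the constructed data the count metric ranks product A worse (4 flaws against 2), the fixed-only days of risk still favours B (27 days against 70) only because B-2 vanishes from it, and the census-bounded days of risk ranks B worse (27 against 177) once the open flaw is charged for every day it has been public. Which ranking is "right" is exactly what the commenters above disagree about; the point of the example is that the three numbers come from the same records and can order the products differently.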