September 27th, 2005

Detailed Firefox and IE vulnerability report

Posted by George Ou @ 3:17 am

Categories: Security

When I wrote "Is the Firefox honeymoon over" two weeks ago, it stirred up a huge debate that continued for days.  Yesterday, Dan Farber interviewed the 20-year-old co-creator of Firefox Blake Ross in a podcast where he addressed the criticism of Firefox in the media and my blog in particular.  Ross criticized the analysis in my blog on two main points.

  • No comparisons in the severity of the flaws
  • No comparisons in the response time to fix the flaws.

On the first point, Ross is absolutely right that the severity of a vulnerability is critical.  Because I didn’t set out to do a formal security analysis of Firefox and Internet Explorer, I created an overly simplified comparison.  Since this has sparked a huge debate, my original analysis is not sufficient to be conclusive.  Ross believes that Internet Explorer’s vulnerabilities are much worse than Firefox vulnerabilities so we’ll have to see if he’s right.

On the second point, Ross believes Firefox is more responsive to security vulnerabilities and delivers more timely patches.  Ross even quoted that Internet Explorer had about "10 to 15" unpatched vulnerabilities, so we’ll have to see if he’s right.

To settle this debate, I created this detailed chart going back as far as the Secunia reports went for Firefox 1.x.  Because Ross had said to Dan Farber in an email that some patches were too low risk to be considered vulnerabilities (which I agree with), I left out all vulnerabilities below Secunia’s "moderate criticality" rating.  Then, I not only compared unpatched vulnerabilities, I also included statistics for all of Microsoft’s unpatched vulnerabilities before August 2004.

I color coded the results.  Grey highlighting signifies the security loser of the month, and red characters signify an unpatched vulnerability.  All data was compiled from Secunia on 9/25/2005.
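The tallying method described above (drop everything below "moderately critical", find the product with the most qualifying advisories each month, and list what is still unpatched) is easy to reproduce from a list of advisory records. The Python below is an added illustration, not code from the original post or from Secunia; the advisory records, their ids and the numeric ranking of Secunia's criticality labels are constructed assumptions for the example only.

```python
"""Tally browser advisories by month and criticality.

Mirrors the chart-building method from the post: filter out advisories below
a criticality threshold, pick the monthly "loser" (most qualifying advisories
that month) and list the unpatched ones.  All records below are constructed
sample data, not real Secunia advisories.
"""
from collections import defaultdict
from dataclasses import dataclass

# Secunia's criticality labels, lowest to highest.  The numeric ranks are an
# assumption used only to order the labels.
CRITICALITY_RANK = {
    "not critical": 1,
    "less critical": 2,
    "moderately critical": 3,
    "highly critical": 4,
    "extremely critical": 5,
}
THRESHOLD = "moderately critical"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real Secunia SA number
    product: str       # e.g. "Firefox 1.x" or "Internet Explorer 6.x"
    month: str         # "YYYY-MM" of the advisory's release
    criticality: str   # one of CRITICALITY_RANK's keys
    patched: bool      # True once the vendor shipped a fix


# Constructed sample input; counts and dates are illustrative only.
SAMPLE = [
    Advisory("SA-X1", "Internet Explorer 6.x", "2004-10", "highly critical", True),
    Advisory("SA-X2", "Internet Explorer 6.x", "2004-10", "moderately critical", False),
    Advisory("SA-X3", "Internet Explorer 6.x", "2004-10", "less critical", False),
    Advisory("SA-X4", "Firefox 1.x", "2004-10", "moderately critical", True),
    Advisory("SA-X5", "Firefox 1.x", "2005-04", "highly critical", True),
    Advisory("SA-X6", "Firefox 1.x", "2005-04", "moderately critical", True),
    Advisory("SA-X7", "Internet Explorer 6.x", "2005-04", "not critical", False),
    Advisory("SA-X8", "Firefox 1.x", "2005-05", "less critical", False),
]


def qualifies(adv, threshold=THRESHOLD):
    """True if the advisory is rated at or above the threshold."""
    return CRITICALITY_RANK[adv.criticality] >= CRITICALITY_RANK[threshold]


def monthly_counts(advisories, threshold=THRESHOLD):
    """Return {month: {product: count}} for qualifying advisories only."""
    table = defaultdict(lambda: defaultdict(int))
    for adv in advisories:
        if qualifies(adv, threshold):
            table[adv.month][adv.product] += 1
    return {month: dict(per_product) for month, per_product in sorted(table.items())}


def monthly_losers(counts):
    """Product with the most qualifying advisories in each month; None on a tie."""
    losers = {}
    for month, per_product in counts.items():
        top = max(per_product.values())
        leaders = [p for p, n in per_product.items() if n == top]
        losers[month] = leaders[0] if len(leaders) == 1 else None
    return losers


def unpatched(advisories, threshold=THRESHOLD):
    """Qualifying advisories that still have no fix, grouped by product."""
    out = defaultdict(list)
    for adv in advisories:
        if qualifies(adv, threshold) and not adv.patched:
            out[adv.product].append(adv.advisory_id)
    return dict(out)


if __name__ == "__main__":
    counts = monthly_counts(SAMPLE)
    losers = monthly_losers(counts)
    for month, per_product in counts.items():
        print(month, per_product, "loser:", losers[month])
    print("unpatched:", unpatched(SAMPLE))
```

Lowering the threshold (for example to "less critical") changes both the monthly counts and the unpatched list, which is the point the post makes about the 10-to-15 figure: the count depends on which severities you choose to include.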

Now that we have the detailed comparison, let’s see how Firefox and Internet Explorer fared.

On the issue of vulnerability severity, it appears that either camp can claim victory depending on when you look at the numbers.  If you look at vulnerability activity before March of 2005, Microsoft Internet Explorer had a consistent drip of monthly vulnerabilities and a huge rash of problems in October 2004.  During that same period of time, Firefox was fairly quiet.  After March of 2005, the trend reversed and Firefox had a continuous drip of monthly vulnerabilities while Internet Explorer was relatively quiet.  Internet Explorer appears to have had an ugly history but seems to be maturing and stabilizing, while Firefox appears to be going through some growing pains in the last seven months.  From these results, it is clear that there is no clear victor and neither camp has anything to be proud of with all these security vulnerabilities.

On the issue of patch responsiveness, Ross appears to have a point in that Firefox holds an edge in this department.  While it isn’t the "10 to 15" unpatched Internet Explorer vulnerabilities that Ross talked about (once the low-risk flaws omitted for both browsers in this comparison are excluded), Microsoft has five "moderately critical" issues that have not been addressed yet.  There is even a "highly critical" vulnerability from October 2003 that Microsoft has not addressed yet, but I’m not sure if this old vulnerability still applies to Windows XP SP2.  Some of the "moderately critical" vulnerabilities had example exploits that you can test, and they failed to produce any results on my Windows XP SP2 system.  I’ll try to get an answer from Microsoft about all these unpatched vulnerabilities and post their response in a follow-up.

The bottom line is that we have some mixed results where either browser camp can claim victory.  I will wrap this blog up by saying that Blake Ross has produced some important innovations in his web browser; I want to thank him for his hard work, and I wish him luck in his new endeavors.  Microsoft was getting overly complacent with Internet Explorer and it took a jolt from Firefox to light a fire under their feet.  Even the staunchest supporters of Microsoft will have to admit that they are benefiting from renewed competition in the web browser market.  I also congratulate Microsoft for cleaning up Internet Explorer and I hope their efforts to clean up their code continue in all Microsoft products.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
