November 30th, 2007

IE vs Firefox: Microsoft crunches security numbers

Posted by Ryan Naraine @ 11:44 am

Categories: Botnets, Browsers, Data theft, Hackers, Microsoft, Mozilla, Open source, Patch Watch, Pen testing, Punditocracy, Responsible disclosure, Spam and Phishing, Spyware and Adware, Vulnerability research, Zero-day attacks

Tags: Mozilla Firefox, Vulnerability, Jeff Jones, Microsoft Internet Explorer, Severity, Microsoft Corp., Web Browser, Web Browsers, Security, Internet

Jeff Jones, security strategy director in Microsoft’s Trustworthy Computing group, is at it again, comparing three years of vulnerability data for the two main Web browsers — Internet Explorer and Firefox — to reach the conclusion that IE is arguably much safer than its open-source rival.

Jones, known for his security comparisons of operating systems — which paint Microsoft Windows in a favorable light — came to a simple conclusion after his IE/Firefox security match-up:

While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox.


The report (.pdf) examines vulnerabilities over the past three years, breaks them down by severity, looks at version-over-version trends for each browser, and examines how each browser is doing in terms of unfixed vulnerabilities. In Jones’s estimation, IE has the superior security profile.

[S]upported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox, a result that stands in contrast to early assertions by Mozilla that Firefox “won’t harbor nearly as many security flaws as those that have Microsoft’s Internet Explorer.”

Since the release of Firefox 1.0 in November 2004, Jones counted 199 vulnerabilities in supported Firefox products – 75 HIGH severity, 100 MEDIUM severity and 24 LOW severity.


During the same period, he said Microsoft fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer – 54 HIGH severity, 28 MEDIUM severity, and 5 LOW severity.

The study did not take into account silent (undocumented) patches.

Jones also compared the life-cycle support policies of the two browsers and contends that Microsoft does a better job of shipping patches for older browser versions.


The report, which is sure to raise hackles among open-source advocates, is clearly an attempt by Microsoft to extol the virtues of its SDL (security development lifecycle) and its commitment to security. However, there’s one key thing missing from Jones’s analysis — the auto-patching mechanism built into Firefox, which gives Mozilla a clear advantage over Microsoft.

In effect, Firefox patches itself whenever Mozilla ships updates, while timely Internet Explorer updates depend entirely on the end user having the Windows AU (Automatic Updates) mechanism turned on. Don’t even get me started on the forgotten world of dial-up Windows users who never, ever apply patches.

That’s one of the main reasons malware authors take aim at IE more than any other desktop application.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback (most recent of 123):

Fast Patches = Susceptibility to bugs
As a software developer for 35 years I am always skeptical of "Fast Patches", especially for security issues on large products. Time needs to be taken to thoroughly test the changes to the code. Now...
Posted by: Compudad9 on 01/07/09
