Secunia has debunked a myth held dear by Linux devotees and anti-Microsoft grousers: that Firefox is safer than Internet Explorer.
There were 115 reported security vulnerabilities in Firefox last year — almost twice as many as Internet Explorer and Apple’s Safari browser combined, according to a new report by the security researcher.Firefox did surpass IE in one respect, though. Mozilla was much faster at repairing bugs once they were reported or discovered than Microsoft was.
The Secunia report follows on the heels of the release of Mozilla’s new Firefox 3 browser — 3.0.7, which includes fixes for several security problems. Three of the patches in the new browser addressed critical flaws that could — if not remedied — give a hacker the ability to remotely execute code on a computer.
In response to a request for comment, Mozilla directed TechNewsWorld to its blog post on the subject, which was still dark when the article was filed.
Browser Wars
IE is the dominant browser in the marketplace by far — but its share is steadily eroding, thanks to inroads made by Firefox, Safari and other alternatives.
Last month, Net Applications issued a report finding that all three browsers — IE, Firefox and Safari — had reached new milestones: IE accounted for 67.6 percent of browser users in January 2009, its lowest percentage of market share since Net Applications began following the space. Meanwhile, Firefox and Safari achieved new highs: 21.53 percent and 8.29 percent, respectively.
A report by StatCounter Global Stats found that Microsoft’s combined IE 7 and IE 6 marketshare fell from 68 percent last July to 63 percent in February 2009. Firefox 3 and 2 grew from 25 percent last July to 27 percent by February.
One reason IE’s popularity is dropping — ironically, considering Secunia’s finding — is its perceived security and stability issues. To cite just one example, Microsoft has had to release two out-of-bandsecurity updates in recent months in order to plug vulnerabilities that were being widely exploited by hackers. It was a double-edged sword for Microsoft: An IE vulnerability was putting consumers and enterprises at risk, but the company’s fast response should have been praised. Yet Firefox won the PR battles on both issues, largely becauseits flaws have not been in the spotlight as much.
More Marketshare, More Problems
While there are valid criticisms that can be levied about the bugs and flaws in IE — as well as Microsoft’s responsiveness in fixing them — it must be pointed out the company’s market shareis working against it, especially in an apples-to-apples comparisons of which browser is better, faster or more secure.
“I don’t know for a fact whether Mozilla does fix bugs faster than Microsoft — perhaps it very well is true,” Rohyt Belani, CEO of Intrepidus Group, told TechNewsWorld.
“What I do know is that Microsoft has a much larger share of the market, and hackers will always target Microsoft more than they do Firefox or Safari,” he said.
In terms of development practices, though, Belani would not say that one browser was more secure than any other.
Patch Management
Another issue to take into account is user behavior — specifically, patch management practices.
In theory, releasing a bug patch faster reduces the Zero Day window or threat level, said Derek Manky, security and cyber threat researcher for Fortinet’s FortiGuard global security research team.
“In reality, though, that is not the case,” Manky told TechNewsWorld.
The Conficker worm, for instance, has been particularly relentless and damaging. It was actually patched very quickly by Microsoft, Manky pointed out. For two months after the patch was released, activity was quiet — then began to pick up.
The lesson, of course, is that administrators are not applying the patches as quickly as they should, he said.
The fact is, EVERY SOFTWARE has vulnerabilities. It’s a fact, don’t try to dispute it. The real question is, who finds the vulnerabilities, and what do they do with it? In the case of open source software, a lot more people have in interest in patching rather than exploiting the holes. In the case of proprietary software, only a very small number of people are CAPABLE of patching the holes, while a relatively large number of people have an interest in exploitation. Look at the track record: in terms of lost revenue due to exploits, Microsoft has been more expensive than ALL OTHER SOFTWARE COMBINED! IE, Outlook, and WMP, all combined with ActiveX provide so many security holes, that it would be difficult to DESIGN a less secure system than Microsoft offers!!
From secunia:
Microsoft Internet Explorer 6.x
Affected By 135 Secunia advisories
142 Vulnerabilities
Unpatched 16% (22 of 135 Secunia advisories)
Microsoft Internet Explorer 7.x
Affected By 34 Secunia advisories
72 Vulnerabilities
Unpatched 26% (9 of 34 Secunia advisories)
Mozilla Firefox 2.0.x
Affected By 29 Secunia advisories
154 Vulnerabilities
Unpatched 10% (3 of 29 Secunia advisories)
Mozilla Firefox 3.x
Affected By 11 Secunia advisories
55 Vulnerabilities
Unpatched 9% (1 of 11 Secunia advisories)
IE market share has not moved substantially: http://www.statowl.com/web_browser_market_share_trend.php
as another reply has already pointed out, the bare number of fixes doesn’t tell you anything about the risk. but IMO the bigger missed point here is that it’s Firefox under _Linux_ which is dramatically safer than IE under Windows. there’s a huge population of people who mainly use computers for web access, and only use Windows by default. They are the ones who would be much better served, especially security-wise, by switching to Firefox+Linux.
I heard all of this at a tech conference last year. Yet, I’ve been in IT for over 11 years, most of which was for the Air Force. The bottom line is this. The number of patches does not equate to how secure something is. It is the severity of those patches.
In addition, patching something quickly can effectively shorten the risk, but that only works if you beat the hacker(s)’ attempt(s). Meanwhile, having worked in the industry for as long as I have and having used computers for over 30 years now, I have to state that I had more problems with Microsoft Windows than Apple machines, more problems with Internet Explorer (every version since its inception) than Firefox or Safari, and more problems with payed-for products than the free ones.
I highly recommend not taking this article too seriously, as it does not address the severity of the patches applied, nor does it address how many problems arose from one or the other because of their vulnerabilities. To say that IE is more of a target because of it’s preponderance appears to be speculation here, rather than a true relationship of correspondence or of causation.