Microsoft, Mozilla squabble over browser security

Rarely do we get a chance to hear Microsoft and Mozilla debate the issue.

Which browser is more secure Internet Explorer or Firefox? We all have our opinions, but rarely do we get a chance to hear Microsoft and the makers of the Firefox browser, Mozilla, debate the issue.

On Friday Microsoft Security Strategy Director Jeff Jones released a study "Download: Internet Explorer and Firefox Vulnerability Analysis" that proclaims Internet Explorer 7 is safer than Firefox (Did we expect a Microsoftie to tell us anything else?). The report can be accessed through Jones' blog.

In the study, Jones argues, because Microsoft releases new versions of its Web browsers less frequently and continues to patch older IE browser releases for longer periods of time, IE users are safer from security vulnerabilities than Firefox users.

"Over the past 3 years, supported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox," according Jones' report.

He points out Microsoft released IE 6 in August 2004 and IE 7 in October 2006 and that both versions of IE are currently supported by Microsoft. Jones slams Mozilla for halting support on older versions of Firefox, instead directing users in many cases to simply upgrade to a newer version. He gives the example of Firefox 1.5 which Mozilla stopped supporting in May 2007, according to Jones. Mozilla dropped the ball, he argues, because it was only 2 months after a Red Hat Enterprise Linux 5 (RHEL) shipped with Firefox 1.5 bundled with the OS.

Soon after the RHEL5 release Mozilla reportedly urged users to upgrade their Firefox browser to avoid a "severe vulnerabilities."

Jones suggests that because Mozilla chose not to patch the older version of the browser (prompting people to download a new version instead) many who declined the upgrade were left vulnerable.

Mozilla Counters Jones' Claim

As you might guess, Mozilla had a few thoughts on the subject as well. According to a post at the the official Mozilla Security Blog a contributor named Window Snyder responds to Jones' report:

"One of the goals of the bug counting report (Jones' study) is to demonstrate that Microsoft fixed fewer bugs for IE than Mozilla did for Firefox. Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues. If he were able to count them all, Microsoft could get credit for all the bugs they fixed."

Synder argues that many of Microsoft's browser bugs are spotted by "contractors" who are "engaged" by Microsoft to stress-test IE for vulnerabilities. Because of this relationship many IE bugs never become publicly known.

"Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users."

Synder points to a Washington Post blog by Brian Krebs who wrote in January 2007:

"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet.

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."

Synder continues:

"It speaks to the strength of our community based security efforts to actively identify and quickly fix security issues. We don't let fixes languish on the tree waiting for a major release while users are vulnerable. We ship fixes regularly because securing our users is more important than protecting our PR team..."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tom Spring

PC World

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?