Microsoft, Mozilla squabble over browser security

Rarely do we get a chance to hear Microsoft and Mozilla debate the issue.

Which browser is more secure Internet Explorer or Firefox? We all have our opinions, but rarely do we get a chance to hear Microsoft and the makers of the Firefox browser, Mozilla, debate the issue.

On Friday Microsoft Security Strategy Director Jeff Jones released a study "Download: Internet Explorer and Firefox Vulnerability Analysis" that proclaims Internet Explorer 7 is safer than Firefox (Did we expect a Microsoftie to tell us anything else?). The report can be accessed through Jones' blog.

In the study, Jones argues, because Microsoft releases new versions of its Web browsers less frequently and continues to patch older IE browser releases for longer periods of time, IE users are safer from security vulnerabilities than Firefox users.

"Over the past 3 years, supported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox," according Jones' report.

He points out Microsoft released IE 6 in August 2004 and IE 7 in October 2006 and that both versions of IE are currently supported by Microsoft. Jones slams Mozilla for halting support on older versions of Firefox, instead directing users in many cases to simply upgrade to a newer version. He gives the example of Firefox 1.5 which Mozilla stopped supporting in May 2007, according to Jones. Mozilla dropped the ball, he argues, because it was only 2 months after a Red Hat Enterprise Linux 5 (RHEL) shipped with Firefox 1.5 bundled with the OS.

Soon after the RHEL5 release Mozilla reportedly urged users to upgrade their Firefox browser to avoid a "severe vulnerabilities."

Jones suggests that because Mozilla chose not to patch the older version of the browser (prompting people to download a new version instead) many who declined the upgrade were left vulnerable.

Mozilla Counters Jones' Claim

As you might guess, Mozilla had a few thoughts on the subject as well. According to a post at the the official Mozilla Security Blog a contributor named Window Snyder responds to Jones' report:

"One of the goals of the bug counting report (Jones' study) is to demonstrate that Microsoft fixed fewer bugs for IE than Mozilla did for Firefox. Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues. If he were able to count them all, Microsoft could get credit for all the bugs they fixed."

Synder argues that many of Microsoft's browser bugs are spotted by "contractors" who are "engaged" by Microsoft to stress-test IE for vulnerabilities. Because of this relationship many IE bugs never become publicly known.

"Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users."

Synder points to a Washington Post blog by Brian Krebs who wrote in January 2007:

"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet.

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."

Synder continues:

"It speaks to the strength of our community based security efforts to actively identify and quickly fix security issues. We don't let fixes languish on the tree waiting for a major release while users are vulnerable. We ship fixes regularly because securing our users is more important than protecting our PR team..."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tom Spring

PC World
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender solutions stop attacks before they even begin! Get cybersecurity that 500 MILLION users already have and trust.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?