Microsoft, Mozilla squabble over browser security
- 07 December, 2007 08:23
Which browser is more secure, Internet Explorer or Firefox? We all have our opinions, but rarely do we get a chance to hear Microsoft and the makers of the Firefox browser, Mozilla, debate the issue.
On Friday Microsoft Security Strategy Director Jeff Jones released a study "Download: Internet Explorer and Firefox Vulnerability Analysis" that proclaims Internet Explorer 7 is safer than Firefox (Did we expect a Microsoftie to tell us anything else?). The report can be accessed through Jones' blog.
In the study, Jones argues that because Microsoft releases new versions of its Web browser less frequently and continues to patch older IE releases for longer periods of time, IE users are safer from security vulnerabilities than Firefox users.
"Over the past 3 years, supported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox," according to Jones' report.
He points out that Microsoft released IE 6 in August 2004 and IE 7 in October 2006, and that both versions of IE are currently supported by Microsoft. Jones slams Mozilla for halting support on older versions of Firefox and instead, in many cases, simply directing users to upgrade to a newer version. He gives the example of Firefox 1.5, which, according to Jones, Mozilla stopped supporting in May 2007. Mozilla dropped the ball, he argues, because that was only 2 months after Red Hat Enterprise Linux 5 (RHEL 5) shipped with Firefox 1.5 bundled with the OS.
Soon after the RHEL 5 release, Mozilla reportedly urged users to upgrade their Firefox browser to avoid "severe vulnerabilities."
Jones suggests that because Mozilla chose not to patch the older version of the browser (prompting people to download a new version instead), many who declined the upgrade were left vulnerable.
Mozilla Counters Jones' Claim
As you might guess, Mozilla had a few thoughts on the subject as well. In a post on the official Mozilla Security Blog, a contributor named Window Snyder responds to Jones' report:
"One of the goals of the bug counting report (Jones' study) is to demonstrate that Microsoft fixed fewer bugs for IE than Mozilla did for Firefox. Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues. If he were able to count them all, Microsoft could get credit for all the bugs they fixed."
Snyder argues that many of Microsoft's browser bugs are spotted by "contractors" who are "engaged" by Microsoft to stress-test IE for vulnerabilities. Because of this relationship, many IE bugs never become publicly known.
"Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users."
Snyder points to a Washington Post blog post by Brian Krebs, who wrote in January 2007:
"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet.
In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."
"It speaks to the strength of our community based security efforts to actively identify and quickly fix security issues. We don't let fixes languish on the tree waiting for a major release while users are vulnerable. We ship fixes regularly because securing our users is more important than protecting our PR team..."