Critics rap Microsoft safety study of IE, Firefox

Internet Explorer is more secure than Firefox, according to a senior Microsoft executive, who compared how many vulnerabilities were found in the two browsers--but critics say his study is flawed.

Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group, released a study last week comparing the flaws in Microsoft's Internet Explorer to Mozilla's Firefox browser; unsurprisingly, he concluded that Microsoft is doing a better job than Mozilla.

Challenging early predictions that Mozilla's Firefox browser would experience fewer vulnerabilities than IE, Jones conceded that both companies' browsers have experienced significant flaws.

Jones said Mozilla has fixed more flaws in its browser than Microsoft during equivalent periods, which he said renders Firefox more vulnerable than IE.

"Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products--75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer--54 high severity, 28 medium severity; and five low severity," Jones said.

Comparing Microsoft's 2004 release, IE 6 (Service Pack 2), with Firefox 1.0, Jones said Microsoft fixed 79 flaws while Mozilla fixed 88.

He also compared IE 7 with Firefox 2.0 over a 12-month period, during which he said Mozilla fixed 56 flaws while Microsoft fixed only 17 in IE 7.

"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," said Jones.

However, Jonathan Oxer, technical director and founder of Web application development company Internet Vision Technology and president of Linux Australia, said the study is flawed because Microsoft tends to bundle its fixes, which leads to a lower count over the period being compared.

"For example, when fixing a vulnerability there might be several issues being resolved in one go. So it decreases the bug count," he said.

Oxer explained that the way in which levels of security are reported is frequently different. "In the case of Firefox there may be issues that (Mozilla) has reported for which there is no known exploit--a theoretical exploit--so it's not necessarily accurate to directly compare fixed exploits without an understating of how the numbering or definition of an exploit is determined," he said.

Oxer believes that a more valid way to score software in terms of security is to give each exploit a value depending on the number of days from discovery of a bug to the release of a fix, multiplied by a severity factor.

"Two products that have a similar number of exploits fixed over a certain period may actually be very different in terms of the number of days of exposure to which users are subjected," Oxer said.

Distributor support
The Microsoft data also raises the issue of support for legacy versions of the software. While Mozilla ends support for each version six months after a new release of Firefox, Microsoft maintains support for up to a decade after the version ends, in line with its cycle for operating systems.

"If Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001. In contrast, Microsoft generally releases a browser in conjunction with a new operating system release and commits to supporting that version for the lifecycle of the product--now 10 years for business products," Jones said.

Support issues also affect third-party distributors, Jones said. Despite Mozilla ending support for Firefox 1.5 in May 2007, Ubuntu 6.06 LTS--which integrates that version of Firefox--has committed to providing security support until 2009. Likewise, Novell Suse Linux offers support for Firefox 1.5 until 2013. While Ubuntu and Red Hat released patches for Firefox version 1.5, Jones said: "The vulnerabilities patched by each vendor only overlap partially."

"Lifecycle considerations are likely (to be) more important to corporate enterprises, as they sometimes have custom Web applications and are hesitant to upgrade between major releases very often, and even then may have a relatively long transition plan," Jones said.

However, Linux Australia's Oxer said this manner of delivering support is a benefit of the open-source model, because it allows customers greater flexibility throughout a contract.

"One of the major differences between the proprietary and open-source models is when multiple vendors are providing support for a single code base...even though Mozilla may end its support, there are software vendors--such as (Linux) distribution providers--that are committed to providing support to enterprise customers," Oxer said.

"What it means is that end users get to choose the level of support they want. If you choose a company with long-term support for maintaining a stable operating environment for desktops, that's one option they can take. Or they may want a distributor with more frequent updates," he said.

The disadvantage of using a proprietary software company such as Microsoft, said Oxer, is that enterprise customers are shackled to the schedule of a single vendor, which may not fit the organization's timetable.

Liam Tung of ZDNet Australia reported from Sydney.

[FrankTurd]

Typical Microsoft FUD

Typical Microsoft FUD. Just the lasts flailing gasps from a anachronistic dying company.

[wolivere]

Been hearing that line for oh 14 years now

But strangley, they seam to be getting more market share while Linux has seen its share erroded.

[sirdavefl]

MS and FF

I have windows vista for all most a year know and explorer crashes all the time. I been using FireFox for 5 years now. I will take FireFox over explorer any day. I am glad that FireFox updates and fixes bugs all the time. It shows that they care for the users out there. Keep up the grate work FireFox.

Dave Baker
skype me: sirdaveoh
http://davecmu7.com

[fred dunn]

I'm and IE user but I still agree that it is FUD

Firefox is an excellent browser but I am just used to IE. MS always has to spin other's competing products. They are even spinning Vista over one of their own products WinXP.

Just take this "study" like someone passing gas, it stinks and they won't admit they did it.

[slickuser]

Blame MS

Ofcourse, if the study is from MS then they are wrong. That is how it works for all the linux and opencrap (opensource) junkies...

[Voodoo101]

IE vs. Firefox

MS has nothing to be proud of. IE6 lasted long enough (or was broke long enough) that Netscape, Mozilla and Opera ran away with the technology and features arms race. If that kind of comparison is the best that they can do.....they should be embarrassed.

The next question for the MS camp is once they get IE fixed and modernized will they make it fully standards compliant?

[tarrantm]

yay for IE 3.0

So if the number of bug fixes indicates how non-secure an app is according to their logic, that must mean Internet Explorer 3.0 was the most secure web browser of all time right?

Right?

[ikenna4u]

Right

Thats it. I am switching to IE 3.0 immediately.

[rcrusoe]

If this is true

then why is it, that almost every time a new online hazard (virus,
trojan, spyware, etc) is discovered, the list of things the experts recommend we do to protect yourself is use Firefox instead of IE?

We virtually eliminated web based problems at my company by
locking IE security settings on High, and standardizing on Firefox.

[morningowl]

Not many people are using 7 yet

I know from being an IT support person that many major companies still have not made the move to 7.0 due to compatibility issues with existing systems in place. Sounds a little like Vista?

This is Microsoft's biggest problem. They keep reinventing the wheel to find that compatibility is their current roadblock.

So, the vulnerabilities really wont show up until more businesses upgrade, which won't be for a while.

[Maclover1]

Come again?

http://www.w3schools.com/browsers/browsers_stats.asp

http://news.zdnet.com/2100-3513_22-6150449.html

[jeromatron]

Better source of critique from Mozilla's Window Snyder

http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/

[DrtyDogg]

No better

That is no better than M$ trumpeting their own product. Both are bias toward their product.

[The_Decider]

Counting flaws is flawed

MS could fix 100,000 IE flaws in a year and IE will still be more vulnerable then Firefox because it is part of the OS and runs the notoriously flawed ActiveX controls.

[umbrae]

Is how many Flaws are NOT fixed or found...

Who cares how many are fixed? Fixed bugs are good. Its the ones that are still there or not found, and have exploits available.

The bug fixes from Firefox are found and public, and in most cases are not even critical or exploitable at all. Microsoft bullies and pays people to keep from making bugs "public".

How about a survey of how many people have been "exploited" by a bug or got spyware from a browser? I bet there would be a lot of IE users raising their hand.

[ppgreat]

Puffery

http://en.wikipedia.org/wiki/Puffery

Marketing that poses as science that barely passes as legal.

[FutureGuy]

wtf??

If CNet wants to find some security expert for an opinion they had to find the head of Linux Australia? Something make me feel he might be a bit biased.

[Kings X Rocks!]

Article author was in Australia...

To explain why the Australian security person was interviewed, check the author of the article:

Liam Tung of ZDNet Australia reported from Sydney.

[Microsoft_Facts]

What hasn't changed...

...is that every study that comes from Microsoft is a lie until proven otherwise.

[rickbbell]

The MS Non-Competitive Culture

"We have fewer bugs than you" ????
That's how Microsoft promotes its products?????

They indicate no desire to have the best browser, just the least worst. Pitiful!

They put quality second in everything they do, like it once was with the Phone Company.

[t8]

Microsoft is out of touch

They are an 80s, 90s paradigm, but it is the 00s.

[zunezrok]

Stupid

Apple is out of touch! FANBOY LOSER!

[Imalittleteapot]

What?

That's a little backwards I think. No program is bug free. So, I would assume that both still have serious bugs in them.

So wouldn't the more secure one be the one that had found and patched the most bugs? Unless one is willing to make the brave statement that IE is now 100 percent bug free.

That's the nature of Open Source. Because more people see the source, more people find problems with the source. That also means the bug is likely to get found sooner. Which means it will be patched sooner, which means the window in which a hacker can use that vulnerability to take advantage of people is open for a shorter period of time.

Imagine if you?re buying a car, and one car lot says, you can look under the hoods of all the cars if you like, and another car lot says, even after you buy it, you are not allowed to look inside and see if anything is broken? Which one would be in better mechanical condition? There is no way to tell, but which ones would you find the most amount of stuff wrong with? It would be the cars on the lot that allowed you to look under the hoods. That doesn?t mean that they are in worse condition though, you have no way to tell because you can?t look under the hoods of the other cars. They may have ten times as many things wrong with them. Then again, they may not have anything wrong with them. I think the most danger is in not knowing if one has bad breaks.

[giant_david]

IE

Since MSFT decided to integrate the browser to the OS, there you have the basic difference between IE and FireFox.

Firefox is a modular application, and IE is inside the OS. That is a big architectural difference, that turns a nightmare to keep IE secure.

It is clear that MSFT did that just as another marketing strategy to block competition. They don't care much to take decisions based on the user benefit.

For those of you stil using IE, give Firefox a try, I think it is (much) better that IE.

[msiwiec]

All i know

All I know is that ever since I've downloaded and used Firefox(since it first came out), I haven't had a single piece of malicious software installed on my Windoze PC.

[Gary Chamberlain]

These problems

I went to microsoft site cause my IE7 keeps popping up and spybot says I have smitfraud and zlob problems. I don't have mozilla doing this and I only found a fix on the microsoft page for the smitfraud. My mcaffee with comcast didn't find a problem but I have completely quit using IE cause of all the popups and problems I'm having now.
Gary B.

[Dr.Venkman]

Geee I wonder why he would say that.....

Well its obvious that a M$ executive says the IE7 is more "secure" the Firefox. He is trying to promote IE7, even though the open source Firefox is eating into the market share of IE7.

[1957joe]

Firefox, Microsoft

What is Firefox? please in novice terms.

thank you

[bassprocm]

web browser

It's a web browser (like IE, Safari, Netscape, etc).