March 8, 2006 5:53 PM PST

Firefox, IE security revisited

by Jennifer Guevin

Symantec stirred up some serious controversy last September when it released a report claiming the Firefox Web browser was more vulnerable to attack than Microsoft's Internet Explorer. The study, which CNET News.com covered at the time, caused quite an uproar on blogs and message boards.

The people who cried foul--mainly fans of the browser and the larger, open-source movement--saw the report for what it was: a flawed study that did not make a true comparison of the two browsers. Now Symantec seems to have come around and, while it hasn't retracted the previous study, it has done further research to give a more complete picture of browser security. On Tuesday, Oliver Friedrichs, senior manager of Symantec's security response group, told TechWeb.com, "How we did it before wasn't a fair comparison. It wasn't an apples to apples comparison."

The security company issued new research today as part of its semiannual Internet Security Threat Report, which analyzed browsers in two categories. This time, they counted both vendor-confirmed security holes and those that went unconfirmed. In the tally of vendor-confirmed flaws, IE narrowly edges out Firefox. But when confirmed and unconfirmed holes are combined, Firefox comes out on top, and Friedrichs claims this is the more reliable number.

Tallies aside, the issue raises interesting questions about how software vulnerabilities should be measured. Does one simply count the number of reported holes? Does it matter whether or not a vendor acknowledges those holes? Should judgment be based on how quickly patches are released, or does it all come down to how many exploits are published?

Blog community response:

"I think it was Groucho Marx who quipped 'Statistics are like a bikini. What they reveal is interesting, but what they conceal...that is vital!'"
--flyingpenguin

"So, what's going on here? Are the browser wars back? Tech Watch welcomes the latest competition, coming soon in the form of IE7. But beside universal access, browsers seem so old-school, and overworked for richer applications. As interface guru Jakob Nielsen said to me, imagine if iTunes was all web-based, rather than being software that pulls in web resources? It would not be the same, and we should not expect that of the web."
--InfoWorld's Techwatch (http://weblog.infoworld.com/techwatch/archives/005475.html)

"But I wondered if there was something in the data we collected to suggest that open-source vendors react more nimbly than those that do not open their blueprints to researchers. These two time-to-patch data sets hardly represent an exhaustive search for a definitive answer to that question, but the differences between the two sets of data certainly are stark enough." (discussing his own browser research)
--Brian Krebs' Security Fix

"As much as I appreciate Firefox for defeating Internet Explorer in the enthusiast market, and as much as I'm pleased with its continual success, the Firefox community is too frustrating. I agree that Firefox has literally changed the way we browse the Internet, but that doesn't mean that we have to affectionate the browser uncontrollably and recklessly."
--CoolTechZone

Jennifer Guevin is assistant managing editor of CNET News. She focuses on science and green tech. But she also makes the occasional contribution to CNET's kitchen gadgets blog or writes about the latest Web distraction. Once a week, she takes the mic as host of CNET's Daily News Podcast.