December 2, 2007 12:02 PM PST

Microsoft FUDwatch II: Internet Explorer vs. Firefox security

by Matt Asay

Microsoft is at it again. Or, rather, Jeff Jones is. Jones is Microsoft's security strategy director and is the one who periodically remixes history and data to declare that Windows is more secure than Linux. Now he's declaring [PDF] that Internet Explorer is much safer than Firefox.

However, as ZDNet's Ryan Naraine writes, Jones may be mis-analyzing the data:

...[T]here's one key thing missing from Jones's analysis - the auto-patching mechanism built into Firefox that gives Mozilla a clear advantage over Microsoft.

In effect, Firefox patches itself whenever Mozilla ships updates while immediate Internet Explorer updates depend entirely on the end-user using the Windows AU mechanism. Don't even get me started on the forgotten world of dial-up Windows users who never, ever apply patches.

That's one of the main reasons malware authors take aim at IE more than any other desktop application.

This is an aspect of security that one wouldn't necessarily want to rely on, and yet it has deep importance. The Honeynet Project analyzed inherent vulnerabilities in Firefox and IE and found that Firefox had more, but that IE still experiences more security breakdowns. In fact, when the Project surfed to 30,000 known exploit servers, IE crumpled while Firefox didn't have a single security breakdown. Why?

We can only speculate why Firefox wasn't targeted. We suspect that attacking Firefox is a more difficult task as it uses an automated and "immediate" update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.

In other words, if you're a malware creator, you want to go where you can have the most impact. It's far easier to go after a single point of failure (Microsoft) than to have to figure out a successful Firefox exploit.

Is Firefox more secure than IE on a technology level? I don't know. I do know that I prefer the transparency of the Mozilla Foundation to the secrecy of Microsoft (or any proprietary software company). That transparency makes a material difference in the security process standing behind the browser.

It's a convenient fiction that buying everything from one vendor makes life easier. It may make installation and integration between programs easier, but that ease leads to single points of failure. Hijacking a browser is nice, but using the browser to dig deep into the OS, to have that hijacking facilitated by a too-close tie between the browser and the OS? Even better.

We're better off with open security processes and real competition in the browser market. No code is perfect, whether written by Microsoft or Mozilla. Perfection comes in the response to a problem, once we've done all we can to avert it in the first place. This is why Mozilla's Firefox makes the most sense for me. It's also why I won't be looking for a Mozilla OS anytime soon. I don't need a one-stop shop.

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can follow Matt on Twitter @mjasay.
by AppleSuxLeo December 1, 2007 8:09 PM PST
This guy is a clown... IE7 is the standard now, not IE6 sp2... and when IE runs on Vista it is "sandboxed" which is even more secure. Never had a security issue here ;)
It must be FUD if it involves MSFT, right? WRONG! Apple's Leoptard is a shiny hunk of junk with a firewall that doesn't even work and it crashes often. FireFox has become a bloated memory hog with KNOWN memory leaks. MSFT has actually done something about security. With Apple and opensource it is just talk.
by RRosal December 2, 2007 10:16 AM PST
And yet another Microsoft payrolled lackey speaks his brilliance. But then anyone could tell your anti-Apple bias from your username, so we should know what to expect in regards to a well-thought out comment.
by poopster December 2, 2007 4:58 AM PST
This talk is such rubbish. Both IE7 and FF are pretty darn secure. FF3 will be even more secure. IE7 is a vast improvement over IE6.

Problem with IE, however, is it lacks in its support for standards (yes even IE7).
by peoriahoi December 2, 2007 8:31 AM PST
In terms Windows users will understand, this is like saying notepad is more secure than Word. It's probably true, but who cares? Notepad just isn't a reasonable replacement for Word. IE can render web pages and that's about it and they added tabbed browsing last. Firefox is pretty much an application platform with all the great plugins it has. I don't even think we can compare the two. @AppleSuxLeo: Leopard isn't a browser, Safari is and you can use it on Windows if you like. When you say "the standard" what do you mean? I have to use IE6 on my work laptop, still. Microsoft has had to do "something" about security. Have a good day.
by Richard Fdisk December 2, 2007 11:22 AM PST
I use Firefox and prefer it. I was a bit leery at first 'cause it came on the new laptop but no-one told me what it was, so I tried it once and have never looked back.
& I can't get IE7 because IE7 is for Vi$ta and was only "back-ported" to XP and not really coded for XP so it can't be installed on any of the machines here because it will destroy some of the programs since it's so integrated with the O$
i.e. all Roxio ECDC versions except 9 and up will be destroyed by installing the IE7 & or WiMP11 "updates"
a host of other programs are "affected" by the IE7 update also, so until M$ quits making its "accessories" that attack other programs on the system I'll use other products.

cheers
?RfD?
by crabmeat December 2, 2007 1:31 PM PST
Microsoft, has become, the whipping boy, for many years. I used just about everything, they make. Software, is prone to break, under certain conditions. That means all software! It's just the way it is. If anybody, thinks for a minute, they could do it better, go get a job, with Microsoft, and help them out, or just, shut up!
by kingttx December 3, 2007 9:39 AM PST
Do you remember the issue around Ford Pinto cars a few decades ago? Remember how, if they were rear-ended they had a tendency to explode easily? Of course, taking your logic, Ford should be just fine still making the Pinto the way they always did. Thankfully, they do not. Whew! Any car, if hit just right, may explode. The Pinto was just prone to exploding in "normal" crashes whereas a better built car would take a harder crash, perhaps being hit with a truck that has a protruding pipe that would penetrate the gas tank.

See the difference?

Concerning helping MS out, have you ever heard the horror stories of folks that DID try? I just read an article from one guy that had tried to send MS a fix. Their response: thanks for the help, but our code is already SCHEDULED to be released so it'll go out as is. Yes, it hadn't been released yet, but heaven forbid they actually take a fix and implement it to better their own product. It's more important to hit the deadline.
by chustar December 2, 2007 2:50 PM PST
@ Richard Fdisk: Why did you put a dollar sign $ when writing Vista? I'm just wondering. I've seen it when people put it in Microsoft but I've always wondered why.
by Murrquan December 3, 2007 10:14 AM PST
chustar: Because Microsoft is everyone's whipping boy. >.< There is a lot of valid criticism of Microsoft, and its software. But many believe that it makes their point stronger if they call names and attack Microsoft, rather than point out the facts.

crabmeat: Why should we have to work for Microsoft? Do they have a right to our money, our code, and a place on our desktops? I like to think that I don't have to use their software, even if they try very hard to make me. Furthermore, their software is demonstrably less secure and more poorly-designed than its competition, especially their Internet Explorer web browser and Windows Vista operating system.

My brother keeps trying to tell me that Linux is just like Windows, and that the only reason there are hardly any viruses for it is because relatively few people use it. That's what they said about Mac, too, and that's what they continue to say even now that Apple is one of the biggest computer manufacturers in the United States. Likewise, Firefox has come out of nowhere to take a substantial market share, and yet it's still plagued by fewer security holes. This article is helpful in explaining why.

You may have to use Microsoft software because of your work requirements or to run certain apps, but you don't have to be resentful of those who do not. Someday you'll have that choice too, whether or not you decide it's the best one. But it'll be you who decides.
by chustar December 3, 2007 7:50 PM PST
@ Murrquan: I was actually asking what it means? Also, you said Apple is one of the biggest computer manufacturers in the United States, but what about elsewhere? What about the rest of the world? In most of Africa (maybe 90%, I don't have figures so I won't say for sure) most people have never heard of Macs and no one uses them, same goes for Linux. Does anyone have any idea why this is? Thanks