December 4, 2007 10:20 AM PST

Critics rap Microsoft safety study of IE, Firefox

Internet Explorer is more secure than Firefox, according to a senior Microsoft executive, who compared how many vulnerabilities were found in the two browsers--but critics say his study is flawed.

Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group, released a study last week comparing the flaws in Microsoft's Internet Explorer to Mozilla's Firefox browser; unsurprisingly, he concluded that Microsoft is doing a better job than Mozilla.

Challenging early predictions that Mozilla's Firefox browser would experience fewer vulnerabilities than IE, Jones conceded that both companies' browsers have experienced significant flaws.

Jones said Mozilla has fixed more flaws in its browser than Microsoft during equivalent periods, which he said renders Firefox more vulnerable than IE.

"Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products--75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer--54 high severity, 28 medium severity; and five low severity," Jones said.

Comparing Microsoft's 2004 release, IE 6 (Service Pack 2), with Firefox 1.0, Jones said Microsoft fixed 79 flaws while Mozilla fixed 88.

He also compared IE 7 with Firefox 2.0 over a 12-month period, during which he said Mozilla fixed 56 flaws while Microsoft fixed only 17 in IE 7.

"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," said Jones.

However, Jonathan Oxer, technical director and founder of Web application development company Internet Vision Technology and president of Linux Australia, said the study is flawed because Microsoft tends to bundle its fixes, which leads to a lower count over the period being compared.

"For example, when fixing a vulnerability there might be several issues being resolved in one go. So it decreases the bug count," he said.

Oxer explained that the way in which levels of security are reported is frequently different. "In the case of Firefox there may be issues that (Mozilla) has reported for which there is no known exploit--a theoretical exploit--so it's not necessarily accurate to directly compare fixed exploits without an understating of how the numbering or definition of an exploit is determined," he said.

Oxer believes that a more valid way to score software in terms of security is to give each exploit a value depending on the number of days from discovery of a bug to the release of a fix, multiplied by a severity factor.

"Two products that have a similar number of exploits fixed over a certain period may actually be very different in terms of the number of days of exposure to which users are subjected," Oxer said.

Distributor support
The Microsoft data also raises the issue of support for legacy versions of the software. While Mozilla ends support for each version six months after a new release of Firefox, Microsoft maintains support for up to a decade after the version ends, in line with its cycle for operating systems.

"If Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001. In contrast, Microsoft generally releases a browser in conjunction with a new operating system release and commits to supporting that version for the lifecycle of the product--now 10 years for business products," Jones said.

Support issues also affect third-party distributors, Jones said. Despite Mozilla ending support for Firefox 1.5 in May 2007, Ubuntu 6.06 LTS--which integrates that version of Firefox--has committed to providing security support until 2009. Likewise, Novell Suse Linux offers support for Firefox 1.5 until 2013. While Ubuntu and Red Hat released patches for Firefox version 1.5, Jones said: "The vulnerabilities patched by each vendor only overlap partially."

"Lifecycle considerations are likely (to be) more important to corporate enterprises, as they sometimes have custom Web applications and are hesitant to upgrade between major releases very often, and even then may have a relatively long transition plan," Jones said.

However, Linux Australia's Oxer said this manner of delivering support is a benefit of the open-source model, because it allows customers greater flexibility throughout a contract.

"One of the major differences between the proprietary and open-source models is when multiple vendors are providing support for a single code base...even though Mozilla may end its support, there are software vendors--such as (Linux) distribution providers--that are committed to providing support to enterprise customers," Oxer said.

"What it means is that end users get to choose the level of support they want. If you choose a company with long-term support for maintaining a stable operating environment for desktops, that's one option they can take. Or they may want a distributor with more frequent updates," he said.

The disadvantage of using a proprietary software company such as Microsoft, said Oxer, is that enterprise customers are shackled to the schedule of a single vendor, which may not fit the organization's timetable.

Liam Tung of ZDNet Australia reported from Sydney.

See more CNET content tagged:
Jeff Jones, severity, exploit, Mozilla Corp., critic

58 comments

Join the conversation!
Add your comment
Typical Microsoft FUD
Typical Microsoft FUD. Just the lasts flailing gasps from a anachronistic dying company.
Posted by FrankTurd (26 comments )
Reply Link Flag
Been hearing that line for oh 14 years now
But strangley, they seam to be getting more market share while Linux has seen its share erroded.
Posted by wolivere (780 comments )
Link Flag
MS and FF
I have windows vista for all most a year know and explorer crashes all the time. I been using FireFox for 5 years now. I will take FireFox over explorer any day. I am glad that FireFox updates and fixes bugs all the time. It shows that they care for the users out there. Keep up the grate work FireFox.

Dave Baker
skype me: sirdaveoh
<a class="jive-link-external" href="http://davecmu7.com" target="_newWindow">http://davecmu7.com</a>
Posted by sirdavefl (3 comments )
Link Flag
I'm and IE user but I still agree that it is FUD
Firefox is an excellent browser but I am just used to IE. MS always has to spin other's competing products. They are even spinning Vista over one of their own products WinXP.

Just take this "study" like someone passing gas, it stinks and they won't admit they did it.
Posted by fred dunn (793 comments )
Link Flag
Blame MS
Ofcourse, if the study is from MS then they are wrong. That is how it works for all the linux and opencrap (opensource) junkies...
Posted by slickuser (668 comments )
Reply Link Flag
IE vs. Firefox
MS has nothing to be proud of. IE6 lasted long enough (or was broke long enough) that Netscape, Mozilla and Opera ran away with the technology and features arms race. If that kind of comparison is the best that they can do.....they should be embarrassed.

The next question for the MS camp is once they get IE fixed and modernized will they make it fully standards compliant?
Posted by Voodoo101 (25 comments )
Reply Link Flag
yay for IE 3.0
So if the number of bug fixes indicates how non-secure an app is according to their logic, that must mean Internet Explorer 3.0 was the most secure web browser of all time right?

Right?
Posted by tarrantm (41 comments )
Reply Link Flag
Right
Thats it. I am switching to IE 3.0 immediately.
Posted by ikenna4u (13 comments )
Link Flag
If this is true
then why is it, that almost every time a new online hazard (virus,
trojan, spyware, etc) is discovered, the list of things the experts recommend we do to protect yourself is use Firefox instead of IE?

We virtually eliminated web based problems at my company by
locking IE security settings on High, and standardizing on Firefox.
Posted by rcrusoe (1305 comments )
Reply Link Flag
Not many people are using 7 yet
I know from being an IT support person that many major companies still have not made the move to 7.0 due to compatibility issues with existing systems in place. Sounds a little like Vista?

This is Microsoft's biggest problem. They keep reinventing the wheel to find that compatibility is their current roadblock.

So, the vulnerabilities really wont show up until more businesses upgrade, which won't be for a while.
Posted by morningowl (17 comments )
Reply Link Flag
Come again?
<a class="jive-link-external" href="http://www.w3schools.com/browsers/browsers_stats.asp" target="_newWindow">http://www.w3schools.com/browsers/browsers_stats.asp</a>

<a class="jive-link-external" href="http://news.zdnet.com/2100-3513_22-6150449.html" target="_newWindow">http://news.zdnet.com/2100-3513_22-6150449.html</a>
Posted by Maclover1 (440 comments )
Link Flag
Better source of critique from Mozilla's Window Snyder
<a class="jive-link-external" href="http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/" target="_newWindow">http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/</a>
Posted by jeromatron (103 comments )
Reply Link Flag
No better
That is no better than M$ trumpeting their own product. Both are bias toward their product.
Posted by DrtyDogg (3084 comments )
Link Flag
Counting flaws is flawed
MS could fix 100,000 IE flaws in a year and IE will still be more vulnerable then Firefox because it is part of the OS and runs the notoriously flawed ActiveX controls.
Posted by The_Decider (3097 comments )
Reply Link Flag
Is how many Flaws are NOT fixed or found...
Who cares how many are fixed? Fixed bugs are good. Its the ones that are still there or not found, and have exploits available.

The bug fixes from Firefox are found and public, and in most cases are not even critical or exploitable at all. Microsoft bullies and pays people to keep from making bugs "public".

How about a survey of how many people have been "exploited" by a bug or got spyware from a browser? I bet there would be a lot of IE users raising their hand.
Posted by umbrae (1073 comments )
Reply Link Flag
Puffery
<a class="jive-link-external" href="http://en.wikipedia.org/wiki/Puffery" target="_newWindow">http://en.wikipedia.org/wiki/Puffery</a>

Marketing that poses as science that barely passes as legal.
Posted by ppgreat (1128 comments )
Reply Link Flag
wtf??
If CNet wants to find some security expert for an opinion they had to find the head of Linux Australia? Something make me feel he might be a bit biased.
Posted by FutureGuy (742 comments )
Reply Link Flag
Article author was in Australia...
To explain why the Australian security person was interviewed, check the author of the article:

Liam Tung of ZDNet Australia reported from Sydney.
Posted by Kings X Rocks! (89 comments )
Link Flag
What hasn't changed...
...is that every study that comes from Microsoft is a lie until proven otherwise.
Posted by Microsoft_Facts (109 comments )
Reply Link Flag
The MS Non-Competitive Culture
"We have fewer bugs than you" ????
That's how Microsoft promotes its products?????

They indicate no desire to have the best browser, just the least worst. Pitiful!

They put quality second in everything they do, like it once was with the Phone Company.
Posted by rickbbell (18 comments )
Reply Link Flag
Microsoft is out of touch
They are an 80s, 90s paradigm, but it is the 00s.
Posted by t8 (3716 comments )
Reply Link Flag
Stupid
Apple is out of touch! FANBOY LOSER!
Posted by zunezrok (20 comments )
Link Flag
What?
That's a little backwards I think. No program is bug free. So, I would assume that both still have serious bugs in them.

So wouldn't the more secure one be the one that had found and patched the most bugs? Unless one is willing to make the brave statement that IE is now 100 percent bug free.

That's the nature of Open Source. Because more people see the source, more people find problems with the source. That also means the bug is likely to get found sooner. Which means it will be patched sooner, which means the window in which a hacker can use that vulnerability to take advantage of people is open for a shorter period of time.

Imagine if you?re buying a car, and one car lot says, you can look under the hoods of all the cars if you like, and another car lot says, even after you buy it, you are not allowed to look inside and see if anything is broken? Which one would be in better mechanical condition? There is no way to tell, but which ones would you find the most amount of stuff wrong with? It would be the cars on the lot that allowed you to look under the hoods. That doesn?t mean that they are in worse condition though, you have no way to tell because you can?t look under the hoods of the other cars. They may have ten times as many things wrong with them. Then again, they may not have anything wrong with them. I think the most danger is in not knowing if one has bad breaks.
Posted by Imalittleteapot (835 comments )
Reply Link Flag
IE
Since MSFT decided to integrate the browser to the OS, there you have the basic difference between IE and FireFox.

Firefox is a modular application, and IE is inside the OS. That is a big architectural difference, that turns a nightmare to keep IE secure.

It is clear that MSFT did that just as another marketing strategy to block competition. They don't care much to take decisions based on the user benefit.

For those of you stil using IE, give Firefox a try, I think it is (much) better that IE.
Posted by giant_david (49 comments )
Reply Link Flag
All i know
All I know is that ever since I've downloaded and used Firefox(since it first came out), I haven't had a single piece of malicious software installed on my Windoze PC.
Posted by msiwiec (3 comments )
Reply Link Flag
These problems
I went to microsoft site cause my IE7 keeps popping up and spybot says I have smitfraud and zlob problems. I don't have mozilla doing this and I only found a fix on the microsoft page for the smitfraud. My mcaffee with comcast didn't find a problem but I have completely quit using IE cause of all the popups and problems I'm having now.
Gary B.
Posted by Gary Chamberlain (1 comment )
Reply Link Flag
Geee I wonder why he would say that.....
Well its obvious that a M$ executive says the IE7 is more "secure" the Firefox. He is trying to promote IE7, even though the open source Firefox is eating into the market share of IE7.
Posted by Dr.Venkman (1 comment )
Reply Link Flag
Firefox, Microsoft
What is Firefox? please in novice terms.

thank you
Posted by 1957joe (5 comments )
Reply Link Flag
web browser
It's a web browser (like IE, Safari, Netscape, etc).
Posted by bassprocm (4 comments )
Link Flag
filepicker
Hi I dont really know who is right on this opinion, but I do know that I have in 1 year have had to remove firefox twice and re-install as I keep getting something called filepicker which in turn stops me from downloading anything from the internet. Any ideas????
Posted by zoepod (1 comment )
Reply Link Flag
Reply for "I am PC, I am Mac" thing..
If Mac can do it, Microsoft can also do it, just in a different form, to different company. Mac Ad gets wild and wilder nowaday. Firstly, I thought it's very funny, but, now it's ridiculous.
Posted by Gunady (191 comments )
Reply Link Flag
Microsoft is doomed
Microsoft is dead.
Posted by Mproject (11 comments )
Reply Link Flag
I wouldn't trust Microsoft
any further than I could throw that tubby Steve Ballmer.
Posted by The_happy_switcher (2175 comments )
Reply Link Flag
IE freezeups
Everytime I opened the explorer first after computer start ups, I got locked or frozen so I had to use firefox to get messages fast. After I shut down the explorer and restarted the IE, It worked like charm. They(Microsoft) have not given the fix for that first frozen startup. There are some items that IE worked but not in firefox and vice versa. I am a longtime user of both but I like firefox, mostly since mozilla started netscape but I haven't mostly used netscape since american online brought this brouser company out.
Posted by busybluebee (4 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.