Security Watch: In defense of Mozilla Firefox

By Robert Vamosi on 26 September 2005

I've read more than one article recently stating that Mozilla Firefox is no more secure than Internet Explorer.

Much of the Firefox bashing is the result of Symantec's most recent Internet Security Threat Report (registration required). Symantec found that during the first six months of 2005, the volume and the severity of Firefox's reported vulnerabilities were greater than those reported for Internet Explorer. Much greater. On the surface, that sounds pretty bad, and it gives the Firefox naysayers fresh ammo, but I have a copy of the Symantec report myself. Does it give me pause to rethink our Editors' Choice for Firefox? Hell no.


Fun with statistics
Let's look at those numbers in greater detail. Symantec says that from January through June 2005, there were 25 vendor-confirmed vulnerabilities reported in Mozilla Firefox, 18 of which Symantec classified as high threats, while there were 13 vendor-confirmed vulnerabilities reported in Microsoft Internet Explorer, 8 of which were classified as high threats. But Symantec's talking about only those vulnerabilities that the vendor confirms, not all of the publicly known vulnerabilities that are out there. Microsoft is well known to be tone-deaf to independent security researchers.

A more holistic view comes from security vendor Secunia, which issues its own vulnerability alerts, whether a vendor recognises them or not. During the same January to June 2005 interval chosen by Symantec, Secunia lists Firefox 1.x as having 15 critical security vulnerabilities reported, with all but one at least partially patched as of this writing. Internet Explorer 6.x, on the other hand, had only 8 critical security vulnerabilities during this period -- but 5 remain unpatched today. So, according to Secunia, Mozilla offers its users a 94 percent patch rate, while Microsoft provides only a 37 percent patch rate.

Expanding the interval tells a similar story. From 2003 to 2005, Secunia reported 22 security flaws in Firefox 1.x and 83 security flaws in Internet Explorer 6.x. But, to be fair, Internet Explorer 6.x has been out longer, and the vulnerability number is cumulative; Firefox 1.x was first available in August 2004. A more accurate match would be 22 security vulnerabilities in Firefox 1.x vs. 54 security vulnerabilities in Internet Explorer 6.x, with three unpatched vulnerabilities still in Firefox 1.x and 18 unpatched flaws in Internet Explorer 6.x. That's still an 86 percent patch rate for Mozilla, with only a 66 percent patch rate for Microsoft -- or to put it another way, one-third of all security vulnerabilities in Internet Explorer have gone unpatched during the same time interval.

If I'm going to conduct my banking and other such services online, I'm sure as heck not going to use Internet Explorer. Unfortunately, more and more U.S. government agency Web sites are becoming Internet Explorer-only sites. For example, if you want to fill out a Katrina claim form online with FEMA, you have no other choice but to use the only 66 percent secure Internet Explorer 6.x.

Spin
I think the recent reports about Firefox's inherent insecurity have been taken out of context. Yes, now that Firefox enjoys roughly 10 percent of the browser market, security researchers are giving it more scrutiny, and naturally, they're finding more flaws. But that's good. According to Symantec, criminal hackers still prefer to exploit the vulnerabilities within Internet Explorer. It's better that Firefox work out its kinks now rather than under the harsh glare of a computer virus or worm epidemic.


Truth is, I really don't care how many security vulnerabilities are found in a given software product (I once tested and documented software; I know that "unintended features" appear within even the best products from time to time); I ask only that the vendor be responsible and fix the security vulnerabilities, especially the critical ones, in a timely fashion. Microsoft isn't one of those vendors. According to Secunia, Internet Explorer 6.x has several unpatched, critical security vulnerabilities dating back to 2003 (the first year Secunia offered its own security alerts). And this month, Microsoft arrogantly decided not to issue any security patches -- none.

But wait... there's more
If you're truly fed up with the whole Internet Explorer vs. Firefox name-calling (and I know some of you are), there's also Netscape 8, which uses technology from both Microsoft and Mozilla, flipping back and forth to render pages based on Netscape's own White Lists of secure and insecure URLs. I like Netscape, and I have used it for many years as my default browser (before Firefox).

Even bigger news, however, is that Opera 8 is now free. I also like some of the cutting-edge features found only within Opera 8, but if I'd paid $40 to download Opera a month ago, I'd be bummed that everyone else can get this browser for free now. I told the CEO of Opera the pay-to-view-without-ads model was a huge limitation when they visited CNET about a year ago. Now that Opera is less than 1 percent of the market, I guess they took that criticism to heart.

Do you still use Internet Explorer? Why? Talk back to me.

Comments (4)

  • stinging11@hotmail.com commented on 27/09/2005 16:13

    Of course I still use Internet Explorer... I can not stand when pages don't load up in Firefox and you're forced to view that page in Internet Explorer.

  • Anon commented on 26/09/2005 21:36

    I use Ubuntu Linux and they apply the Firefox patches directly from source, so we get them even faster than the average user (e.g. the most recent Firefox vulnerability that threatened Linux was patched in the Ubuntu version of Firefox before 1.0.7 was ever released).

    When FF 1.5 is released, the average (read Windows) user will see smaller patches applied more frequently because of a new update system they're working on that replaces only the defective parts of the program instead of reinstalling the whole thing.

    Even so, right now Mozilla (with just a handful of employees) still runs circles around Microsoft (with how many people working *just* on IE?!?). Consider that Mozilla's security releases since 1.0, while not on any sort of Patch Tuesday sort of regular schedule, are usually between one and two months apart (so actually less frequent than Patch Tuesdays on average) and yet they maintain (with *open* source) fewer vulnerabilities.

    But regardless, don't worry about the bad press; it is only a matter of weeks or days until the next unpatched Internet Explorer exploit is affected by some ugly worm or malware. Then you can ask mockingly if they got infected via Firefox ;)

  • Anon commented on 26/09/2005 21:05

    People who bought Opera very recently shouldn't worry; according to several pages (e.g. http://my.opera.com/community/forums/topic.dml?id=100540 ) Opera has a 30-day refund period for purchases which applies in this case as well.

  • Ash commented on 26/09/2005 19:33

    Well, the worst flaws are getting fixed now and few to come in the following years (hopefully). IE still gets critical flaws now, and how long has it been around? Many years.

    If these sorts of security flaws still appear in the following years to come, then I will accept the fact that Firefox is just as insecure as IE. But not yet, it is only a year old (nearly).
