Wednesday, September 21, 2005

Firefox has more holes than IE

.. is this a problem?

This week Symantec came out with a very interesting report stating that more security holes were found in Firefox than in Internet Explorer in recent months. Well, that is something that shocks the world.

But is it shocking? Even the number of serious holes is bigger in Firefox than in IE. So, are all the claims about Firefox being more secure than IE a load of crap?

To be honest, the numbers surprised me in a way. But then I thought a little more about it and decided that the problem might not be as severe as it seems.

Now, Mozilla has reacted to the claims. Tristan Nitot, president of Mozilla Europe, came up with a nice list of arguments against the Symantec case.

  • Mozilla's reaction time is shorter than Microsoft's. When a vulnerability is found, Mozilla has been better able to build a solution and roll it out. In this respect they are much better than Microsoft.
  • Add to that the observation that Microsoft decided this month to skip a security patch. It is obvious that any vulnerabilities will not be addressed for at least another month. Not something that Mozilla would do.
  • Over a longer period the Microsoft vulnerabilities were more critical. In the last two years security company Secunia has issued 22 security advisories regarding Firefox 1.x, and rates it as "less critical". In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as "highly critical".
  • Firefox being open source gives more people access to the code. This gives them plenty of opportunity to look for bugs. Internet Explorer is closed source and only reverse engineering gives a clue about vulnerabilities.
  • As Firefox runs on different platforms it is quite difficult to exploit.

So there is plenty of evidence in defense of Firefox, and for me that case is resolved. Firefox to me is still more secure than Internet Explorer.

However, now that Firefox is becoming more and more widespread, it becomes an increasingly attractive target. People who have moved to Firefox shouldn't rely only on having swapped their browser. They should also look at the security of the entire configuration of their systems.

Finally, I have to quote Tristan Nitot on the different types of security holes in Firefox and IE: "Which would you prefer, to have a broken finger, or your head ripped off?"