Is Firefox Less Secure than IE?

by Preston Gralla

Symantec's newest Internet Security Threat Report claims that Firefox has twice the number of vulnerabilities as Internet Explorer. Does that mean that Firefox is twice as dangerous as IE?

In a word, no. In fact, despite the Symantec report, Firefox remains a far more secure browser.

How can that be? First of all, even though Firefox may have twice as many theoretical vulnerabilities as IE, those vulnerabilities are rarely targeted. That's because IE is so much more popular that it's a much bigger target.

Second, Firefox vulnerabilities are patched far more quickly than IE ones, the report notes. So a Firefox security hole lasts a shorter time than one in IE.

Finally, when you attack Firefox you attack just a browser. When you attack IE, you can attack Windows itself and wreak far more damage. So a Firefox security hole, by nature, is less severe than an IE one.

Does this mean that Firefox users can remain smug about their security? Far from it. It should be a wake-up call to them and to the Mozilla Foundation that more work needs to be done. As Firefox gains in popularity, its security holes may be increasingly exploited.

Still, if you're worried about security, you'd do well to switch from IE to Firefox -- it's flat-out more secure.

What do you think about Firefox security?


2005-09-21 17:53:24
Very true

People can be very easily convinced about anything if the right statistics are used. These reports are not providing an accurate interpretation of these numbers, and people are gonna take it the wrong way, obviously.

Firefox flaws are patched at an amazing speed, and no known exploits have been made. Exploits can be designed using some of the advisories, yes, but no malicious one has been seen so far. If users update their versions when released and don't install extensions from malicious sites (I have seen none to this day), there's nothing to worry about.

I must say, though, that although the Mozilla Foundation is very conscious about security, most users aren't. The update icon on the top right must be made a little more appealing, or a different system must be implemented. Some users just don't know what it is or its importance. This means there's a lot of people with unpatched versions out there, and that can be dangerous. They are vulnerable to fixed security bugs. Fixes, workarounds and news about patches and advisories are always posted on the Mozillazine site, but I don't think all Firefox users visit this site on a regular basis.

Users are the weaker link in security, and everything must be done to raise security awareness. If Firefox wants to really make it into the mainstream, I think they need to improve their alert system.

2005-09-22 08:37:18
Symantec data flawed

The Symantec data for the study is based on what Microsoft acknowledges is a security flaw in their own product.

Is your system not owned if Msoft doesn't acknowledge yet another Internet Explorer 0day? Please.

Symantec is encouraging poor decision-making about maintaining secured systems with their marketing buzzlines.

2005-09-22 11:58:46
Undifferentiated security reports

The general trouble with security reports in the media and on the Internet seems to me that most journalists/experts do not differentiate between security risks, although it is presented as an expert’s point of view. The big discussion about the security of Firefox and IE during the last couple of weeks is very necessary for public awareness about computer security, but all the “secure” and “insecure” statements and pure numbers of vulnerabilities contribute nothing. For example, if I could choose between a browser with five vulnerabilities that could cause a crash and a browser with only one vulnerability that is a backdoor for viruses or root kits, guess what. I would be very happy with the “insecure” five vulnerabilities.

Complexity and likelihood of a potential attack is another issue. I understand that it isn’t easy to write about it for a general audience but conclusions based on oversimplifications are counterproductive.

In the case of Symantec’s report I see even a big conflict of interest, because they are selling anti-virus software and seem to be eager to get into the growing Linux market.

Frequently, I find the promise on the Internet that we can automate more and more plus automated security checks on top of it. I think this is exactly what Microsoft tried while underestimating or neglecting the increasing risk. So on the bottom line I think software development should be balanced between functionality and security.