Report: Firefox Security Superiority a Myth

Secunia has debunked a myth held dear by Linux devotees and anti-Microsoft grousers: that Firefox is safer than Internet Explorer.

There were 115 reported security vulnerabilities in Firefox last year -- almost twice as many as Internet Explorer and Apple's (Nasdaq: AAPL) Safari browser combined, according to a new report by the security researcher. Firefox did surpass IE in one respect, though. Mozilla was much faster at repairing bugs once they were reported or discovered than Microsoft (Nasdaq: MSFT) was.

The Secunia report follows on the heels of the release of Mozilla's new Firefox 3 browser -- 3.0.7, which includes fixes for several security problems. Three of the patches in the new browser addressed critical flaws that could -- if not remedied -- give a hacker the ability to remotely execute code on a computer.

In response to a request for comment, Mozilla directed TechNewsWorld to its blog post on the subject, which was still dark when the article was filed.

Browser Wars

IE is the dominant browser in the marketplace by far -- but its share is steadily eroding, thanks to inroads made by Firefox, Safari and other alternatives.

Last month, Net Applications issued a report finding that all three browsers -- IE, Firefox and Safari -- had reached new milestones: IE accounted for 67.6 percent of browser users in January 2009, its lowest percentage of market share since Net Applications began following the space. Meanwhile, Firefox and Safari achieved new highs: 21.53 percent and 8.29 percent, respectively.

A report by StatCounter Global Stats found that Microsoft's combined IE 7 and IE 6 marketshare fell from 68 percent last July to 63 percent in February 2009. Firefox 3 and 2 grew from 25 percent last July to 27 percent by February.

One reason IE's popularity is dropping -- ironically, considering Secunia's finding -- is its perceived security and stability issues. To cite just one example, Microsoft has had to release two out-of-band security updates in recent months in order to plug vulnerabilities that were being widely exploited by hackers. It was a double-edged sword for Microsoft: An IE vulnerability was putting consumers and enterprises at risk, but the company's fast response should have been praised. Yet Firefox won the PR battles on both issues, largely because its flaws have not been in the spotlight as much.

More Marketshare, More Problems

While there are valid criticisms that can be levied about the bugs and flaws in IE -- as well as Microsoft's responsiveness in fixing them -- it must be pointed out the company's market share is working against it, especially in an apples-to-apples comparisons of which browser is better, faster or more secure.

"I don't know for a fact whether Mozilla does fix bugs faster than Microsoft -- perhaps it very well is true," Rohyt Belani, CEO of Intrepidus Group, told TechNewsWorld.

"What I do know is that Microsoft has a much larger share of the market, and hackers will always target Microsoft more than they do Firefox or Safari," he said.

In terms of development practices, though, Belani would not say that one browser was more secure than any other.

Patch Management

Another issue to take into account is user behavior -- specifically, patch management practices.

In theory, releasing a bug patch faster reduces the Zero Day window or threat level, said Derek Manky, security and cyber threat researcher for Fortinet's FortiGuard global security research team.

"In reality, though, that is not the case," Manky told TechNewsWorld.

The Conficker worm, for instance, has been particularly relentless and damaging. It was actually patched very quickly by Microsoft, Manky pointed out. For two months after the patch was released, activity was quiet -- then began to pick up.

The lesson, of course, is that administrators are not applying the patches as quickly as they should, he said.