So, which browser is more secure – Microsoft’s Internet Explorer (IE), or Mozilla’s Firefox?
Well, the answer is the industry analyst/pundit’s favorite gambit – that depends.
Jeff Jones, self-described “Security Guy” at Microsoft (and more officially, a strategy director for Microsoft’s Security Technology Unit), recently posted a blog entry at CSO (“Chief Security Officer”) online. That blog entry includes a link to an “Internet Explorer and Firefox Vulnerability Analysis Report,” which is available for free download.
Jeff’s report finds that IE has actually had fewer bugs that required fixing than Firefox.
Hmm.
However, at the Mozilla Security Blog, Window Snyder, head of security strategy at Mozilla Corp., rapidly posted a response. That response says, among other things, that Microsoft’s bug count is suspect, because it only includes publicly disclosed bugs. Snyder also argues that users have to wait for Service Packs or other major updates from Microsoft to get such bugs fixed, while Firefox users get bug fixes more rapidly.
Hmm.
Snyder also quotes from a Washington Post analysis which found that, on 284 days during 2006, exploit code that could take advantage of an IE vulnerability was publicly available online with no patch yet issued by Microsoft. The comparable count for Firefox, according to the Post citation in Snyder’s blog, was nine days on which a similarly critical, publicly exploitable flaw remained unpatched by Mozilla.
Hmm.
When I was growing up in Brooklyn, New York, there was a joke that went like this.
“What’s the difference between major surgery and minor surgery?”
“Major surgery is MY surgery; minor surgery is YOUR surgery.”
Vulnerabilities that cause no damage or risk, it can be argued, are irrelevant to almost everyone except attackers and developers. And the risk a vulnerability creates is rarely removed completely, or even meaningfully, by a patch alone: a fix reduces exposure only once it is actually deployed, and deployment lags release.
Holes in code turn into real risk when (1) those holes create opportunities irresistible to miscreants, (2) those holes are not disclosed, or are inadequately disclosed, to those at risk, and (3) those holes go too long before they’re patched over. In this way, holes in code are like damaged roads: they can only hurt cars if they’re unmarked, unrepaired, and actually driven over.
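The Post figures quoted above and the three conditions just listed both describe the same thing: a window of calendar days during which a hole is known, has public exploit code, and is still unpatched. The following added example (not code from the original post, the Washington Post, Microsoft or Mozilla) shows how such a count is computed and why it is a union of overlapping windows rather than a per-bug sum. The dates in `SAMPLE_WINDOWS` are constructed for illustration and are not anyone’s real figures.

```python
from datetime import date, timedelta

# Constructed sample data, not the Post's figures: each entry is
# (exploit_public, patch_released) for a hypothetical flaw.
# None means no patch had shipped by the end of the measured year.
SAMPLE_WINDOWS = [
    (date(2006, 1, 10), date(2006, 2, 14)),
    (date(2006, 2, 1), date(2006, 2, 14)),   # overlaps the first window
    (date(2006, 6, 5), date(2006, 6, 6)),    # fixed the day after exploit release
    (date(2006, 11, 20), None),              # still unpatched at year end
]


def _clipped_intervals(windows, start, end):
    """Turn (exploit_date, patch_date) pairs into half-open [a, b) day ranges
    clipped to the measured period [start, end]. The patch day itself counts
    as protected, and a window whose patch preceded the exploit is dropped."""
    limit = end + timedelta(days=1)
    out = []
    for exploit_public, patched in windows:
        a = max(exploit_public, start)
        b = min(patched if patched is not None else limit, limit)
        if a < b:
            out.append((a, b))
    return sorted(out)


def exposure_days(windows, start, end):
    """Distinct calendar days in [start, end] on which at least one flaw had
    public exploit code and no patch. Overlapping windows are counted once
    (interval union), which is the sense in which a figure like '284 days in
    2006' is a calendar count rather than a sum over bugs."""
    total = 0
    cur_a = cur_b = None
    for a, b in _clipped_intervals(windows, start, end):
        if cur_b is None or a > cur_b:
            # new disjoint run: bank the previous one
            if cur_b is not None:
                total += (cur_b - cur_a).days
            cur_a, cur_b = a, b
        else:
            # overlapping or adjacent: extend the current run
            cur_b = max(cur_b, b)
    if cur_b is not None:
        total += (cur_b - cur_a).days
    return total


def flaw_days(windows, start, end):
    """Naive per-flaw sum of unpatched days; double-counts days on which
    several flaws were open at once, so it overstates user exposure."""
    return sum((b - a).days for a, b in _clipped_intervals(windows, start, end))


if __name__ == "__main__":
    y0, y1 = date(2006, 1, 1), date(2006, 12, 31)
    print("calendar days exposed:", exposure_days(SAMPLE_WINDOWS, y0, y1))  # 78
    print("per-flaw days summed: ", flaw_days(SAMPLE_WINDOWS, y0, y1))      # 91
```

The gap between the two numbers is the point of the exercise: a vendor counting bugs sees 91 bug-days, while a user of the browser was exposed on 78 distinct days. Either figure also depends on which flaws are counted, which is exactly the dispute between the two blogs above.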
In this regard, Microsoft and Mozilla parallel the different approaches taken by many if not most North American and European companies, respectively, regarding security breaches. In North America, companies frequently downplay and hush up news about such things, fearing reputational retribution in the marketplace. In Europe, companies frequently announce such breaches as soon as they’re discovered, so other companies can defend themselves and protect their customers and partners as quickly as possible.
Is one approach inherently better than the other, in either case? As Johnny Mathis used to sing, “It’s not for me to say.” However, I’m pretty confident which approach seems more open and less defensive and secretive. For whatever that’s worth…
