back to article Mozilla rubbishes IE Firefox security study

Mozilla developers have hit back at a Microsoft study that suggests Internet Explorer is more secure than Firefox. The study, Internet Explorer and Firefox Vulnerability Analysis, is based on a comparison between the number and severity of security updates issued for IE and Firefox since the release of Firefox in November 2004 …

COMMENTS

This topic is closed for new posts.
  1. Steve
    Gates Horns

    shurely you mean...

    Microsoft has fixed 87 *known* vulnerabilities in various flavours of IE while Mozilla has patched 199 *known* vulnerabilities in Firefox products.

  2. Anonymous Coward
    Anonymous Coward

    Poor study

    This is indeed a poor study, trying to trick people with misleading statistics. It reminds me of the times I would visit a friend, and invariably find his computer riddled with viruses and malware. He wasn't the most careful of people. "How come I only ever seem to get a virus when you come round?" he would ask... Firefox developers are to be commended for being more transparent, not criticised by shoddy, piss-poor 'studies'.

  3. Dan
    Gates Horns

    Never mind security

    On Vista, IE isn't even fit for purpose. I persevered with IE for ages because I wasn't convinced Firefox was fully compatible yet - how wrong did I get that one. If you're using a widescreen display with 1440 x 900 res, IE can't even render the pages nicely, and repeatedly falls over for no reason. Since I installed Firefox, it's like I just cleaned the Windows (no pun intended) and can see the view properly. It's crashed 3 times in the last month, as opposed to maybe twice a day.

  4. Chad H.
    Flame

    Microsoft English

    Quality Assurance, Better Experience, Innovation, Trusted Computing, Security... Is Microsoft English a different language to the regular english? Is a Microsoft English Dictionary avalible on Cash and Carrion?

  5. adnim

    Here's another way of looking at it

    Mozilla has fixed 199 problems in its software. However, micro$oft has only fixed 87 of its problems.

    It's all semantics shemantics*

    *lice in the hair of ladyboys... I'll get my coat.

  6. Anonymous Coward
    Thumb Down

    Boot on other foot

    Strange isn't it that Mozilla/Linux/Mac/<fill in blank MS Hater Group> fan-boys are happy to quote numbers of vulnerabilites in Microsoft products when it suits them but when the boot is on the other foot they cry foul.

  7. Anonymous Coward
    Joke

    Vista more secure

    Just to turn the argument on it's head, for those who like to bash linux

    1: Of course Vista is more secure. You can't run anything on the darn thing

    2: Of course there is less mallware for vista, it as a smaller userbase.

  8. Harry

    "Is Microsoft English a different language to the regular english?"

    It is indeed. Many times has microsoft tried to foister American-speak substitutes for my REAL English.

    And that's even despite setting to BRITISH English (and since when was there a non-British England?)

    America is still using a beta-test version of English from many centuries ago. Its time it did a global update to REAL live, current English.

  9. gareth
    Linux

    RE: Boot on the other foot

    @ AC

    you seem to miss the point of the article. Did you even read it?

    this ins't about the number of security vulnerabilities but the number of fixes

    if the numbers had been put into context with the number of vulnerabilities found in each and the length of time it took for each to be fixed you would get a true picture of which is the more secure

    firefox is updated very regularly as vulnerabilities are patched as soon as possible where MS will try to cover up a vulnerability and only bother to patch it once someone has found a way to abuse said vulnerability try engaging brain befor speaking out your arse

  10. Karl Lattimer

    Statistics...

    They are of course only counting the vulnerabilities that microsoft owned up to and fixed. Not the bugs that exist that still sit there unfixed because microsoft haven't acknowledged them yet.

    Mozilla have a different issue, this is, all or at least almost all of the bugs on the bugzilla come from users and security researchers outside, as well as ones inside.

    This means that mozilla in being more transparent has shown more fixes, looks to me that they're doing better than MS more bugs, more fixes in the same time period means mozilla is working harder. That's generally how software works!

  11. Anonymous Coward
    Joke

    Wait a minute...

    I'm sure I've read an article somewhere with Microsoft saying that because it issues more fixes than Apple, it's more secure than Apple.

    And now here's Microsoft saying that because Firefox issues more fixes than Microsoft, Microsoft is better then Firefox?

    Can't say I've heard of Firefox Tuesday or anything like that but that's just me - I live in a cave.

    Lordy, I'm glad Microsoft is around to defend me against dodgy software that's prone to weak security and infliltration.

    Thank you Microsoft.

  12. Anonymous Coward
    Gates Horns

    As they say...

    Lies, damn lies, and statistics...

  13. Don Mitchell

    Trusted Zones

    If you're serious about browser security, set IE into high security mode, set the "Trusted Zone" to medium and move trusted sites into the trusted zone. That's not automatic enough for everyone, but its much safer than just assuming that any massive program is bug-free and secure.

  14. Nexox Enigma

    Re: Poor study

    """...trick people with misleading statistics..."""

    You mean that someone discovered non-misleading statistics somewhere!?! Or maybe you're just being redundant for extra effect?

    Wouldn't it be weird if one day Microsoft saw the light and endorsed open source? Stop laughing... It could... Maybe... Happen... Maybe...

  15. yeah, right.

    lies?

    There are no lies. Everything Microsoft says is "The Truth". Right?

    Certainly the US government seems to think so, as well as all the large company droids that keep pushing their crap into the server rooms, then wonder why their IT costs have doubled.

    For me, it's a simple equation:

    Microsoft = I.P theft + marketing = lies = bad for business.

    Removing Microsoft from my client's businesses (where possible, obviously) has significantly reduced their I.T. costs and their downtime. The clients that insisted they stay with Microsoft when non-Microsoft alternatives were available require much more of my time. So much so that I don't offer them the "fixed monthly rate" I.T. management service that I offer companies who take my advice, and I actively try to pawn them off to other consultants. All my clients are small businesses.

    That's my experience. Microsoft can just go suck rotten eggs.

  16. Matt Horrocks

    Better comparison...

    ...if they're comparing IE to when Firefox was released.. how about compare bugs fixed since IE v1 with bugs fixed since Firefox v1.

    They could spend their time a lot better, like by finishing that new file system they promised for longhorn and vista but then dumped.

  17. Mike Moyle

    Statistics

    Total numbers of bugs and fixes are one useful metric, I suppose, but the one that I'd bet interested in seeing alongside of that - for any comparison between competing OSes, browsers, etc., is the PERCENTAGE of known bugs that have been fixed.

    Without knowing how many bugs there were (and their severity) AND how many have been fixed, any claims one way or the other are disingenuous at best.

  18. Mark

    Simple question

    What are you using to browse the reg at the moment?

  19. b shubin
    Pirate

    Hard sell

    the IE/Firefox comparison was based on a time-honored tactic:

    When you have no basis for an argument, abuse the plaintiff. --Cicero

    perhaps if Ballmer & Company made better software, they wouldn't have to spin everything (thus the "Get the Spin...err, Facts!" marketing campaign). it's absurd that every sentence that comes from Microsoft and friends, has to be checked for marketing-driven bias, which then has to be filtered out; otherwise all data must be discarded as useless.

    a vendor's recipe for integrity is very simple: make a good product, provide a good service, fess up when you mess up, and charge a fair price.

    Vista was universally judged to be a pig, but they continue to put lipstick on it.

  20. Sceptical Bastard

    Balderdash, MS

    Have you all actually *read* the CSO article? Very illuminating.

    If it shows anything (which is debatable) it shows the reverse of what Microsoft would like to claim.

    Besides, by any standard (and by experience) both Opera and Firefox (especially 'Fox with NoScript) are far less vulnerable to exploitation than IE7, let alone IE6.

    And, BTW, a quick trawl of my logs reveals that IE6 still accounts for a substantial proportion of visitors.

  21. Morely Dotes

    Re: Boot on other foot

    Let's try it this way:

    199 bugs fixed by Mozilla, average time to release the fix: 2 days. That makes Mozilla's "total vulnerable time" 398 days.

    87 bugs fixed by Microsoft, average time to release the fix: 14 days (that's being generous, it's actually closer to 21 days average). Internet Explorer's "total vulnerable time" is then 1218 days.

    In other words, you would be at least 3 times safer using Mozilla than uusing Internet Explorer.

    And lest Anonymous Coward accuse me of being *any* kind of fanboi, I work in an all-Microsoft shop during the day, run Linux servers at home, with a mix of Linux and Win2K and WinXP client PCs. The only reason I have no Macs is because I can't talk the wife into modernizing (she's the remaining Win2K client; refuses to move to XP or Mac). Each OS has strengths and weaknesses. Security is NOT a Microsoft strength.

    I even have OS/2 Warp. Not sure why, really...

  22. Dick
    Happy

    Simple answer

    Firefox / 2.0.0.11

    of course

  23. John
    Gates Halo

    One of Microsofts best surveys yet

    Of course its got flaws in it that a G.C.S.E. maths student should spot, but when compared to previous "MS is more secure than Linux" surveys it actually looks like they used a statistics book when then did this. Never mind that they would have probably got an F.

    FUD FUD FUD FUD FUD FUD FUD FUD FUD FUD FUD FUD FUD FUD FUD

  24. Stuart Gray

    @Mark

    Mozilla, running on eComStation. What are you using?

    Stuart

  25. The Other Steve
    Flame

    @Chad

    "Is Microsoft English a different language to the regular English?"

    Yes, very much so. As anyone who has ever tried to read any of Microsoft's API documentation can bitterly attest. Often for hours, especially after a few pints with some other codemonkeys.

    "Is a Microsoft English Dictionary avalible on Cash and Carrion?"

    I doubt it, since MS have a fun fun tendency to redefine words as soon as people get used to a meaning. It keeps us all on our toes, and the landlords of several local hostelries in Bahaman holidays.

    @Ill informed AC :

    Jeez, shot your wad a bit early there, at least wait until you see a fanboi before you start flaming them.

  26. Walter Brown

    Typical MS self promoting bullshit...

    This reminds me of a story that ran in the first part of this year, in which a certain bald headed chair chucker was touting "significant gains" in the search engine market, claiming more and more people were switching to live search over google. despite everyone knowing that those figures were artificially inflated with the release of vista and IE7...

    The only thing microsoft proves with these PR stunts is that they are better at bullshitting the public than they are at making useful / stable / secure products... this will never change.

    @Mark... Firefox...

  27. Mark Simon

    And the winner is ...

    "In the three years since then, Microsoft has fixed 87 vulnerabilities in various flavours of IE while Mozilla has patched 199 vulnerabilities in Firefox products."

    Or, to put in another way, Microsoft has yet to patch how many bugs, vulnerabilities and flaws?

  28. Martin Usher

    Its just marketing

    We all know better than to think that anything that comes from a marketing type person has any meaning. He's paid to show that MSFT's product is better than Mozilla's because, obviously, Moz's product is showing up on the radar. Put crudely, you get to use IE by default (because its on the computer when you bought it) and you use Firefox (or Opera) by choice. That alone says a lot.

    A lot of MSFT's web development over the last decade seems to be focussed on trying to establish proprietary technologies -- wherever you go you come across oddball, incompatible and (often) not-quite-finished DiY technologies that they claim to be some kind of industry standard because they sell Windows. This is an infernal nuisance because they have a very myopic vision of what computers and computer users are. I find that the less I have to do with them the easier things become.

  29. Bernadette Newburg
    IT Angle

    Get the What?

    Back when M$ was heavily promoting their "Get the Facts" campaign against Linux, they royally pissed off another 800 pound gorilla...a big blue one. So in the battle of 800 pound gorillas funding studies about this, that, and the other thing, it was discovered that, of course, the best studies that had the best facts were...the independent ones. Jones was heavily criticized for his 90 day report card earlier this year. As a lot of people said, Vista was safe because you couldn't get on the Internet with it - still can't, you need to use Firefox or Opera most of the time. Gates, Ballmer, and Co. should have learned then - don't tout your own studies, don't do your own research. Wait for someone else to independently do it. I'm just waiting for them to piss IBM off again. It really was fun to watch when I worked there.

  30. Odd Einar Aurbakken

    I'd rather like to know how dangerous they are

    Does anyone know how often the average Firefox user get in trouble because of a Firefox bug v.s. how often the same happen to the average I.E user? Or even better, do a study on random users, how often do they get into trouble because of security bugs in their browsers and what browser do they use?

  31. Steve Browne
    Jobs Horns

    Dispose of IE, dispose of problems

    My experience is that switching to Firefox enhances security no end. I am sure there are problems lurking, but I get updates frequently to deal with them. I have had no issues with spyware, adware or any other unwanted *ware since switching. My friends who had many spyware/adware infiltrations per day, like in the 100s, dropped to zero when converted to Firefox.

    So, MS can release as many studies as they like, my own empirical study on real machines with real people using them indicate that IE brings in too many problems for it to be left in unskilled hands. Installing Firefox removes these problems, in fact, if they persist in using IE after I have set up Firefox then I tell them they are on their own, as I refuse to constantly fix the same thing time after time.

    I still have IE, it is handy for Windows Update, but that is all it is used for. Firefox remains my personal choice.

    MS would be better served remembering when they were the good guys, instead of the greedy, lying, ugly creature they have become.

  32. Smell My Finger

    They have a point

    The problem with IE - other than the fact it's a dull, uninteresting browser characterised by a lack of innovation is that it's reputation proceeds it. People still think it's as insecure as version 4 which it clearly isn't. Mostly Internet Explorer is used as a whipping-boy by dishonest computer evangelists that specialise in FUD regardless of the facts. It always amazes me though that if Microsoft wanted to attack Firefox it be easier just to examine its ridiculous memory consumption and the way it leaks memory like a bastard (http://kb.mozillazine.org/Memory_Leak) and seems to never get fixed...

  33. Anonymous Coward
    Alert

    Re: Trusted Zones

    Might want to be careful with that suggestion. IE gets a little weird about the trusted sites zone. Setting the security slider doesn't mean exactly the same thing in different zones, which is counterintuitive. There are parts of windows that only check which ZONE the site is in, the slider position isn't checked. It just sets a bunch of things to an arbitrary set of defaults.

    Ask your self, do you really think that every security function in IE has a selectable option in the GUI settings page? Or could someone at MS possibly be lazy, or stupid, or intentionally obfuscating an essential security check. I can't say that I have peeked into the gut of the latest version of IE on vista, but earlier versions have happily surrendered both local file system and windows registry access to "trusted sites" even when trusted sites was set to maximum security. Some of the ActiveX stuff gets weird about the Zones too.

    Considering that in almost 15 years they couldn't be bothered to implement a security zone that allows tight control of locally saved copies of potentially unsafe content, I prefer not to make assumptions that include them having thought things through. These are the same people who keep missing the fact that it's a horrible idea to use a blacklist (i.e. the Killbit) to keep a ActiveX control from running in IE. So we get a fistful of root exploits every year because developers who will NEVER write a line of code for IE forgot to check a box in Visual Studio. Hello, Whitelist?

    Since the tone of this is fairly harsh towards MS, I feel I should apply some at least the kiss of the jackboot to the pants our friends at Mozilla. Before they realized they could grand stand about security they were just as bad as MS. They both militantly believed that they could make the web browser into the it-does-everything-wonder-app. Now they lie through their teeth claiming to be more secure, while pretending that they ARE secure.

    Hats off to all the the coders who have been working their tails off fixing things, but there is still plenty of ugly code and bad architecture to fix. Also while root exploits seem to be take seriously, privacy issues like invasive java script, third party cookies, web bugs, and and other session tracking techniques are generally left wide open, and only managed effectively through the use of third party tools and extensions. Probably because of generous cash contributions from data mining firms and banner ad houses?

This topic is closed for new posts.