There’s been a lot of discussion lately on whether Firefox is really more secure than Internet Explorer, or whether its only security comes from being a less targeted browser.
It will take a lot of evidence for someone to ever convince me that Internet Explorer is more secure. There are a lot of studies that try to accurately measure security based on the number of patches, the time it takes for a vulnerability to be patched, etc. There are a couple of factors that are almost always overlooked:
- Microsoft patches are usually for multiple vulnerabilities — If you look at the details of most Microsoft IE patches, you’ll see that a single patch usually rolls up fixes for a half dozen or so vulnerabilities. Many studies never bother to crack the seal and only count that as one vulnerability.
- Microsoft has a history of long patch times — Don’t take my word for it; go look at eEye’s unpatched vulnerability page. In case Microsoft actually patches some of them, let me highlight for you the top few items on that page:
  - Internet Explorer and Outlook
    - Remote exploit - minimal user interaction - 188 days
    - Remote exploit - minimal user interaction - 151 days
    - Remote exploit - minimal user interaction - 146 days
  - Windows
    - Privilege escalation - not so serious - 133 days
    - The mother of all of them, the holy grail, remote exploit in default installations of Win2k, XP, and 2k3 - 87 days
Yup, that’s right. For nearly three months there has been a remote vulnerability of the sort that would force ISC to drop to Infocon Purple. And that’s just ONE security research company. Granted, they’re one of the most knowledgeable and skilled, but I find it hard to believe there aren’t other companies with similar vulnerabilities just awaiting announcement.
You find me a single remote exploit in a default install of any of the BSDs that remained unpatched for more than 30 days and I’ll buy you a lunch.
I might not be the greatest browser security guru but the advantages that all the extensions offer to Firefox make it fun to use the internet again. When I use IE I am reminded of all the ads that Adblock takes care of and I am constantly reminded of the weather in Florida with ForecastFox. So many others too!
Left by Colin on October 4th, 2005
Don’t forget that Firefox notifies you automatically when there’s an update, and the fix is simple. Just about as simple as when there’s a new version of Flash - just click ‘accept’, wait a few seconds, and you’re done.
IE patches are usually OMGWTF-sized and require great risk to system stability due to the sheer number of changes involved.
Left by Rehmeyer on October 6th, 2005
Firefox rock solid? Maybe, but my Firefox isn’t working on two different computers now. In fact, on Joy’s computer Firefox, Netscape, and IE are all down. I can open them, but then they just close on me immediately thereafter.
So, I had to use Quicken’s browser to get online and download Opera. Opera works just fine for now. (QUICKEN! Can you believe that it was the only browser out of four in my computer that worked?) Yes, yes. It is always nice to have Quicken around for the old back-up browser.
Left by David on October 7th, 2005