Forum Moderators: incrediBILL

Internet Explorer more secure than Firefox?

According to Bill Gates, it is

     
7:46 pm on Aug 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 13, 2002
posts:818
votes: 0


From here: [chronicle.com...]

There have been more security problems outside of Internet -- with Firefox in particular -- than with Internet Explorer. So the contrast of how diligent we've been about fixing things, doing things, updating things has been made clear. ...

Thus saith Bill.

What the ...?!?

7:58 pm on Aug 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 23, 2005
posts:742
votes: 0


He didn't detail that fragment, nor did the lousy reporter pursue it.
9:12 pm on Aug 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


If we're talking about the number of security advisories issued, in 2005 so far Secunia shows 9 advisories for IE and 17 for Firefox. Of course that doesn't talk about active exploits found "in the wild", severity of the exploit and so on.
10:54 pm on Aug 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 26, 2004
posts:1497
votes: 0


Or the number fixed, or the fact that MoFo pay cash bounties to people who find security bugs :)
11:21 pm on Aug 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 9, 2003
posts:1908
votes: 0


Plus, as I recall, some of those bugs attributed to Firefox were actually Java bugs that had nothing to do with the browser itself. And besides, IE exploits can always be more severe than any other browser simply because of the way it's tied in with the OS.

And, of course, there's plain and simple experience. Show me a spyware-ridden computer where Firefox is used exclusively for browsing. I don't think you could find such a thing, assuming the computer was clean to start with and average common sense had been used with downloads.

11:26 pm on Aug 2, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 9, 2003
posts:1908
votes: 0


On another note, it's kind of nice to see the notice MS has been taking of Firefox lately. They must be feeling threatened.
1:14 am on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


Hmm, that was the number of bugs found in 2005, so far.

.

In other news...

Number of Unpatched Vulnerabilities:

(something like)

Firefox: 3 out of 23

IE: 23 out of 50-something-plus

Wish I could find the article from last week that had the exact numbers.

1:22 am on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 4, 2004
posts:801
votes: 0


Or the articles that mention how long some very major IE security holes went unpatched, months, some I think as long as 6 months. Firefox, on the other hand, had 17 or whatever holes because in most cases, people are looking for them, finding them, posting them, then they get fixed. Usually within days. And almost in all cases long before the exploit actually was seen in the wilds.

Compare that with the legions of MS powered zombie pcs, what a joke..

Or the fact that a lot of MSIE security holes are involved with ActiveX, which gives root level control of the OS.

The funny thing is that I think Bill actually sort of believes this nonsense, which is really good, that means that no matter what MS says in its PR releases, the corporate culture - i.e., what Bill wants and believes - will continue to generate more and more insecure products, that can only help the alternatives, which do not suffer from this mental deficiency. Why? Because they - open source products, that is - are almost all developed over the web, and have to deal with security issues as a matter of course, day in and day out. If you want to find one of the most security conscious groups of people in the world, hang out with some Debian developers, they might even share their PGP key with you if they like you...

I know one thing though, if I want real security information, I'm not going to ask an MS person, I'm going to ask a unix/linux type.

Plus the completely undeniable fact that if someone is using Firefox and Thunderbird, they aren't being exposed to anywhere close to the real world risk IE/Outlook users are being exposed to. MS can spin this as much as they want, but they keep adding more and more junk to these products; that virtually guarantees that they will always be filled with holes.

[edited by: 2by4 at 1:31 am (utc) on Aug. 3, 2005]

1:29 am on Aug 3, 2005 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9068
votes: 4


We can of course debate various statistics and compare records, but, well, it's Bill Gates, chairman of Microsoft. He would say that, wouldn't he? Microsoft is working very hard on improving IE security, with IE7 probably a very big step forward. It would be one hell of a story if he had said that Firefox was better than IE, but as it is, it's just the usual spin.
1:52 am on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 31, 2004
posts:710
votes: 0


"They must be feeling threatened."

Threatened? No! Just look at Microsoft's history, they have always got what they wanted. To say FireFox is much safer would be foolish. Just wait till they become really popular among average computer users, where the hackers start targeting them and then we'll see how safe it really is. However, it's great for us Internet users, now both of them will have to work real hard on their browsers if they want people using them.
2:33 am on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


"threatened"

Well, you don't hear Mr. Gates talking about Opera. Clearly, this Firefox upstart does not fit into the MS plans. You don't start talking or spinning about a competitor unless you do consider them a real competitor. Look at that reporter's question (at least as published). The reporter did not mention Firefox, Bill Gates introduced it by name.

"hackers start targeting them [Firefox]"

That started a while ago - a year ago or more. Sure, it's true that the bigger the market share the bigger the target. But that doesn't mean that hackers are ignoring Firefox until it reaches 40% or some monumental number. In fact, it would be a big coup for a hacker to release a working exploit against Firefox. So far, there's been precious little found "in the wild" and most vulnerabilities have been found and patched in a preventative manner - not after users were suffering.

I think it's important to crank up the level of discriminative thinking here and filter out spin and partial truths. What kind of measure is "number of exploits identified"? Especially when, as Robin mentioned, there is a bounty available - real cash - for finding a hole in Firefox and nothing like that for IE.

Secunia gives us pie graphs to compare "criticality" of how severe the reported security holes are - here are the two top numbers from the IE and Firefox reports:

Extremely critical -- 15% ie -- 0% ff
Highly critical -- 27% ie -- 19% ff

Sources on secunia.com:
Internet Explorer 6 security [secunia.com]
Firefox 1.x security [secunia.com]

edited for clarity

[edited by: tedster at 3:50 am (utc) on Aug. 3, 2005]

3:10 am on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 4, 2004
posts:801
votes: 0


"To say FireFox is much safer would be foolish"

Ok, I'll go ahead and say it: FIREFOX IS MUCH SAFER.

Why do I feel comfortable saying this? Because I've followed the history of MSIE for many years. Now if you had said 'say that MSIE will ever be really secure would be foolish' I'd have to agree with you wholeheartedly, since you'd have many years of exploits and security failures to point to to support your claim.

And there's just simple facts like Firefox not having ActiveX, and not supporting certain proprietary JS MSIE system calling functions, lots of other stuff.

And Firefox is open source, anyone can fix any hole they find anytime they want, then submit the fix. Including security researchers, who have to pray that MS will pay attention when they notify them.

9:40 am on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


I don't often stick my neck out with predictions but I'm going to here.

IE 7 will be the last release. MS will give up because the reward to effort ratio will make it uneconomic. Right now, this is already true. IE 7 is under development for reasons of company pride not commercial logic.

If MS were to officially unburden themselves, that would leave a lot of programmers that could be reassigned to commercially-viable products and/or OS development. That would just leave the compiled html help system and Outlook(express). If these were converted to a mozilla engine, the job would be done.

Eventually, MS will realise this and bite the bullet.

Kaled.

11:21 am on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 9, 2003
posts:1908
votes: 0


"Just wait till they become really popular among average computer users, where the hackers start targeting them and then we'll see how safe it really is."

The real security issue here is not marketshare, it's the fact that IE is so deeply integrated with the operating system. That makes it inherently insecure. That and ActiveX.

Also, notice the relative marketshares of Apache and IIS. And yet, it's IIS that's always getting hacked and new vulnerabilities always being found.

7:11 pm on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 4, 2004
posts:801
votes: 0


It's always interesting to me when I see posters repeat word for word MS company spin, I guess MS is getting some value for their PR dollars.

As MatthewHSE points out, absolutely correctly, Apache serves up something like 65% of all the websites on the web, it's by far the most dominant web server on the planet, and has been for years, yet it's IIS that has been the victim of attackers. The same IIS that at one point the Gartner Group declared to be an absolute security disaster.

Please, if you are going to repeat spin, at least have some facts to back it up. MSIE has ActiveX, it has JavaScript access to Windows system functions, it has so many other holes in it, by design, and that is why it has been a brutally exploited target. Firefox has none of these weaknesses, by design, so when security holes are discovered, they are a: easy to fix, and b: not as big. This is by design. Again, MSIE is insecure by design, it's a function of how it was built to work.

8:18 pm on Aug 3, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 4, 2002
posts:1314
votes: 0


Worth taking a look at what US-CERT say - they appear to be talking on behalf of the US Dept of Homeland Security.

One example:

[kb.cert.org...]
"Use a different web browser ..... There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model..."

If they advise using another browser rather than IE, anyone else's advice to use IE should be rigorously backed up with evidence of mistakes in US-CERT's analysis.

For me, it's their recommendation I pass on to my clients.

 
