Microsoft and Mozilla have again locked horns over whose browser is more secure.
On Friday, Microsoft posted a report showing that, while the software giant and Mozilla have both improved security in the latest version of their browsers, Internet Explorer has overall had fewer publicly disclosed flaws than Mozilla's Firefox in the past three years. While the report stopped short of calling Microsoft's browser more secure, the analysis spotlighted bug counts as a measure of "security quality."
"While the results in this study showing fewer vulnerabilities in Internet Explorer might be surprising to some, to others the results will simply be a confirmation that improving security is a hard job even with the best of intentions," Jeff Jones, security strategy director for Microsoft, said in the report.
Mozilla immediately struck back at the critique, pointing out that the open-source browser has done better than Internet Explorer with significantly lower average times to patch a vulnerability. Moreover, Mozilla's vice president of engineering Mike Schroepfer also questioned whether Microsoft public vulnerability disclosures have any relationship to the actual number of flaws found in any of the company's products.
"A vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer," he said in a blog post, adding: "Bug counts are meaningless, what matters is whether you are at risk or not."
Microsoft and Mozilla have both boasted about the security of their respective browsers. Following the release of Internet Explorer 7 and Firefox 2.0, the two organizations faced off over the browsers' phishing features. In July, the two groups argued over whether the browsers should check uniform resource identifiers (URIs) before passing them to other applications. Mozilla quickly fixed the issue, while Microsoft originally argued that the problem should be handled by third-party application, before ultimately releasing a patch.
Ironically, market share may mean far more than the number of exploitable security holes. An survey of attacks against Mozilla Firefox 1.5 and Microsoft Internet Explorer 6 Service Pack 2 found that, while Firefox had more publicly disclosed flaws, every single attack appeared to target Internet Explorer 6 SP2.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos