I believe that Mozilla and Firefox are inherently less of a security risk than Internet Explorer for one very important reason: they are both pretty much stand-alone rather than being tightly integrated into Windows.

Internet Explorer is tightly bound to Windows in two ways (besides Microsoft's statement that it is). First, in a word, ActiveX. No other major browser by default will load and execute native Windows code from arbitrary websites.

Second, and less widely recognized, is that core components (esp. the rendering engine) of Internet Explorer are used by many other pieces of software, both from Microsoft and, increasingly, from other vendors. (Many third-party applications will not even install if a sufficiently recent version of IE is not present.) Since the rendering engine (Gecko) of Mozilla/Firefox can't be assumed always to be present in a typical Windows installation, few if any third-party software packages make use of it.

The tight integration of Internet Explorer into Windows, while often increasing power and convenience, increase the scope of any security vulnerabilities present in that browser.

Compartmentalization is one of the important principles of most security regimes: Internet Explorer doesn't provide it.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11327/32521#32521