As Mozilla and Microsoft executives argue about which browser -- Firefox or Internet Explorer -- is more secure, fans of the former have numbers on their side, a Belgian security consultancy said this week.
According to Brussels-based ScanIT, users of Microsoft's Internet Explorer (IE) were "unsafe" 98 percent of the time during 2004, while Mozilla users -- which would include those using Mozilla and Firefox -- were "unsafe" only 15 percent of last year.
ScanIT determined the unsafe periods by examining the life spans of vulnerabilities in IE, Mozilla, and Opera -- a Norwegian browser that has a nearly insignificant share of the U.S. market -- which could be exploited remotely by attackers. By documenting the time between the disclosure of the vulnerability and when a patch was issued, ScanIT calculated the total number of days each browser was vulnerable. It also matched those vulnerable dates against periods when out-in-the-wild exploits were making the rounds.
IE was vulnerable all but seven days of 2004, or 98 percent of the year. "There was only one period in 2004 when there were no publicly known remote code execution bugs," said ScanIT's report. "Between the 12th and the 19th of October. That means a fully patched Internet Explorer installation was known to be unsafe for 98 percent of 2004."
During 200 days (54 percent of the time), there was a worm or virus on the loose that exploited one of the unpatched IE vulnerabilities. (ScanIT's IE vulnerability timeline can be found here.)
In comparison, Firefox (and the other Mozilla browsers) was vulnerable only 56 days in 2004 (15 percent of the time) during off-and-on stretches starting in May. At no time in 2004 were worms or viruses circulating that exploited one of the unpatched Firefox vulnerabilities.
"In 2004, Mozilla was not targeted by malware writers," ScanIT's report said to explain why Firefox wasn't at risk last year. "But this might change as Mozilla software gains popularity."
Even then, however, ScanIT said Mozilla/Firefox may still have an advantage over IE. "Security researchers seem to be more inclined to report vulnerabilities privately to the Mozilla development team rather than publish them immediately," said the report. "This might be because the Mozilla project produces free open-source software, and being nice to it is considered 'A Good Thing.'" ScanIT also considered Mozilla's bug bounty, which pays $500 to users reporting critical flaws, as playing a part.
Naturally, Mozilla Foundation executives touted the ScanIT data. "Their research points out that Microsoft's IE was 'unsafe' for 98 percent of 2004, while we were 'unsafe' only 15 percent of the time," said Chris Hofmann, chief of engineering at Mozilla. "This is really the metric that makes the most sense to most users." Earlier in the week, in fact, Mitchell Baker, the president of Mozilla, claimed that her foundation's browsers were inherently more secure because they weren't tied to the Windows operating system, and rejected the idea that a boost in market share would make Firefox more vulnerable.
Her head of engineer tweaked that message a bit in an e-mail to TechWeb. "People really should be looking at the architecture of the browsers and the source of potential vulnerability," said Mozilla's Hofmann. "Browsers share many of the same architectural components, but it's been Microsoft proprietary extensions to the browser such as ActiveX, and the complex Microsoft Security Zone model, where the most severe exploits have surfaced in the past and continue to be exploited.
"Microsoft has made strides in securing these areas in [Windows XP] SP2, but in some ways they were Band-Aids on an insecure architecture."
Microsoft, of course, doesn't see it that way. In his blog, IE product manager Dave Massy first defended his browser. "As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."
Next, he took issue with Baker's claim that IE would always have more bugs because it was tied so tightly to Windows. "The security of any browser is irrelevant if it is part of the operating system," Massy said. "If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the Web."
Interestingly, a third party -- Alfred Huger, the vice president of engineering for Symantec's security research group -- isn't sure which browser will be less or more secure going forward, but is sure of one thing: attackers will continue to focus on browsers.
"Everyone has a browser, so it's the biggest possible audience," he said. "Hackers will be targeting Web clients with greater effort in 2005, something that's definitely going to get a lot of attention."