New Firefox Version Heightens Debate Over Browser Security

The group released Firefox 1.0.2 on its site to fix three flaws, including one inherited from Netscape in processing .gif image files. That bug was discovered by Internet Security Systems (ISS); hackers who got users to visit sites or view e-mail messages containing specially crafted .gif files could take control of those users' PCs.

A patch was produced before ISS alerted the public, said Chris Hofmann, chief of engineering at Mozilla, so no harm, no foul. "The bug patched in this update has no known real world exploits, and we were able to provide a quick response."

This is the second security-related update of Firefox in the last month. In late February, the non-profit foundation released v. 1.0.1, which patched 17 vulnerabilities.

The spate of vulnerabilities and the updates bring into question the assumption by many that Firefox is more secure than Microsoft's Internet Explorer, one of the reasons many experts and analysts have given for Firefox's rapid climb from 0 to about 6 percent of the usage share in the United States.

To add fuel to that argument, Symantec this week said in its Internet Security Threat Report that during the last six months of 2004, it counted 21 vulnerabilities for Firefox, but only 13 for IE.

Although IE's count was dramatically up over the first half's mere 3, it was down from the 17 found in the last six months of 2003.

"This is likely due to two factors: the effort that Microsoft has undertaken to secure Internet Explorer and patch latent vulnerabilities, and the shift of vulnerability researcher interest towards alternative browsers that are being marketed or promoted as secure," Symantec's researchers concluded.

The surge in Firefox vulnerabilities, said Symantec, was directly tied to "the increased popularity and deployment of the browser, which is itself a reaction to the widespread abuse of several high-profile vulnerabilities in Internet Explorer."

Mozilla's Hofmann countered. "Rather than get hung up on the specific numbers, it's better to look at the trends. The bottom line in just about all the independent studies I've seen is that the severity of exploits discovered in IE is greater, and Microsoft takes longer to fix the problems."

Symantec's numbers backed up Hofmann.

By Symantec's classification, IE still had a higher percentage of "high severity" vulnerabilities in the second half of the year than did Firefox. Nine out of the 13 IE vulnerabilities, or 69 percent, were tagged as "high," while 11 of the 21 Firefox vulnerabilities, or 52 percent, were so marked.

And, Symantec said, the Mozilla Foundation fixes flaws much faster than does Microsoft.

"They patch faster, simple as that," said Alfred Huger, vice president of engineering for Symantec's security response team. "The average time between when a vulnerability is publicly announced and when a patch comes out is 43 days for Internet Explorer, only 26 days for Firefox."

"It's amazing the kind of rapid turn-around we see on some bugs when they get reported," said Hofmann in explaining Firefox's advantage. "All the code is available and the [open-source] community can help us to find and fix security problems faster than closed-source commercial software efforts."

And IE still leads Firefox -- leads every Windows application, in fact -- in the total number of vulnerabilities to date. Symantec's count has IE as having "just north of 300 known vulnerabilities," said Huger. "That's the most vulnerabilities in any [Windows] application that we're aware of. The next in line is IIS [Internet Information Services] with 116."

Mozilla's code line, which goes back as far as Netscape, which preceded IE, has "under 100," said Huger.

Mozilla's Hofmann said that future updates to Firefox -- and its other products, which include the Mozilla suite and the Thunderbird e-mail client -- will be released "on an ongoing basis and as warranted."

"We must stay ahead of the curve in patching potential vulnerabilities," he said.