I had an interesting inquiry from a Twitter follower earlier this week asking the question “Which would you say is safest, Firefox or IE?”. Not a question that hasn’t been asked before, but in light of the happenings of the past few days a far deeper question than it may seem on the surface.
I work with (and play with for that matter) many people who are fans of alternative operating systems, whose natural response to any question that includes choosing between Microsoft and anything else is always to not choose Microsoft. We need to more carefully consider this based on merit and not brand.
Microsoft’s Internet Explorer has been the king of browsers on the internet for 10 or more years now. Although its market dominance has been diminishing somewhat as of late, it still holds a commanding lead.
Microsoft also had a rocky start when it comes to the security of IE, but has worked hard to improve it and made lots of progress. One benefit IE brings to the corporate IT table is the ability to centrally manage it through Group Policy Objects, and centrally update through Windows Update and WSUS.
The now famous patch Tuesday can be considered another benefit to receiving predictable updates that processes and scheduling can be designed around. The other side of this is that you sometimes must wait a month or more for a fix (Like the current IE exploit being targeted as noted by SophosLabs).
ActiveX has also been a large worry for administrator’s as many controls are needed in a business workplace, yet allowing users to install and update ActiveX controls gives 3rd parties the ability to run malicious code on users’ PCs.
The final story for Microsoft is the introduction of Internet Explorer 8. While IE8 is more compliant than any previous version, it still trails behind Firefox, Chrome, and Safari. Internet Explorer 8 makes large improvements toward secure design and awareness of interoperability.
Mozilla Firefox on the other hand has a different set of issues to contend with. It is more difficult to centrally manage than IE, and has no predictable update release pattern.
By default Firefox will check with Mozilla for updates, but does require that the user accept the update. They must have enough privilege to apply the update, and cannot be behind an SSL proxy that may interfere with its signing certificate.
Recently Firefox has faced new challenges from Google, Microsoft, and others in the browser security arena, and the Mozilla team seem up to the challenge of maintaining Firefox’s security respect.
Searching on the National Vulnerability Database for Firefox bugs rated medium or higher since January 2009 results in 56 separate disclosures (Some of which have more than one flaw).
Microsoft has reported 34 for the same period, with the same statistical note as to many having multiple issues in a single advisory.
The more interesting part that seems to divide the commercial software giant from the open source driven Firefox is the methods they choose to use to inform the public.
The Firefox vulnerability in its JIT compiler was discovered by a Firefox developer and resulted from a public bug that was filed last Thursday (July 10th, 2009). The Firefox community has debated whether it was appropriate for the bug to be disclosed publicly which led to its exploitation the following Monday.
On the other hand, The Register has published an article suggesting Microsoft knew of the most recent IE flaw for more than a year before making a disclosure and patching the flaw.
There is no clear answer to which browser is more secure, the only conclusion a security expert can come to is that surfing the web is always a potentially risky activity. Hopefully this information provides you with more facts to help you make an informed decision.