What’s new: browser security
20 February 2007
The last months of 2006 saw the unveiling of new versions of both Internet Explorer and Firefox, the first and second most used web browsers respectively. Both browsers got security enhancements as well as pleasing feature additions, but, for our purposes, we will discuss only the security implications of the new releases. In the past, this blog has forcefully advocated Firefox over Internet Explorer for security reasons. Does this still stand?
The security story so far
Firefox is, as ever, quite secure. The surprise is that Internet Explorer is now in the same league. This is a good thing for everyone who uses the internet, no matter which browser they use, because people running safer browsers pose a lower infection risk to others on the internet. Just as you hope that your neighbours and coworkers have enough sense to treat themselves quickly (and make themselves scarce!) when they have an infectious disease, you should hope that your fellow internet users do their best to keep themselves free of viruses, including by using a safe browser.
If you’re wondering just how much catching up Internet Explorer 7 has done, consider this: as of 20 February 2007, Secunia, a security consultancy, reports that Firefox is affected by 5 security vulnerabilities, 4 of which remain unpatched, whereas Internet Explorer is affected by 6 vulnerabilities, 4 of which remain unpatched. This is somewhat surprising for those who have become accustomed to reports of Microsoft’s pathetic security efforts, especially browser related ones.
So, which do I recommend?
The data above indicates that Firefox and Internet Explorer are now on equal footing with respect to currently known security flaws. They both have 4 unfixed vulnerabilities (although there may be some as yet unknown vulnerabilities in either browser). On this criterion, you would be equally safe using IE and Firefox.
In that case, why haven’t I added a link to the Internet Explorer 7 download page on my sidebar, right next to the Firefox link? The answer is this: While I am wildly impressed at IE’s new security status, there is another consideration that prevents me from wholeheartedly endorsing it. This is the speed at which the Firefox and Internet Explorer browsers have historically been repaired when a new vulnerability was discovered. A story from TechWeb illustrates the point:
[Firefox’s] open-source browser had a decided advantage over Microsoft’s on a time-to-patch criterion. Firefox rivals such as IE, Safari, and Opera were patched considerably faster in the first half of 2006 than they were in the last half of 2005, but Mozilla’s beat them all. IE, for instance, had an average window of exposure, the time between an exploit appearing and a fix released, of 9 days, while Mozilla patched in 1 day. (Safari’s window was 5 days, Opera’s was 2.)
Even though Internet Explorer 7 is vastly more secure than Internet Explorer 6, there is no indication that Microsoft has become faster at fixing vulnerabilities than previously. Thus, a user running Internet Explorer may be vulnerable for more days during a given year than a similar Firefox user even if the total number of vulnerabilities for each browser is the same. On these grounds, I would still recommend Firefox over Internet Explorer, but the issue isn’t nearly so urgent as it once was.
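The argument above is about exposure time rather than vulnerability count: the same number of flaws leaves a user exposed for more days when each one stays open longer. The following Python script is an added illustration and is not part of the original post. It takes a list of (disclosure date, patch date) windows, merges overlapping windows so that a day is never counted twice, and reports how many days in a year at least one known flaw was unpatched. The disclosure dates are constructed sample data; the 9-day and 1-day patch delays are the averages quoted from TechWeb above. Function names are my own.

```python
from datetime import date, timedelta

# Constructed sample data: four disclosure dates in 2006. Two of them fall
# within a few days of each other so that their exposure windows overlap.
SAMPLE_DISCLOSURES = [
    date(2006, 1, 10),
    date(2006, 3, 3),
    date(2006, 3, 8),
    date(2006, 8, 20),
]

YEAR_2006 = (date(2006, 1, 1), date(2007, 1, 1))  # half-open: [start, end)


def simulate(disclosures, patch_delay_days):
    """Build (disclosed, patched) windows assuming every flaw is patched
    patch_delay_days after disclosure. patched=None would mean still open."""
    delay = timedelta(days=patch_delay_days)
    return [(d, d + delay) for d in disclosures]


def exposure_days(windows, period_start, period_end):
    """Number of days in [period_start, period_end) on which at least one
    vulnerability was publicly known and unpatched.

    Each window is [disclosed, patched); a window with patched=None is
    treated as open until period_end. Overlapping windows are merged so that
    simultaneous flaws do not inflate the count."""
    intervals = []
    for disclosed, patched in windows:
        start = max(disclosed, period_start)
        end = min(patched or period_end, period_end)
        if start < end:
            intervals.append((start, end))
    intervals.sort()

    merged = []
    for start, end in intervals:
        if merged and start <= merged[-1][1]:
            # Overlaps or touches the previous interval: extend it.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return sum((end - start).days for start, end in merged)


def compare_browsers(disclosures, delays, period):
    """Exposure days per browser for the same disclosure timeline but
    different average patch delays."""
    return {
        name: exposure_days(simulate(disclosures, delay), *period)
        for name, delay in delays.items()
    }


if __name__ == "__main__":
    # Same four flaws, different time-to-patch (TechWeb averages quoted above).
    results = compare_browsers(SAMPLE_DISCLOSURES, {"IE": 9, "Firefox": 1}, YEAR_2006)
    for browser, days in results.items():
        print(f"{browser}: exposed on {days} days of 2006")
```

With these inputs the naive estimate of 4 flaws × 9 days = 36 days overcounts, because the March windows overlap; the merged total is 32 days, against 4 days for a one-day patch delay. The `patched=None` case matters for the Secunia-style "unpatched" counts in the post: an open flaw accrues exposure for the rest of the period.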
Bottom line: until evidence surfaces that shows one browser to be definitively more secure than the other, feel free to use whatever browser makes you happy.
Comment by Mike Chan — 20 February 2007 @ 8:02 pm
Wouldn’t you consider Automatic Update delivery of security updates an advantage, given that most people do not hit “Check for update” on Firefox every day? What about Protected Mode on Windows Vista? Yes, I do work for Microsoft, to be fair =)
Comment by Ian Saxon — 21 February 2007 @ 1:24 am
Hi Mike,
Thanks for your question. And, of course, I’m happy to hear from everyone, even MS employees!
As far as I know, Firefox automatically checks for updates (security updates, extension updates, version updates, etc.) whenever it is started. This feature is turned on by default, although it can be turned off if desired. So, no, I wouldn’t say that Windows Automatic Update gives an advantage over Firefox, but I could be missing something here.
As for Protected Mode in Windows Vista, I have to plead ignorance. I haven’t yet had a chance to use Vista extensively and don’t know enough to make an informed comment. Perhaps you can provide a few details for the benefit of this blog’s readers.
Ian
Comment by DamionKutaeff — 22 March 2008 @ 3:17 pm
Hello everybody, my name is Damion, and I’m glad to join your community, and wish to assist as far as possible.
Comment by Dan(lazy)Honnet — 25 March 2008 @ 7:01 am
Hello everybody, my name is Daniel, and I’m glad to join your community. Wish to assist as far as possible.