Defending The Kingdom

The last months of 2006 saw the unveiling of new versions of both Internet Explorer and Firefox, the first and second most used web browsers respectively. Both browsers got security enhancements as well as pleasing feature additions, but, for our purposes, we will discuss only the security implications of the new releases. In the past, this blog has forcibly advocated Firefox over Internet Explorer for security reasons. Does this still stand?

The security story so far

Firefox is, as ever, quite secure. The surprise is that Internet Explorer is now in the same league. This is a good thing for everyone who uses the internet, no matter what browser you use. This is because those using safer browsers are lower infection risks to others on the internet. Just as you hope that your neighbours and coworkers have enough sense to treat themselves quickly (and make themselves scarce!) when they have an infectious disease, you should hope that your fellow internet users do their best to keep themselves free of viruses, including using a safe browser.

If you’re wondering just how much catching up Internet Explorer 7 has done, consider this: as of 20 February 2007, Secunia, a security consultancy, reports that Firefox is affected by 5 security vulnerabilities, 4 of which remain unpatched, whereas Internet Explorer is affected by 6 vulnerabilities, 4 of which remain unpatched. This is somewhat surprising for those who have become accustomed to reports of Microsoft’s pathetic security efforts, especially browser related ones.

So, which do I recommend?

The data above indicates that Firefox and Internet Explorer are now on equal footing with respect to current security flaws. They both have 4 unfixed vulnerabilities (although there may be some as yet unknown vulnerabilities for either browser). On this criteria, you would be equally safe using IE and Firefox.

In that case, why haven’t I added a link to the Internet Explorer 7 download page on my sidebar, right next to the Firefox link? The answer is this: While I am wildly impressed at IE’s new security status, there is another consideration that prevents me from wholeheartedly endorsing it. This is the speed at which the Firefox and Internet Explorer browsers have historically been repaired when a new vulnerability was discovered. A story from TechWeb illustrates the point:

[Firefox’s] open-source browser had a decided advantage over Microsoft’s on a time-to-patch criteria. Firefox rivals such as IE, Safari, and Opera were patched considerably faster in the first half of 2006 than they were in the last half of 2005, but Mozilla’s beat them all. IE, for instance, had an average window of exposure, the time between an exploit appearing and a fix released, of 9 days, while Mozilla patched in 1 day. (Safari’s window was 5 days, Opera’s was 2.)

Even though Internet Explorer 7 is vastly more secure than Internet Explorer 6, there is no indication that Microsoft has become faster at fixing vulnerabilities than previously. Thus, a user running Internet Explorer may be vulnerable for more days during a given year than a similar Firefox user even if the total number of vulnerabilities for each browser is the same. On these grounds, I would still recommend Firefox over Internet Explorer, but the issue isn’t nearly so urgent as it once was.

Bottom line: until evidence surfaces that shows one browser to be definitively more secure than the other, feel free to use whatever browser makes you happy.