Browser Insecurity Wars Still Rage

By Larry Seltzer  |  Posted 2007-12-03 Print this article Print

Opinion: Maybe one of the major browsers is more secure than the other, but the real problem is people running old versions.

I can sympathize with Microsoft's Jeff Jones. We both like to throw gasoline on a fire now and then. It's fun to see the flames that ensue. The flames last week came from Mozilla, responding to Jones' Browser Vulnerability Analysis report. Jones, a "Security Guy" at Microsoft, has made a hobby of monitoring and reporting on vulnerability disclosures and patches in various products of Microsoft and their competitors.

Observers often gripe about his reports, but I haven't seen anyone dispute their factual accuracy. These reports usually clobber conventional wisdom (in some circles, at least) by showing that Linux, Mac OS X, Firefox and other Microsoft competitors compare unfavorably to Microsoft when it comes to the number of published vulnerabilities, their severity and how quickly they are fixed.

An extremely critical Apple QuickTime flaw can enable malware attacks on Windows and Mac OS X systems. Click here to read more.

This latest Jones report focuses on vulnerabilities in Internet Explorer and Firefox since the release of Firefox, about three years ago. The main chart in the report shows that Firefox had far more vulnerabilities than IE in all versions and at all severity levels. It's also a good time to look since it's about one year since IE7 was released.

To me, the most amazing thing about the chart is that it includes all versions, and Microsoft's lifecycle policies result in old versions hanging around unsupported for years past their prime. For example, IE 5.01 is still supported on Windows 2000. Mozilla, by contrast, retires product support, including security updates, six months after the release of the next one. If Microsoft had Mozilla's support policies only IE7 would be supported now, and updates would be few and far between.

Mike Shaver, chief evangelist for Mozilla, takes umbrage at Jones' analysis. Jones points out that the number of vulnerabilities does not directly correlate with the overall security of the browser. Shaver calls the report lazy at best, malicious at worst. It seems to me that he doth protest too much.

"The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week," according to Shaver. This just goes to prove the self-selected expert nature of the Firefox user base, but it's also partly a function of their shorter support period. Both browsers have automatic update features, at least for critical updates.

Microsoft does have a harder time getting people to upgrade browsers, although they just announced that in the United States and United Kingdom, IE7 is the most popular IE version, and that they expect it to pass IE6 worldwide very soon. It's not clear how many of those IE6 users are applying updates, especially critical updates, as soon as they come out, but they have the opportunity to apply them quickly and automatically, just as with Firefox.

Both Shaver and Jones have good points and both are right to some degree. Clearly Microsoft Internet Explorer and other, newer Microsoft products are far more secure than the older ones, and in terms of published vulnerabilities compare favorably to Firefox. Microsoft is not the security research whipping boy it used to be, and by the time they ship a product, the low-hanging fruit seems to be gone.

But Shaver has a point about unpublished fixes, not that he has any proof of them. Microsoft doesn't publish enough detail about anything for us to know whether they are fixing large numbers of vulnerabilities that they don't disclose to the public. I have to think the numbers of these have to be small or more of them would have been reverse-engineered and made public, but it's certainly possible.

Shaver's better point is that vulnerability totals don't prove anything about what the safer browser is as a practical matter. Just look at the Mac: There have been myriad serious vulnerabilities in the platform for years, yet attackers haven't bothered with it. It's like being able to leave your door unlocked because there are no burglars in the neighborhood. Is your unlocked house safer because nobody is breaking in? It's a philosophical question, but it has real practical import. And as Sunbelt Software has been demonstrating, the cutting edge of malware is on the Mac.

Windows users are doomed at this point to live in a high-crime neighborhood, so all Microsoft can do is a better job. They have been doing that. In security terms, the practical difference between current versions of IE7 and Firefox are probably not big, It's the people running the old stuff, and people running malware unrelated to any vulnerabilities, that are getting attacked. This is why I'm optimistic about the longer term.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel