"Firefox has more security problems than IE!" screamed the headlines of several technology news stories recently.
If you're a casual news reader, you might see these headlines and think to yourself, "Hmm, that's funny—I thought Firefox was supposed to be more secure than Internet Explorer. It just goes to show you that no Web browser is really secure."
But if you're the type of person who actually reads more than just the headline of a story, you might have seen that the Symantec report on which these stories were based (Internet Security Threat Report Vol. 10) included a lot more information than just the number of vulnerabilities found per browser.
Indeed, the report, which noted trends seen from January to June 2006, included the illuminating fact that the Mozilla Foundation takes less time than Microsoft does to patch browser holes—just one day of exposure on average for Mozilla browsers, including Firefox, as opposed to nine days for Internet Explorer.
Look at it this way: Instead of focusing on the 47 reported vulnerabilities in Mozilla browsers versus the 38 reported vulnerabilities in IE, the headlines could just as easily have bellowed, "IE users exposed to vulnerabilities for 342 days vs. only 47 days for Mozilla users!"
Any reader of the stories about Symantec's report may have felt a touch of déjà vu. Indeed, if you felt like you had read pretty much the exact same story before, it's because you did: Symantec releases these reports periodically, and the report that came out last year at this time said basically the same thing as this year's report (and spurred similar news stories).
So, a year from now, when another report including data on browser security (or lack thereof) pops up, don't forget to look past the provocative "IE vs. Firefox" headlines. Make sure you dig deep into the report's findings to discern what the results really mean. If you don't, it will be déjà vu all over again.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.