The flames last week came from Mozilla, responding to Jones' Browser Vulnerability Analysis report. Jones, a "Security Guy" at Microsoft, has made a hobby of monitoring and reporting on vulnerability disclosures and patches in various products of Microsoft and their competitors.
Observers often gripe about his reports, but I haven't seen anyone dispute their factual accuracy. These reports usually clobber conventional wisdom (in some circles, at least) by showing that Linux, Mac OS X, Firefox and other Microsoft competitors compare unfavorably to Microsoft when it comes to the number of published vulnerabilities, their severity and how quickly they are fixed.
This latest Jones report focuses on vulnerabilities in Internet Explorer and Firefox since the release of Firefox, about three years ago. The main chart in the report shows that Firefox had far more vulnerabilities than IE in all versions and at all severity levels. It's also a good time to look since it's about one year since IE7 was released.
To me, the most amazing thing about the chart is that it includes all versions, and Microsoft's lifecycle policies result in old versions hanging around unsupported for years past their prime. For example, IE 5.01 is still supported on Windows 2000. Mozilla, by contrast, retires product support, including security updates, six months after the release of the next one. If Microsoft had Mozilla's support policies only IE7 would be supported now, and updates would be few and far between.
Mike Shaver, chief evangelist for Mozilla, takes umbrage at Jones' analysis. Jones points out that the number of vulnerabilities does not directly correlate with the overall security of the browser. Shaver calls the report lazy at best, malicious at worst. It seems to me that he doth protest too much.
"The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week," according to Shaver. This just goes to prove the self-selected expert nature of the Firefox user base, but it's also partly a function of their shorter support period. Both browsers have automatic update features, at least for critical updates.
Microsoft does have a harder time getting people to upgrade browsers, although they just announced that in the United States and United Kingdom, IE7 is the most popular IE version, and that they expect it to pass IE6 worldwide very soon. It's not clear how many of those IE6 users are applying updates, especially critical updates, as soon as they come out, but they have the opportunity to apply them quickly and automatically, just as with Firefox.
Both Shaver and Jones have good points and both are right to some degree. Clearly Microsoft Internet Explorer and other, newer Microsoft products are far more secure than the older ones, and in terms of published vulnerabilities compare favorably to Firefox. Microsoft is not the security research whipping boy it used to be, and by the time they ship a product, the low-hanging fruit seems to be gone.
But Shaver has a point about unpublished fixes, not that he has any proof of them. Microsoft doesn't publish enough detail about anything for us to know whether they are fixing large numbers of vulnerabilities that they don't disclose to the public. I have to think the numbers of these have to be small or more of them would have been reverse-engineered and made public, but it's certainly possible.
Shaver's better point is that vulnerability totals don't prove anything about what the safer browser is as a practical matter. Just look at the Mac: There have been myriad serious vulnerabilities in the platform for years, yet attackers haven't bothered with it. It's like being able to leave your door unlocked because there are no burglars in the neighborhood. Is your unlocked house safer because nobody is breaking in? It's a philosophical question, but it has real practical import. And as Sunbelt Software has been demonstrating, the cutting edge of malware is on the Mac.
Windows users are doomed at this point to live in a high-crime neighborhood, so all Microsoft can do is a better job. They have been doing that. In security terms, the practical difference between current versions of IE7 and Firefox are probably not big, It's the people running the old stuff, and people running malware unrelated to any vulnerabilities, that are getting attacked. This is why I'm optimistic about the longer term.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer