December 2, 2007 12:02 PM PST

Microsoft FUDwatch II: Internet Explorer vs. Firefox security

Microsoft is at it again. Or, rather, Jeff Jones is. Jones is Microsoft's security strategy director and is the one who periodically remixes history and data to declare that Windows is more secure than Linux. Now he's declaring [PDF] that Internet Explorer is much safer than Firefox.

However, as ZDNet's Ryan Naraine writes, Jones may be mis-analyzing the data:

...[T]here's one key thing missing from Jones's analysis - the auto-patching mechanism built into Firefox that gives Mozilla a clear advantage over Microsoft.

In effect, Firefox patches itself whenever Mozilla ships updates while immediate Internet Explorer updates depend entirely on the end-user using the Windows AU mechanism. Don't even get me started on the forgotten world of dial-up Windows users who never, ever apply patches.

That's one of the main reasons malware authors take aim at IE more than any other desktop application.

This is an aspect of security that one wouldn't necessarily want to rely on, and yet it has deep importance. The Honeynet Project analyzed inherent vulnerabilities in Firefox and IE and found that Firefox had more, but that IE still experiences more security breakdowns. In fact, when the Project surfed to 30,000 known exploit servers, IE crumpled while Firefox didn't have a single security breakdown. Why?

We can only speculate why Firefox wasn't targeted. We suspect that attacking Firefox is a more difficult task as it uses an automated and "immediate" update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.

In other words, if you're a malware creator, you want to go where you can have the most impact. It's far easier to go after a single point of failure (Microsoft) than to have to figure out a successful Firefox exploit.

Is Firefox more secure than IE on a technology level? I don't know. I do know that I prefer the transparency of the Mozilla Foundation to the secrecy of Microsoft (or any proprietary software company). That transparency makes a material difference in the security process standing behind the browser.

It's a convenient fiction that buying everything from one vendor makes life easier. It may make installation and integration between programs easier, but that ease leads to single points of failure. Hijacking a browser is nice, but using the browser to dig deep into the OS, to have that hijacking facilitated by a too-close tie between the browser and the OS? Even better.

We're better off with open security processes and real competition in the browser market. No code is perfect, whether written by Microsoft or Mozilla. Perfection comes in the response to a problem, once we've done all we can to avert it in the first place. This is why Mozilla's Firefox makes the most sense for me. It's also why I won't be looking for a Mozilla OS anytime soon. I don't need a one-stop shop.

10 comments
by AppleSuxLeo December 1, 2007 8:09 PM PST
This guy is a clown...IE7 is the standard now, not IE6 sp2...and when IE runs on Vista it is "sandboxed" which is even more secure. Never had a security issue here ;)
It must be FUD if it involves MSFT, right? WRONG! Apple's Leoptard is a shiny hunk of junk with a firewall that doesn't even work and it crashes often. FireFox has become a bloated memory hog with KNOWN memory leaks. MSFT has actually done something about security. With Apple and opensource it is just talk.
by poopster December 2, 2007 4:58 AM PST
This talk is such rubbish. Both IE7 and FF are pretty darn secure. FF3 will be even more secure. IE7 is a vast improvement over IE6.

Problem with IE, however, is it lacks in its support for standards (yes even IE7).
by peoriahoi December 2, 2007 8:31 AM PST
In terms Windows users will understand, this is like saying notepad is more secure than Word. It's probably true, but who cares? Notepad just isn't a reasonable replacement for Word. IE can render web pages and that's about it and they added tabbed browsing last. Firefox is pretty much an application platform with all the great plugins it has. I don't even think we can compare the two. @AppleSuxLeo: Leopard isn't a browser, Safari is and you can use it on Windows if you like. When you say "the standard" what do you mean? I have to use IE6 on my work laptop, still. Microsoft has had to do "something" about security. Have a good day.
by Richard Fdisk December 2, 2007 11:22 AM PST
I use Firefox and prefer it. I was a bit leery at first 'cause it came on the new laptop but no-one told me what it was, so I tried it once and have never looked back.
& I can't get IE7 because IE7 is for Vi$ta and was only "back-ported" to XP and not really coded for XP so it can't be installed on any of the machines here because it will destroy some of the programs since it's so integrated with the O$
ie. all Roxio ECDC versions except 9 and up will be destroyed by installing the IE7 & or WiMP11 "updates"
a host of other programs are "affected" by the IE7 update also, so until M$ quits making its "accessories" that attack other programs on the system I'll use other products.

cheers
?RfD?
by crabmeat December 2, 2007 1:31 PM PST
Microsoft, has become, the whipping boy, for many years. I used just about everything, they make. Software, is prone to break, under certain conditions. That means all software! It's just the way it is. If anybody, thinks for a minute, they could do it better, go get a job, with Microsoft, and help them out, or just, shut up!
by chustar December 2, 2007 2:50 PM PST
@ Richard Fdisk: Why did you put a dollar sign $ when writing Vista? I'm just wondering. I've seen it when people put it in Microsoft but I've always wondered why.
by Murrquan December 3, 2007 10:14 AM PST
chustar: Because Microsoft is everyone's whipping boy. >.< There is a lot of valid criticism of Microsoft, and its software. But many believe that it makes their point stronger if they call names and attack Microsoft, rather than point out the facts.

crabmeat: Why should we have to work for Microsoft? Do they have a right to our money, our code, and a place on our desktops? I like to think that I don't have to use their software, even if they try very hard to make me. Furthermore, their software is demonstrably less secure and more poorly-designed than its competition, especially their Internet Explorer web browser and Windows Vista operating system.

My brother keeps trying to tell me that Linux is just like Windows, and that the only reason there are hardly any viruses for it is because relatively few people use it. That's what they said about Mac, too, and that's what they continue to say even now that Apple is one of the biggest computer manufacturers in the United States. Likewise, Firefox has come out of nowhere to take a substantial market share, and yet it's still plagued by fewer security holes. This article is helpful in explaining why.

You may have to use Microsoft software because of your work requirements or to run certain apps, but you don't have to be resentful of those who do not. Someday you'll have that choice too, whether or not you decide it's the best one. But it'll be you who decides.
by chustar December 3, 2007 7:50 PM PST
@ Murrquan: I was actually asking what it means? Also, you said Apple is one of the biggest computer manufacturers in the United States, but what about elsewhere? What about the rest of the world? In most of Africa (maybe 90%, I don't have figures so I won't say for sure) most people have never heard of Macs and no one uses them, same goes for Linux. Does anyone have any idea why this is? Thanks
About The Open Road

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to the Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is general manager of the Americas division and vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
