Jeff Jones, security strategy director of Microsoft's Trustworthy Computing Group, released a study last week comparing the flaws in Microsoft's Internet Explorer to Mozilla's Firefox browser; unsurprisingly, he concluded that Microsoft is doing a better job than Mozilla.
ChallengingFirefox browser would experience fewer vulnerabilities than IE, Jones conceded that both companies' browsers have experienced significant flaws.
Jones said Mozilla has fixed more flaws in its browser than Microsoft during equivalent periods, which he said renders Firefox more vulnerable than IE.
"Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products--75 high severity; 100 medium severity; and 24 low severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer--54 high severity, 28 medium severity; and five low severity," Jones said.
Comparing Microsoft's 2004 release, IE 6 (Service Pack 2), with Firefox 1.0, Jones said Microsoft fixed 79 flaws while Mozilla fixed 88.
He also compared IE 7 with Firefox 2.0 over a 12-month period, during which he said Mozilla fixed 56 flaws while Microsoft fixed only 17 in IE 7.
"While the data trends show that both Internet Explorer and Firefox security quality is improved in the latest version, it also demonstrates that, contrary to popular belief, Internet Explorer has experienced fewer vulnerabilities than Firefox," said Jones.
However, Jonathan Oxer, technical director and founder of Web application development company Internet Vision Technology and president of Linux Australia, said the study is flawed because Microsoft tends to bundle its fixes, which leads to a lower count over the period being compared.
"For example, when fixing a vulnerability there might be several issues being resolved in one go. So it decreases the bug count," he said.
Oxer explained that the way in which levels of security are reported is frequently different. "In the case of Firefox there may be issues that (Mozilla) has reported for which there is no known exploit--a theoretical exploit--so it's not necessarily accurate to directly compare fixed exploits without an understating of how the numbering or definition of an exploit is determined," he said.
Oxer believes that a more valid way to score software in terms of security is to give each exploit a value depending on the number of days from discovery of a bug to the release of a fix, multiplied by a severity factor.
"Two products that have a similar number of exploits fixed over a certain period may actually be very different in terms of the number of days of exposure to which users are subjected," Oxer said.
The Microsoft data also raises the issue of support for legacy versions of the software. While Mozilla ends support for each version six months after a new release of Firefox, Microsoft maintains support for up to a decade after the version ends, in line with its cycle for operating systems.
"If Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001. In contrast, Microsoft generally releases a browser in conjunction with a new operating system release and commits to supporting that version for the lifecycle of the product--now 10 years for business products," Jones said.
Support issues also affect third-party distributors, Jones said. Despite Mozilla ending support for Firefox 1.5 in May 2007, Ubuntu 6.06 LTS--which integrates that version of Firefox--has committed to providing security support until 2009. Likewise, Novell Suse Linux offers support for Firefox 1.5 until 2013. While Ubuntu and Red Hat released patches for Firefox version 1.5, Jones said: "The vulnerabilities patched by each vendor only overlap partially."
"Lifecycle considerations are likely (to be) more important to corporate enterprises, as they sometimes have custom Web applications and are hesitant to upgrade between major releases very often, and even then may have a relatively long transition plan," Jones said.
However, Linux Australia's Oxer said this manner of delivering support is a benefit of the open-source model, because it allows customers greater flexibility throughout a contract.
"One of the major differences between the proprietary and open-source models is when multiple vendors are providing support for a single code base...even though Mozilla may end its support, there are software vendors--such as (Linux) distribution providers--that are committed to providing support to enterprise customers," Oxer said.
"What it means is that end users get to choose the level of support they want. If you choose a company with long-term support for maintaining a stable operating environment for desktops, that's one option they can take. Or they may want a distributor with more frequent updates," he said.
The disadvantage of using a proprietary software company such as Microsoft, said Oxer, is that enterprise customers are shackled to the schedule of a single vendor, which may not fit the organization's timetable.
Liam Tung of ZDNet Australia reported from Sydney.