Another meaningless security report…

So Symantec is saying that IE is more secure than Mozilla-based browsers because there were 25 security vulnerabilities disclosed in the first half of 2005 for Mozilla, as opposed to 13 for IE.

Such reports are fine for Clueless Information Officers. Let’s analyze this like someone who actually knows what to do with that thing that sits between your ears.

First and foremost, Mozilla lacks tight integration into the operating system, making it fundamentally less dangerous. Internet Explorer is like a bank that leaves its vault open after hours because it locked the front door. Since Mozilla lacks those ties that go directly into the operating system, it’s like a bank that locks the front door and the vault. The more locks the crook has to crack, the better.

Also, past performance isn’t necessarily an indication of future gains. People who invest know this all too well. Remember, the first half of 2005 was when Mozilla was seeing explosive growth. It was still a young product and had a lot of things to shake out.

But the potential is certainly there. Let’s look at Apache vs. IIS. You see fewer Apache vulnerabilities than IIS, even though Apache’s source code is visible for everyone to see, and even though Apache has a much larger share of the market. Mozilla has this same potential.

In the meantime, Mozilla is still a minority browser. Since most hackers these days are motivated by profits, they’re going to do the same thing any other businessman does: Look for volume. Internet Explorer still has 12 times the exposure that Mozilla does. And Internet Explorer is often used in corporate environments, since many corporate intranets rely on IE-specific technology. That makes it an attractive target, since it’s easier to get through a browser than it is a corporate firewall. And once you do manage to get in, there’s a lot more good stuff inside a corporate LAN than there is inside a home LAN.

And by Symantec’s own admission, “at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred.”

That tells us the Mozilla developers are working faster than the would-be Mozilla hackers, and it also suggests that hackers are looking harder at Internet Explorer.

Also, Symantec is being selective about the flaws it’s looking at. The article states that it only counts confirmed flaws. IE has 19 unconfirmed flaws versus 3 unconfirmed flaws for Mozilla. So IE has 19 unconfirmed and unfixed flaws plus 13 confirmed flaws, for a total of 32. Mozilla has 25 confirmed flaws plus 3 unconfirmed and unfixed, for a total of 28.

I don’t know about anyone else, but I’m more concerned about those unconfirmed and unfixed ones. As long as I’m running the current version of either browser, I’m protected against those 25 big bad flaws (for Mozilla) or the 13 (for IE) from earlier in the year. I can’t do anything about those 19 unfixed Internet Explorer flaws.

Frankly, I think Symantec is just trying to get a headline on a slow news day, and maybe trying to kiss up a bit to Microsoft, with whom it’s always had a very close relationship since Symantec traditionally has been willing to write the pieces of software that Microsoft for whatever reason doesn’t want to touch.

I’m sticking with Mozilla Firefox. Not only is it the safer browser when you look at the things that actually matter, it’s also the better one.


One thought on “Another meaningless security report…”

  • September 21, 2005 at 12:27 am

    I think the primary point to keep in mind is confirmed vs. unconfirmed. Mozilla cannot fix a flaw without you knowing about it. The public development process simply doesn’t allow this – well, not without some really good subterfuge, which I can tell you, most developers just want to CODE, not hide stuff.

    How many unknown bugs or exploits have been fixed by Microsoft without accompanying news releases?

    As well, consider the age of the product. Internet Explorer 6.0 has been out since October 25, 2001. (SP1 released September 9, 2002. SP2 released August 25, 2004. Wiki)

    Firefox has been a stand-alone product since 2004. Firefox is supporting many of the newer W3C standards that Internet Explorer has no intention of supporting, including CSS2 and new facets of DHTML. Firefox is under active development and active deployment.

    If you want a true comparison, let’s do a feature addition/bug ratio comparison, shall we? I mean, if you have half a clue you dismiss Symantec’s report and you seriously question continuing use of their antivirus products because a company that states an opinion like that has blinders on when it comes to determining the real issues.
