September 17, 2005
Soon-To-Be Myth? FireFox is Less Vulnerable than Internet Explorer (IE)
My experience has been that Techies never miss a beat whenever someone has a problem with any Redmond product — always a good occasion to rub in how much better [Open Source | Linux | FireFox | Mozilla | Thunderbird | MacOS | or whatever] is than anything with a Microsoft imprimatur.
I must admit that I did shift over from IE to Firefox as my default browser quite a while ago — partly for stability & reliability reasons — but mostly for interface workflow reasons. I find the feature set for Firefox is just more efficient for me (tabbed windows alone make Firefox a better choice — for now at least). Still, I do need IE from time to time for certain sites or for client specific features I occasionally use. But vulnerabilities have NOT been one of my reasons to switch (although I heard this reason A LOT from my techies).
Well, I suppose it was inevitable that the more resourceful digital troublemakers out there would begin to shift their focus to a platform that has growing and, finally, some significant market share.
Of course, in the mind of a “troublemaker” —
Increasing Marketshare = Increasing Disruption Potential = Increasing Target Attractiveness
Here is a breakdown of recent vulnerabilities:
| Month | Firefox 1.x Vulnerabilities | IE 6.x Vulnerabilities |
|---|---|---|
| Sept 2005 | 1 | 0 |
| Aug 2005 | 0 | 4 |
| July 2005 | 10 | 1 |
| June 2005 | 2 | 1 |
| May 2005 | 3 | 1 |
| Apr 2005 | 9 | 3 |
| Mar 2005 | 15 | 0 |
| Total | 40 | 10 |
Note that this is not a count of the number of advisories because advisories can contain multiple vulnerabilities. This is a count of the actual number of vulnerabilities.
Here is a breakdown of recent published exploits:
| Month | Firefox Exploits | IE Exploits |
|---|---|---|
| Sept 2005 | 1 | 0 |
| Aug 2005 | 0 | 3 |
| July 2005 | 4 | 1 |
| June 2005 | 0 | 0 |
| May 2005 | 4 | 0 |
| April 2005 | 2 | 2 |
| Total | 11 | 6 |
As you can see, the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005. Since that time, new exploits are being released almost on a monthly basis.
For the moment though, as I have already indicated, not forever, Firefox still enjoys a big lead in a far lower level of exploits.
Also you err … in comparing high vulnerabilities of a new product (Firefox) with the low levels in a mature product (Explorer).
As any good manufacturing engineer will tell you, every new product goes through what is called the Bathtub Curve (named after the shape of the curve, reminiscent of a section through a bath). Initial fault rates (bugs, in software terms) are always high, but rapidly drop off over time; then (the model assumes that no major revisions are made to the product) there is a period during which the product is highly productive, partly due to the fact that the curve is low and flat - the product is stable. Then, towards the end of its life, a product's bits and pieces simply start to wear out and we see the other 'side' of the bathtub shape emerge in our error vs. time graph. This side of the curve, of course, doesn't usually arise in software.
The difference is that all of the Firefox exploits were patched within weeks, and even days in most cases, of when they were discovered.
Microsoft was warned about an exploit that was taken advantage of by the lovebug virus, that went on to cause 32 million dollars in damages, 6 months before the virus saw its debut.
Posted by: Wesley Walser at November 9, 2005 11:22 PM