IE More Secure Than Firefox?

eWeek's John Rapoza takes on last week's Symantec announcement regarding IE vs. Firefox security.

The bottom line: it's hard to tell for sure which one is better security-wise, as it depends a lot on what exactly you measure. I would really like to see someone come out with a precise metric for web browser security. But whatever comes out, it should consider:

– Weighted number of discovered vulnerabilities. A critical flaw shouldn't count the same as a low one.

– Number of open vulnerabilities at present time.

– Attack surface.

– Time from discovery to a workaround, if one is available.

– Time from discovery to patch.
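To make these factors concrete, here is an added example (not from the original post) that computes them from a browser's advisory history. The severity weights and the sample advisories are constructed assumptions, not real browser data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed severity weights (an assumption, not from the post); higher = worse.
SEVERITY_WEIGHT = {"low": 1, "moderate": 3, "high": 7, "critical": 10}

@dataclass
class Vuln:
    severity: str
    discovered: date
    workaround: Optional[date] = None  # date a mitigation was published, if any
    patched: Optional[date] = None     # date a fix shipped, if any

def scorecard(vulns, today):
    """Weighted total, open flaws today, and time-to-workaround / time-to-patch."""
    weighted_total = sum(SEVERITY_WEIGHT[v.severity] for v in vulns)
    # A flaw is open if no fix shipped, or the fix is dated after 'today'.
    open_now = [v for v in vulns if v.patched is None or v.patched > today]
    open_weighted = sum(SEVERITY_WEIGHT[v.severity] for v in open_now)
    workaround_days = [(v.workaround - v.discovered).days for v in vulns if v.workaround]
    patch_days = [(v.patched - v.discovered).days
                  for v in vulns if v.patched and v.patched <= today]
    return {
        "weighted_total": weighted_total,
        "open_count": len(open_now),
        "open_weighted": open_weighted,
        "mean_days_to_workaround": mean(workaround_days) if workaround_days else None,
        "mean_days_to_patch": mean(patch_days) if patch_days else None,
    }

# Constructed sample advisories for one browser (not real data).
SAMPLE = [
    Vuln("critical", date(2005, 9, 1), workaround=date(2005, 9, 2), patched=date(2005, 9, 10)),
    Vuln("low", date(2005, 9, 5), patched=date(2005, 9, 20)),
    Vuln("high", date(2005, 9, 15), workaround=date(2005, 9, 16)),  # still unpatched
    Vuln("moderate", date(2005, 9, 18)),                             # no fix, no workaround
]

def sample_scorecard():
    """Score the constructed sample as of 25 Sep 2005."""
    return scorecard(SAMPLE, date(2005, 9, 25))

if __name__ == "__main__":
    for name, value in sample_scorecard().items():
        print(f"{name}: {value}")
```

Running the same function over two browsers' advisory lists gives comparable numbers, but note that "open_count" still depends on what was disclosed, not on what remains undiscovered.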

And all these factors are just approximations of the real question, the true web browser security metric: how many security vulnerabilities remain undiscovered and how critical they are. Obviously, the more security vulnerabilities are discovered, the fewer undiscovered ones are left. But what if the number of known flaws is just the tip of the iceberg?

No one can tell for sure. But I guess the chances of finding bugs in an open box, where anyone technically capable can take a look, are better than in a closed one with a few (dozens?) of watchers. Unfortunately, it's hard to quantify how many more looks an open source code repository gets than a closed one, or the quality and frequency of those looks.

Personally, I am sticking to Mozilla's track record on security, my own experience, and the better chances that open source offers.

2 thoughts on “IE More Secure Than Firefox?”

  1. Andrew, in the article I don’t try to establish which browser is more secure but instead mention just a few factors that should be considered and it’s more about questions rather than answers.

    You point to the number of security vulnerabilities patched during this year, and the numbers are fine and OK. The problem is how you can conclude which one is more secure based on this fact alone.

    Say Firefox has had and accrued 60 vulnerabilities since it shipped 1.0. Today it would be perfectly secure according to those numbers. If IE had the same number of vulnerabilities, it would still have 30 flaws.

    What if Firefox really had 100 flaws? Then there are 40 around, and yes, IE is more secure even when patching less.

    The problem is, without knowing the total number of flaws a piece of software has, you can't know how many flaws are left.

    Also, you aren't factoring in how critical each flaw is. It's one thing to have a crash (denial of service) and another to allow remote execution, which could in fact make a zombie of your computer.

    Then what about attack surface? What exactly can an attacker do once your browser is possessed? Can they take full control of your computer or just browser functionality?

    I am no security expert and just try to make the best decision based on as much information as I can get and understand. I guess we all try to do that. I would really like to hear about better ways to measure browser security.
