eWeek's John Rapoza takes on last week's Symantec announcement regarding IE vs. Firefox security.
The bottom line: it is hard to tell for sure which one is better security-wise, because the answer depends a lot on what exactly you measure. I would really like to see someone come up with a precise metric for web browser security. Whatever it turns out to be, it should consider:
– Weighted number of discovered vulnerabilities. A critical flaw shouldn't count the same as a low one.
– Number of open vulnerabilities at present time.
– Attack surface.
– Time from discovery to workaround, if one is available.
– Time from discovery to patch.
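To make the list above concrete, here is an added example (not part of the original post) that computes each of the measurable factors over a constructed advisory list for two hypothetical browsers. The severity weights, the browser names and every vulnerability record are assumptions invented for the example; attack surface is deliberately left out of the scorecard because it cannot be read off an advisory list.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Hypothetical weights; the post only says a critical flaw should outweigh a low one.
SEVERITY_WEIGHT = {"critical": 8, "high": 4, "medium": 2, "low": 1}


@dataclass
class Vuln:
    vid: str                          # constructed identifier, not a real advisory
    severity: str                     # one of SEVERITY_WEIGHT's keys
    discovered: date                  # public disclosure date
    workaround: Optional[date] = None  # date a mitigation was published, if any
    patched: Optional[date] = None     # date a fix shipped; None while still open


def is_patched(v: Vuln, today: date) -> bool:
    return v.patched is not None and v.patched <= today


def weighted_count(vulns, today=None):
    """Severity-weighted vulnerability count.

    With `today` given, only vulnerabilities still open on that date are counted."""
    return sum(SEVERITY_WEIGHT[v.severity] for v in vulns
               if today is None or not is_patched(v, today))


def open_count(vulns, today):
    """Number of vulnerabilities without a shipped fix as of `today`."""
    return sum(1 for v in vulns if not is_patched(v, today))


def mean_days_to(vulns, field, today):
    """Mean days from discovery to `field` ('workaround' or 'patched'), counting only
    events that have already happened by `today`.

    Returns None instead of 0 when no event exists, so a browser that never
    shipped a workaround is not mistaken for one that shipped it instantly."""
    spans = [(getattr(v, field) - v.discovered).days for v in vulns
             if getattr(v, field) is not None and getattr(v, field) <= today]
    return mean(spans) if spans else None


def scorecard(vulns, today):
    """The post's measurable factors for one browser's advisory history."""
    return {
        "raw_count": len(vulns),
        "weighted_count": weighted_count(vulns),
        "open_count": open_count(vulns, today),
        "open_weighted": weighted_count(vulns, today),
        "mean_days_to_workaround": mean_days_to(vulns, "workaround", today),
        "mean_days_to_patch": mean_days_to(vulns, "patched", today),
        # Attack surface needs a feature/code inventory, not an advisory list.
    }


# Constructed sample histories for two hypothetical browsers.
BROWSER_A = [
    Vuln("A-1", "critical", date(2006, 1, 10),
         workaround=date(2006, 1, 12), patched=date(2006, 1, 20)),
    Vuln("A-2", "low", date(2006, 2, 1), patched=date(2006, 2, 15)),
    Vuln("A-3", "high", date(2006, 3, 1)),            # still open
]
BROWSER_B = [
    Vuln("B-1", "medium", date(2006, 1, 5), patched=date(2006, 1, 8)),
    Vuln("B-2", "medium", date(2006, 2, 20),
         workaround=date(2006, 2, 21), patched=date(2006, 3, 2)),
    Vuln("B-3", "low", date(2006, 3, 10), patched=date(2006, 3, 12)),
    Vuln("B-4", "low", date(2006, 3, 15)),            # still open
]
TODAY = date(2006, 3, 31)

if __name__ == "__main__":
    for name, history in (("Browser A", BROWSER_A), ("Browser B", BROWSER_B)):
        print(name, scorecard(history, TODAY))
```

Browser B has more advisories than Browser A (4 vs. 3) yet a lower weighted count (6 vs. 13) and faster patching, which is exactly why a raw vulnerability count on its own says little.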
All these factors are only approximations of the real question, the true browser security metric: how many security vulnerabilities remain undiscovered, and how critical they are. Obviously, the more vulnerabilities are discovered, the fewer remain undiscovered. But what if the flaws found so far are just the tip of the iceberg?
No one can tell for sure. But I guess the chances of finding bugs in an open box, where anyone technically capable can take a look, are better than in a closed one with a few (dozens?) of watchers. Unfortunately, it is hard to quantify how many more looks an open source code repository gets than a closed one, or the quality and frequency of those looks.
Personally, I am sticking with Mozilla's security track record, my own experience, and the odds that open source gives.