In its latest Internet Security Threat Report, released Monday, security vendor Symantec Corp. noted that in the first six months of 2005, the open-source Firefox Web browser had more confirmed vulnerabilities than Microsoft Corp.’s Internet Explorer browser. So does that mean that the Mozilla-based browser is less secure than proponents have said and that Internet Explorer is more secure than believed?
Not exactly, according to security experts.
Symantec reported that during the first half of 2005, 25 vendor-confirmed vulnerabilities were disclosed for Mozilla browsers, including 18 that were classified as highly severe. During the same six-month period, 13 vendor-confirmed vulnerabilities were disclosed for Internet Explorer, eight of which were considered highly severe.
But that’s not the whole story, said Vincent Weafer, senior director of Symantec’s Security Response Team. Even though more confirmed vulnerabilities were reported for Mozilla browsers, he said, the widespread use of Internet Explorer means that whatever vulnerabilities affect it have the potential to affect a much larger user base.
“No technology by itself is safer,” Weafer said. “It really is about securing it all to the max. None of them are immune to attack.”
Internet Explorer has been a target of hackers for many years as the most widely used Web browser worldwide, he said, meaning it has been attacked so many times that the easiest-to-target flaws have already been uncovered. That makes it harder for hackers to find and take advantage of vulnerabilities.
With the recent popularity of Firefox, hackers are beginning to go after it in larger numbers in an effort to uncover — and exploit — any vulnerabilities, he said.
Mike Schroepfer, director of engineering for the Mozilla open-source project, which develops the Firefox browser, questioned the Symantec numbers.
“Vendors tend to report vulnerabilities differently,” Schroepfer said. Microsoft tends to group several confirmed vulnerabilities together in one announcement and patch, whereas Mozilla announces each confirmed vulnerability individually. That skews the number of confirmed vulnerabilities.
Other security monitoring companies, such as Secunia in Copenhagen, Denmark, show different results, he said. Recent Secunia vulnerability reports show 19 unpatched Internet Explorer 6 vulnerabilities, compared to three unpatched Firefox 1.0 vulnerabilities, he said.
“In general, we still believe Firefox is the safest browser around,” he said. In addition, the open-source development model used for Mozilla allows vulnerabilities to be found and fixed much faster, making it easier to patch. “It speeds the time when we discover and patch these vulnerabilities, which I think is more important.”
Analyst Pete Lindstrom, of Spire Security in Malvern, Pa., said the arguments over the number of vulnerabilities in the competing products is overrated.
“The whole game we play about counting vulnerabilities is kind of silly to begin with,” Lindstrom said. “The entire security industry ought to be slapped on the wrist for saying Firefox was more secure than IE about a year ago” because Firefox wasn’t out long enough to prove its stealth and hackers hadn’t yet had enough time to attack it.
“Firefox and every application that receives some sets of information can also be attacked” successfully by hackers, Lindstrom said. Users need to take the approach that every single application must be properly configured for defense. “If someone wants to, they can protect their applications,” he said, though it costs money and takes time to do it properly.
Symantec’s semiannual Internet Security Threat Report covers Internet threat data from Jan. 1 to June 30, 2005, according to the Cupertino, Calif.-based security and maintenance software vendor. The report provides analysis of network-based attacks, a review of known vulnerabilities and highlights of malicious code and additional security risks.