[GLLUG] Microsoft Compares IE and Firefox
Stanley C. Mortel
mortel at cyber-nos.com
Wed Dec 12 22:42:54 EST 2007
From "Security Update" 12/12/07:
Microsoft Compares IE and Firefox
People can't resist arguing about whether one browser is better than
another, and invariably the argument centers on Mozilla Firefox versus
Microsoft Internet Explorer (IE). Last week, I came across a study
conducted by Microsoft Strategy Director Jeff Jones that compares the two
browsers. The study would have been better if it had included Opera. I
guess omission is one good way to marginalize the competition.
My assumption was that because someone from Microsoft produced the report,
it would try to show that Microsoft's strategy for IE development and
support results in a better, safer product. The report didn't convince me
that IE is superior to the open-source Firefox.
Jones said that he examined vulnerabilities in Firefox and IE over the past
three years, broke them down by severity, looked at each browser version by
version, and examined each browser in terms of unfixed vulnerabilities.
Right away, Jones said that according to his findings, more security
problems have been found and fixed in Firefox than in IE. Jones' findings
point out that the Internet community is finding problems and Mozilla is
fixing those problems both openly and quickly. The findings cause me to
ponder a thought: If people can find 199 security problems in Firefox, then
imagine how many might be found if Microsoft opened the IE source. Well,
Microsoft isn't about to do that, and even without the source, people have
found at least 87 problems in IE, according to Jones.
Next, Jones takes aim at Mozilla's support life cycle for Firefox, which is
shorter than Microsoft's for IE. What Jones failed to mention is that IE
is--according to Microsoft--tightly integrated into the OS. So Microsoft
has no choice but to support its browser versions longer. Updates to the
loosely integrated Firefox are unlikely to break a dozen other applications
or the OS itself. Therefore, Mozilla can enjoy the luxury of short support
periods, which in turn streamline development and speed up browser innovation.
Jones wrote that Novell is shipping SUSE Linux Enterprise Desktop 10 with
support until 2013, Red Hat is shipping Enterprise Linux 5 with support
until 2014, and Ubuntu 6.06 was shipped with support until 2009. All three
OSs include Firefox 1.5. Mozilla ended support for Firefox 1.5 back in May,
but that was announced well in advance, so each vendor should have been
aware of the support timeline. Now they have to decide how to handle
ongoing support by either choosing to patch Firefox 1.5 on their own or
have users upgrade to Firefox 2.x.
Jones also argues that frequent upgrades are risky for businesses.
Microsoft releases a batch of security patches and other product patches
nearly every month, many of which have broken various aspects of Windows.
I've been using Firefox since it was released. The browser tells me when an
update is available via a nonintrusive pop-up box, and I click OK. The
entire upgrade process takes about 20 seconds over a broadband link. Never
once has a Firefox upgrade ever broken anything on my systems. I bet others
have similar success stories. As for businesses, administrators can upgrade
Firefox on any number of systems and most likely experience similar results.
Jones stated that part of his motive for creating the report was to refute
Mozilla's statement that those who use Firefox "won't harbor nearly as many
security flaws as those that have Microsoft's Internet Explorer." While
Jones did do that, the proof is relatively meaningless. At the end of his
report, Jones summarizes by saying that IE has experienced fewer
vulnerabilities over time than IE, which left me wondering, "So what?" If
Windows runs on 80-something percent of all desktops, then by default IE
also runs on 80-something percent of all desktops. It seems obvious that a
major vulnerability in IE will cause more widespread damage than a similar
vulnerability in Firefox or any other browser. So that needs to be kept in
mind when comparing the number of vulnerabilities in each browser.
Jones also failed to point out that Mozilla fixes vulnerabilities faster
than Microsoft. Of course, Microsoft is more limited in what it can do in
terms of patch releases because it carries a much larger responsibility due
to its huge Windows user base and because IE is tied to various other
aspects of the OS.
One thought that came to mind after reading the report is that maybe
Microsoft is bothered by the fact that Firefox is a very good browser, that
it's growing in popularity, that it's free, and that it's open source. Any
great open-source program makes open source look attractive to people. And
naturally that's problematic for Microsoft.
If you're interested in Microsoft's spin, then head over to Jones' blog at
the URL below where you'll find his report available in PDF format.
<http://ct.email.windowsitpro.com/rd/cts?d=33-747-803-202-8087-38052-0-0-0-1-2-207> blogs.technet.com/security/archive/2007/11/30/download-internet-explorer-and-firefox-vulnerability-analysis.aspx
****************************
Stan Mortel
mortel at cyber-nos.com
****************************