[GLLUG] Microsoft Compares IE and Firefox

Stanley C. Mortel mortel at cyber-nos.com
Wed Dec 12 22:42:54 EST 2007


 From "Security Update" 12/12/07:

Microsoft Compares IE and Firefox

People can't resist arguing about whether one browser is better than 
another, and invariably the argument centers on Mozilla Firefox versus 
Microsoft Internet Explorer (IE). Last week, I came across a study 
conducted by Microsoft Strategy Director Jeff Jones that compares the two 
browsers. The study would have been better if it had included Opera. I 
guess omission is one good way to marginalize the competition.

My assumption was that because someone from Microsoft produced the report, 
it would try to show that Microsoft's strategy for IE development and 
support results in a better, safer product. The report didn't convince me 
that IE is superior to the open-source Firefox.

Jones said that he examined vulnerabilities in Firefox and IE over the past 
three years, broke them down by severity, looked at each browser version by 
version, and examined each browser in terms of unfixed vulnerabilities. 
Right away, Jones said that according to his findings, more security 
problems have been found and fixed in Firefox than in IE. Jones' findings 
point out that the Internet community is finding problems and Mozilla is 
fixing those problems both openly and quickly. The findings cause me to 
ponder a thought: If people can find 199 security problems in Firefox, then 
imagine how many might be found if Microsoft opened the IE source. Well, 
Microsoft isn't about to do that, and even without the source, people have 
found at least 87 problems in IE, according to Jones.

Next, Jones takes aim at Mozilla's support life cycle for Firefox, which is 
shorter than Microsoft's for IE. What Jones failed to mention is that IE 
is--according to Microsoft--tightly integrated into the OS. So Microsoft 
has no choice but to support its browser versions longer. Updates to the 
loosely integrated Firefox are unlikely to break a dozen other applications 
or the OS itself. Therefore, Mozilla can enjoy the luxury of short support 
periods, which in turn streamline development and speed up browser innovation.

Jones wrote that Novell is shipping SUSE Linux Enterprise Desktop 10 with 
support until 2013, Red Hat is shipping Enterprise Linux 5 with support 
until 2014, and Ubuntu 6.06 was shipped with support until 2009. All three 
OSs include Firefox 1.5. Mozilla ended support for Firefox 1.5 back in May, 
but that was announced well in advance, so each vendor should have been 
aware of the support timeline. Now they have to decide how to handle 
ongoing support by either choosing to patch Firefox 1.5 on their own or 
have users upgrade to Firefox 2.x.

Jones also argues that frequent upgrades are risky for businesses. 
Microsoft releases a batch of security patches and other product patches 
nearly every month, many of which have broken various aspects of Windows. 
I've been using Firefox since it was released. The browser tells me when an 
update is available via a nonintrusive pop-up box, and I click OK. The 
entire upgrade process takes about 20 seconds over a broadband link. Never 
once has a Firefox upgrade ever broken anything on my systems. I bet others 
have similar success stories. As for businesses, administrators can upgrade 
Firefox on any number of systems and most likely experience similar results.

Jones stated that part of his motive for creating the report was to refute 
Mozilla's statement that those who use Firefox "won't harbor nearly as many 
security flaws as those that have Microsoft's Internet Explorer." While 
Jones did do that, the proof is relatively meaningless. At the end of his 
report, Jones summarizes by saying that IE has experienced fewer 
vulnerabilities over time than IE, which left me wondering, "So what?" If 
Windows runs on 80-something percent of all desktops, then by default IE 
also runs on 80-something percent of all desktops. It seems obvious that a 
major vulnerability in IE will cause more widespread damage than a similar 
vulnerability in Firefox or any other browser. So that needs to be kept in 
mind when comparing the number of vulnerabilities in each browser.

Jones also failed to point out that Mozilla fixes vulnerabilities faster 
than Microsoft. Of course, Microsoft is more limited in what it can do in 
terms of patch releases because it carries a much larger responsibility due 
to its huge Windows user base and because IE is tied to various other 
aspects of the OS.

One thought that came to mind after reading the report is that maybe 
Microsoft is bothered by the fact that Firefox is a very good browser, that 
it's growing in popularity, that it's free, and that it's open source. Any 
great open-source program makes open source look attractive to people. And 
naturally that's problematic for Microsoft.

If you're interested in Microsoft's spin, then head over to Jones' blog at 
the URL below where you'll find his report available in PDF format.
<http://ct.email.windowsitpro.com/rd/cts?d=33-747-803-202-8087-38052-0-0-0-1-2-207> blogs.technet.com/security/archive/2007/11/30/download-internet-explorer-and-firefox-vulnerability-analysis.aspx



****************************
Stan Mortel
mortel at cyber-nos.com
****************************


