At first I intended to ignore the new wave of IE bashing that surged after the Google hack of December 2009. But then I read Deb Shinder’s article about the topic. Even though her analysis is quite correct, I can’t help adding a few thoughts of my own.
As noted a few weeks ago, I have a serious problem with all kinds of mass hysteria. The age-old IE bashing campaigns definitely fall into this category. Shortly after it became public that Internet Explorer played a major role in the Google hack, countless self-styled security experts, exhorting journalists, and even clueless governments felt obliged to recommend switching to an alternative browser.
Firefox certainly earned its market share thanks to its plug-in ecosystem. However, I think a significant part of this market share is based on these irrational warnings in the IT tabloids. Every time a new serious IE vulnerability is found, new finger-wagging articles pop up warning people how insecure it is to use Internet Explorer and that the Open Source browser is by far the better choice.
As Deb Shinder correctly notes, Firefox and all other browsers are also prone to security holes. Now, I am asking you: did you ever read a warning not to use Firefox because of a serious vulnerability, even if only temporarily until a patch is available? I regularly read the feeds of all major news sites and a ton of IT blogs, but I have never seen such a warning.
Did you ever wonder why? Because it is a matter of fact that Firefox is a secure browser? Did you know that Firefox is the most vulnerable browser? It is quite probable that you don’t, because this news has mostly been neglected by the media. It is simply not popular to bash Firefox. IE bashing, on the other hand, has a tradition, and as a callow IT journalist you can’t do much wrong by publishing yet another IE warning.
This works exactly as it did in the Vista bashing campaigns. After a while, readers become used to such articles and start nodding automatically while reading. It is this “everyone agrees” attitude that makes most people vulnerable to false beliefs. Yes, we all know that our planet only recently became a sphere, because in the Middle Ages everyone agreed for over a thousand years that the earth is a disk.
So what are the facts? As a matter of fact, there are no solid facts that would justify any kind of assessment regarding the security of Internet Explorer or Firefox. Yes, there are quite a few statistics that count vulnerabilities and measure publishers’ response times. Some are in favor of alternative browsers and some are in favor of Microsoft. As with most statistics, the outcome depends mostly on the results the corresponding researcher wants to get.
This is all very interesting. However, when it comes to security, the number of vulnerabilities in a piece of software is absolutely unimportant. Most self-styled security experts make the mistake of confusing “vulnerable” with “insecure.”
A simple analogy will make this profound difference clear. Most people are vulnerable to the rabies virus. Rabies is a serious disease and can be fatal. But does this mean that people who are not vaccinated live an insecure life? Yes, if you live in a slum somewhere in Southeast Asia, then not being vaccinated indeed poses a certain security risk. But no New York journalist in his right mind would recommend a rabies inoculation to his fellow citizens, because the side effects are severe and the risk of getting infected in Manhattan is relatively low.
Why is it so different with Internet Explorer? Moving a whole corporate network to a new browser also has serious side effects, which doesn’t stop journalists and even governments from recommending this step. The point is that nobody really knows how dangerous it is to use a browser that has a certain vulnerability. The fact that a popular company such as Google was hacked because some of its employees were still using Internet Explorer 6 says really nothing about the risks for your own company. Obviously, those guys were not only using a hopelessly outdated browser version (and operating system), but they had also been surfing in highly infectious waters somewhere in Asia.
When it comes to browser security, the only facts that count are how many sites are infected by a certain exploit and how likely it is that your users will access those sites before you have deployed the corresponding update. There is no such data available for the Google hack vulnerability, but self-styled security experts know anyway that you should “inoculate” all your PCs with another browser regardless of the costs and side effects. This is highly irrational. E pur si muove.
“Did you know that Firefox is the most vulnerable browser?”
Are you sure?
Firefox 3.6.x – http://secunia.com/advisories/product/28698/
Firefox 3.5.x – http://secunia.com/advisories/product/25800/
IE 8.x – http://secunia.com/advisories/product/21625/
Regards
Yes, I am sure.
First of all, did you read this Secunia statement:
“PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another.”
It doesn’t make sense to compare IE 8.x with Firefox 3.5.x. I am not even sure if it makes sense to compare IE 8.x with Firefox 3.x.
Second, the fact that someone claims that there is a serious vulnerability doesn’t necessarily mean that there really is one. Did you notice the advertisement at the top? It is in Secunia’s interest that Microsoft products appear insecure, so that many people download Secunia CSI.
Third, it is interesting to note that even Secunia counted more vulnerabilities for Firefox 3.5.x than for IE 8.x. This proves that Firefox is more vulnerable. Obviously, it is easier to find vulnerabilities in Firefox than in IE. This is probably due to the fact that Firefox is Open Source.
Note that Secunia can only publish advisories for vulnerabilities that have been reported by someone. Real hackers don’t report vulnerabilities, they exploit them. Therefore, nobody knows how many unpatched vulnerabilities Firefox or IE really have. We can only guess that Firefox has more. However, as outlined in the article this doesn’t say much about security.
Furthermore, one also has to take into account that IE runs in protected mode on Vista and Windows 7, which makes many vulnerabilities harmless.
Can you link to a place that measures response times? I was given to understand that one of the benefits of Open Source was a supposedly fast response to problems as compared with the behemoth corporation that is Microsoft. But since I have only rumor and hearsay on this subject, I’d love to have a better grounding in fact.
A quick Google search has yielded the standard cacophony of differing opinions but I haven’t found much in the way of objective facts. Can you help?
I haven’t seen new statistics lately. However, I think it is a myth that Open Source apps are patched faster. Response times depend only on the commitment of the publisher. I think Microsoft’s response times appear longer because their security experts often come to a different conclusion than organizations such as Secunia, who want Windows to appear as insecure as possible. This is probably not very smart of Microsoft. Not because of security, but because of marketing. The Mozilla guys used this marketing weakness intelligently in the past.
Please, tell me Michael, why is the Secunia report worse than Cenzic’s? The Cenzic report is not clear in many places. For example, which version of IE does it cover? As I read in other comments, Firefox was tested with many plugins. And IE?
And tell me Michael, if Firefox is such a vulnerable browser, why is Cenzic using Firefox for their projects?
I’m not a browser/opensource/microsoft/whatever fanboy. I’m an IT guy with 20 years of experience and I know that life is not black and white – it’s gray.
Peace
I didn’t say that the Secunia report is worse. My point is that this counting of vulnerabilities is rather pointless. I don’t know why others are using Firefox, but I use it because of the available plugins. Whenever I need a bulletproof browser, I use Opera or Chrome but certainly not Firefox.
I also disagree with your opinion about the world’s color. It is not black, not white, and not gray; it is gay.
I’ve just found an interesting discussion here:
http://tech.slashdot.org/story/09/11/11/1626224/Firefox-Most-Vulnerable-Browser-Safari-Close?art_pos=24
Regards and keep your mind open
@goozoo
I don’t get it. What’s your point, linking him/us to discussions amongst other computer users and not researchers? We already know that people have opinions on what they like and don’t like. And from what I can tell, you’re not too happy to hear anything negative about Firefox.
@Lenix
Do you really believe Cenzic report was prepared by “Researchers”? I don’t think so:
Project Lead & Executive Editor: Mandeep Khera, Chief Marketing Officer, Cenzic, Inc.
Marketing? Are you kidding me?
“And from what I can tell, you’re not too happy to hear anything negative about Firefox.”
No, I’m using IE/Firefox/Opera/Safari/Chrome and I’m not emotionally connected with any software.
“We already know that people have opinions on what they like and don’t like”
There are many facts, too. Not only opinions. Read it carefully.
IMO Cenzic report is just another FUD, nothing more.
Regards
There is a critical unpatched Firefox vulnerability which is already weeks old: http://secunia.com/advisories/38608/
Better use IE until a patch is available