Computerworld - In its latest Internet Security Threat Report, released yesterday, security vendor Symantec Corp. noted that in the first six months of 2005, the open-source Firefox Web browser had more confirmed vulnerabilities than Microsoft Corp.'s Internet Explorer browser.
So does that mean that the Mozilla-based browser is less secure than proponents have said and that Internet Explorer is more secure than believed?
Not exactly, according to security experts.
Symantec reported that during the first half of 2005, 25 vendor-confirmed vulnerabilities were disclosed for Mozilla browsers, including 18 that were classified as highly severe. During the same six-month period, 13 vendor-confirmed vulnerabilities were disclosed for Internet Explorer, eight of which were considered highly severe.
But that's not the whole story, said Vincent Weafer, senior director of Symantec's Security Response Team. Even though more confirmed vulnerabilities were reported for Mozilla browsers, he said, the widespread use of Internet Explorer means that whatever vulnerabilities affect it have the potential to affect a much larger user base.
"No technology by itself is safer," Weafer said. "It really is about securing it all to the max. None of them are immune to attack."
As the most widely used Web browser worldwide, Internet Explorer has been a target of hackers for many years, he said, noting that it has been attacked so many times that the easiest-to-target flaws have already been uncovered. That makes it harder for hackers to find and take advantage of vulnerabilities.
With the recent popularity of Firefox, hackers are beginning to go after it in larger numbers in an effort to uncover -- and exploit -- any vulnerabilities, he said.
Mike Schroepfer, director of engineering for the Mozilla open-source project, which develops the Firefox browser, questioned the Symantec numbers.
"Vendors tend to report vulnerabilities differently," Schroepfer said. Microsoft tends to group several confirmed vulnerabilities together in one announcement and patch, whereas Mozilla announces each confirmed vulnerability individually. That skews the number of confirmed vulnerabilities.
Other security monitoring companies, such as Secunia in Copenhagen, show different results, he said. Recent Secunia vulnerability reports show 19 unpatched Internet Explorer 6 vulnerabilities, compared to three unpatched Firefox 1.0 vulnerabilities, he said.
"In general, we still believe Firefox is the safest browser around," he said. In addition, the open-source development model used for Mozilla allows vulnerabilities to be found and fixed much faster, making it easier to patch. "It speeds the time when we discover and patch these vulnerabilities, which I think is more important."
A Microsoft spokesman echoed Weafer's comments that no software is completely immune
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
