The popular Firefox browser received a security upgrade, known as version 1.0.4, when the Mozilla Foundation released the new code on May 11. This upgrade closes a security hole that could allow a malicious Web site to install software without a visitor's knowledge or approval.
This is the fourth minor update to Firefox since the open-source browser’s 1.0 release on Nov. 9, 2004. That doesn’t seem like very many patches to me, compared with Firefox’s dominant competition, Microsoft’s Internet Explorer (IE), which is included in every copy of Windows. But I’ve heard a surprising amount of comment that Firefox might no longer be as secure as IE.
At Microsoft’s Windows Hardware Engineering Conference (WinHEC), held in Seattle April 25-27, for example, an IE product manager made this case explicitly. Firefox had had (at that time) “three major releases,” she said, while Internet Explorer 6.0 had had none. This statement was presented as though a lack of upgrades to IE was a benefit.
In fact, Microsoft has released at least 20 major security patches for Windows or Internet Explorer since November 2004. Most of these patches were rated “Critical,” Microsoft’s most severe security alert level.
The evidence I’ve seen so far indicates that Firefox remains much more secure than IE. But it’s worth our time to take a closer look.
IE users were exposed for 200 days in 2004
Some remarkable statistics comparing the major Web browsers have been developed by Scanit NV, an international security firm with headquarters in Brussels, Belgium, and Dubai, United Arab Emirates.
The company painstakingly researched the dates when vulnerabilities were first discovered in various browsers, and the dates when the holes were subsequently patched.
The firm found that IE was wide open for a total of 200 days in 2004, or 54% of the year, to exploits that were “in the wild” on the Internet.
The Firefox browser and its older sibling Mozilla had no periods in 2004 when a security flaw went unpatched before exploits started circulating on the Net. With the latest 1.0.4 upgrade, Firefox has retained its “patch-before-hackers-can-strike” record so far in 2005, as well.
These statistics are so important to understanding the “attack surface” of the major browsers that we should break down this study into its individual findings:
• IE suffered from unpatched security holes for 359 days in 2004. According to Scanit, there were only 7 days out of 366 in 2004 during which IE had no unpatched security holes. This means that for 98% of the year, IE had at least one well-publicized vulnerability for which no official patch was available.
• Attacks on IE weaknesses circulated “in the wild” for 200 of those days. Scanit records the first sighting of actual working hacker code on the Internet. In this way, the firm was able to determine how many days an IE user was exposed to possible harm. When Microsoft released a patch for an IE problem, Scanit “stopped the clock” on the period of vulnerability.
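The "days of risk" arithmetic Scanit describes above is easy to get wrong when several holes are open at once: a user is exposed on a given day whether one hole or five are unpatched, so overlapping windows must be counted once, not summed. The following Python is an added example written for this column, not Scanit's own tooling or data. The browser holes, their dates and the names "hole A" through "hole E" are entirely constructed to illustrate the method; the two counts it produces (disclosure-to-patch days, and in-the-wild-exploit-to-patch days) correspond to the two figures in the findings above.

```python
from datetime import date, timedelta

# Constructed sample data for illustration only; these are NOT real
# vulnerabilities and NOT Scanit's figures. Each entry is a hypothetical
# hole with the day it became publicly known, the day working exploit
# code was first seen on the Net (None if never), and the day the vendor
# shipped a patch (None if still unpatched at the end of the year).
SAMPLE_HOLES = [
    {"name": "hole A", "disclosed": date(2004, 1, 10), "exploited": date(2004, 1, 20), "patched": date(2004, 2, 10)},
    {"name": "hole B", "disclosed": date(2004, 2, 1),  "exploited": None,              "patched": date(2004, 3, 1)},
    {"name": "hole C", "disclosed": date(2004, 6, 1),  "exploited": date(2004, 6, 15), "patched": date(2004, 6, 20)},
    {"name": "hole D", "disclosed": date(2004, 6, 10), "exploited": date(2004, 6, 12), "patched": date(2004, 8, 1)},
    # Patched BEFORE exploit code appeared: the "patch-before-hackers-can-
    # strike" case. It counts toward unpatched days but never toward
    # in-the-wild exposure.
    {"name": "hole E", "disclosed": date(2004, 9, 1),  "exploited": date(2004, 9, 20), "patched": date(2004, 9, 5)},
]


def window_days(hole, start_key, year=2004):
    """Return the set of calendar days in `year` on which `hole` was open,
    where the clock starts on hole[start_key] ("disclosed" or "exploited")
    and stops on the patch date (the patch day itself is not counted).
    An unpatched hole runs to the end of the year; a hole whose clock
    would start after it was patched contributes no days."""
    start = hole[start_key]
    if start is None:
        return set()
    year_start = date(year, 1, 1)
    year_end = date(year + 1, 1, 1)          # exclusive upper bound
    end = hole["patched"] or year_end
    start, end = max(start, year_start), min(end, year_end)
    days = set()
    d = start
    while d < end:
        days.add(d)
        d += timedelta(days=1)
    return days


def exposure_days(holes, start_key, year=2004):
    """Count distinct days in `year` on which at least one hole was open.
    Using a set union means overlapping windows are counted once, which is
    what makes the result a user's exposure rather than a sum per hole."""
    exposed = set()
    for hole in holes:
        exposed |= window_days(hole, start_key, year)
    return len(exposed)


def days_of_risk_report(holes, year=2004):
    """Produce the two headline numbers: days with any unpatched hole, and
    days with a hole for which exploit code was circulating, each as a
    count and as a percentage of the year."""
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    unpatched = exposure_days(holes, "disclosed", year)
    in_wild = exposure_days(holes, "exploited", year)
    return {
        "days_in_year": days_in_year,
        "unpatched_days": unpatched,
        "unpatched_pct": round(100.0 * unpatched / days_in_year, 1),
        "in_wild_days": in_wild,
        "in_wild_pct": round(100.0 * in_wild / days_in_year, 1),
    }


if __name__ == "__main__":
    for key, value in days_of_risk_report(SAMPLE_HOLES).items():
        print(f"{key}: {value}")
```

Note how much smaller the in-the-wild number is than the unpatched number even in this made-up data: a hole can be publicly known yet never weaponized (hole B), or patched before working exploit code shows up (hole E). That gap is exactly the distinction Scanit draws between its 359-day and 200-day figures, and why the second is the better measure of what an ordinary user actually faced.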