By Kevin Yank

Microsoft and Mozilla Disagree on Browser Security

Microsoft and Mozilla are locked in a war of words over whose browser has the better security track record. All Web developers seem to care about, though, is that Mozilla just released the first public beta of Firefox 3, while Microsoft has yet to say much of anything about IE.Next.

One year on from the release of Internet Explorer 7, Microsoft’s IEBlog has posted The First Year of IE7, summing up the accomplishments of the browser:

According to internal Microsoft research based on data from Visual Sciences Corporation, there are over 300 million users experiencing the web with IE7. This makes IE7 the second most popular browser after IE6. IE7 is already #1 in the US and UK, and we expect IE7 to surpass IE6 worldwide shortly.

Tony Chor, Group Program Manager for Internet Explorer at Microsoft, went on to discuss IE7’s achievements in the realm of security:

According to a vulnerability report published today, IE7 has fewer vulnerabilities than previous versions of IE over the same time period. What’s more, the report showed that IE7 had both fewer fixed and unfixed vulnerabilities in the first year than the other browsers we compared.

Obviously, this sort of claim was bound to ruffle a few feathers at Mozilla. First to chime in was Mozilla’s VP of Marketing, Paul Kim, who pointed out that the report Microsoft was citing was actually prepared by Microsoft, in Lies, Damned Lies, and Microsoft Security Marketing:

That should really say:

“According to a vulnerability report published today by Microsoft Security Strategy Director Jeff Jones, IE7 has fewer vulnerabilities than previous versions of IE over the same time period.”

This was quickly followed up by several other voices out of Mozilla, including Mozilla’s VP of Engineering Mike Schroepfer (aka Schrep), who debunked Microsoft’s claims in Apples, Organges, and the truth:

Wanting to verify the data I wandered over to the public IE bug database that Microsoft launched to great fanfare and I encountered this:

Thank you for visiting the IE Feedback Site. The site is temporarily closed. It will re-open in the future.

A vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer.

Schrep then goes on to present his own metric for browser security performance over the past year, which paints a very different picture of IE7’s record:

Bug counts are meaningless, what matters is whether you are at risk or not. Symantec looked at this problem before as has Brian Krebs of the Washington Post. I recently found this up-to-date analysis of data on Secunia which paints the same picture. Firefox is safer than IE:

I’ll let you decide for yourself who to believe, but as Web developers, we don’t particularly care about which browser has the fewest security holes. What we really want to know is when we can expect the next browser version with new developer features and improved standards compliance.

Mozilla is clearly taking the lead on this front, too. Firefox 3.0 Beta 1 was released over two weeks ago now, and Microsoft hasn’t even told us what the next version of IE will be called.

The inside word on IE.Next is that there will be information revealed at MIX08, but that isn’t until March. It looks like those awaiting Microsoft’s next browser may be in for a very cold winter.
