By Kevin Yank

Microsoft and Mozilla Disagree on Browser Security

Microsoft and Mozilla are locked in a war of words over whose browser has the better security track record. All Web developers seem to care about, though, is that Mozilla just released the first public beta of Firefox 3, while Microsoft has yet to say much of anything about IE.Next.

One year on from the release of Internet Explorer 7, Microsoft’s IEBlog has posted The First Year of IE7, summing up the accomplishments of the browser:

According to internal Microsoft research based on data from Visual Sciences Corporation, there are over 300 million users experiencing the web with IE7. This makes IE7 the second most popular browser after IE6. IE7 is already #1 in the US and UK, and we expect IE7 to surpass IE6 worldwide shortly.

Tony Chor, Group Program Manager for Internet Explorer at Microsoft, went on to discuss IE7’s achievements in the realm of security:

According to a vulnerability report published today, IE7 has fewer vulnerabilities than previous versions of IE over the same time period. What’s more, the report showed that IE7 had both fewer fixed and unfixed vulnerabilities in the first year than the other browsers we compared.

Obviously, this sort of claim was bound to ruffle a few feathers at Mozilla. First to chime in was Mozilla’s VP of Marketing, Paul Kim, who pointed out that the report Microsoft was citing was actually prepared by Microsoft, in Lies, Damned Lies, and Microsoft Security Marketing:

That should really say:

“According to a vulnerability report published today by Microsoft Security Strategy Director Jeff Jones, IE7 has fewer vulnerabilities than previous versions of IE over the same time period.”

This was quickly followed up by several other voices out of Mozilla, including Mozilla’s VP of Engineering Mike Schroepfer (aka Schrep), who debunked Microsoft’s claims in Apples, Oranges, and the truth:

Wanting to verify the data I wandered over to the public IE bug database that Microsoft launched to great fanfare and I encountered this:

Thank you for visiting the IE Feedback Site. The site is temporarily closed. It will re-open in the future.

A vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer.

Schrep then goes on to present his own metric for browser security performance over the past year, which paints a very different picture of IE7’s record:

Bug counts are meaningless, what matters is whether you are at risk or not. Symantec looked at this problem before as has Brian Krebs of the Washington Post. I recently found this up-to-date analysis of data on Secunia which paints the same picture. Firefox is safer than IE:

I’ll let you decide for yourself who to believe, but as Web developers, we don’t particularly care about which browser has the fewest security holes. What we really want to know is when we can expect the next browser version with new developer features and improved standards compliance.

Mozilla is clearly taking the lead on this front, too. Firefox 3.0 Beta 1 was released over two weeks ago, now, and Microsoft hasn’t even told us what the next version of IE will be called.

The inside word on IE.Next is that there will be information revealed at MIX08, but that isn’t until March. It looks like those awaiting Microsoft’s next browser may be in for a very cold winter.

  • (web)developers should care about both security and improved standards compliance! Everybody should demand secure browsers. This is even more important for the “normal” user.

    I use and support Firefox, and I think it’s foolish to just think of the support for standard compliance, and not care about security. This is the best way for Explorer to take a bigger share of the market.

  • Interesting that neither side wants to admit that Opera beats them both in terms of its fix record.

  • wwb_99

    IE.NEXT now has a name.

  • I don’t care how many browsers are out there. I use Firefox simply because it’s free and it doesn’t bug up too much. I don’t need a chart to tell me Firefox is safer than IE, just as I don’t need a chart telling me Linux is safer than Windows. I already know. Just as I don’t care if Opera is safer than Firefox, Firefox has more functionality.

  • azn_romeo_4u

    my firefox crashed about 15 times last month O_O Firefox ain’t the next jesus is all I have to say. IE isn’t either, but I gotta give IE some props were doing a pretty damn good job with IE7.

  • Arthur

    Quite frankly the war of words about which browser is best leaves me completely cold. As a simple user who wants to browse and put up a small web site of my own, what matters is whether or not I can do what I want and easily. I have both browsers on my computer but I use IE7 most of the time because the size of the text is right for my eyes. Standard FireFox is too small for my eyes and the next size up is too big for my screen. Basically I use it to check that my web pages can be read by avid FireFox users.

  • Anonymous

    I am really worried about security. I am also concerned about utility. But I have NO interest at all in functionality for functionality’s sake. I’m not a follower of “Top Gear” for computers. I “drive” in the real world, for the prosaic reason of getting from A-B quickly and comfortably. I changed to FF because it works, but mostly because I didn’t and don’t trust Microsoft. Prior to FF et al MS didn’t care about security or even utility. They provided functionality and it was up to users to navigate around their messy, tangled, bloated software. They were a monopoly and because IT was/is the future, and there was nowhere else to go, were making money hand over fist. Without FF et al we would all suffer still. Whether you think MS is “good” or “evil”, nonetheless it still remains an absolute truth that “Power corrupts and absolute power corrupts absolutely”. Monopolies are bad! The problem is that the development of the “free world’s” consumer protection mechanisms haven’t kept pace with the new world of IT in any of its forms or applications. We should support the alternatives to protect ourselves. We will have a free market in IT, and the protection that it affords, when MS alternatives become firmly embedded in all markets vertically and horizontally. Twenty-five years on and we still have to play on the old DOS playing field! Is the new MS-DOS which everything is built upon the internal combustion engine of IT? I found this on wikipedia:
    “1876: Nikolaus Otto, working with Gottlieb Daimler and Wilhelm Maybach, developed a practical four-stroke cycle (Otto cycle) engine. The German courts, however, did not hold his patent to cover all in-cylinder compression engines or even the four-stroke cycle, and after this decision, in-cylinder compression became universal.”
    Is it the MS patents that are the problem?

  • kgun

    The browser that will be first on implementing more XML technologies may get an increased market share in the future.

    My ranking of importance:
    1. Security.
    2. Accessibility.
    3. Mobility.
    4. XML compatibility.

  • Security and standards compliance are both important, but far more important is a browser that doesn’t crash all the time. Like azn_romeo_4u, I’ve found that Firefox crashes all the time on a wide variety of sites. I love the various development plugins I have for Firefox, but I’m switching increasingly to Opera for general browsing. The sooner Firefox sorts the basics out, the happier I’ll be.
