I have said it before, and I’ll say it again: Firefox isn’t really all that secure! It only seems more secure because it doesn’t have a large enough market share to warrant attacking. Fortunately, some other people have noticed this and done some excellent analysis, like George Ou and ZDNet:
Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week’s premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.
In the post, George shows that since March of this year, Firefox has encountered 40 vulnerabilities, compared with Internet Explorer’s 10. And since April 2005, there have been 11 exploits for Firefox compared with only 6 for Internet Explorer. One could make the case that Internet Explorer 6 has been around longer and thus many of its problems were fixed prior to March of this year. It would be interesting to see some data on that. Of course, Firefox shouldn’t have had any of the same vulnerabilities, though, since it was released after IE6 and should have been able to learn from its mistakes, right?
A new report from Symantec found similar results, but also noted that hackers still focus their efforts on IE – no doubt because of the size of IE’s market share and installed base:
According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, “the most of any browser studied,” the report’s authors stated. Eighteen of these flaws were classified as high severity. “During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity,” the report noted.
The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as “high”, which Symantec defined as “resulting in a compromise of the entire system if exploited.”
See, the browser wars aren’t really Firefox versus IE at all. No, the browser wars are hackers versus vendors.