Browser wars.... which is safest?
As many of you may know, I have been a Microsoft MVP specialising in Internet Explorer since October 1999. Some of you may expect my answer to my byline question to be "Internet Explorer is safest". You'd be wrong.
Symantec has released its Internet Security Threat Report for 2005. You can download a copy here:
Symantec say a lot of stuff in the document, but specific to web browsers, they say:
"During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32 in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities in the second half of 2004 and one in the first half of 2004.
During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were disclosed. This is a decrease from the 31 documented in the second half of 2004. During the first half of 2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.
The average severity rating of the vulnerabilities associated with Internet Explorer during the first six months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the seven, or 57%, were rated high severity."
Symantec also says:
"The time between the disclosure of a vulnerability and the release of associated exploit code decreased from 6.4 days to 6.0 days. In addition, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor."
Several news sites have picked up on the Symantec report, but if you are interested in the topic then I recommend that you download and read this document for yourself rather than depend on the opinions of the popular press. Why? Well, first of all, the original PDF document is 106 pages long - it's hard to distill such a long document into a few hundred words - believe me, I tried ;o) It's also hard to accurately distill the entire document into a few snappy bylines.
Secondly, interpretation varies depending on a person's perspective. For example, news.com.au says (after interviewing the Australian Managing Director of Symantec):
"Mr Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem."
Yet the Symantec report itself says:
"The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than other vendors. This could be because the Mozilla browsers are open source and may be more responsive to reports of new vulnerabilities and subsequently developing and delivering associated patches."
It has always been a pet hate of mine how the more extreme proponents of different operating systems and browsers put their particular favourite forward as some type of panacea. The Symantec report makes it plain that there is no panacea - no browser or operating system is 'safe'. I say read the document to learn of the latest trends - arm yourself with knowledge - but don't use the document as a weapon in the Firefox/IE or Windows/Mac/Linux wars. We have to *try* to stay neutral when helping our users stay safe. The spread of vulnerabilities across many different browsers shows that we should *not* hold up one particular browser or operating system as the ultimate - and we should not encourage such a false sense of security.