Firefox Security vs Internet Explorer Security - Fight!

Last Friday night, immediately after reading Jeff Jones' Browser Vulnerability Analysis paper and Window Snyder's response (as well as schrep's post), I wrote this:

Microsoft Internet Explorer and Mozilla Firefox have completely different security goals. Firefox security is designed to sell beanies and duffel bags and appeals to people who actually want to use it. Internet Explorer security is for the serious company executive who is forced to use it by overbearing corporate IT department types. The only people with IE swag got it free from Microsoft.

Don't believe me? Compare Microsoft's Online Store with Mozilla's.

Incidentally, those were just the first Google hits for "shop microsoft store" and "shop mozilla store".

Now I guess the question might arise "what does marketing merchandise have to do with security?" I think the answer is that it makes about as much sense as trying to come up with a security metric based on number of fixed vulnerabilities.

Counting past vulnerabilities is just pointless navel gazing. You know the phrase: "past performance is no guarantee of future results". Does the fact that Firefox has more fixed vulnerabilities mean that it has more bugs? Does it mean that more of the bugs have been fixed? Are the really nasty bugs still lurking in IE7? Should vulnerabilities be prorated based on NVD CVSS score? Or, maybe, should the vulnerabilities be adjusted for browser market share?

Let's face it, both Firefox and IE have unpatched vulnerabilities that can be used to harm users, so it may be more instructive to focus on why the vulnerabilities continue appearing. Besides the general fact that web browsers are incredibly complex, Firefox and IE both have legacy security problems.

Firefox continues to struggle against the perception that it is a browser for developers. The "what about developers?" voices seem to generate the most WONTFIX arguments. Too many times it appears that security vulnerabilities remain unresolved because a developer or extension writer is depending on the feature. But the recent jar: URI issue seems to indicate Firefox is closer to turning the corner in this regard. There wasn't any waffling after Domino Web Access was broken by the fix. I think that is a hopeful sign that Firefox 3 may overcome some of those legacy arguments.

Internet Explorer suffers a different type of legacy problem. After years and years of invasive operating system integration, IE has a lot of pre-"Security Push" baggage. The critical vulnerabilities that are being found in IE aren't necessarily in the browser but rather in operating system components (e.g., XML, WMF, ANI and GDI exploits). IE just serves as the vector that allows for exploitation. It's not even clear if these categories of vulnerabilities were included in Jones' analysis.

Legacy issues obviously aren't the entire story. What if an entirely new and novel vulnerability class is discovered tomorrow? What about new exploitation techniques?

What then? Daniel J. Bernstein suggests a big part of the answer is ruthlessly eliminating bugs. That is why Microsoft's claims of SDL success ring hollow in the real world. Which browser are most in-the-wild attacks targeting? With the years of legacy cruft, there are probably plenty of IE client-side vulnerabilities left.

Getting owned isn't any fun. And since it can happen to anyone, vulnerability counting probably won't matter when it's your turn.

Posted by gfleischer on 2007/12/04 at 21:17 in Security
