Firefox is less secure than Internet Explorer?

Fred Langa has written one of the most misleading and ill-informed articles I have read on the web in quite some time.

In this misleading and ill-informed article, Fred posits that

changing to Firefox–or Mozilla, or any similar software–because “it’s more secure” is a dangerous misconception; and demonstrably false

Incredibly, Fred is trying to tell us that Firefox is not more secure than Internet Explorer!

To back up his claims, Fred very carefully chooses quotes from the US-CERT site

In most cases in the more recent issues, you’ll see the list of IE’s vulnerabilities are fewer than those for Firefox, Mozilla, and the other alternate browsers

and from the Symantec Internet Security Threat Report

Between July 1 and Dec. 31, 2004, Symantec documented 13 vulnerabilities affecting Microsoft Internet Explorer. This is notably lower than the 21 vulnerabilities affecting each of the Mozilla browsers that were documented during the same period

All sounds pretty damning, right? Yes, until you do a little bit of research.

Firstly, Fred conveniently neglects to mention what classification the vulnerabilities have (high/medium/low), i.e. how potentially risky they are for your computer.

Compare the two graphs below (from Secunia): for Internet Explorer 6.x, 42% of its bugs are highly dangerous or above, whereas only 7% of Firefox bugs are highly dangerous.

[Graph: Microsoft IE 6 criticalities from 2003 - 2005]

[Graph: Mozilla Firefox 1.x criticalities from 2003 - 2005]

Secondly, US-CERT, the site Mr. Langa chooses to take some of his information from, explicitly advises people not to use Internet Explorer:

IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system. It is possible to reduce exposure to these vulnerabilities by using a different web browser

For an unbiased review of vulnerabilities in both browsers, see the Vulnerability Reports on the Secunia website for IE 6.x and Firefox 1.x. Scroll down on these pages to see that Internet Explorer currently has 19 unpatched (some of which are highly critical and have been unpatched for more than a year) and 10 partially fixed vulnerabilities whereas Firefox has 4 unpatched (none of which are even moderately critical).

Finally and from a purely personal perspective – I frequently get support calls from clients infected by spyware and malware of all sorts. I have never had one of these calls from a client I have migrated to Firefox – it is always the IE users who get infected.

With this level of inaccuracy in his piece, you have to wonder about the motivation behind writing such a dangerous and misleading article…

12 thoughts on “Firefox is less secure than Internet Explorer?”

  1. Nope Bryan, I didn’t email him – I don’t know him well enough (read I don’t know the man at all!) that I feel I could send him an unsolicited email.

    A friend of mine did post a link to this post on his forum though.

  2. Tom:

    Nice rebuttal. Note too that as of today, Fred’s recommended visit to current US-CERT bulletins shows vulnerabilities exist only in IE and none are now present in Firefox or Mozilla.

    I’m a paying subscriber of Fred’s, and I deeply respect him, but I’m frankly mystified by this article. Perhaps it’s time for a medical checkup or something to see if there are heavy metals in his drinking water.

    — Tim

  3. UPDATE:

    Bryan, I had second thoughts about emailing Fred after replying to your comment so I have emailed him – if I hear back from him, I’ll post the response here.

    Tim, thanks for the comment and the compliment!

    I’m not overly familiar with Fred’s previous writings, not being a paying subscriber but I am familiar with his reputation.

    Unfortunately, for him, I think this article has done his reputation a considerable amount of damage because his article will prompt some people to go back to Internet Explorer. These unfortunates will get infected by malware and spyware simply for doing what they were informed was the more secure thing to do.

    I hope he has the good sense to publish a correction. Quickly.

  4. After Fred wrote that article, within less than 24 hours there have been opposing replies in a thread on his discussion forum, the thread was 4 pages when I posted my comments there.

    But it seems that thread was deleted overnight, because everyone didn’t agree with him and many of the people came up with solid proofs refuting his misleading statements.

  5. Hi Tom,

    I wanted only to say that I’ve been reading Fred in the last months, and this seems to be a “deadline-savior” article. It’s amazing how a person with his credibility and fame can write this kind of amazingly stupid non-confronted things about such an important theme of discussion like IE Vs. FF….. I have read the 4-pages replies and what I can say is already said : according to my experience, FF is far better than IE because 1) NO spyware since I left away my old IE, 2) tab browsing, 3) it didn’t crash my O.S. when it froze; I only had to stop the process and start it again, 4) Non-well-viewed pages are bad-designed pages, not let’s-blame-FF-for-this pages, 5) no pop ups at all at this very moment for me, 6) Plugins, you can change all in FF with non-3rd-party tools, 7) it’s constantly reviewed and every error is published with its right fix (try to imagine this in IE XDDDD),….
    Oh, and I have emailed Fred, but I don’t think he’s going to answer any of us……

    Regards, and keep on writing the truth 😉

    MoN

  6. Oh, I forgot two or three more things :
    – What about privacy in IE??? Even if I press the “clean my history”, “delete cookies” and “delete temp files” in my IE, there are files that cannot be deleted, and, to give an example : try to do all this and go to Google, you’ll still see all your past queries 😉
    – I have seen no home-page-hijacking using FF, and this was a daily problem for me and my users with IE.
    – And, after all, you can uninstall FF if you don’t like it. Can you do the same with IE? XDDDDDDDDDDDDDD……

    Regards,

    MoN

  7. MoN,

    thanks for stopping by and for commenting.

    Of course, the other cool thing about Firefox is that it is platform independent – I can run it on my Mac, as well as my PC whereas Microsoft stopped developing and supporting Internet Explorer on the Mac after Internet Explorer version 5.2.3 a couple of years back.

  8. Tom,
    Excellent!
    I also noticed the lack of severity classification in Fred’s screed.

    OTOH, we have to be careful when talking about rate of infection. We have to avoid that statistical bugaboo — cause vs effect (or correlation).
    Obviously, we’re going to get fewer problems with FF users than IE users!!
    Why?
    Because these are the more computer-savvy users in the first place !! :>)

    I’m an avid FF convert (can anyone say, “TABbed browsing”; how can anyone live without it), but I can honestly say that I have never been infected by a computer virus or piece of spyware on my personal Windows boxes using IE over these many years. (Maybe I just don’t have much fun on the Internet ;>) — of course, I have all the safe-surf tools installed).

    So, what we need is a double-blind study :>)

    BTW, I’m a Langa Plus subscriber. I enjoy it and benefit from the occasional cool tool that somebody’s uncovered. I just stay away from the MS vs. anti-MS crap. I like Windows XP — I like Linux (and make my living as a Unix consultant). But I don’t like IE now that FF’s here!

    Oh, crap.
    There’s some strange beeping and my computer’s starting to slooow dooown…

  9. I’ve also written a letter to the editor on this. I find this quite a bizarre biased article. It has gone about writing the article ignoring many of the factual IE cons, and many of the factual Firefox pros. As a result it is a very misleading article.

    Not only does Firefox not have extremely critical vulnerabilities like IE, as said it reports and fixes the smallest of bugs which even then have a negative effect on the smaller bug comparison rates. IE does not report or fix such small bugs which has a positive effect on those rates, but not for the web.

    IE was insecure and unpatched for approx 95% of 2004, Firefox only 50%. Only a small portion of this large difference is due to the market share differences. Such public articles need to be stopped and corrected before they have a negative effect on the site themselves, for not reporting the facts. That’s what a reviewer has the duty to do, and is not what has happened. It needs serious correcting and clearing up in an unbiased way, and serious changes for future articles.

  10. Tom,
    While I strongly agree with you on the part about IE being integrated into Windows I disagree with this entire feud on IE versus Firefox.

    I’ve used Internet Explorer on my network. I have about 651 PCs all running Microsoft Windows XP Professional Edition and Internet Explorer is the default browser for every PC. Not one of those PCs has a problem.

    As an Infrastructure Technology Administrator of the Pennsylvania Facility for Microsoft, we, that is to say I, only use Windows Live OneCare and Windows Firewall and my PCs are well protected.

    So for the Firefox users, switch back to IE, download the new more secure version of IE, which is IE7, and get some anti-virus software and a good firewall.

    Remember to update them frequently because those pieces of software are no good without updates.
