Because it's simply ridiculous

Dec 4, 2007 13:56 GMT

In the latest episode of Internet Explorer vs. Firefox face-off, Microsoft went gunning after Mozilla and aimed at demystifying the open source browser's security aura. Jeff Jones, Strategy Director in the Microsoft Security Technology Unit, published a whitepaper, comparing the number of vulnerabilities that have impacted various editions of Internet Explorer and Firefox for the past three years, starting from November 2004 and ending in October 2007.

"Over the past 3 years, supported versions of Internet Explorer have experienced fewer vulnerabilities and fewer High severity vulnerabilities than Firefox, a result that stands in contrast to early assertions by Mozilla that Firefox "won't harbor nearly as many security flaws as those that have Microsoft's Internet Explorer"," Jones revealed.

Mozilla did not take long to react, and it also came out gunning after Microsoft through the voice of Mike Shaver, its chief evangelist. Shaver pointed the finger back at Redmond and said that the company should bow its head in shame because of the IE vs. Firefox security sleight of hand it had managed to pull.

"Microsoft should be embarrassed to be associated with this sort of ridiculous "analysis". We don't pretend that hiding the rate of fixes improves our users' security in any way, and we never will. We're transparent and aggressive in dealing with security issues, and 130 million Firefox users are safer for it every day," Shaver stated.

Shaver attacked both Microsoft and Jeff Jones, claiming that playing the vulnerability-counting game was easy, but at the same time completely useless. Still, neither Microsoft nor Jones could be found guilty of "Critical Thinking". Shaver disputed the premise that more fixes are equivalent to less security, and at the same time criticized Microsoft for its lack of transparency, claiming that the Redmond company has swept vulnerabilities under the rug along the way so that they would not be counted.

"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. (...) We count every defect distinctly. We count the ones that Mozilla developers find in-house. We count the things we do to mitigate defects in other pieces of software, including Windows itself and other third-party plugins. We count memory behaviour that we think might be exploitable, even if no exploit has ever been demonstrated and the issue in question was found in-house. We open our bugs up after we've shipped fixes, so that people don't have to take our word for our severity ratings," Shaver explained.

Continuing to mock Microsoft's standards for browser security, Shaver crowned Internet Explorer 4 as the most secure browser of all time, only because the product received a total of zero security patches in the period. "Even if the scales were the same, and we were living in a parallel universe in which Microsoft even approached Mozilla's standards of transparency and disclosure, the logic is just baffling: Jeff is saying that Mozilla's products are less secure than Microsoft's because Mozilla fixed more bugs. By that measure, IE4 is even more secure, because there were no security bugs fixed in that time frame; bravo to Microsoft for that," Shaver concluded.