Does Firefox Really Provide More Security Than Internet Explorer?
Introduction
Internet Explorer is a graphical web browser made by Microsoft and comes integrated with Windows. Even though it’s by far the most widely used browser, since 2004 it slowly began losing popularity to other browsers like Mozilla Firefox, its Open Source rival developed by the Mozilla Foundation.
Internal security architecture of IE and Firefox
Microsoft Internet Security Framework brings a wide variety of security features to IE, features like SSL, PCT (both public-key-based security protocols are implemented in Firefox), authentication using public keys from Certificate Authorities (Verisign’s Digital IDs), CryptoAPI (used to incorporate cryptography into applications) and in the future, it will incorporate Microsoft Wallet into Internet Explorer.
IE6SP1 comes with pop-up blocking, a feature long expected which Firefox had since before its name (it was originally known as Phoenix and briefly as Firebird). They are both able to selectively block pop-ups or view blocked pop-ups later. IE6 also provides different levels of security zones thus dividing the Internet into 4 categories: Internet, Local Intranet, Trusted Sites, and Restricted Sites.
Other features it possesses are fault collection (more of a Windows feature, it allows users to upload crash information to Microsoft for analysis), content-restricted IFrames (enhances security of iFrames by disabling script for their content) and Content Advisor (objectionable content filtering). It also uses ActiveX scripts, a technology that allows a web designer to add music and animations to a page.
Due to high number of malicious designed websites in which small scripts automatically download malware to users computers, Microsoft added a warning prompt to IE in order for a user to choose blocking ActiveX on a page.
Firefox doesn’t use ActiveX technology and even though this might appear that it restricts web features, use of ActiveX for important tasks in web pages seems most unlikely.
In addition to the features already mentioned (pop-up blocking, SSL and PCT public key authentication) Firefox strikes back with other cool additions like switching user agents (to pretend you are Googlebot or IE2SP8), referrer disabling while browsing, viewing http headers when clicking on links, disabling cookies, java and images in a 2 click step and others.
All in all, preserving security while surfing is a balancing act, the more open you are to downloads of software and to multimedia features, the greater your exposure to risk.
Large Flaws And Timeline In Which Fixes Were Released
Please note that the information was added at the time of writing of this article – March 17th 2005. Some of it may be incorrect now.
According to secunia.com Internet Explorer has 20 out of 79 security vulnerabilities that are still not patched in the latest version (with all vendor patches installed and all vendor workarounds applied), while Firefox has only 4 out of 12 security vulnerabilities unpatched.
Based on information on secunia.com (1 and 2) we can see the benefit of an Open Source browser in the security field: while Internet Explorer only issued a patch for 52% of the bugs found and applied partial fixes in 14%, Firefox has not only patched 69% of its flaws but it has never used a partial fix or a workaround. Quoting Marc Erickson: “Its Open Source nature means that anyone can look at the code and either find or fix holes – and development can go on 24 hours a day, as programmers in different time zones around the world wake up and begin their day.
24 hour development is extremely difficult for most proprietary software companies to do – they need to be very large – like Microsoft – and then they run into large corporation difficulties – politics, turf wars, who gets credit for accomplishments, project coordination, how does a boss in one time zone supervise employees around the world when he has to sleep, etc.
If we look at Secunia’s criticality graphs (1 and 2) we can see that Firefox has 0% extremely critical and 8% highly critical bugs while Internet Explorer has 14% extremely critical and 27% highly critical bugs.
Comparison Of The Two Browsers
The biggest challenge facing Firefox is that even though it offers tabbed browsing, live bookmarks, text zooming, pop-up blocking and a superior user interface, Microsoft’s Internet Explorer is still the most widespread browser. After all, every copy of Microsoft Windows sold includes a version of Internet Explorer and every Web site is optimized for Internet Explorer.
A Google fight reveals us: Internet Explorer – 36,000,000 results, and surprisingly, Firefox – 31,000,000 results. Still, Firefox has its flaws like crashing while trying to view PDF files and taking a lot of time to load. If the next IE version would support tabbing and would be 50% more secure than before, Microsoft would surely maintain dominance in the field. According to W3Schools, Firefox has slowed in growth over the past few months and it now has 21% of usage share, compared to IE6 which has 64%.)
Expectations for the future
At the present time Firefox seems more secure than Internet Explorer, but what will the future bring?
An interesting alternative is SecureIE which costs 30$ and seems to outperform Firefox and IE in the security field.
Microsoft has made spyware prevention one of its primary missions as well, so its browser may improve too in that regard, but for now, switching browsers is the best defense against malware.
As more and more users dump IE due to its lack of features and move towards a faster and more efficient alternative like Firefox, virii and spyware programmers will start using it as their new “feeding ground.”