RealTime IT News

Security Debate Centers on Firefox And IE

Microsoft Internet Explorer developer Dave Massy responded to a Mozilla Foundation claim that Firefox will "always" be more secure.

In a blog post today, Massy referenced reported comments made by Mozilla Foundation chair Mitchell Baker two days ago.

"Mitchell Baker, president and chief lizard wrangler of the Mozilla Foundation, is quoted as saying Mozilla is and always will be more secure than IE," Massy wrote.

One reason Mozilla claims it will always be more secure is related to the fact that it is separate from the operating system, as opposed to IE, which is tightly integrated.

"The issue of not being part of the operating system is an interesting one, though that is frequently the subject of misunderstanding," Massy blogged. "IE is part of the Windows operating system so that parts of the OS and other applications can rely on the functionality and APIs being present. IE in turn relies on operating system functionality to do its job."

Massy argues that since the operating system APIs that are used by IE are all part of the platform SDK and are all documented by the Microsoft Developer Network (MSDN), they are also available to any other software that will run on the Windows OS.

"The security of any browser is irrelevant if it is part of the operating system," Massy states. "If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the Web."

"This is not the case, as any software has access to the same set of OS APIs and can therefore expose the same set of OS functionality as IE," Massy added.

Security experts queried by internetnews.com, however, were not as definitive about the lack of risk posed by IE due to its tighter OS integration.

Ioana Spiridonica, spokesperson for European software vendor BitDefender, disputes Massy's assertion.

"The argument presented in the blog -- 'any software has access to the same set of OS APIs and can therefore expose the same set of OS functionality as IE' -- brings the man's whole argumentation down," Spiridonica told internetnews.com. "Because unlike IE, although Firefox has access to those APIs, it does not expose them to the Web like IE does."

Patrick Hinojosa, CTO of security vendor Panda Software, however, doesn't think the fact that Mozilla Firefox is "separate" from the Windows OS necessarily shields it better from threats than IE.

"I do think that an exploited vulnerability in IE could have more serious ramifications for the system as a whole because of the tight integration," Hinojosa told internetnews.com. "The distinction is important because, given the same vulnerability in IE and Firefox, you might end up with different bad effects on the rest of the system. It is probable that this would be worse in favor of IE."

In October, IE got an unexpected endorsement from a security researcher who noted that IE was more secure than its alternative counterparts in certain respects.

With Firefox's popularity on the rise, however, Hinojosa asserts that there will be more malicious users searching for vulnerabilities to exploit in the upstart open source browser.

"I feel this will result in some lowering of security in the sense that holes will be found and exploited," Hinojosa explained. "The biggest area where Firefox is more secure is that it doesn't have the ability to run ActiveX. I know this is now turned off by default in the latest IE, but there are millions of users not using the latest version.

"So, for the time being, I feel Firefox delivers a better experience security-wise to the average user that is on the net."

A quick review of the current status of reported, but unpatched, vulnerabilities as listed by security vendor Secunia also shows the disparity between Firefox and IE.

For Firefox, which was just patched yesterday, the security firm has four out of 13 advisories marked as unpatched. For IE, 20 out of a total of 79 advisories are marked as unpatched.