People can't resist arguing about whether one browser is better than another, and invariably the argument centers on Mozilla Firefox versus Microsoft Internet Explorer (IE). Last week, I came across a study conducted by Microsoft Strategy Director Jeff Jones that compares the two browsers. The study would have been better if it had included Opera. I guess omission is one good way to marginalize the competition.

My assumption was that because someone from Microsoft produced the report, it would try to show that Microsoft's strategy for IE development and support results in a better, safer product. The report didn't convince me that IE is superior to the open-source Firefox.

Jones said that he examined vulnerabilities in Firefox and IE over the past three years, broke them down by severity, looked at each browser version by version, and examined each browser in terms of unfixed vulnerabilities. Right away, Jones said that according to his findings, more security problems have been found and fixed in Firefox than in IE. Jones' findings point out that the Internet community is finding problems and Mozilla is fixing those problems both openly and quickly. The findings cause me to ponder a thought: If people can find 199 security problems in Firefox, then imagine how many might be found if Microsoft opened the IE source. Well Microsoft isn't about to do that, and even without the source, people have found at least 87 problems in IE, according to Jones.

Next, Jones takes aim at Mozilla's support life cycle for Firefox, which is shorter than Microsoft's for IE. What Jones failed to mention is that IE is, according to Microsoft, tightly integrated into the OS. So Microsoft has no choice but to support its browser versions longer. Updates to the loosely integrated Firefox are unlikely to break a dozen other applications or the OS itself. Therefore, Mozilla can enjoy the luxury of short support periods, which in turn streamline development and speed up browser innovation.

Jones wrote that Novell is shipping SUSE Linux Enterprise Desktop 10 with support until 2013, Red Hat is shipping Enterprise Linux 5 with support until 2014, and Ubuntu 6.06 was shipped with support until 2009. All three OSs include Firefox 1.5. Mozilla ended support for Firefox 1.5 back in May, but that was announced well in advance, so each vendor should have been aware of the support timeline. Now they have to decide how to handle ongoing support by either choosing to patch Firefox 1.5 on their own or have users upgrade to Firefox 2.x.

Jones also argues that frequent upgrades are risky for businesses. Microsoft releases a batch of security patches and other product patches nearly every month, many of which have broken various aspects of Windows. I've been using Firefox since it was released. The browser tells me when an update is available via a nonintrusive pop-up box, and I click OK. The entire upgrade process takes about 20 seconds over a broadband link. Never once has a Firefox upgrade ever broken anything on my systems. I bet others have similar success stories. As for businesses, administrators can upgrade Firefox on any number of systems and most likely experience similar results.

Jones stated that part of his motive for creating the report was to refute Mozilla's statement that those who use Firefox "won't harbor nearly as many security flaws as those that have Microsoft's Internet Explorer." While Jones did do that, the proof is relatively meaningless. At the end of his report, Jones summarizes by saying that IE has experienced fewer vulnerabilities over time than Firefox, which left me wondering, "So what?" If Windows runs on 80-something percent of all desktops, then by default IE also runs on 80-something percent of all desktops. It seems obvious that a major vulnerability in IE will cause more widespread damage than a similar vulnerability in Firefox or any other browser. So that needs to be kept in mind when comparing the number of vulnerabilities in each browser.

Jones also failed to point out that Mozilla fixes vulnerabilities faster than Microsoft. Of course, Microsoft is more limited in what it can do in terms of patch releases because it carries a much larger responsibility due to its huge Windows user base and because IE is tied to various other aspects of the OS.

One thought that came to mind after reading the report is that maybe Microsoft is bothered by the fact that Firefox is a very good browser, that it's growing in popularity, that it's free, and that it's open source. Any great open-source program makes open source look attractive to people. And naturally that's problematic for Microsoft.

If you're interested in Microsoft's spin, then head over to Jones' blog at the URL below where you'll find his report available in PDF format.

http://blogs.technet.com/security/archive/2007/11/30/download-internet-explorer-and-firefox-vulnerability-analysis.aspx