Just how flawed is Firefox?

By Davey Winder
Tuesday, 10 November 2009 17:37

Security

Please don't shoot the messenger, but all is not well in Firefox land.

According to one new report, Firefox is responsible for some 44% of all the browser vulnerabilities that were reported during the first six months of 2009. The Cenzic report pegs Firefox as far more problematical than Internet Explorer.

Not just a tad more, but if you are using the number of reported browser vulnerabilities as a metric we are talking country mile territory here. Internet Explorer accounted for just 15% of the vulnerabilities putting it in third place behind Safari in second on 35%.

Of the 'big four' browsers, Opera performed best with just 6% of the flaws coming from the direction of what used to be the only alternative browser in town.

It would seem that the Cenzic report was put together using a number of sources including the Common Vulnerabilities and Exposures database in order to tally the flaws over the half year. What the report does not do, however, is make any distinction between the bugs found.

So zero-day problems, which because of the nature of them not being patched while being exploited in the wild makes them hugely dangerous, were treated as just as another flaw along with relatively minor bugs.

Certainly the report is worrying for end users who have switched from Internet Explorer not only for the flexibility that Firefox offers but also because of the perceived higher level of security on offer.

What the headline figures from this report do not make clear are the differences between browsers in terms of response to bugs and being up front about flaws. Firefox has a reputation, courtesy of the open source development process, of dealing with flaws very quickly indeed.

The same cannot be said of Internet Explorer, with users often hanging around for months waiting for a Microsoft patch to cover up one hole or another. Indeed, it has been argued that the Microsoft Patch Update process can effectively be used to hide some flaws, whereas open-source development throws everything into the public realm.

One thing is for sure, the figures reveal that as Firefox gets ever more popular so security will have to become an ever more important part of the development process. If not, then stories comparing Firefox and Internet Explorer security will become increasingly interesting to read.