Does Firefox Really Provide More Security Than Internet Explorer?
by Vaida Bogdan - Originally published in issue 1 of (IN)SECURE Magazine - Monday, 23 May 2005.

Internet Explorer is a graphical web browser made by Microsoft and comes integrated with Windows. Even though it's by far the most widely used browser, since 2004 it slowly began losing popularity to other browsers like Mozilla Firefox, its Open Source rival developed by the Mozilla Foundation.

Internal security architecture of IE and Firefox

Microsoft Internet Security Framework brings a wide variety of security features to IE, features like SSL, PCT (both public-key-based security protocols are implemented in Firefox), authentication using public keys from Certificate Authorities (Verisign's Digital IDs), CryptoAPI (used to incorporate cryptography into applications) and in the future, it will incorporate Microsoft Wallet into Internet Explorer.

IE6SP1 comes with pop-up blocking, a feature long expected which Firefox had since before its name (it was originally known as Phoenix and briefly as Firebird). They are both able to selectively block pop-ups or view blocked pop-ups later. IE6 also provides different levels of security zones thus dividing the Internet into 4 categories: Internet, Local Intranet, Trusted Sites, and Restricted Sites.

Other features it possesses are fault collection (more of a Windows feature, it allows users to upload crash information to Microsoft for analysis), content-restricted IFrames (enhances security of iFrames by disabling script for their content) and Content Advisor (objectionable content filtering). It also uses ActiveX scripts, a technology that allows a web designer to add music and animations to a page.

Due to high number of malicious designed websites in which small scripts automatically download malware to users computers, Microsoft added a warning prompt to IE in order for a user to choose blocking ActiveX on a page.

Firefox doesn't use ActiveX technology and even though this might appear that it restricts web features, use of ActiveX for important tasks in web pages seems most unlikely.

In addition to the features already mentioned (pop-up blocking, SSL and PCT public key authentication) Firefox strikes back with other cool additions like switching user agents (to pretend you are Googlebot or IE2SP8), referrer disabling while browsing, viewing http headers when clicking on links, disabling cookies, java and images in a 2 click step and others.

All in all, preserving security while surfing is a balancing act, the more open you are to downloads of software and to multimedia features, the greater your exposure to risk.

Large Flaws And Timeline In Which Fixes Were Released

Please note that the information was added at the time of writing of this article - March 17th 2005. Some of it may be incorrect now.

According to Internet Explorer has 20 out of 79 security vulnerabilities that are still not patched in the latest version (with all vendor patches installed and all vendor workarounds applied), while Firefox has only 4 out of 12 security vulnerabilities unpatched.

Based on information on (1 and 2) we can see the benefit of an Open Source browser in the security field: while Internet Explorer only issued a patch for 52% of the bugs found and applied partial fixes in 14%, Firefox has not only patched 69% of its flaws but it has never used a partial fix or a workaround. Quoting Marc Erickson: "Its Open Source nature means that anyone can look at the code and either find or fix holes - and development can go on 24 hours a day, as programmers in different time zones around the world wake up and begin their day.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th