Friday, November 30, 2007

The Microsoft FUD Machine cometh again: Firefox said to be less secure than Internet Explorer

I had lost all interest in blogging, but the latest installment of FUD by Microsoft has made me take it up again. Jeff Jones, a security guy at Microsoft, has published a paper stating that Firefox has a larger number of unpatched vulnerabilities and is therefore more insecure. Now, I had done a small study a few months back comparing the vulnerabilities of the three major browsers on the Windows platform, and could come to no conclusion except that IE was the most insecure browser.
I will go through his paper thoroughly now, and also refine my analysis, but I can tell you two things:
i) Jeff Jones is extremely competent at calculating the "days of risk" when comparing Linux and Windows, but he has not done so in this study. I will determine over the next two days what the "days of risk" actually were. I just suspect he has something to hide there ;)
ii) The above "days of risk" are theoretical; the "actual days of risk", that is, the days on which the user was actually under attack even though fully patched, is also important. You may have just one vulnerability, but if it is undergoing a zero-day attack and you have not patched it, then for all practical purposes your software is much less secure than a piece of software with a hundred patched vulnerabilities totalling a thousand "days of risk". IE has undergone too many zero-day exploits to be called a secure browser under XP. This is never mentioned by any Microsoft report. So, if someone tells you that IE is more secure than Firefox, just mention the words "zero day".
iii) Since he is so self-congratulatory about the vulnerability counts of IE, let him compare IE with Opera and follow his own thread of reasoning in assessing the security of the browsers.
iv) Vulnerability counts are not everything; they are just one metric. I have to say that if UAC is switched on in Vista, it would make IE 7 more secure than even Opera, even if IE has more unpatched vulnerabilities. However, for Windows XP, IE was, until a few months ago, the most insecure browser. Let me see if things have changed! I strongly suspect NOT!
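To make the distinction in points i) and ii) concrete, here is an added example (not from the original post and not from the paper it discusses) that computes the three numbers side by side: the unpatched count, the theoretical "days of risk" (disclosure to patch, summed per vulnerability), and the "actual days of risk" (days on which in-the-wild exploitation was known and no patch existed). The browser records are constructed sample data, not real advisories for IE, Firefox or Opera; the field names and the as-of date are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    """One publicly disclosed vulnerability. All records below are constructed
    sample data, not real advisories for any browser."""
    vuln_id: str
    disclosed: date
    patched: Optional[date] = None         # None: still unpatched on the as-of date
    exploited_from: Optional[date] = None  # first day in-the-wild exploitation was seen


def _exposure_end(v: Vuln, as_of: date) -> date:
    """Day the exposure window closes: the patch date if it is on or before as_of, else as_of."""
    if v.patched is not None and v.patched <= as_of:
        return v.patched
    return as_of


def unpatched_count(vulns: List[Vuln], as_of: date) -> int:
    """Vulnerabilities disclosed by as_of that have no patch on or before as_of."""
    return sum(1 for v in vulns
               if v.disclosed <= as_of and (v.patched is None or v.patched > as_of))


def days_of_risk(vulns: List[Vuln], as_of: date) -> int:
    """Theoretical days of risk: per vulnerability, days from public disclosure
    until the patch shipped (or until as_of while still unpatched), summed."""
    return sum((_exposure_end(v, as_of) - v.disclosed).days
               for v in vulns if v.disclosed <= as_of)


def actual_days_of_risk(vulns: List[Vuln], as_of: date) -> int:
    """Actual days of risk: calendar days on which a fully patched user was still
    exposed to exploitation seen in the wild. Each window runs from the first
    observed exploitation to the patch; overlapping windows are merged so two
    concurrent zero-days do not count the same day twice."""
    windows: List[Tuple[date, date]] = []
    for v in vulns:
        if v.exploited_from is None or v.exploited_from > as_of:
            continue
        end = _exposure_end(v, as_of)
        if end > v.exploited_from:
            windows.append((v.exploited_from, end))
    windows.sort()
    total = 0
    cur: Optional[Tuple[date, date]] = None
    for start, end in windows:
        if cur is None or start > cur[1]:      # gap: close the current merged window
            if cur is not None:
                total += (cur[1] - cur[0]).days
            cur = (start, end)
        else:                                   # overlap: extend the merged window
            cur = (cur[0], max(cur[1], end))
    if cur is not None:
        total += (cur[1] - cur[0]).days
    return total


def scorecard(vulns: List[Vuln], as_of: date) -> Dict[str, int]:
    """The three metrics for one product, as of a given date."""
    return {
        "unpatched": unpatched_count(vulns, as_of),
        "days_of_risk": days_of_risk(vulns, as_of),
        "actual_days_of_risk": actual_days_of_risk(vulns, as_of),
    }


AS_OF = date(2007, 11, 30)  # assumed reporting date for the constructed samples

# Constructed sample: browser A has a single unpatched flaw that is being exploited in the wild.
BROWSER_A = [
    Vuln("A-1", disclosed=date(2007, 10, 1), patched=None, exploited_from=date(2007, 10, 5)),
]

# Constructed sample: browser B has five flaws, all patched, none exploited before the patch.
BROWSER_B = [
    Vuln("B-1", date(2007, 1, 10), date(2007, 3, 1)),
    Vuln("B-2", date(2007, 2, 1), date(2007, 2, 15)),
    Vuln("B-3", date(2007, 4, 1), date(2007, 5, 31)),
    Vuln("B-4", date(2007, 6, 1), date(2007, 6, 11)),
    Vuln("B-5", date(2007, 8, 1), date(2007, 9, 5)),
]

# Constructed sample: browser C had two overlapping zero-day windows in May.
BROWSER_C = [
    Vuln("C-1", date(2007, 5, 1), date(2007, 5, 21), exploited_from=date(2007, 5, 1)),
    Vuln("C-2", date(2007, 5, 10), date(2007, 6, 1), exploited_from=date(2007, 5, 15)),
]

if __name__ == "__main__":
    for name, vulns in (("A", BROWSER_A), ("B", BROWSER_B), ("C", BROWSER_C)):
        print(name, scorecard(vulns, AS_OF))
```

On these constructed records browser B has zero unpatched flaws but 169 theoretical days of risk, while browser A has one unpatched flaw, 60 theoretical days of risk and 56 days on which a fully patched user was exposed to a live exploit; ranking by unpatched count alone would put A ahead. Browser C shows why the exploited windows are merged rather than summed: its two overlapping zero-days add up to 42 per-vulnerability days but cover only 31 calendar days.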
Till then, read my previous blog post on that subject and tell me if you have any objections to my methodology. I did not use the NVD ratings, but I did use another respected third-party rating, so I do not think there is any issue there.
Till then, stay well and beware of FUD