You'd think Microsoft executives would drop to their knees in thanks over this sort of thing:
Mozilla found itself having to defend Firefox's integrity last week amid reports that exploit code was chasing two serious security holes in the open source browser. After all the headlines about Firefox chipping away at Internet Explorer's market share, it appeared the honeymoon was over. Microsoft had been vindicated.
Don't tell that to Wayne Pierce, a Boston-based IT security consultant.
"I love Firefox and have been using it for a very long time on Windows and Linux," he said in an e-mail interview. "If you just compare the design of the two browsers, I feel that Firefox is more secure. It's not integrated with the operating system, so a security issue with Internet Explorer is generally much more problematic than Firefox. This is an old argument against Internet Explorer, but it's still valid."
Pierce's unshaken devotion seems to reflect the mood of most users in the wake of last week's vulnerability reports. For those less enamored with Mozilla's browser, the recent flaws simply show that no software is 100% ironclad against a determined attacker. But for the Firefox faithful, the recent problems actually validate their belief that it's more secure.
Mozilla is quick to disclose and fix its vulnerabilities while Microsoft sits on its flaws for months, they said. And since Firefox isn't tightly wound with an operating system as Internet Explorer is to Windows, it will never be as successful an attack vector, they added.
"I would give Firefox the edge, based on [Mozilla's] ability to react more quickly with its more streamlined application," Charlie Burton, senior technical analyst for Centennial, Colo.-based Cendant Corp.'s travel distribution services division, said in an e-mail. "Windows and IE always make for attractive targets for anyone wanting to make an impact, just because of the size of their market. The actual vulnerabilities may be comparable, but Mozilla seems to be resolving them quickly, and the focus of the spyware and worm builders is definitely aimed at the more mainstream targets."
Is the best security quick and dirty or slow and deliberate?
Chris Hofmann, director of engineering for Mozilla, said the organization's handling of recent security holes shows why Firefox is a safer bet than Internet Explorer.
"Our code is open source and we encourage researchers to look at the code from a number of angles to improve our software's security," he said. "Feedback is constant. We have a very active user community that's passionate about security. We've been very quick to respond to problems."
Unlike some other software distributors, he said security isn't an afterthought for his organization.
"Security is a mindset," he said. "It's been in our culture for the last eight years. That's our big advantage. It took Microsoft 18 months into its Trusted Computing initiative to develop SP2. We don't want to get in the situation where it takes us 18 months to make enhancements that can protect users."
The best proof of Firefox's toughness is that it has yet to suffer a major attack, Hofmann said. "Look at the Download.ject incident last summer, where exploits worked together to hit a combination of vulnerabilities on the Web server side and IE," he said. "We haven't had anything like that. We want to stay ahead of the smaller vulnerabilities and make it so attackers can't construct those kinds of attacks."
Stephen Toulouse, program manager for the Microsoft Security Response Center, said quick fixes aren't always the right fixes. He agreed Microsoft patches don't always arrive as fast as people would like. But it's better to spend more time developing them than to come out with half-baked solutions, he said.
"A lot of customer feedback goes into our approach to security, and one thing they've made clear to us is that they don't want quicker updates if they're not solid enough and cause problems later," he said. "We simply can't treat our users as our testers. They want to know that they can trust our updates."
He said customers have also made it clear they don't want to download products in their entirety whenever fixes arrive, as Firefox users must do.
"They want updates, not entirely new versions of the product," Toulouse said.
The more open, the more secure
Those interviewed agreed solid fixes are preferable to the quick and dirty approach. But when there's a big security hole with exploit code in the wild, they said it's better to have a half-baked fix than nothing at all. If nothing else, at least acknowledge the problem and suggest workarounds until a patch is available.
Pierce said Mozilla understands that better than Microsoft. "When new security issues are found, Firefox discusses them in the open and Microsoft doesn't," he said. "By discussing the security issues in the open I can take preventive measures before a security patch is released, and the Firefox developers are less likely to add in non-security changes."
Burton said Mozilla's handling of the latest flaws shows that Firefox still has the edge. And he doesn't think it's such a big deal to update the entire program.
"After the release of the vulnerabilities last week, I fell back more on Explorer temporarily," he said. "I've [since] loaded the new version of Firefox… and the update went very smoothly. I've heard arguments that the incremental patching for IE is an advantage over total reinstall with each version of Firefox. At the same time, I suspect the full reinstall might beat the patchwork that exists in IE."
John Gehrke, a systems administrator for the U.S. Geological Survey's Denver, Colo.-based Branch of Quality Systems, said in an e-mail interview that both browsers are easy to update, "although Firefox may be easiest with an icon shown at all times in the upper right corner that checks for updates."
"Above all, with source code available, Firefox ultimately should be the safer browser," he said. "And certain IE technologies are fairly mysterious -- ActiveX plug-ins and 'Browser Helper Objects,' for example -- and may be more frequently targeted by spyware distributors."
An industry-wide problem
In the end, Toulouse said the issue isn't whether one browser is more secure than the other. Mozilla's recent headaches merely illustrate a problem everyone must confront.
"It drives home the fact that this is an industry-wide issue," he said. "We're seeing more flaws in Firefox. Mac OS X has flaws, and Oracle and Red Hat have to release updates regularly. For me, it's just about doing our best to make our products as secure as they can be."
At Microsoft, that means developing the security improvements that went into SP2 and the upcoming release of Internet Explorer 7.0, he said.
And as another IT professional points out, it doesn't matter which browser is safer if users don't exercise sound security judgment when using it.
"Which is safer, a steak knife or a paring knife?" asked Eric Case, support systems analyst for the University of Arizona's Department of Chemical and Environmental Engineering, via e-mail. "It's not so much the tool as the user."