2005-09-20
Symantec Nonsense
Hot off the press! Firefox is more insecure than Internet Explorer, says security tracking company Symantec. It blows my mind how quickly news companies echo press releases without verifying their validity.
Symantec only reports vulnerabilities that have been confirmed by the vendor. I for one don't trust that Microsoft is very forthcoming about their security vulnerabilities, as there are several known highly critical vulnerabilities from a few years ago that they never bothered to confirm or fix. Security research company eEye said that they have plenty of vulnerabilities they privately discovered and notified Microsoft of that still haven't been publicly recognized or fixed. This means that all of these vulnerabilities aren't counted in Internet Explorer's sum.
In the last year, the Mozilla Foundation has also announced more vulnerability fixes than Microsoft has. Microsoft has a history of not saying exactly what vulnerabilities a particular patch fixes. Rather, they announce fixes to known vulnerabilities by pointing users to the respective patch in the vulnerability report. Vulnerabilities that don't have public reports from Microsoft (which I am certain there are many of) usually go unannounced when the patch rolls out. These vulnerabilities also don't get counted in Internet Explorer's sum. On the other hand, since Firefox is developed by a community, all of their fixed vulnerabilities become public.
According to Secunia's data, Internet Explorer has had 31 vulnerabilities since 2002 that still don't have complete fixes, and 24 of them are from before 2005. This Symantec report is only covering vulnerabilities that were discovered in 2005. You have to remember that users are currently affected by all of those vulnerabilities, not just the ones discovered recently. According to Secunia's data, Firefox only has four vulnerabilities without complete fixes, in total. Secunia also shows that there have been more vulnerabilities found in Firefox than Internet Explorer in 2005, but that fact is ultimately of very little significance when you look at the bigger picture. The bottom line is that users have constantly been more insecure using Internet Explorer than Firefox, and that's what matters in the end.
Another important issue is how long it takes to fix the vulnerabilities. Ignoring vulnerabilities with unknown fix dates and vulnerabilities that were only publicly known after the patch release, if all unfixed vulnerabilities in both browsers were to be fixed today, Internet Explorer would have taken a mean average of 250 days or a median average of 286 days to fix a vulnerability, while Firefox (Windows version) would have taken only a mean average of 79 days or a median average of 47 days. Ignoring "not critical" and "less critical" vulnerabilities, Internet Explorer would have taken a mean average of 170 days or a median average of 121 days, while Firefox would have taken only a mean average of 36 days or a median average of 23 days. (By the way, Opera would have taken a mean average of 73 days or a median average of 81 days.)
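As an added illustration (not the author's own calculation or Secunia's data), here is how the exposure-window averages above can be computed from advisory records using the same rules: records with unknown fix dates or disclosed only after the patch are skipped, still-open issues are counted as fixed today, and a severity floor drops the lower Secunia ratings. The records below are constructed samples, not real advisories.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Secunia-style severity scale, lowest to highest.
SEVERITIES = ["Not critical", "Less critical", "Moderately critical",
              "Highly critical", "Extremely critical"]

@dataclass(frozen=True)
class Advisory:
    product: str
    severity: str
    disclosed: date            # date the issue became publicly known
    fixed: Optional[date]      # patch date, or None if unknown / not yet fixed
    unfixed: bool = False      # True: no complete fix exists yet

def exposure_days(adv: Advisory, today: date) -> Optional[int]:
    """Days users were exposed, or None if the record is excluded from the average."""
    if adv.unfixed:
        return (today - adv.disclosed).days   # treat an open issue as fixed today
    if adv.fixed is None:
        return None                           # fixed, but fix date unknown: skip
    if adv.fixed < adv.disclosed:
        return None                           # only public after the patch: skip
    return (adv.fixed - adv.disclosed).days

def time_to_fix(advisories, product, today, min_severity="Not critical"):
    """Return (count, mean_days, median_days) for one product at or above a severity."""
    floor = SEVERITIES.index(min_severity)
    days = []
    for adv in advisories:
        if adv.product != product or SEVERITIES.index(adv.severity) < floor:
            continue
        d = exposure_days(adv, today)
        if d is not None:
            days.append(d)
    if not days:
        return (0, None, None)
    return (len(days), mean(days), median(days))

# Constructed sample records chosen to exercise each exclusion rule.
TODAY = date(2005, 9, 21)
ADVISORIES = [
    Advisory("IE", "Highly critical", date(2004, 1, 10), date(2004, 7, 8)),
    Advisory("IE", "Moderately critical", date(2005, 3, 25), None, unfixed=True),
    Advisory("IE", "Less critical", date(2005, 3, 1), date(2005, 3, 31)),
    Advisory("IE", "Highly critical", date(2005, 5, 10), date(2005, 5, 1)),  # public after patch
    Advisory("IE", "Extremely critical", date(2003, 2, 1), None),            # fix date unknown
    Advisory("Firefox", "Highly critical", date(2005, 5, 1), date(2005, 5, 21)),
    Advisory("Firefox", "Not critical", date(2005, 6, 1), date(2005, 9, 9)),
    Advisory("Firefox", "Moderately critical", date(2005, 8, 22), None, unfixed=True),
]
```

Calling `time_to_fix(ADVISORIES, "IE", TODAY, "Moderately critical")` reproduces the "ignoring not critical and less critical" variant of the comparison.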
No matter how you stack it, Firefox is still the more secure web browser, and Internet Explorer is still seriously unsafe to use. By publishing such a clearly misleading report, Symantec is doing a disservice to its purpose: informing the public on the issue of security. And by mindlessly echoing this press release, the news media is also doing a disservice to its purpose: uncovering and reporting the truth of a situation.
UPDATE 2005-09-20: ZDNet UK has done the right thing and posted another article presenting the other side of the issue.
UPDATE 2005-09-20: I made an error in the median calculation. It's fixed now. I also added the higher severity average values.
UPDATE 2005-09-21: I changed the values to only regard the Windows version of Firefox, to be more fair. I also added the note about Opera.
UPDATE 2005-09-26: CNET has published an article making a defense similar to mine. Thanks, Robert Vamosi, for actually doing some research, unlike most of the news media on this topic.