I have seen many people complaining that Firefox is no more secure than Internet Explorer. Usually this impression comes up when people read the long lists of security bugs fixed with every maintenance release. Since I have reported a few security bugs myself and could observe how Mozilla deals with them, I knew well that Firefox is still incomparably more secure than Internet Explorer, and now there is proof. Internet Explorer Unsafe for 284 Days in 2006 has the data. Last year, users of Internet Explorer were exposed to unpatched critical security flaws for 284 days in total (days on which at least one publicly known critical flaw had no patch available); on 98 of those days the flaws were being actively exploited by web sites. In comparison, only one Firefox vulnerability was publicly disclosed before a patched Firefox release was available, amounting to 9 days of exposure.
So where did the long lists of security bugs go? Did the author of that article overlook them? No, he didn't. These bugs were there; they were discovered and fixed, and only then was the information on them disclosed. All software has bugs. The major difference here is that Firefox vulnerabilities are reported and fixed before the information is disclosed and somebody gets a chance to abuse them, whereas with Internet Explorer it often happens the other way round: the details (and often a working exploit) are public before a fix is.
What makes security researchers disclose information on IE vulnerabilities before they are fixed? As far as I can tell, it is not because they hate Microsoft. It is simply that reporting security issues to Microsoft is so painful. Microsoft tends to downplay the severity of the issues or to call them a "feature" (e.g. the clipboard access bug that was first reported in 2002 and is still unpatched). Security issues are also given low priority, so it may take a year until an actual fix ships. So far the best way to make Microsoft recognize the real severity of a bug and react has been to disclose all information, ideally together with the source code of a working exploit.
On the other hand, Mozilla has a policy of treating every security issue as severe unless proven otherwise. With some luck the hole is patched within hours of being reported; so far I haven't seen anything take more than a week unless it is really very uncritical and hard to fix. Security issues are always top priority and they are never downplayed. And Mozilla always discloses all information on the fixed bugs, so that people using old versions know the risks they are running. Security issues are never swept under the carpet, as happened to at least some Internet Explorer vulnerabilities discovered by Microsoft employees.