Mozilla vs. IE: A Security Object Lesson

NewsForge has an excellent article contrasting how recently discovered security holes involving Mozilla and Internet Explorer were handled by those who produce the browsers. Excerpt:

So [in the case of Mozilla] we had a fix in less than 24 hours, and the exploit wasn’t that bad to begin with.

Let’s compare this to Microsoft’s handling of a recent Internet Explorer exploit that was taken advantage of by the Scob trojan, which sought to steal sensitive personal and financial information from its unknowing victims. The trojan attacked on June 25, and Microsoft had a patch released a quick and speedy seven days later, on July 2. So for seven days a serious hole remained in Internet Explorer, and even then the vulnerability remained!

One day for the [Mozilla] community to discover, discuss, and patch a Windows security flaw through Mozilla, one week for Microsoft to incorrectly patch a serious IE exploit. Now tell me, Mr. Ballmer, Mr. Gates: Which is the better development model?

If you check out the article, you’ll also discover that the “hole” relating to Mozilla wasn’t even a problem with Mozilla itself. It is a problem with an external (non-Mozilla) program that is part of the Windows operating system, which is the only operating system to be affected by the issue. Basically, Mozilla would merely pass on an Internet request to the Windows OS, and the OS is stupid enough to honor the request unchallenged. (The other OSes Mozilla runs on aren’t that stupid.) Even Microsoft was aware of the problem with the OS, and Windows XP Service Pack 1 was supposed to have fixed the problem, but Microsoft “fixed it wrong,” and the hole continues to exist.

Once this came to light, the Mozilla folks simply disabled the passing on of the request in order to protect the Windows operating system from its own security stupidity. They had the needed patch (and revised versions of their software) in place in a matter of hours, so quickly in fact that no systems are known to have been compromised by the problem.
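To make the two behaviours concrete, here is an added illustration in Python; it is not Mozilla’s or Microsoft’s code. It models a browser’s URL dispatch decision: schemes the browser implements itself are handled internally, a short allowlist of external schemes may be handed to the operating system’s registered handler, and anything else is either forwarded to the OS (the pre-fix behaviour the post describes) or refused (the fix). The scheme sets, the `osproto:` scheme, and the sample URLs are all assumptions constructed for the example.

```python
"""Scheme-allowlist dispatch policy for URLs a browser is asked to open.

Added example, not browser code. It contrasts "forward any unknown scheme
to the OS" with "refuse unknown schemes", which is the change the post
describes Mozilla making.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Schemes the browser implements itself (assumed set for this illustration).
INTERNAL_SCHEMES = frozenset({"http", "https", "ftp", "file", "about"})

# External schemes the browser is explicitly willing to hand to the OS
# handler. Everything not listed here or above is refused by default.
EXTERNAL_ALLOWLIST = frozenset({"mailto"})


@dataclass(frozen=True)
class Decision:
    action: str   # "internal", "external" or "blocked"
    scheme: str
    reason: str


def classify_url(url: str, forward_unknown_to_os: bool = False) -> Decision:
    """Decide who handles a URL.

    forward_unknown_to_os=True models the pre-fix behaviour: any scheme the
    browser does not know is passed to the operating system's registered
    handler unchallenged. The default (False) models the fix: unknown
    schemes are dropped instead of forwarded.
    """
    # Strip surrounding whitespace so "  osproto:..." is not mistaken for a
    # scheme-less relative URL and quietly treated as harmless.
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme == "" or scheme in INTERNAL_SCHEMES:
        # Relative URLs resolve against the current document; both cases are
        # served by the browser's own networking code.
        return Decision("internal", scheme or "(relative)", "handled by browser")
    if scheme in EXTERNAL_ALLOWLIST:
        return Decision("external", scheme, "explicitly allowlisted OS handoff")
    if forward_unknown_to_os:
        return Decision("external", scheme,
                        "unknown scheme forwarded to OS (pre-fix behaviour)")
    return Decision("blocked", scheme, "unknown scheme, not forwarded")


def dispatch_all(urls, forward_unknown_to_os: bool = False):
    """Classify a batch of URLs; return (decisions, number blocked)."""
    decisions = [classify_url(u, forward_unknown_to_os) for u in urls]
    blocked = sum(1 for d in decisions if d.action == "blocked")
    return decisions, blocked


# Constructed sample inputs. "osproto:" is a made-up external scheme standing
# in for whatever a host OS registers; it is not a real protocol.
SAMPLE_URLS = [
    "https://example.test/index.html",
    "/relative/path.html",
    "mailto:someone@example.test",
    "OSPROTO:some-handler-argument",
    "  osproto:leading-whitespace",
]

if __name__ == "__main__":
    for policy in (True, False):
        decisions, blocked = dispatch_all(SAMPLE_URLS, forward_unknown_to_os=policy)
        print(f"forward_unknown_to_os={policy}: {blocked} blocked")
        for d in decisions:
            print(f"  {d.action:8} {d.scheme:11} {d.reason}")
```

Run with the pre-fix policy, the two `osproto:` URLs are handed straight to the OS; with the default policy they are refused and counted, which is also the signal a defender would want logged when a page tries to reach a handler the browser does not own.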

The fact that more folks are noting the problems with MS-produced products is perhaps why the superdominant IE browser has lost 1% of its market share in the last month. A story at PCWorld.com notes:

Internet Explorer has held more than 95 percent of the browser market since June 2002, and until June had remained steady with about 95.7 percent of the browser market, according to WebSideStory’s measurements. Over the last month, however, its market share has slowly dropped from 95.73 percent on June 4 to 94.73 percent on July 6.

A loss of 1 percent of the market may not mean much to Microsoft, but it translates into a large growth, proportionately, in the number of users running Mozilla and Netscape-based browsers. Mozilla and Netscape’s combined market share has increased by 26 percent, rising from 3.21 percent of the market in June to 4.05 percent in July, Johnston said.

“It takes a lot to get someone to change their browser. It’s been years since anyone has been willing to do this in significant numbers,” he [analyst Geoff Johnston] said.

Most of the period in which the losses to IE occurred was before the Download.Ject vulnerability in IE was discovered and CERT recommended that people start ditching IE, so the losses may well continue, and accelerate.

The PCWorld.Com article also notes:

Microsoft has yet to release a comprehensive fix for Download.Ject, but the company is providing customers with “prescriptive guidance to help mitigate these issues” on the Microsoft.com Web site, he said.

Robert Duncan III, a technologist at Bacone College, in Muskogee, Oklahoma, switched to Firefox recently, attracted by the software’s wide variety of plug-ins and new features, as well as the fact that Mozilla is less integrated with the computer’s operating system than is Internet Explorer.

“Since Mozilla is completely isolated from the operating system, I know that if the browser gets completely hijacked and obliterated that the program is not going to completely destroy everything I’ve got on disk,” he said.

About 20 percent of the computers Duncan administers at the college now use Mozilla-based browsers, Duncan said, and the main impediment to more widespread adoption is user perception, he said. “They have this perception that open source software can’t be worth anything because it’s free.”

“Once people start examining the features of Mozilla versus Internet Explorer instead of looking at a brand name . . . I think they’ll see there’s a lot more value,” he said.

I agree that Mozilla has much better features than IE, particularly through the available extensions (it also runs much faster), but I find it interesting that Microsoft’s integrate-the-browser-into-the-OS-in-order-to-try-to-thwart-federal-antitrust-regulators-in-court strategy has come back to haunt it. By so tightly binding IE to the Windows OS, it has made the OS more vulnerable to exploitation from sources on the Internet. Mozilla, by contrast, is not tightly bound up with the operating system and is thus less likely to wreak havoc with the OS.

Author: Jimmy Akin

Jimmy was born in Texas, grew up nominally Protestant, but at age 20 experienced a profound conversion to Christ. Planning on becoming a Protestant seminary professor, he started an intensive study of the Bible. But the more he immersed himself in Scripture the more he found to support the Catholic faith, and in 1992 he entered the Catholic Church. His conversion story, "A Triumph and a Tragedy," is published in Surprised by Truth. Besides being an author, Jimmy is the Senior Apologist at Catholic Answers, a contributing editor to Catholic Answers Magazine, and a weekly guest on "Catholic Answers Live."

3 thoughts on “Mozilla vs. IE: A Security Object Lesson”

  1. As someone who both uses and develops open-source software (such as Mozilla/FireFox/Thunderbird and Linux), and as a Catholic… I’ve been thinking about the following:
    In the past, monks were on the cutting edge of technology… brewing beer, making wine, copying books, and writing books when all of those activities were “high-tech”. They did these things, as well as other activities useful to the local community (farming) to support their religious community.
    So… why don’t we have an order of Franciscan open-source software developers developing software in return for donations to support their religious community?
    This idea is not entirely my own. It’s popped up in several science fiction stories over the decades… most recently in the Babylon 5 series, which I thought was handled pretty well considering how Catholics are usually portrayed in movies and TV.
    But why not?

  2. How ’bout an order of Franciscan Hackers that go around hacking and shutting down porn sites?
    That would be cool.
    Did I ever mention how much I love my new iBook? No spyware here.
    Look what my browser can do: ✞✡✝
    Cool, eh?