Boy, why bother with facts when it’s so easy to make stuff up and throw out randomly generated numbers like these:
“Organized cybercrime gangs are more highly focused than ever on taking control of your computer through browser-based hacks. They’ve already turned some 40% of the world’s 800 million Internet-connected PCs into obedient “bots” used to spread spam, harvest your sensitive data and commit fraud.”
Emphasis above is mine of course. Yes folks – 320 million PCs are in USA Today’s botnet out there on the Internets.
“In setting out to elevate Firefox’s basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get out of the way.”
Hmm – let’s see what sort of lead we should be following by having a look at the 2007 CVE counts for IE7 and FF 2.0 in the National Vulnerability Database, shall we?
It seems that for 2007:
IE7 had 40 unique CVEs
FF 2.x had 67 unique CVEs
Hmm . . . so we were already better than FF 2.x last year . . .
Okay so let’s see how we’re doing so far in 2008:
IE7 has 3 unique CVEs listed so far this year
FF 2.x has 24 unique CVEs listed so far this year
So we’ve gone from ~4 CVEs/month on average in 2007 to .5 CVEs/month on average in 2008, a noticeable improvement.
Meanwhile FF 2.x has gone from ~5.6 CVEs/month on average in 2007 down to a mere ~4.3 CVEs/month on average this year . . . not quite as good.
Of course, I’m not sure how much faith to put in those numbers, as according to our own bulletin count for IE7 on Vista for the last 6 months we’ve patched 6 CVEs that had “CVE-2008” in the description and 7 CVEs total . . . still – that’s way less than FF 2.x has patched this year.
Finally, let us not forget that IE7 on Vista runs at Low integrity, which prevents write access to the majority of the file system and registry. Standard off-the-shelf exploits written for IE7 that assume the user has write access to various auto-start extensibility points (ASEPs) will therefore fail to install persistent malicious software on Vista. That’s not the case with FF 2.x and 3.x, which run at Medium IL and therefore have write access to the per-user ASEPs on the system, allowing exploits to quite easily backdoor a user’s profile.
So not only is IE7 less likely to have a security defect than Firefox – it’s also a safer browser to run on Vista. IMHO, this is probably one of the biggest reasons Vista is so much less likely to have malware on it when compared to even XP SP2.
We’ll see how FF 3.x fares over the next year and whether it’s any better than its predecessor . . . I for one will keep using IE7 on Vista – and download IE8 the day it comes out. 🙂
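The integrity-level argument above can be made concrete with a small model of Vista's Mandatory Integrity Control write check. This is an added example, not code from the original post or from Microsoft. It assumes the default no-write-up policy and that unlabeled objects are treated as Medium, and the process names and object list are constructed samples.

```python
from typing import Optional

# Simplified model of the Mandatory Integrity Control (MIC) write decision.
# Integrity levels are SIDs of the form S-1-16-<rid>; a higher RID is more trusted.
MEDIUM_RID = 0x2000  # objects that carry no mandatory label are treated as Medium

def integrity_rid(sid: str) -> int:
    """Return the RID of an integrity-level SID, rejecting any other SID."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not an integrity SID: {sid!r}")
    return int(parts[3])

def level_name(rid: int) -> str:
    """Name the band a RID falls in; RIDs between the well-known values are valid."""
    bands = ((0x4000, "System"), (0x3000, "High"), (0x2000, "Medium"), (0x1000, "Low"))
    for floor, name in bands:
        if rid >= floor:
            return name
    return "Untrusted"

def write_allowed(process_sid: str, object_label: Optional[str],
                  no_write_up: bool = True) -> bool:
    """MIC verdict only. The DACL is checked afterwards and can still deny."""
    subject = integrity_rid(process_sid)
    target = integrity_rid(object_label) if object_label else MEDIUM_RID
    return subject >= target or not no_write_up

# Constructed samples: one per-user ASEP (unlabeled) and one Low-labeled location.
OBJECTS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": None,
    r"%USERPROFILE%\AppData\LocalLow\sample.dat": "S-1-16-4096",
}
PROCESSES = {
    "browser at Low IL": "S-1-16-4096",
    "browser at Medium IL": "S-1-16-8192",
}

def audit() -> dict:
    """Map (process, object) to the MIC write verdict for every sample pair."""
    return {(p, o): write_allowed(sid, label)
            for p, sid in PROCESSES.items()
            for o, label in OBJECTS.items()}

if __name__ == "__main__":
    for (proc, obj), ok in audit().items():
        level = level_name(integrity_rid(PROCESSES[proc]))
        print(f"{proc:22} ({level:6}) -> {obj}: {'write' if ok else 'DENIED'}")
```

The only pair denied is the Low IL process writing to the unlabeled per-user Run key, which is the persistence path the paragraph describes.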