George Ou asks: is the Firefox honeymoon over?
For the last 7 months from September to March 2005, Firefox had 4 times as many vulnerabilities as IE. Not so good. Of course, there are many other reasons to use Firefox, but the better security argument isn't very persuasive in the face of this data.
And what about Apache versus IIS 6?
The same trends hold true for Windows Server 2003 versus Red Hat Linux. Microsoft is saddled with a reputation for poor security based entirely on their past security record. That's fair, because there were some massive security holes in previous Microsoft products. But if you look at the actual Secunia incident data for the new products (IE 6 SP2, IIS 6, Server 2003) the trend is clear.
It will take years for Microsoft to earn enough goodwill to balance out all the past security problems. But new Microsoft products are quite secure. And the trend line on these security incident graphs is way, way down, predicting that Microsoft's future software will be even more secure. As the comprehensive new Windows Vista security model illustrates, Microsoft is on track to be even more secure than open source.
Posted by Jeff Atwood
bullshit
bullshit on September 17, 2005 09:44 PM

Interesting that the first comment essentially proves your point that MS's reputation continues no matter what. "Please do not drag any actual facts into our argument that MS is insecure."
mike on September 17, 2005 10:56 PM

Lies, damn lies, and statistics:
* How long did it take to patch the vulnerabilities?
* Severity of vulnerabilities?
* How many are still unpatched:
Firefox: "Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database." -- http://secunia.com/product/4227/
IE6.x: "Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database." -- http://secunia.com/product/11/
Yes, yes, we can keep playing this game:
IIS 6.0
The Secunia database currently contains 0 Secunia advisories marked as "Unpatched", which affects Microsoft Internet Information Services (IIS) 6.
Apache 2.0
Currently, 2 out of 27 Secunia advisories, is marked as "Unpatched" in the Secunia database.
The point is that MS's security and security responses have gotten better and better, but people adamantly insist that MS products are insecure. The kinds of responses here so far suggest that there is a set of people who will not admit, no matter what, this trend in MS products.
mike on September 18, 2005 02:56 AM

Right, you can bet that IE7 will be far better designed than IE6 originally was when it comes to security. It's not about where you were yesterday, it's about where you are today, and even more importantly which way you're trending: up or down.
That said, MS deserves a lot of the ill will it is currently getting for the horrible security gaffes in the XP (circa 2001), IE6 (circa 2001), and IIS 5.
But it's clearly changing.
Jeff Atwood on September 18, 2005 04:29 AM

I don't know, I still feel that I have to save people from stuff they somehow downloaded while surfing with IE6...
Anyway, I was wondering... is IE7 released because of Firefox? It seems like the only reason Microsoft is releasing a new version of their browser.
Peter Palludan on September 18, 2005 04:47 AM

Do you think that the reason the published vulnerabilities are higher with the open source stuff is that it is easier for a wider spread of people to find the problems in the first place? It's not really a huge surprise that open source software is more open about its failings.
The number of vulnerabilities posted on Secunia doesn't necessarily equate to the actual number of vulnerabilities in the software. There may be gazillions more holes in Microsoft's stuff waiting to be exploited that we just don't know about (and we have to hope the nasty people don't know about either). It's just a guessing game really. I wonder how many problems Microsoft finds and fixes without anyone in the wider world ever even knowing (which isn't necessarily a bad thing).
Mind you, I guess this cuts both ways. If the vulnerabilities are more known about they are more likely to be exploited too.
Anyway what do I care - I use a Mac ;o)
Stephen on September 18, 2005 07:05 AM

"Not so good. Of course, there are many other reasons to use Firefox, but the better security argument isn't very persuasive in the face of this data."
Oh, please...
How about this data, from the same source:
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical.
Currently, 19 out of 85 Secunia advisories, is marked as "Unpatched" in the Secunia database.
And:
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical.
Currently, 3 out of 22 Secunia advisories, is marked as "Unpatched" in the Secunia database.
And talking about history: take a look at what kind of vulnerabilities both browsers have, I mean criticality and impact.
So IE is more secure? Oh, well...
IE7 may be better, but it still has ActiveX, with all the consequences...
Rimantas on September 18, 2005 08:33 AM

bullshit
IE sucks...People like George whO and ahem....don't have anything better to write about so hey IE 7 beta just got out so people are interested why not write something about IE vs Firefox blah blah blah.........
Context is everything. I'd take Firefox with no critical vulnerabilities and 100 advisories over Internet Explorer with two critical vulnerabilities and 25 advisories. (Numbers completely made up.) You can't make a sweeping generalization (IE is more secure than Firefox or vice versa) based on looking at raw totals.
When you get down to which is more fundamentally secure, then numbers mean very little. It's phenomenally difficult to say whether one side is inherently more secure than the other. It takes intimate knowledge of both before you can form such a judgement, and even then there are so many different contexts that it borders on ludicrous. Apache in one context could be totally secure but vulnerable in another.
Bill Brown on September 18, 2005 04:14 PM

Interesting comparison; however, you're missing one fundamental point brought out by the first graph:
Bugs (security exploits/malware) remain constant over time, regardless of operating system or number of patches issued.
The final point brought out by the second graph is that security exploits/malware are a function of market share.
The truth is rarely black or white; It is more often a shimmering shade of gray.
Anybody who keeps a firewall between their internet facing systems and the rest of the world knows that probes for OSS and proprietary systems are de rigueur.
All said and done, IE and Firefox or IIS and Apache do similar things, thus are going to have similar problems (Duh!). In the end, however, having source code level visibility is a positive and a negative. Exploits are a matter of analysing the code, but fixes come quickly and there are likely to be fewer vulnerabilities in general (offset by the ease of exploit development). On the other hand, the closed source model is a complete black box over which you have almost zero control (except the free market ability to vote your confidence with your $$s, and considering MS has a virtual monopoly on the operating system and office application market, voting with your $$s is unrealistic). Even though exploit development is, in theory, easier with OSS, I would expect closed source software to have more zero day vulnerabilities (hence Microsoft's intense interest in that particular facet of security with their HoneyMonkey project).
anonymoustroll on September 18, 2005 08:32 PM

"it's about where you are today, and even more importantly which way you're trending-- up or down."
Right, and today IE 6 is Microsoft's offering. IE 7 is due to be released with Vista and my understanding is that it's XP/Vista only.
Which means that my primary healthcare provider will still be running IE 6 post IE 7's release. Simply because the effort it would take to upgrade ALL of their machines to Vista || XP capable machines probably costs more than the effort to contain and fix security repairs.
I find it interesting that Microsoft maintains older (I mean VERY old) versions of Excel and VB for large corporations, but leaves mainstream users hanging when it comes to support of its older OSes.
To me, how long the exploits stay unpatched, combined with how critical they are, is what I'm interested in. I can't derive that information without taking some time to parse the data. But they have compiled some other interesting statistics.
Criticality:
IE 6 - 14% extremely
Mozilla 1.x - (no extremely critical patches) 23% Highly
So even though Mozilla has more exploits, they are less severe than the Microsoft ones.
IE 6 - 69 advisories from 2003-2005 - 28% unpatched
Mozilla 1.x - 22 advisories from 2003-2005 - 14% unpatched.
More "Lies, damn lies, and statistics". :)
Another interesting stat is the "Impact" statistics. 18% of the Mozilla exploits allow system access vs 31% of the IE exploits.
I don't look at server statistics because honestly, that's the router muppets' job. Secure their damn server. If they're running an older version, it's their job to understand the attack vectors and make sure they are plugged or monitored. Know your system!
It's also interesting to note that XP is still based on the old NT/2K architecture, where Vista is based on Server 2K3. Meaning that Vista will automagically benefit from the increased security in Server 2K3 in addition to all the work the security teams have been doing at Microsoft. That's a "good thing".
Scott on September 19, 2005 12:42 PM

Stephen,
You should care even if you use a Mac. I use an iBook and Safari as my main browser. Safari is based on KHTML and WebKit ( http://webkit.opendarwin.org/ ), which is open source.
Safari 2.0 is 0-1 in patching exploits. :0 It has one unpatched spoofing exploit.
http://secunia.com/product/5289/
> IE 7 is due to be released with Vista and my understanding is that it's XP/Vista only
I'm fairly sure IE7 will be released for XP prior to Vista's release.
Jeff Atwood on September 19, 2005 01:42 PM

Compare security alerts for IE6 when it was first released versus Firefox 1.x, or compare security alerts of Firefox 1.x at the same age as IE6. My betting is IE6 will be on a par if not slightly worse. Hardly a fair comparison. As usual.
Barry on September 29, 2005 01:00 PM

At the end of the day what I care about security is:
1. How vulnerable are my systems?
It doesn't matter if my system has 100 security advisories an hour if they are difficult to exploit and the damage caused is small.
2. How much time do I have to spend in security issues? This includes time to recover as well as time spent preventing attacks.
From my experience, Linux scores better than Windows so far, but Windows is improving and MS is taking security more seriously.
From all I've read about the issue, one of my favourite articles is:
http://www.theregister.co.uk/security/security_report_windows_vs_linux/
Pedro.
Pedro Bezunartea on October 27, 2005 12:28 PM

I find it interesting how the responses that basically read "that's bullshit" are ones all in favour of open source. Maybe it's just me, but there are _way_ too many zealots all too happy to just point their fingers and stop "LIES, LIES!". Well, never mind.
S on January 4, 2006 11:44 AM

Content (c) 2008 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.