IE more secure than Firefox?

Well, that's certainly not a headline that you see every day. According to a report authored by Jeffrey Jones, a researcher and the Security Strategy Director at--where else?--Microsoft's Trustworthy Computing group, Internet Explorer is a more secure browser than Mozilla's Firefox. As the grounds for his report, he compared the security track records of Firefox 1.5 and IE6 as well as Firefox 2.0 and IE7. For his purposes, he breaks down vulnerabilities into three distinct levels of severity: high, medium and low. The most telling statistic is as follows: "Since November 2004, Microsoft has fixed 87 total vulnerabilities in Internet Explorer 6 and 7, while Mozilla has issued 199 fixes to Firefox 1, 1.5, and 2.0."

Of course, a Microsoft study of a Microsoft product is not going to go uncontested and to that end, Mozilla responded to the report in a recent blog post. "We count every defect distinctly," Mozilla chief evangelist Mike Shaver wrote. "We count the ones that Mozilla developers find in-house. We count the things we do to mitigate defects in other pieces of software, including Windows itself and other third-party plugins. We count memory behavior that we think might be exploitable, even if no exploit has ever been demonstrated and the issue in question was found in-house. We open our bugs up after we've shipped fixes, so that people don't have to take our word for our severity ratings." What's more, he suggests that Microsoft spend more time addressing vulnerabilities instead of "hoping that defects aren't found by someone who they can't keep quiet." Oooh, burn!

At any rate, what's clear here is that you can probably prove that anything is secure, provided that you choose the right parameters by which security is measured. As Ars Technica aptly points out, this study in particular "neatly coincides with the release of IE 6 for Windows XP SP2," which, as you may already know, "was the culmination of a massive two-year refocusing on security by Microsoft that mandated security training for every developer in the company." Ultimately, it's difficult to take the results of this report too seriously though it does raise an interesting question--which browser really is more secure? Hit us up in the comments with your thoughts.

For more on the report:
- see this Ars Technica article