Reality: Open-Source Security Flaws Abound
US-CERT (United States Computer Emergency Readiness Team), a partnership between the Department of Homeland Security and the public and private sectors, impartially tracks all manner of security issues in operating systems and major applications, such as browsers. US-CERT issues a bulletin every week, outlining the current crop of problem areas. You can access all past and current bulletins here; I urge you to take a moment, click on over to their site, open several bulletins at random, and scroll down the page. In most of the more recent issues, you'll see that the list of IE's vulnerabilities is shorter than the lists for Firefox, Mozilla, and the other alternate browsers. Likewise, in the more recent bulletins, you'll also see that the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed.
US-CERT's findings aren't unique. For example, the Symantec Internet Security Threat Report provides a six-month update of Internet threat activity. It gathers data from
"...over 20,000 sensors monitoring network activity in over 180 countries. Symantec also gathers malicious code data along with spyware and adware reports from over 120 million client, server, and gateway systems that have deployed Symantec's antivirus products. In addition, Symantec maintains one of the world's most comprehensive databases of security vulnerabilities, covering over 11,000 vulnerabilities affecting more than 20,000 technologies from over 2,000 vendors. Furthermore, Symantec operates BugTraq, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet ... The Symantec Internet Security Threat Report is grounded principally on the expert analysis of this data. Based on Symantec's expertise and experience, this analysis yields a highly informed commentary on current Internet threat activity...."
The most recent Symantec Internet Security Threat Report, covering the last six months of 2004, states in part:
Historically, most of the exploits targeting Web browser vulnerabilities have been directed at Microsoft Internet Explorer, the most widely used Web browser. In response to this, many people in the Internet community have turned to browsers such as Mozilla, Mozilla Firefox, Opera, and Safari as more secure alternatives. However, as security-conscious users have migrated away from Internet Explorer, attackers have followed suit....
The discovery of vulnerabilities affecting browsers appears to be on the rise, with more Mozilla vulnerabilities documented in this period than those affecting Microsoft Internet Explorer. This runs contrary to a trend seen in previous periods where nearly all browser vulnerabilities affected Microsoft Internet Explorer exclusively.
Between July 1 and Dec. 31, 2004, Symantec documented 13 vulnerabilities affecting Microsoft Internet Explorer. This is notably lower than the 21 vulnerabilities affecting each of the Mozilla browsers that were documented during the same period. Six vulnerabilities were reported in Opera and none in Safari.
It should be no surprise that alternate browsers--or alternate operating systems, for that matter--contain flaws. All software is imperfect; anything built by human minds can be destroyed or compromised by other human minds. Alas, while that should not be a surprise, it is to many in the open-source community: Many users have developed an almost mystical belief in open-source software, as if it were a magical talisman against the problems that Microsoft has experienced. Or, conversely, they believe that Microsoft software is somehow "evil" and prone to problems to which open-source software is immune.
Not so. All software is imperfect, and as more and more users come to employ any given piece of software, more flaws will come to light. At the same time, as more people come to use a given piece of software, that group will become an increasingly interesting target to miscreants, who will actively seek out the exploitable flaws.
Both these trends mean that we'll be hearing of more and more security problems in non-IE browsers and non-Microsoft operating systems in the future.
That doesn't mean there's no good reason to look at open-source products such as Firefox. In fact, there are several excellent reasons, including those we listed earlier: Firefox is free, open source, cross-platform, and multilingual; and it also brings some much-needed competition to the browser market. But it's not a panacea for browser security problems. In fact, changing to Firefox--or Mozilla, or any similar software--because "it's more secure" is a dangerous misconception, and a demonstrably false one.