Anyone who regularly reads my writings knows that I’m a strong proponent of Open Source software and the value it holds in the information community. Unfortunately, in the interests of marketing, attempts are popping up to shake that foundation for Firefox. Basically, a couple of high-risk vulnerabilities have been discovered in the code and are receiving dramatic amounts of publicity. This publicity is not because vulnerabilities in Firefox are often this serious, but because simplistic conclusions are easy to jump to.

We should never so entirely avoid danger as to appear irresolute and cowardly; but, at the same time, we should avoid unnecessarily exposing ourselves to danger, than which nothing can be more foolish. – Cicero

The connection seems apparent enough. Open Source is to Open Door, as a business is to a store front. You can’t do business effectively if you don’t open the door, and you can’t effectively do security if you don’t test yourself under open-minded criticism. Firefox has exposed itself and said “Come beat on me and I will remain.” The alternative being pushed has said “I’m not going in the ring with that guy!”

The point is, Internet Explorer does not publish itself for criticism. It doesn’t allow itself to be fully tested. It’s like a boxer that requires only jabs in its fights. This works until someone gets in the ring and throws an unexpected hook. Sure it might be a foul but it doesn’t help the browser that’s unconscious.

Within hours of an exploit being discovered, patches are released and code is updated. Only on rare occasions can Microsoft claim the same success. In fact, examples exist (here and here) where Microsoft has failed to respond for weeks! I simply cannot remember the last time an Open Source vulnerability was found where a patch was not released at lightning speed.

Let’s add to this the argument that other contenders do not accept: software published with its code in the open is more thoroughly examined and more effectively fixed. As an example supporting this statement, let’s look at the popular OpenSSL package, which has been heavily used in the open source community over the last 5 years:

  • 2003: 8 vulnerabilities, 3 high risk
  • 2004: 3 vulnerabilities, 3 high risk
  • 2005: 3 vulnerabilities, none high risk

The trend should be fairly obvious. To add to this, the last vulnerability released for OpenSSL was published this month. However, it was fixed in July and was simply a configuration issue with very little chance of exposure.

The fact is, you are safer under Firefox than under IE. If you follow sensible and logical guidelines about installing security fixes, avoiding disreputable sites, and blocking unauthorized Flash and Java applications, you will be far more secure than Internet Explorer can make you.