For years, Microsoft Internet Explorer has been criticised for its lack of security, high number of vulnerabilities and endless patching regime. With a cluster of Firefox updates in the last few weeks, it seems natural to ask the question: should Firefox be getting similar criticism? Why aren't people complaining about Firefox needing so many updates? So far it seems that Firefox's general goodwill has held out, but it's unlikely that people have just started to appreciate better security.

The average user really doesn't care much about their browser. Just as they like a car that goes from A to B and has a stereo, they want a browser that opens websites and doesn't bug them for updates too often. They've got net banking to do and stuff to buy on eBay - why should they mess around with updates?

everyone hates updates

A little while back, Microsoft was getting criticised particularly heavily for constantly releasing patches. Users felt like they were always being bugged by Windows Update and technical administrators were stuck in an endless cycle of testing and deploying patches. Microsoft's solution? Hold back all the patches and release them at the end of the month. Too bad if the latest hack is found the day after patch day.

Firefox clearly goes the other way: as soon as a patch is prepared, it's released. It looks like 1.0.5 was probably pushed out too fast, since 1.0.6 had to be released almost immediately to fix bugs in 1.0.5.

It's a classic case of tension between the best result for the user (being fully patched) and doing what the user wants (don't make them install patches). The Mozilla Foundation is taking the more responsible approach to patching while Microsoft sacrifices better security in favour of a "better" user experience.

The argument can't be solved, so we set it to one side and look for a less subjective way to compare browsers.

quality over quantity

If we ignore the number and frequency of patches, what's left is how well those patches performed. There are some major differences between IE, Firefox and Opera in terms of....

  1. How long it takes for a patch to come out for a security flaw
  2. Whether the patch actually fixes the problem
  3. Whether a patch is released at all

Secunia advisories show it pretty well. Opera is the clear winner on patching; Firefox isn't too bad; and IE is the clear loser.

Browser patch success rate (Feb 2003 to July 2005)
Browser IE 6 Firefox 1 Opera 7/8**
Number of advisories since Feb 2003* 83 21 42
Vendor patch 55% 81% 100%
Vendor workaround 1% 0 0
Partial fix 13% 5% 0
Unpatched 30% 14% 0

* Firefox advisories start from August 2004.
** Opera 7 and 8 are combined to create a better comparison in terms of the number of advisories.

Data source: Secunia Vulnerability Reports - Explorer 6.x, Firefox 1.x, Opera 7.x, Opera 8.x.

what about other gecko browsers?

You could compare based on rendering engine, since people have become aware of them lately; or at least they've heard of Gecko and perhaps understand that it's not a browser. That said, most people who can name Gecko (Mozilla, Firefox, Netscape) would have trouble naming Trident (IE) or Presto (Opera).

In any case, the problem is that the rendering engine is only part of a browser. Plenty of flaws are a result of the interface wrapped around the rendering engine, so you'll get skewed results combining all browsers with a common code base.

death, taxes and patches

To an extent, updates are just a fact of life. Even the least interested user has to be able to understand that occasionally they'll need to update their system. Mind you, some users resent more than one change in about three years... I can't help but wonder what state their cars are in.

At the end of the day, people complain less if they can see some benefit from the updates they carry out on their system. Virus definition updates help keep their machine working, new versions of applications should add useful features and software patches/updates should fix bugs and close security holes.

conclusion

So, back to the original question: should Firefox be getting the same criticism as IE? Well it would be fair to say that Firefox has probably rushed a patch or two; but it would also be fair to point out that some problems were actually related to extensions and not Firefox itself. We also have to remember that some level of patching is not just required, it's the mark of a responsible vendor. Based on whether identified problems have been fixed, Firefox is doing better than IE on the update stakes; but neither one is as good as Opera. So, no - Firefox does not deserve the same criticism as IE.