Malicious Websites Target Internet Explorer

I have always been a fan of Mozilla’s Firefox browser. To tell the truth, I have been using it since its original incarnation when it was known as Netscape Navigator (and Mosaic before that). I always thought it was more intuitive, faster, and had more and better features than Microsoft’s Internet Explorer. Of course, given that IE is included with the Windows operating system, and that Windows commands more than 90% of the desktop computer market, it is no surprise that IE remains the most popular browser in use today with 67% penetration.

However, there is another, even more important reason why Firefix is my prefered browser. Security. IBM’s ISS X-Force recently released its annual report on Internet security which analyzed trends in threats and vulnerabilities for 2008. This is an excellent report that all information security practitioners should read carefully in order to understand the the types of threats that we all face. But it was the information on page 56 of this report that really caught my attention.

For many years I have argued that Firefox provides a more secure browsing experience than IE. And now, I have proof to support this opinion. According to the ISS report, nearly 68% of all exploits hosted on malicious websites target ActiveX and IE. Conversely, less than half of one percent of exploits target Firefox. Admittedly, this is likely as much a result of IE’s popularity as a browser as it is Firefox’s superior security. However, Firefox is the second most widely used browser with 21.5% penetration. All things being equal, one would expect more than .3% of the exploits to be targeted at a browser with this much penetration. Clearly there are other forces at work.

screenshot001

So why are criminals giving Firefix a pass?  In order for a vulnerability to be exploited, it must be worth the time and effort that will be required to create the exploit.  That means, there must be a high probability that the exploit will be successful and generate revenue for the criminal organization.  The fact Firefox does such a great job of automating software updates makes it much more difficult to exploit vulnerabilities in the browser.  A July 2008 report found that over 83% of Firefox users were running the most up-to-date and secure version of the browser.  Conversely, only 47% of IE users were using the most up-to-date and secure version of the browser.  This translates into hundreds of millions of people who are using vulnerable versions of IE, ripe for exploitation by criminal elements.  When viewed from this perspective, it is easy to understand why Firefox is a more secure browser than Internet Explorer.

Comments are closed.