


Internet Explorer and Firefox Vulnerability Analysis Report

Nov 30, 2007

For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users as the browser interprets Web content and programs delivered from around the world.

Over the past few years, there has been much discussion of the need for improvements in browser security, but few hard data studies performed to support assertions concerning the security of available browsers.

I’ve just finished up and posted for download a vulnerability analysis of Internet Explorer and Firefox, including fixed and unfixed vulnerabilities, that covers roughly the three years since Firefox was first released.

As usual for these, I want to post one chart as a teaser to get you to go look at the full report.  In this case, I’m choosing one that looks at alternative upgrade paths.  Let’s say you deployed Firefox 1.0 and then Firefox 1.5 came out – did you upgrade immediately or did you wait until support for Firefox 1.0 was ending?  (… or maybe you’re still using 1.0… tsk tsk)  Same question for 2.0.  Take a look at this chart:

Vulnerabilities for quick or slow upgrade paths.

This chart looks at four cases starting back in the Autumn of 2004:

  • Firefox 1.0 users that upgraded to 1.5 and 2.0 immediately
  • Firefox 1.0 users that upgraded only when support ended
  • IE 6 SP2 users that upgraded to IE 7 immediately
  • IE 6 SP2 users that did not upgrade to IE 7
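The four cases above are all instances of one calculation: walk a user's upgrade path and count the vulnerabilities that were disclosed while the version they happened to be running was affected. The following Python is an added example of that calculation and is not code or data from the report; the report's own counting rules are not described on this page, so the method here (a vulnerability counts against a path if the in-use version on its disclosure date is in the affected set) is an assumption, and every vulnerability id, date and version range in it is constructed. It goes beyond the chart by also returning which ids hit each path, so that two paths with similar totals can still be compared.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # constructed identifier, not a real advisory id
    disclosed: date         # public disclosure date
    affected: frozenset     # product versions affected on the disclosure date

@dataclass(frozen=True)
class Step:
    version: str            # version the user started running
    start: date             # date the user moved to this version

# Constructed sample vulnerabilities (not from the report). Versions mirror the
# Firefox 1.0 / 1.5 / 2.0 sequence named in the post; dates are made up.
SAMPLE_VULNS = [
    Vuln("V-0", date(2004, 6, 1), frozenset({"1.0"})),         # before either path starts
    Vuln("V-1", date(2005, 3, 1), frozenset({"1.0"})),
    Vuln("V-2", date(2006, 2, 1), frozenset({"1.0"})),         # old-version-only issue
    Vuln("V-3", date(2006, 2, 1), frozenset({"1.0", "1.5"})),
    Vuln("V-4", date(2007, 1, 1), frozenset({"2.0"})),         # new-version-only issue
    Vuln("V-5", date(2007, 3, 1), frozenset({"1.5", "2.0"})),
    Vuln("V-6", date(2007, 8, 1), frozenset({"1.5"})),         # hits neither path
    Vuln("V-7", date(2006, 4, 1), frozenset({"1.0"})),
]

# Constructed upgrade paths: "quick" moves as soon as a release ships,
# "slow" waits until (hypothetical) end of support for the prior version.
PATHS = {
    "quick": [Step("1.0", date(2004, 11, 1)),
              Step("1.5", date(2005, 12, 1)),
              Step("2.0", date(2006, 11, 1))],
    "slow":  [Step("1.0", date(2004, 11, 1)),
              Step("1.5", date(2006, 6, 1)),
              Step("2.0", date(2007, 6, 1))],
}

def version_in_use(path, when):
    """Version a user on `path` was running on `when`; None before the path starts."""
    current = None
    for step in sorted(path, key=lambda s: s.start):
        if step.start <= when:
            current = step.version
    return current

def exposed_ids(path, vulns):
    """Ids of vulnerabilities disclosed while the path's in-use version was affected."""
    return sorted(v.vuln_id for v in vulns
                  if version_in_use(path, v.disclosed) in v.affected)

def exposure(path, vulns):
    """Number of vulnerabilities the path was exposed to at disclosure time."""
    return len(exposed_ids(path, vulns))

def compare_paths(paths, vulns):
    """Map each path name to its exposure count, for charting or tabulating."""
    return {name: exposure(path, vulns) for name, path in paths.items()}

if __name__ == "__main__":
    for name, path in PATHS.items():
        print(f"{name:5s} exposed to {exposure(path, SAMPLE_VULNS)}: "
              f"{', '.join(exposed_ids(path, SAMPLE_VULNS))}")
```

On the constructed data the quick path is hit by four issues and the slow path by five; the difference comes entirely from issues that only affect the old version, while the quick path picks up issues that only affect the new one. A vulnerability disclosed before a path's first step (V-0) counts against neither, which is the edge case to keep in mind when paths start on different dates.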

So, how do the findings line up with your expectations?  Go over to this download page and download the full report to see other findings, including unfixed issues on the latest releases…

Jeff Jones is a 24-year security industry professional who has spent the last several years at Microsoft helping drive security and privacy progress as part of the Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft processes and products. Prior to Microsoft, Jeff was the vice president of product management for security products at Network Associates, where his responsibilities included the PGP, Gauntlet and CyberCop products and several improvements in the McAfee product line. These latest positions cap a career focused on security, managing risk, building custom firewalls and being involved in DARPA security research projects while part of Trusted Information Systems. Jeff is a frequent global speaker and writer on security topics ranging from the very technical to more high-level, CxO-focused topics such as security TCO and metrics. Jeff is also a contributor to the Microsoft Security Blog ( and writes on a wide range of personal interests (e.g. books, poker, gaming) at