Reader Comments about "IE vs. FireFox: Who's the Safest Browser of them All?"

My recent post about IE vs. FireFox drummed up some interest. One reader sent me some personal comments via email. His thoughts included such a thorough and well-thought out discussion regarding the statistics there that I asked his permission to post it. This reader, who asked just to be called Dragon, comments about the post, the original of which you can find here:

Interesting! And it touches on things you have talked about in the past -- publicized versus non-disclosed vulnerabilities. Any Open Source solution is going to have a hard time keeping vulnerability finds quiet, since everyone has access to the code. I'm sure some people hunt for vulnerabilities just so they can be the first to point them out, while others hunt for them just so they can be the first to exploit them. The same holds true for non-OpenSource products. I'm sure Jeff Jones spends at least as much time hunting for IE7 vulnerabilities as any individual hacker does.
One of the referenced links lead me to this page:
http://blogs.zdnet.com/security/?p=474

Here, it shows a comparison between IE6, Firefox 1.5, and Opera 8 (all of which are now out-dated, but as a point-in-time snapshot, it's interesting). Firefox had WAY more publicized vulnerabilities than IE6 (and Opera had the fewest). But then the report says:

Click past the fold for the rest of the story...

"However, when client honeypots with these browsers surfed to a list of about 30,000 known exploit servers, the URLs that resulted in a 0.5735% of successful compromises of Internet Explorer 6 SP2 did not cause a single successful attack on Firefox 1.5.0 or Opera 8.0.0."
This calls back to the "security through obscurity" discussion I've heard you discuss, but in this case, the analyst suggests that the reason Firefox isn't targeted is not so mcuh due to its obscurity (it is, in fact, a popular browser), but rather because updates for it are quicker, easier, and more persistent than IE's. This may have to do with the idea that IE's updates are linked with the OS updates, whereas Firefox benefits from the freedom of being a fully standalone application.

FYI, they site w3schools.com as a place to find browser usage statistics, but that's only browsers that hit w3schools:
http://w3schools.com/browsers/browsers_stats.asp

The piece doesn't break down the Firefox versions at all (aside from the fact that pre-2005, Firefox reported as Mozilla). What interested me was that IEx.x only has 57% of the browser share for that site. I would have placed it higher. What also interested me was that in July 2005, IE experienced a sharp uptick -- was there some major release / patch that MS put out around that time? Maybe XP SP2?

Here are some other sources for browser usage:
http://www.webreference.com/stats/browser.html
http://www.thecounter.com/stats/2007/November/browser.php

Basically, any kind of hit-counter site (like Adelade, or hitbox) will have more representative data on browser usage, since their statistics span many websites. Ebay I think uses Adelade and Netsomething, and those stats would be very interesting to see.

Regarding the above, webreference.com shows an interesting trend: Of all the Firefox users (from 12/4), two thirds of them are already at the latest version that was released just last week, and 83% of them are running versions no older than a month. IE's versions don't break down so granularly, but you can see that only 46% are using IE7, and about 50% are still using IE6. But, I guess since IE6 is still getting regular patches (right?), it's perfectly valid as a current browser. It would be nice to see a more granular breakdown of versions on the IE side, so that a more meaningful comparison can be made between the them and Firefox.

Alas thecounter.com doesn't have nearly as much granularity, but it shows far more IE users than FF users, as compared to webreference.com or even w3schools.com. That's fascinating in its own right! I wonder why there's such a discrepancy.