While surfing the internet, I came across a very interesting article by Jeff Jones, “BROWSER VULNERABILITY ANALYSIS OF INTERNET EXPLORER AND FIREFOX”. Although the article is pretty old (2007), it is very interesting and worth reading. I am posting a few excerpts from the article below.
BROWSER VULNERABILITY ANALYSIS OF INTERNET EXPLORER AND FIREFOX
Published on: November 27, 2007
Written By: Jeff Jones
Blog: http://blogs.csoonline.com/blog/jeff_jones
Mozilla released Firefox 1.0 in November 2004 and has subsequently released Firefox 1.5 and Firefox 2.0. These three versions make up the supported Firefox versions in the three years from November 2004 to October 2007. The time period covered in this report is through the end of October 2007. In that same timeframe, Microsoft has supported Internet Explorer 5.01 SP3 and SP4, Internet Explorer 6.0 Gold, SP1, SP2, and Windows Server 2003 edition, plus Internet Explorer 7.
Since the release of Firefox 1.0 in November 2004, Mozilla has fixed 199 vulnerabilities in supported Firefox products – 75 HIGH severity, 100 MEDIUM severity and 24 LOW severity. In the same timeframe, Microsoft has fixed 87 total vulnerabilities affecting all supported versions of Internet Explorer – 54 HIGH severity, 28 MEDIUM severity, and 5 LOW severity.
There are significant differences in lifecycle support policies between the vendors that have potential security implications. Mozilla released Firefox 1.0 in November 2004, Firefox 1.5 in November 2005, and Firefox 2.0 in October 2006. Only Firefox 2.0 is currently supported with security fixes from Mozilla, as it has been Mozilla’s policy to support a previous version for six months after a new (major) version is released. So, according to its original schedule, Firefox 3.0 was scheduled to ship in November 2007, which meant Firefox 2.0 support would end in May 2008. While a revised schedule has not officially been announced by Mozilla, they have announced that three Beta releases are planned and the current estimate for Firefox 3.0 is “early 2008.”
To put this in perspective, if Microsoft had this same policy, then support of Internet Explorer 6 would have ended in May 2007, or similarly Internet Explorer 5.01 support would have ended in 2001. In contrast, Microsoft generally releases a browser in conjunction with a new operating system release and commits to supporting that version for the lifecycle of the product – now 10 years for business products. Major versions do have service packs and the Microsoft policy is to support a previous service pack for at least one year after a new service pack is released.
Microsoft released Internet Explorer 6 for Windows XP SP2 in August 2004 and Internet Explorer 7 in October 2006 (for Windows XP SP2 – Internet Explorer 7 Vista released with Windows Vista in November 2007). Both versions of Internet Explorer are currently supported by Microsoft. The figure below shows a timeline of browser releases since November 2004, along with end of life for those products no longer in support.
Although not shown in the diagram, Internet Explorer 5.01 SP4 is also still supported for those Windows 2000 users that have made the decision never to upgrade their browser to a different release. One key factor of lifecycle is simply the fact that “unsupported” versions of products don’t get patches developed for them. This is equally true for all vendors, but shorter lifecycles mean more people may still be running an unsupported version and be exposed. To explain this comment, take a look at an example using Microsoft IE6 SP2. Imagine that, after IE7 was released last October, support for IE6 ended one month later. How likely is it that everyone will have upgraded by the end of that month? What if it was six months? Isn’t it likely that some consumers or companies might not have upgraded to the newer version by the end of the six-month grace period?
I would suggest that you read the complete article, because I have posted very little here (just a few interesting details). For those of you who really want to read the complete article, please refer to the link below:
Up-to-date information can be found at: http://blogs.csoonline.com/scrutiny_of_mozilla_security_claims