Jeff Jones, instead of being a troll, why don't you look at your own insecure browser code? I guess last month's zero day security vulnerability which was heavily exploited to require and out of band patch isn't eye opening enough? We don't need your useless, biased analysis, Secunia and other companies does a much better job than MS.

In other much more interesting news, EU just announced IE bundling in Windows is illegal. Good luck with them, it will be a great day for the Internet once IE is unbundled from Windows.

@Anonymous: wow! You really do hate them don't you? Suppose you have all the time in the world to develop your hate?

I'm a web developer and quite fed up with all these browser/os wars. Please come together and build us a standard compliant base web browser and a basic operating system without all kinds of fancy features. By the way: I happen to like vista (after stripping a lot of fancy stuff it does what it has to do for me).

Regards from the Netherlands /RK

build us a standard compliant base web browser and a basic operating system

Install Ubuntu. Done.

"Why don't you build us a standards compliant web browser, Microsoft."

I'll second that comment.

You'll also have to go a little bit deeper than simply pointing fingers. You will admit, as a security guy, that tying the web browser into the Operating System is an inherent security risk taken by choice that immediately puts users at risk. As soon as the browser is compromised, so is the OS.

You also have to admit that many of the vulnerabilities to either browser are actually vulnerabilities in the underlying OS that are exploitable because of the Windows side of the rendering engine.

While it is your job to try and tear down your competitor, let's at least be honest: Internet Explorer's architecture is more inherently insecure than any other stand-alone browser. End of story.

It always is very good to see people so to be secure with open source!! None software is secure!! Remember you!!

To Anonymous Ubuntu-friend: https://launchpad.net/ubuntu/+bugs

I have to say that if you consider a "Day" to be one revolution of the Earth around its axis, then it's hard to get to 285 "days" of vulnerability for Firefox. You're counting each day where two vulnerabilities were open as two days. In this way, it's easy to imagine that a browser could have more than 365 "days" of vulnerability in a year...which just doesn't make a lot of sense to me. But then, I'm only a user...what do I know? (Maybe Mozilla also counted in this same nonsensical way, who knows?)

Full disclosure: While I personally prefer Firefox, I use IE more often because other people at work and at home are more comfortable with it.

The Mozilla figures are based on an article from the washington post only looking at CRITICAL vunerabilities.
That is not the saem as you did Jeff!

What a joke... Jeff, did you even try to look at the vulnerabilities you quote? For example CVE-2006-2894 - an issue that is very difficult to exploit and happens to be a loophole in the patch for SA20449, something that was never fixed in Internet Explorer in the first place. CVE-2006-6077 can only be exploited if the website in question is vulnerable to XSS (and in that case there are other ways to get your password). And CVE-2005-4134 is a pretty boring DoS vulnerability (there are much easier ways to bring down a browser, *any* browser). What's the point in counting theoretical vulnerabilities that will never affect anybody? There is a reason why Brian Krebs only looked at vulnerabilities with "high" and "critical" ratings.

Hey Jeff this was interesting reading. Since it's using Mozilla's own measurement there is really no excuse, they need to update their deceptive marketing.

As of today they still have not.

I'm looking forward to the rest of your series, how can I tell when they are posted up?

Thanks

I don't trust Jeff Jones. I trust Firefox.