PCs using Internet Explorer are 21 times more likely to be infected with spyware while browsing the web than systems running Mozilla’s open-source browser, Firefox.
This conclusion, presented in a recent research report, comes from a researcher at the University of Washington, a university that has received support from Microsoft.
“We cannot say whether Firefox is a secure browser or not,” asserted Henry Levy, one of the two professors from the University of Washington who, along with two graduate students, developed crawlers to track spyware on the web in 2005. “But we can definitely say that users will be safer browsing the web with Firefox.”
“However, we also cannot say that IE is less secure,” Levy explained, “because we chose to use unpatched versions of the browsers. We are only trying to understand the number of threats, which is why we used unpatched versions to detect more malware.”
In May and October 2005, Levy and his colleague Steven Gribble sent their crawlers to 45,000 websites to search for and classify executable files, and to test how effectively malicious websites could automatically download and install software on unpatched versions of Internet Explorer and Firefox.
Levy and Gribble, along with others involved in this research, set up IE with two different configurations – one configured to allow all download requests and one that did not permit any download requests – in order to monitor the number of successful spyware intrusions into the system.
Results from the investigation in October 2005 showed that only 1.6% of the websites successfully infiltrated the IE browser with the first configuration. Meanwhile, only 0.6% succeeded in installing spyware on the system even when users rejected all download requests. “These are not very large numbers,” Gribble asserted, “but they would be significant when considering the number of websites currently on the Internet.”
With a similar configuration, only 0.9% of dangerous websites successfully attacked Firefox. No website succeeded in attacking Firefox with software that downloads and installs automatically.
Thus, when comparing IE and Firefox with similar configurations, the risk of spyware infection on IE is 21 times higher than on Firefox.
Most malware exploits security vulnerabilities in IE to penetrate user systems using ActiveX or JavaScript, Gribble noted. These are the two technologies that present the most security holes for IE. Meanwhile, Firefox does not support ActiveX, making it appear safer against malware compared to IE. Consequently, most malware targeting Firefox uses Java applets.
One of the most surprising conclusions from the report by the two researchers is that for every 20 executable files on the web, one is spyware, and for every 25 websites, one contains spyware.