That’s what Bit9, a vendor of application and device control technology, said in their yearly ranking of the top 12 most vulnerable popular applications. See this article for more details: The Web’s 12 Scariest Applications
It is amazing the lengths they go to in order to give IE a free pass.
First, they give Firefox a bad mark essentially because it isn’t part of the operating system like IE is. Both programs have security updates that are supplied regularly. The only difference is that IE’s can be pushed out in a general OS update from a central server or from the built-in Windows Update, rather than through a user-controlled update by the individual application. However, the folks at Bit9 don’t seem to consider what happens when administrators, for various reasons, don’t push these security updates out, or when Windows Update has been turned off.
They also give IE a pass because of Microsoft’s regular “Patch Tuesdays” which, once again, don’t help if updating is turned off by either system administrators or users.
IE7 does seem more secure than its predecessors, but it’s still got a big target painted on it. The recent PDF vulnerability demonstrated how simply having IE on the system can create a security hole. While Firefox is higher profile than it once was, its security failings have had a significantly lower impact on users. In contrast, IE users are still often loaded down with malware.
To be fair, Bit9 did say Microsoft’s MSN Messenger was vulnerable to attack so we can’t accuse them of giving the whole company a free pass. But to say that IE is more secure than Firefox is simply not true.
What do you think? Are they right or wrong about this?