A little more than a year ago I made a prediction that I'm sure many people called crazy. I predicted that Firefox would, slowly but surely, become a less safe way to browse the web than Internet Explorer.
Well, it appears that my prediction may have been correct. According to an analysis by Microsoft's Jeff Jones, the number of vulnerabilities found in Firefox was more than double the number discovered in Internet Explorer.
Not only that, but the vulnerabilities that were discovered were, in general, worse for Firefox than they were for IE. In other words, there were a greater number of "critical" vulnerabilities in Firefox than in IE, as well as a greater number of "important" vulnerabilities.
I know many of you are immediately dismissing this analysis because it came from a Microsoft employee, but the report is based on public data. It's really just an aggregation of information that was published by non-Microsoft sources. Plus, many of you would dismiss it almost regardless of where it came from.
You're probably also thinking that Microsoft is hiding vulnerabilities from the public or patching them silently, a tactic that would be almost impossible for the open source Firefox. But you would be making unsupported assertions that I've already addressed.
Now, I can't really say that my prediction has come true. I actually predicted that attacks on Firefox would increase as IE7 on Vista started to gain market share. IE7 on Vista has indeed started to gain market share, and at the same time we've been seeing a dramatic increase in the number of vulnerabilities discovered in Firefox. This, of course, doesn't show a causal relationship.
While Firefox's market share gains have basically stopped, it does hold a solid 10%+. This means that security researchers are more interested in it, and therefore will look at it more closely. This could explain the huge increase in discovered vulnerabilities.
Regardless, it seems clear now that Firefox is not as secure as everybody thought. It is now a viable and almost certainly popular attack vector for bad guys.
IE7 on Vista, meanwhile, has not had a single remotely exploitable vulnerability that led to a compromise. There has been at least one denial-of-service bug (it crashed the browser), but nobody has escaped Protected Mode yet. IE7 on Vista has been on the market for over a year now, and it hasn't been cracked.
I'd say that's pretty damn strong evidence that the safest way to browse the web is no longer Firefox.