Mozilla's Firefox suffered from 26 percent fewer vulnerabilities in the second half of 2006 than Microsoft's Internet Explorer, a security company's research said Monday.
According to Symantec's tally, 40 Firefox vulnerabilities were disclosed between August and December 2006; Internet Explorer (IE), meanwhile, was hit with 54 bugs. Opera and Safari -- the browser Apple Inc. bundles with Mac OS X -- had four flaws each.
For all of 2006, however, the numbers were nearly neck and neck: Firefox was nailed by 87 flaws during the 12 months, IE by 92.
The trend line also put Firefox in the better light. The open-source browser had 15 percent fewer vulnerabilities in the second half of the year compared to the first, while IE's total increased 42 percent during the period.
"Internet Explorer was particularly affected by concerted efforts to 'fuzz' the browser for new vulnerabilities," said the Symantec report, which cited July's 'Month of Browser Bugs' project as a big contributor. "The majority reported affected Internet Explorer or Windows components accessible through the browser," Symantec said.
To add insult to injury to IE, Mozilla developers patched Firefox five times faster than did Microsoft's. On average, Firefox had an attack exposure window -- the amount of time between the disclosure of a bug and when it was patched -- of just two days based on a sample set of 26 flaws. By comparison, Microsoft took an average of 10 days to patch the sample 15 vulnerabilities. Both vendors' attack windows were a day longer in the second half of the year than in the first six months.
"Web browsers continue to be the big exploit area," said Vincent Weafer, senior director of Symantec's security response team "And they will increasingly be more important as more data reside on the back end, as Web applications become more popular."
The most recent data pegged IE's market share at 79.1 percent and Firefox's at 14.2 percent. Safari and Opera came in third and fourth, respectively, with 4.9 percent and 0.79 percent.
Symantec's twice-annual Internet security threat report can be found on the company's Web site.