Technology Review - Published By MIT

TR Editors' blog

Insights, opinions, and our editors' analysis of the latest in emerging technologies.

Thursday, September 21, 2006

Is Internet Explorer More Secure than Firefox?

A new model predicts that more vulnerabilities are to be found in Firefox than in Internet Explorer.
By Kate Greene

New research suggests that there are more flaws yet to be found in the current version of the Firefox web browser (version 1.5) than in the current version of Internet Explorer (version 6, and its updates). Furthermore, the researchers say, a larger proportion of Firefox's vulnerabilities are severe.

However, the researchers also determined that more vulnerabilities in Firefox are corrected with software patches than flaws in Internet Explorer, which could mitigate the effects, says computer scientist Yashwant K. Malaiya of Colorado State University and his team. The findings will be presented in November at the International Symposium on Software Reliability Engineering in Raleigh, NC.

The researchers' predictions are somewhat surprising, since Firefox is generally perceived to be more secure than Microsoft's Internet Explorer. Indeed, security is a popular reason why many people have switched over to the open-source browser in recent years. Firefox's market share almost tripled, from 4.6 percent to 12.9 percent, between November 2004 and July 2006.

But of course this increased popularity may be one reason why the number of detected flaws in Firefox has been increasing, says Malaiya. From November 2005 to July 2006, 73 vulnerabilities were found in Firefox, 33 of them critical. The number of vulnerabilities detected in Internet Explorer was smaller during a far longer period: from August 2001 to July 2006, it was 60, 15 of them critical.

To get a sense of the number of future vulnerabilities in the two Web browsers, the researchers applied a mathematical model that predicts the rate of detection. The model is based on previous data from software flaws found in operating systems and Web servers, and from earlier detected vulnerabilities in both Web browsers. Using the model, Malaiya and his team now project that Firefox will continue to have roughly 12.4 detected flaws per month, compared with Internet Explorer's projected 3.5. From the paper:

The available data suggests a higher number of new vulnerabilities can be expected in Firefox 1.5 compared with IE 6.x in the near future; they are also more likely to be of higher severity.

However, the paper adds, the process of finding flaws is only one piece of the security equation. The act of fixing the flaws is an important component--and this is where Firefox seems to have the edge over Internet Explorer. Again, from the paper:

Firefox developers are much better in developing patches with a significantly higher patch rate, thus significantly compensating for the higher vulnerability detection rate.

Malaiya and his team conclude that the evaluation of competing products needs to be repeated periodically so that the most recent data can be used to tweak their models and assess current and future risks.

Comments

  • Firefox game
    Have you ever thought about challenging browsers face to face? Now you can do it. Firetron 0.1 is new Firefox game – Try it! More information on: http://www.miscproject.com/blog/firefox-game-firetron/

    melon
    09/25/2006
    Posts:1
MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.