You need to comment on patched as well as unpatched bugs - a lot of users don't upgrade their software (even if auto-update is turned on). That said, where is Internet Explorer in the "report"? The fact that it's entirely missing makes me assign no credibility whatsoever to it.
Also, when looking at vulnerabilities, count is nothing - severity of the vulnerabilities is everything. And the severity labels that various security firms give aren't always correct, imho. Sure, a cross-site scripting bug is bad, and it might even be "severe". But it's a shitload less critical than something that can lead to automated remote code execution.
Hint: IE has had a lot of remote code execution, Firefox has had a lot less. But of course the attack vector is often Flash or Java (Java, not JavaScript), which works pretty much the same in all browsers.
Bottom line: Firefox is still a bunch more secure than IE, and because it still doesn't have market dominance it isn't targeted as much as IE either, giving an even bigger advantage.
It is an interesting approach to security though - which apps have known issues? Surely it is the unknown issues that are the problem! - Carol Haynes
Yes and no. "Unknown" issues means that generally only a few people know of the bugs - the kind of people who're interested in keeping this knowledge to themselves, so they can attack really specific systems. Once exploits are used for zombie botnet purposes, they get known really fast - and it's the automated zombie-harvesting attacks we need to worry about.