Firefox is not a security cure-all

I have lost count of the number of times I have read reviewers telling people that they should switch to Firefox because it is secure, unlike Internet Explorer. This is simply untrue. Mozilla-based browsers are somewhat more secure than IE, for two main reasons: one, they don’t support ActiveX controls (although with Service Pack 2, the likelihood of being attacked by an ActiveX control has dropped dramatically); and two, because most virus/spyware writers have historically targeted the IE platform. But the more successful Mozilla/Firefox becomes, the more likely it is that bad guys will start targeting it too. Over time you will see more alerts like this one:

SecurityTracker.com Archives – Mozilla Buffer Overflow in Processing NNTP URLs Lets Remote Users Execute Arbitrary Code

(This vulnerability is fixed in the version of Mozilla that forms the core of Firefox 1.0, so don’t worry if you’re running the released version of Firefox.)

Virtually every virus and spyware attack in recent memory has taken advantage of a vulnerability for which there was a patch. Windows users who conscientiously apply patches and security updates (a painless process using Automatic Updates) don’t get hit. Those who ignore updates become victims.

Firefox does script. It uses buffers. Most viruses and many spyware programs use buffer overflows and hostile scripts to force unwanted software onto users’ machines. If you install a copy of Firefox and then don’t update it when a security patch comes out, you are vulnerable to these exploits.
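As an added illustration of the class of defect the alert above describes, here is a hypothetical NNTP-URL host parser in C with a fixed-size buffer, shown once in the unchecked form that can overflow and once with the length check that refuses over-long input. This is example code written for this page; it is not Mozilla's code, and the URL shape, the `HOST_MAX` size and the sample URLs are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size host buffer, as a URL handler might use. */
#define HOST_MAX 32

/* Unsafe pattern: copies the host part of "news://host/group" into a
 * fixed buffer without checking its length. Any host longer than
 * HOST_MAX - 1 bytes writes past the end of `out` (undefined behaviour,
 * and the kind of defect a crafted URL can turn into code execution). */
int unsafe_parse_host(const char *url, char *out)
{
    if (strncmp(url, "news://", 7) != 0) return -1;
    const char *p = url + 7;
    size_t n = strcspn(p, "/");   /* length of host, unbounded */
    memcpy(out, p, n);            /* no bound on n: overflow risk */
    out[n] = '\0';
    return 0;
}

/* Hardened version: the caller passes the buffer size, and a host that
 * would not fit (terminator included) is rejected rather than silently
 * truncated, so the error is visible and nothing is written out of bounds. */
int safe_parse_host(const char *url, char *out, size_t out_len)
{
    if (out_len == 0) return -1;
    if (strncmp(url, "news://", 7) != 0) return -1;
    const char *p = url + 7;
    size_t n = strcspn(p, "/");
    if (n == 0 || n >= out_len) {
        out[0] = '\0';
        return -1;                /* empty or over-long host: refuse */
    }
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Convenience check: does the host of `url` fit a HOST_MAX buffer? */
int host_fits(const char *url)
{
    char host[HOST_MAX];
    return safe_parse_host(url, host, sizeof host) == 0;
}

int main(void)
{
    char host[HOST_MAX];
    /* Constructed inputs: a normal URL and one with a 40-byte host. */
    const char *ok_url = "news://news.example.net/alt.test";
    const char *long_url = "news://" "aaaaaaaaaa" "aaaaaaaaaa"
                           "aaaaaaaaaa" "aaaaaaaaaa" "/alt.test";

    if (safe_parse_host(ok_url, host, sizeof host) == 0)
        printf("accepted host: %s\n", host);
    if (safe_parse_host(long_url, host, sizeof host) != 0)
        printf("rejected over-long host (%zu bytes)\n",
               strcspn(long_url + 7, "/"));
    /* unsafe_parse_host(long_url, host) would overflow `host` here,
     * which is why it is never called with untrusted input. */
    return 0;
}
```

Build with `cc -Wall -Wextra example.c`; the point of the hardened variant is that the size of the destination travels with the pointer and the check happens before the copy, which is the same discipline a patch for this bug class enforces.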

The programmers who put together Firefox have done a remarkable job. But I guarantee you they are on the lookout for reports like this one. When (not if) someone discovers a critical flaw in Firefox, they’ll write a patch. Will all 14 million people who have downloaded Firefox 1.0 also install each new patch? We’ll see.

Update: For news of a later and apparently more ominous security hole that affects Firefox but not Internet Explorer, see “Oops! This Firefox security exploit is a doozy.”

8 thoughts on “Firefox is not a security cure-all”

  1. Firefox does have an automatic update notifier function, which is turned on by default. I also seem to remember that when running Firefox 1.0PR and a critical patch was released for it, it interrupted the user’s browsing session and encouraged them to update.

    It’s also likely that Firefox will be updated with new versions more often than IE, so the patches will come with new releases.

  2. Right, Firefox is configured to check for updates automatically. So has every version of Windows for several years, as do antivirus programs, and yet people IGNORE the message to update their software. I assume that a nontrivial percentage of Firefox users will ignore the inevitable update messages as well.

    We’re talking about the masses here, not about techies like you and me.

  3. I don’t think Windows Autoupdate is automatic, or at least it’s pretty easy to turn off, and it’s definitely off at the corporate level. At a huge corporation I work at in St Paul MN, Windows Update isn’t even an option; you have to go type in the URL or do a web search to find Windows Updates, as it’s not turned on and there’s no little Windows Update button on the Start menu.
    Then again, corporations aren’t using Firefox either. Sadly, what they are doing more and more is locking down systems from having Internet access in the first place.

  4. From my experience Firefox has proven itself to be ten million times better than IE. One simple reason is pop-ups: it can easily block pop-ups. Second reason is I found it faster on all my computers, even my slow laptop. Third, it’s easily customizable with themes and nice extensions to download, which by the way IE does not have. Fourth, there are so many tweaks for Firefox that actually work and help performance of the browser. Fifth reason is it is more friendly to hackers/programmers per se. So really the more popular it gets, the more hackers are going to love it because of all the stuff you can do with it, like changing your user agent and a lot more tweaks. So I would have to say you’re wrong on the fact about the more popular it gets, the more flames or whatever they are going to get.

  5. “Windows users who conscientiously apply patches and security updates (a painless process using Automatic Updates) don’t get hit. Those who ignore updates become victims.”

    I think that is partly true, but I wonder if completely. Spyware seems to still find its way onto updated computers. And not just tracking cookies or from knowingly installing adware. IE still seems to be the main conduit.

  6. Spyware can still find its way onto a patched computer if a user clicks a link to install the software. IE makes it too easy to fool a naive or unsophisticated person into saying yes when they should say no. But anyone who chooses to install Kazaa or Grokster despite the many known problems with these programs invites the problem on their own as well.

  7. “IE makes it too easy to fool a naive or unsophisticated person into saying yes when they should say no.”

    True. But even if you’re smart, what about drive-by downloads, tricky dialog boxes, or it’s late and you just click on the wrong thing? Is it possible to make IE safe?

    I’d like to take a fully updated XP box, without admin privileges and with default security settings, and browse with IE through some bad web pages and see what it picks up, clicking “No” on any requested downloads. Would that be a fair test?
