Microsoft claims that the reason IE has the most vulnerabilities is because it's the most popular, not because there is anything inherently wrong with IE per se. They argue, if Firefox became the most popular, people would start finding vulnerabilities in it and exploit them. Do you agree with this? People often say that with Linux there is very low market penetration so people don't bother writing viruses for it, though it is very simple.
Another thing, if software is closed source, does that make it generally more secure than open source software? If you have the source code available, does this make it easier to find vulnerabilities than closed source?
Microsoft claims that the reason IE has the most vulnerabilities is because it's the most popular, not because there is anything inherently wrong with IE per se.
Somewhat true. Those interested in compromising the most machines would rather search for bugs in popular software than they would in less popular ones.
They argue, if Firefox became the most popular, people would start finding vulnerabilities in it and exploit them.
People are finding vulns in Firefox and are writing malware which exploits Firefox, but to a lesser degree.
People often say that with Linux there is very low market penetration so people don't bother writing viruses for it, though it is very simple.
There are many exploits for software which runs on Linux and other *nix'es. Remote services sometimes have vulnerabilities that are discovered. Popular software written in badly designed languages like PHP tends to be a very common target as well for attackers interested in compromising servers, and you have local root exploits for just about every Linux kernel version which is not the latest (yet to be discovered).
Another thing, if software is closed source, does that make it generally more secure than open source software?
That's not really true. It's perfectly possible to analyze closed source software for vulns. There is much research and many tools for doing this. For example, if you encounter some crash, you can start reverse engineering the application at the state of the crash until you find the cause, and if it's something exploitable, you can make an exploit. There are also static binary analysis tools and many other ways of locating vulnerabilities. Auditing binaries is harder than auditing sources, but those are different topics. Sometimes, auditing a live application can be even easier than understanding a mess of SEPPLES source code.
If you have the source code available, does this make it easier to find vulnerabilities than closed source?
Sometimes, but the ways of auditing source code and auditing binaries differ. Having source code just means someone can audit the source without using more unconventional methods involved in auditing binaries.
I don't think it makes a huge difference.
An application's security depends on how it was designed, the libraries used, the language used, how well the programmers followed their "best practices", and how well they know their language/libs/platform. Code auditing and testing can help, but some practices can make programmers more prone to committing some errors. For example, compare the number of vulnerabilities found in software written in C, C++, PHP, Perl to that in software written in Java/C#, Haskell, Smalltalk, Scheme, Common Lisp.