Firefox is the most insecure browser?
bmarkus:
Cenzic just released its Web Application Security Trends Report, Q1-Q2, 2009. There are many interesting figures. One of the most surprising:
--- Quote ---Our Q1-Q2, 2009 Trends Report once again points out the continued growth of vulnerabilities and increase in attacks through Web applications. The total number of reported vulnerabilities went up to almost 3100, an increase of over 10 percent, and the percentage of Web vulnerabilities continued to dominate at around 78 percent.
Of the Web vulnerabilities, 90 percent pertained to code in commercial Web applications, while Web browsers comprised about 8 percent and Web servers about 2 percent. Of the browser vulnerabilities, Firefox had 44 percent of the total, but perhaps the biggest surprise was Safari, which formed 35 percent of the browser vulnerabilities. Internet Explorer was third, with 15 percent, and Opera was at 6 percent.
--- End quote ---
Whole report is available here: http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
OK, number itself means nothing. Average response time to fix a vulnerability, severity, etc. are also important. However...
trishtren18:
that's a little more than surprising
tclfan:
It seems to me this report is a bit flawed, as the browser category 'Other' is missing in the pie chart and the numbers still add up to 100%.
Other would include such as Chrome.
Quote from the report:
"Vulnerabilities in Web browsers were concentrated among four popular technologies - Internet Explorer, Mozilla Firefox, Opera, and Safari."
This could either mean that Chrome was tested and did not expose any vulnerabilities worth including in the report, or it was not tested at all, considering its small market share...
It is expected that Opera has the least vulnerabilities, significantly lower than other browsers. It is unexpected IE has little, but the report does not seem to specify which versions were tested either...
lucky13:
Not sure why anyone's surprised by this. I think there's a too-casual assumption made by many people that "open source" is inherently safer or more secure because of all the eyeballs that can look at the code to find potential problems. It's true that more things can be detected when more eyes are looking at it, and this no doubt contributes to detectable flaws in one application or another.
The problem with that kind of thinking, though, is that it presumes all the eyes are beneath white hats; for every contributor who fixes a flaw, there are plenty more looking for flaws they either can (ab)use or sell to people with malicious/criminal intentions. Regardless of open or closed source, code is written by humans and increased complexity brings a concomitant (or possibly even exponential) risk of flaws and the risk:reward for finding them overwhelmingly favors the criminal class. It's a lot easier to find flaws when you have the code right in front of you than when only a few people (and you're not one of them) have access to it. (Edit: So maybe a better benchmark would include the number of zero-day exploits plaguing a particular application; it's hard to blame anyone when the fix is offered pro-actively before it can be exploited in the wild.)
What's more staggering is the "market share" of Firefox (upon which Chrome is based, and Chrome's own share is marginal at best so its exclusion is hardly noteworthy) and Safari (WebKit-based like other browsers such as Konqueror) accounting for a combined 79% of flaws while making up (estimated) less than a third of all browser use (see link below, which counts Chrome separately).
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
The moral of the story is to keep your system fully patched no matter what OS or browser or applications you choose to use.
jpeters:
--- Quote from: lucky13 on November 13, 2009, 06:32:47 PM ---The moral of the story is to keep your system fully patched no matter what OS or browser or applications you choose to use.
--- End quote ---
A good reason to install FF on the HD, vs. as an extension, with automatic updates. (Although Jason has done a great job staying on top of them.)