FIrefox is the most insecure browser?

[bmarkus]

Cenzic just released its Web Application Security Trends Report, Q1-Q2, 2009 There are many interesting figures. One of the most supprising:

Our Q1-Q2, 2009 Trends Report once again points out the continued growth of vulnerabilities and increase in attacks through Web applications. The total number of reported vulnerabilities went up to almost 3100, an increase of over 10 percent, and the percentage of Web vulnerabilities continued to be dominate at around 78 percent.

Of the Web vulnerabilities, 90 percent pertained to code in commercial Web applications, while Web browsers comprised about 8 percent and Web servers about 2 percent. Of the browser vulnerabilities, Firefox had 44 percent of the total, but perhaps the biggest surprise was Safari, which formed 35 percent of the browser vulnerabilities. Internet Explorer was third, with 15 percent, and Opera was at 6 percent.

Whole report is available here: http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf

OK, number itself means nothing. Average response time to fix a vulnerability, severity, etc. are also important. However...

[trishtren18]

that's a little more than surprising

[tclfan]

It seems to me this report is a bit flawed, as browser category 'Other' is missing in the pie chart and the numbers add up still to 100%.
Other would include such as Chrome.
Quote from the report:
"Vulnerabilities in Web browsers were concentrated among four popular technologies - Internet Explorer, Mozilla Firefox, Opera, and Safari."
This could either mean that Chrome was tested and did not expose any vulnerabilities worth incuding in the report or it was not tested at all, considering small market share...
It is expected that Opera has the least vulnerabilities, significantly lower than other browsers. It is unexpected IE has little, but the report does not seem to specify which versions were tested either...

[lucky13]

Not sure why anyone's surprised by this. I think there's a too-casual assumption made by many people that "open source" is inherently safer or more secure because of all the eyeballs that can look at the code to find potential problems. It's true that more things can be detected when more eyes are looking at it and this no doubt attributes to detectable flaws in one application or another.

The problem with that kind of thinking, though, is that it presumes all the eyes are beneath white hats; for every contributor who fixes a flaw, there are plenty more looking for flaws they either can (ab)use or sell to people with malicious/criminal  intentions. Regardless of open or closed source, code is written by humans and increased complexity brings a concomitant (or possibly even exponential) risk of flaws and the risk:reward for finding them overwhelmingly favors the criminal class. It's a lot easier to find flaws when you have the code right in front of you than when only a few people (and you're not one of them) have access to it. (Edit: So maybe a better benchmark would include the number of zero-day exploits plaguing a particular application; it's hard to blame anyone when the fix is offered pro-actively before it can be exploited in the wild.)

What's more staggering is the "market share" of Firefox (upon which Chrome is based, and Chrome's own share is marginal at best so its exclusionis hardly noteworthy) and Safari (WebKit-based like other browsers such as Konqueror) accounting for a combined 79% of flaws while making up (estimated) less than a third of all browser use (see link below which counts Chrome separately).
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

The moral of the story is to keep your system fully patched no matter what OS or browser or applications you choose to use.

[jpeters]

The moral of the story is to keep your system fully patched no matter what OS or browser or applications you choose to use.

A good reason to  install FF on HD, vs as an extension....with automatic updates. (although Jason has done a great job staying on top of them)

[tclfan]

Considering the above, and assuming data is accurate to some degree:
Chrome appears to have almost 4% market,while vulnerability is possibly negligible (possibly, since it is not even mentioned in vulnerability share...).
Would this be a good conclusion that Chrome is the safest at this point, even safer than Opera?
I am not sure if Chrome is available for Linux yet, but if it is by now, any chance for Chrome extension as well as Opera 10.10 extension?

[bmarkus]

Google Chrome for Linux is in development* and a team of engineers is working hard to bring it to you as soon as possible.

[trishtren18]

chrome is available, or chromium if you will.
http://www.ghacks.net/2009/04/19/google-browser-google-chrome-and-chromium-download/
I personally know thier is a working copy for ubuntu that you could look at though i cant seem to find the link anymore but i have the package on my external drive.

[lucky13]

Considering the above, and assuming data is accurate to some degree:
Chrome appears to have almost 4% market,while vulnerability is possibly negligible (possibly, since it is not even mentioned in vulnerability share...).

How do you get that? It's based on webkit so it presumably has at least some, if not all, of the same vulns from that. Additionally, it's been found to have vulns from things unique to itself. Then you add to that the vulns from plugins (Flash, etc.).

No browser is going to have "negligible" security issues because you're dealing with complex software coded by human beings and, perhaps most vital of all, used by human beings. The weakest security link is more often than not the user.

Security isn't a function of the number of users:number of advisories unless you're interested in "security through obscurity." But that's not really security, it's just obscurity.

Would this be a good conclusion that Chrome is the safest at this point, even safer than Opera?

Absolutely not, unless you're paid by Google to make such claims. I don't know of anyone at Google actually saying such things, though.

Product specific avisories:
http://secunia.com/advisories/product/20760/?task=advisories
http://secunia.com/advisories/product/25469/?task=advisories
http://secunia.com/advisories/product/25720/?task=advisories

Note that there are unpatched vulns listed in the first two advisories (Chrome 1 and 2). What should matter more is how fast things are fixed and whether you keep your own system patched. Otherwise, you're pissing in the wind with any discussion of which is safer without even getting into safe/unsafe browsing habits and third-party plugins.

The real problem isn't one of branding, it's how browsers leverage multiple pieces into one whole. The whole sum is only as strong as each of its component parts, some of which (like Flash) are third-party code which comes with its own vulnerabilities. There's no "safe" or even "safer" browser and users shouldn't beguile themselves into thinking they're safer using one or another if their own habits aren't safe.

[tclfan]

Thank you Lucky, for such elaborate assessment in response to my polling opinions on browser security.
Now, even assuming that each browser has vulnerabilities and there are no better or worse browsers out there from this perspective (please correct me if my broad interpretation of the above is not what you meant), the differentiator remains the market share... The smaller the market share the more secure the browser can be in practice. This is because developers of programs exploiting vulnerabilities of browsers are focusing on those which have the largest market share. At least in logical theory.  Therefore Opera is regarded as the most secure browser, not counting Chrome...
My question was that extrapolating our expectation, since Chrome has even smaller market share than Opera, is this a good expectation it should be in practice even safer? Are there some lab tests comparing them side by side?

[jpeters]

Are there some lab tests comparing them side by side?

Lab tests never make it in the real world....too many unpredictable variables are involved.  The safest browser is the one with the least functionality.  FF has very active development, and prompt updates. There is a responsibility on the user, like what sites do you go to and what do you download.  

[bigpcman]

Are there some lab tests comparing them side by side?

Lab tests never make it in the real world....too many unpredictable variables are involved.  The safest browser is the one with the least functionality.  FF has very active development, and prompt updates. There is a responsibility on the user, like what sites do you go to and what do you download.  

The browser is just a small part of a much bigger security environment picture. The software operating environment as a whole is the best way to evaluate security. Where you go and what you download can cause harm in many different ways depending upon your software environment. Here's one of the best articles (actually an interview) I've read on the subject:

http://www.tomshardware.com/reviews/joanna-rutkowska-rootkit,2356.html

and just in case you missed it here's another good discussion:

http://www.securitytube.net/Attacking-Intel-Trusted-Execution-Technology-%28Wojtczuk-Rukowska%29-video.aspx

Be patient on this video, it starts getting interesting about 6 minutes in when the subject of bios protection begins. At 54 minutes in a discussion about Intel's response to their super dooper new hardware oriented code protection scheme vulnerabilities starts.

[lucky13]

@tclfan

The smaller the market share the more secure the browser can be in practice.

Again, obscurity isn't security. Such statements also ignore the fact that there are myriad shared code/projects between browsers. Read, for example, the "Third Parties" section in the Opera "about" page. Nearly every browser uses either OpenSSL or TLS, zlib, libpng, etc. Depending on operating system, they also may share common graphic toolkits (such as GTK) and other code. Then there are the guts that render web pages, some of which are shared between projects. A vuln in one affects more than one, including some of the more "obscure" browsers. So we're right back where we started with security through obscurity, adding that the more shared code there is between projects the more risks there are no matter how obscure one or another project is in terms of market share. A vuln affecting a piece -- like OpenSSL -- shared by various browsers affects the security of all of them.

And that's only a tipping point. You're no safer with one browser over another if the point of entry to your system is something like Flash or some other unrelated piece of software common on enough systems.

"In practice" is the operative part of all of this. User practices count here. I don't click on every link sent to me. I know people who can't resist clicking on links. Am I more at risk with a more popular (and by your reasoning, riskier) browser with my very careful habits than someone else would be with a more marginally-popular browser and more risky habits? Bad habits get more people into trouble than "bad" browsers. And even good habits aren't without risks from things like cross-site scripting.
http://en.wikipedia.org/wiki/Cross-site_scripting

@jp

The safest browser is the one with the least functionality.

Correct. The more complex anything is, the more room for error. The safest browser is one lacking java, javascript, plugins like Flash, animated gif support, compression, etc. How boring.

Perhaps a safer alternative is the paranoid system used by RMS, who says he uses wget to fetch everything he browses.
http://lwn.net/Articles/262570/

Oops: http://secunia.com/advisories/product/3416/?task=statistics

[julianb]

The safest browser is one lacking java, javascript, plugins like Flash, animated gif support, compression, etc. How boring.

I suspect Lynx/Links browsers and their derivatives are very secure when you compare them against mainstream web browsers.   

[mwhit95]

I personally like dillo.  It is the only browser that I will use to view questionable links.  It doesn't run javascript and doesn't have flash.  It is a small extension and web pages do look better with pictures.