Browser Vulnerability Study Unkind to Firefox

Browser Buddy writes "A new Symantec study on browser vulnerabilities covering the first half of 2006 has some surprising conclusions. It turns out that Firefox leads the pack with 47 vulnerabilities, compared to 38 for Internet Explorer. From Ars Technica's coverage: 'In addition to leading the pack in sheer number of vulnerabilities, Firefox also showed the greatest increase in number, as the popular open-source browser had only logged 17 during the previous reporting period. IE saw an increase of just over 50 percent, from 25; Safari doubled its previous six; and Opera was the only one of the four browsers monitored that actually saw a decrease in vulnerabilities, from nine to seven.' Firefox still leads the pack when it comes to patching though, with only a one-day window of vulnerability."

Not so bleak

[Noksagt]

From the article (emphasis mine):

That said, Internet Explorer remains the most popular target for attacks, with 69 percent of all browser attacks targeted specifically at that browser alone. 20 percent of the attacks monitored during the period in question were targeted at Firefox.

When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.

So Firefox is still less targeted than IE & also gets fixed much sooner.

If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched. The most sever unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."

So what?

[ricky-road-flats]

Comparing the "number of vulnerabilities" is irrelevant to me. How many of them have actually been exploited in the wild? How many of them have caused users to lose data or unintentionally host malware? How many have resulted in people's identities being stolen?

This study shows me nothing useful. Given the fact that all software is buggy, there are many more people looking at the source for Firefox than for IE, so it's inevitable more issues will be found. The more that are found the more that can be fixed before they're a problem.

IE has improved over the years, and will improve further with v7. Doubtless Firefox's progress is at least partially driving that. But the noddy users (hi Dad!) that I've given Firefox or Opera to have had far fewer malware problems than those who insist on sticking with IE.

Re:Consider this...

[RonnyJ]

FireFox is constantly adding new features. When you add new features then you open yourself up to bugs.

Opera keeps having new features added too, though. Despite this, according to the article, Opera managed to have a decrease in vulnerabilities - so why not Firefox?

Re:And consider this, too...

[SirTalon42]

WebKit (based on KHTML, possibly going to be merged back with mainline KHTML soon) is Open Source (LGPL), which is what Safari uses for rendering.

Webkit is to Safari what Gecko is to Firefox and what KHTML is to Konqueror.

Re:Truth to the market segment argument?

[Daniel_Staal]

For that matter, they all could basically be because someone ran a code-audit on Firefox recently. Something like that would raise the 'found vulnerablities' level through the roof for the moment, but it really doesn't mean there are bigger problems with it; just that there was a concerted effort to find them recently. (I don't know of any such audit off the top of my head, but I don't follow that closely. It wouldn't nececarrally make the news.)

Re:Opera wins :-)

[RobbieGee]

And you completely ignored Hallvors' post where he said he would patch it for all Opera users if you'd given him the name of the site.