Slashdot Mirror


Firefox Most Vulnerable Browser, Safari Close

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

9 of 369 comments

  1. Re:Certified by cmeans · · Score: 5, Informative
    And then there's this:

    http://www.cenzic.com/pr_20061011/

  2. Re:I wonder by calidoscope · · Score: 4, Informative

    The Register's article on the Cenzic report also speculated that the report was based on published vulnerabilities. They made some rude noises about Cenzic's focus on the number of the vulnerabilities as opposed to the severity of vulnerabilities.

    --
    A Shadeless room is a brighter room.
  3. Re:I wonder by Actually, I do RTFA · · Score: 4, Informative

    So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed. Something tells me their methodology is a bit flawed. Of course, that's by design, given Cenzic's financial ties to Microsoft.

    Actually, in other words, the GP was making shit up. But since it conformed to your worldview, you agreed with it and based an entire post on it even though he said he didn't RTFA. Somehow it then got modded to +5.

    In reality, the vulnerabilities were culled from a variety of 1st and 3rd party sources.

    --
    Your ad here. Ask me how!
  4. Re:I wonder by natehoy · · Score: 5, Informative

    Have read the article, and the attached PDF, and they only state the conclusions. No mention is made of how they counted vulnerabilities, only that Firefox had 44% of them, and that they represented "Web Vulnerabilities by Major Type". Adding to the confusion was that they also talked about applications and servers and alternated back and forth between the three with little warning.

    Also interesting was that "ActiveX" was listed as a technology separate from Web Browsers, the one time it was mentioned. In other words, their vulnerability percentage, which is already vague, may not include ActiveX vulnerabilities within IE. Or they may. All we know is that they claim IE has 15%.

    Nowhere is there mention of what constitutes a reportable vulnerability, what versions of each browser were counted, how they were classified or even what the classifications were, what sorts of reports were included by browser (did plugins or addons get included in Firefox? ActiveX for IE? For multiplatform browsers like Opera, Firefox, and Safari, were vulnerabilities mitigated by only being exploitable on some platforms and not others, or reported multiple times - once for each vulnerable platform?)

    The PDF was severely [citation needed], but remarkably honest in that it expressed surprise that Firefox was the most vulnerable web browser when compared to IE, Safari, and Opera, and comprised almost half the identified vulnerabilities among the four browsers.

    If this is like most reports of the same type, they are using vendor-reported bugs. Firefox would, by definition, have the largest bug list by any stretch in such a report. They are the only web browser development team that allows (and encourages) access to the same bug-tracking database that their developers use. Safari, IE, and Opera only report vulnerabilities when (a) they have been fixed, or (b) when so many reports have come out that they finally have to 'fess up.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  5. Re:I wonder by Bloody Peasant · · Score: 4, Informative

    So in other words, this isn't a count of how many vulnerabilities there are, it's a count of how many vulnerabilities are found and fixed.

    I read the report. It is a marketing document, with one person (Mandeep Khera, Chief Marketing Officer) identified in it as both project lead and executive editor.

    Also, despite the fact that the report itself downplays browser vulnerabilities (8% vs. 90% web apps, 2% web servers), they still put in a single token page which just seems out of place. Nowhere does it say what their methodology is for determining what comprises a "vulnerability". Another poster already pointed out the google search results on the CERT site (~367 for IE, ~61 for Firefox; that's over 6 times more vulnerability reports on the CERT site for IE versus those for Firefox; oops, was I shouting?).

    I suspect the authors' methodology is simply to count something like the number of patches. Given Microsoft's monthly bundling of their security patches, and the Mozilla Firefox project's immediate release of more frequent version updates in response to vulnerability reports and discoveries, such methodology leads to a systematic undersampling of those for IE. A better approach would be to count verified CVE candidates.

    Pure speculation: were they paid by anyone to put that browser breakdown in (it really doesn't seem to belong in my opinion), or was it ignorance or lack of thinking? Without an honest clarification from the company we'll probably never know.

    --
    -- This .sig intentionally left meaningless.
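The posts above argue that the ranking depends on what gets counted: published entries (which repeat one flaw once per platform), vendor patch bundles (which hide several flaws behind one monthly release), distinct CVE-style identifiers, or only the severe ones. The script below is an added illustration of that point, not part of the thread or of the Cenzic report; every record in it is constructed sample data with placeholder identifiers, and the two products, advisory ids, scores and the 7.0 severity threshold are assumptions chosen to make the methodology differences visible.

```python
"""Shows how four counting methods rank the same set of browser flaws
differently. All records are CONSTRUCTED sample data; the ids are
placeholders, not real advisories or CVEs."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    advisory: str    # vendor advisory / patch bundle id (constructed)
    vuln_id: str     # one id per distinct flaw, CVE-style (constructed)
    product: str
    platform: str
    severity: float  # CVSS-like base score, 0..10 (constructed)


# Constructed scenario: "BrowserA" publishes one entry per bug per platform,
# so each cross-platform flaw appears three times. "BrowserB" ships a monthly
# bundle on one platform that fixes several flaws, most of them critical.
SAMPLE = [
    Record("A-2009-01", "V-001", "BrowserA", "Windows", 4.3),
    Record("A-2009-01", "V-001", "BrowserA", "Linux", 4.3),
    Record("A-2009-01", "V-001", "BrowserA", "macOS", 4.3),
    Record("A-2009-02", "V-002", "BrowserA", "Windows", 5.0),
    Record("A-2009-02", "V-002", "BrowserA", "Linux", 5.0),
    Record("A-2009-02", "V-002", "BrowserA", "macOS", 5.0),
    Record("A-2009-03", "V-003", "BrowserA", "Windows", 6.8),
    Record("B-2009-07", "V-101", "BrowserB", "Windows", 9.3),
    Record("B-2009-07", "V-102", "BrowserB", "Windows", 9.3),
    Record("B-2009-07", "V-103", "BrowserB", "Windows", 7.5),
    Record("B-2009-08", "V-104", "BrowserB", "Windows", 9.3),
]


def count_rows(records):
    """Naive method: every published entry counts once.
    Over-counts a vendor that files one entry per platform."""
    counts = defaultdict(int)
    for r in records:
        counts[r.product] += 1
    return dict(counts)


def count_advisories(records):
    """Count patch bundles / advisories.
    Under-counts a vendor that fixes many flaws in one monthly release."""
    seen = defaultdict(set)
    for r in records:
        seen[r.product].add(r.advisory)
    return {p: len(s) for p, s in seen.items()}


def count_unique(records):
    """Count distinct flaw ids, one per bug regardless of platform or bundle."""
    seen = defaultdict(set)
    for r in records:
        seen[r.product].add(r.vuln_id)
    return {p: len(s) for p, s in seen.items()}


def count_high_severity(records, threshold=7.0):
    """Distinct flaws at or above a severity threshold (assumed 7.0):
    a count that reflects severity rather than raw volume."""
    seen = defaultdict(set)
    for r in records:
        if r.severity >= threshold:
            seen[r.product].add(r.vuln_id)
    products = {r.product for r in records}
    return {p: len(seen.get(p, ())) for p in products}


def share(counts):
    """Percentage share of the total, the form such reports usually present."""
    total = sum(counts.values())
    return {p: round(100.0 * n / total, 1) for p, n in counts.items()}


if __name__ == "__main__":
    methods = [("rows", count_rows), ("advisories", count_advisories),
               ("unique ids", count_unique), ("high severity", count_high_severity)]
    for name, fn in methods:
        counts = fn(SAMPLE)
        print(f"{name:14s} {counts}  share% {share(counts)}")
```

On this constructed data the raw-entry count puts BrowserA "ahead" with 7 of 11 entries (about 64%), the advisory count reverses nothing but halves both numbers, the distinct-id count puts BrowserB ahead 4 to 3, and the severity-filtered count gives BrowserA nothing at all. A report that does not say which of these it used cannot be checked, which is the complaint the posters raise.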
  6. Re:Certified by adamchou · · Score: 5, Informative

    You didn't mention how to become an MCP though. It's not just a matter of filling out a form and sending it to Microsoft. These companies go through a rigorous set of evaluations based specifically around Microsoft products in order to become MCP. So although Microsoft might not control them, their pocketbooks do and they sure as hell invested a lot of money to become MCPs.

  7. Re:I wonder by WinterSolstice · · Score: 4, Informative

    I was going to point this out as well - there was nothing really backing up the browser diagram at all. They didn't even really go into how they determined these vulnerabilities existed, even though they did go into how web apps break down (reasonably enough).

    Just another BS FUD report

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  8. Re:I wonder by GumphMaster · · Score: 4, Informative

    In what way is a Microsoft Certified Partner not financially tied to the maintenance of the Microsoft ecosystem in the face of encroaching offerings, particularly in the browser space?

    A more cynical person might assert that a company peddling security assessment tools for web servers would actively promote less secure server systems that kept them in business. Spreading FUD about a browser is only peripheral to that but it does feed the "non-Microsoft is bad" or "open-source is bad" ethic of senior management and bean counters... keeping major systems on Microsoft platforms and Cenzic in business. As I say though, you'd have to be cynical ;)

    --
    Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  9. Re:I wonder by Anonymous Coward · · Score: 4, Informative

    Well it seems Opera are not too impressed with the report either, despite the fact they come first:
    http://my.opera.com/haavard/blog/2009/11/10/cenzic-security

    Which is interesting. Not often you see a company criticise a report that shows them in such a good light.